With the release of Snow Leopard, GPGMail is no longer functional. GPGMail has been a commonly-used application for encrypting and signing emails. After some research, I found the developer of the application has stated he will not be releasing an update to make the application compatible with Mail.app in Snow Leopard. This is because the application was using an undocumented/unsupported feature in Mail.app, and Apple has discontinued the protocols that were being used by GPGMail.
This left me to look into new methods of signing and securing emails without spending money on a commercial application like PGP. The following provides directions for using thawte to achieve email encryption and signing. By default, thawte stores your private keys on their system, which is all fine and good, but personally, I do not want anyone having copies of my private keys -- that is, after all, why they are called private keys. The downfall of my method, of course, is that you must make sure you do not lose your key pair!
Note: These directions require use of the command line. If you are not comfortable with the command line, then do not attempt this process.
[robg adds: Read on for the solution; in researching this hint, I found this email discussion stating that someone's working on a Python port of GPGMail, and that beta testing may open soon, for those interested.]
The following commands are run in Terminal, unless otherwise noted.
- Generate your private key: openssl genrsa -des3 -out mail.key 1024. This process should look like this:
$ openssl genrsa -des3 -out mail.key 1024
Generating RSA private key, 1024 bit long modulus
Enter pass phrase for mail.key: [this is your secret pass phrase]
Verifying - Enter pass phrase for mail.key: [this is your secret pass phrase]
$
- Log in to thawte and request a new certificate by clicking Test. The Test button should have a label above it that says "Developers of New Security Applications ONLY." You'll have to select an email address, click OK a few times, accept the default extensions, and go all the way through until it gives you a string of numbers and letters. Copy that string to your clipboard.
- Generate a CSR for thawte, and paste the string from your clipboard into the Common Name field: openssl req -new -key mail.key -out mail.csr. This process looks like this:
$ openssl req -new -key mail.key -out mail.csr
Enter pass phrase for mail.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Florida
Locality Name (eg, city) []:Key Largo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TCH Enterprises
Organizational Unit Name (eg, section) []:EMAIL
Common Name (eg, YOUR name) []:paste_your_certificate_here
Email Address []:your_email@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$
- Open up mail.csr in an editor, copy its contents to your clipboard, and paste them into the web browser dialog window that popped up. First delete the two lines that the dialog contains initially.
- Once thawte has generated your certificate, load this page on the thawte site. Do not download the certificate using the link in the email thawte sends you! On the web page, click Generic X509 and then click Fetch.
- In Terminal, type pico deliver.exe, and place the following in the file:
-----BEGIN PKCS7-----
insert the contents of your fetched key file here. YOU ONLY WANT THE CONTENT LOCATED IN THE PKCS7 section of the document, which is located between "-----BEGIN PKCS #7 SIGNED DATA-----" and "-----END PKCS #7 SIGNED DATA-----". Remove any blank lines in the base64 code.
-----END PKCS7-----
- Verify that your deliver.exe file looks like the following, then save it:
-----BEGIN PKCS7-----
MIIJmQYJKoZIhvcNAQcCoIIJijCCCYYCAQExADALBgkqhkiG9w0BBwGgggluMIIC
9jCCAl+gAwIB AgIDDB8KMA0GCSqGSIb3DQEBBAUAMGIxCzAJBgNVBAYTAlpBMSU wIwYDVQQKExxUaGF3dGUgQ29u
(about 80 lines of this)
TA4MjBaFw0wNTA0MTMxOTA4MjBaMGoxDjAMBgNVBAQTBUJha2Vy
-----END PKCS7-----
- Export the certificates from thawte's PKCS7 bundle: openssl pkcs7 -print_certs -in deliver.exe > deliver.certs. There won't be any output from this command.
- Create the PKCS#12 file for Mac OS's Keychain: openssl pkcs12 -export -inkey mail.key -in deliver.certs -out mail.p12. This process looks like this:
$ openssl pkcs12 -export -inkey mail.key -in deliver.certs -out mail.p12
Enter Export Password:
Verifying - Enter Export Password:
$
- Import your key for use: open mail.p12. Keychain Access.app will prompt you for the password (the export password you set in the previous step).
- Quit and relaunch Mail.app.
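To rehearse the openssl side of the steps above without a thawte account, here is an added shell script (not from the original hint) that stands in for the CA by self-signing the CSR, wraps the result in the same PKCS7 form as the fetched deliver file, extracts the certificate, checks that it really matches the private key, and builds the .p12 that Keychain Access imports. Assumptions: openssl is on the PATH, the key is 2048-bit with no pass phrase so the script runs unattended (with a real certificate keep -des3 as above), and the export password demo-export is a constructed value.

```shell
#!/bin/sh
# Added example, not from the original hint: local dry run of the
# key -> CSR -> PKCS7 -> certs -> PKCS#12 chain, with a self-signed
# certificate standing in for the one thawte would issue.
smime_chain_demo() (
  work=$(mktemp -d) || exit 1
  cd "$work" || exit 1
  # 1. private key (no pass phrase here so it runs unattended; assumption)
  openssl genrsa -out mail.key 2048 2>/dev/null || exit 1
  # 2. CSR with the same subject fields the hint fills in interactively
  openssl req -new -key mail.key -out mail.csr \
    -subj "/C=US/ST=Florida/L=Key Largo/O=TCH Enterprises/OU=EMAIL/CN=paste_your_certificate_here/emailAddress=your_email@domain.com" \
    || exit 1
  # 3. stand-in for the CA: self-sign the CSR (thawte does this step for real)
  openssl x509 -req -in mail.csr -signkey mail.key -days 30 -out mail.crt 2>/dev/null || exit 1
  # 4. wrap the cert in a PKCS7 bundle, the shape of the deliver.exe file
  openssl crl2pkcs7 -nocrl -certfile mail.crt -out deliver.exe || exit 1
  # 5. the hint's extraction step
  openssl pkcs7 -print_certs -in deliver.exe -out deliver.certs || exit 1
  # 6. the check worth doing before importing: does the issued cert match our key?
  keymod=$(openssl rsa -in mail.key -noout -modulus) || exit 1
  certmod=$(openssl x509 -in deliver.certs -noout -modulus) || exit 1
  [ "$keymod" = "$certmod" ] || exit 1
  # 7. build the PKCS#12 file for Keychain Access (constructed export password)
  openssl pkcs12 -export -inkey mail.key -in deliver.certs -out mail.p12 \
    -passout pass:demo-export || exit 1
  # 8. confirm the .p12 round-trips and still carries the private key
  openssl pkcs12 -in mail.p12 -passin pass:demo-export -nocerts \
    -passout pass:demo-export 2>/dev/null | grep -q 'PRIVATE KEY' || exit 1
  # print the path of the finished bundle for the caller
  printf '%s\n' "$work/mail.p12"
)
```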
Posting your public key to the web:
The easiest way to get your public key is to send yourself a signed email. Open that email in a web-based email client and download the attachment. This attachment is your public key (your certificate), which you can now post on your personal website for people to download. That lets them send you encrypted emails even if you have never sent them a signed email.
Do not lose your key pair! If you lose your key pair, there is no way to get it back. Make a backup copy and store it in a secure location -- that is, somewhere not on your own computer, ideally at an offsite location.
[robg adds: I haven't tested this one.]