From 9f3407f48d642e32ca60b66802d3468bedbc88fc Mon Sep 17 00:00:00 2001 From: Tom Ryder Date: Tue, 19 May 2020 22:11:52 +1200 Subject: Update Mutt config; self and opportunistic encrypt Install the GPG_KEYID export, built using whatever the value of the GPG_KEYID macro is (renamed from KEY) --- .gitignore | 2 ++ Makefile | 19 +++++++++++++++---- git/config.mi5 | 2 +- gnupg/profile.d/gnupg.sh.mi5 | 3 +++ mutt/muttrc | 42 ++++++++++++++++++++++++++++++++++++++++-- 5 files changed, 61 insertions(+), 7 deletions(-) create mode 100644 gnupg/profile.d/gnupg.sh.mi5 diff --git a/.gitignore b/.gitignore index 6f90d859..6d38b02a 100644 --- a/.gitignore +++ b/.gitignore @@ -181,6 +181,8 @@ /git/template/hooks/pre-commit /git/template/hooks/prepare-commit-msg /git/template/hooks/post-update +/gnupg/profile.d/gnupg.sh +/gnupg/profile.d/gnupg.sh.m4 /include/mktd.m4 /less/less /urxvt/ext/select diff --git a/Makefile b/Makefile index ee57aba9..724473aa 100644 --- a/Makefile +++ b/Makefile @@ -97,7 +97,7 @@ XDG_DATA_HOME = $(HOME)/.local/share NAME = 'Tom Ryder' EMAIL = tom@sanctum.geek.nz -KEY = FA09C06E1B670CD0B2F5DE60C14286EA77BB8872 +GPG_KEYID = FA09C06E1B670CD0B2F5DE60C14286EA77BB8872 SENDMAIL = msmtp BINS = bin/ap \ @@ -282,7 +282,11 @@ GIT_TEMPLATE_HOOKS = git/template/hooks/post-update \ git/template/hooks/pre-commit \ git/template/hooks/prepare-commit-msg -all: $(BINS) git/config less/less $(GIT_TEMPLATE_HOOKS) +all: $(BINS) \ + $(GIT_TEMPLATE_HOOKS) \ + git/config \ + gnupg/profile.d/gnupg.sh \ + less/less clean distclean: rm -f -- \ @@ -295,6 +299,7 @@ clean distclean: dillo/dillorc.m4 \ git/config \ git/config.m4 \ + gnupg/profile.d/gnupg.sh \ include/mktd.m4 \ less/less \ urxvt/ext/select \ @@ -347,7 +352,7 @@ git/config: git/config.m4 m4 \ -D NAME=$(NAME) \ -D EMAIL=$(EMAIL) \ - -D KEY=$(KEY) \ + -D GPG_KEYID=$(GPG_KEYID) \ -D SENDMAIL=$(SENDMAIL) \ -D XDG_CONFIG_HOME=$(XDG_CONFIG_HOME) \ git/config.m4 > $@ 
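Review bot: The `clean distclean` hunk (`@@ -295,6 +299,7 @@`) removes the generated `gnupg/profile.d/gnupg.sh` but not its intermediate `gnupg/profile.d/gnupg.sh.m4`, even though the `.gitignore` hunk in this same commit treats that `.m4` as a build product and the neighbouring entries `dillo/dillorc.m4`, `git/config.m4` and `include/mktd.m4` do get cleaned. Add `gnupg/profile.d/gnupg.sh.m4 \` directly after the new line so a cleaned tree does not keep a stale expansion of the template around; presumably the `.mi5` to `.m4` step is a pattern rule elsewhere in the file, so nothing else needs to change. The `rm -f -- \` list begins and ends outside what is visible of this hunk.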
@@ -355,6 +360,11 @@ git/config: git/config.m4 less/less: less/lesskey lesskey --output $@ less/lesskey +gnupg/profile.d/gnupg.sh: gnupg/profile.d/gnupg.sh.m4 + m4 \ + -D GPG_KEYID=$(GPG_KEYID) \ + gnupg/profile.d/gnupg.sh.m4 > $@ + MAILDIR = $(HOME)/Mail install: install-bin \ @@ -443,7 +453,8 @@ install-git: git/config $(GIT_TEMPLATE_HOOKS) $(XDG_CONFIG_HOME)/git/template"$${1#git/template}"' \ _ {} \; -install-gnupg: +install-gnupg: gnupg/profile.d/gnupg.sh install-sh + cp -p -- gnupg/profile.d/* $(HOME)/.profile.d mkdir -m 0700 -p -- $(HOME)/.gnupg cp -p -- gnupg/*.conf $(HOME)/.gnupg diff --git a/git/config.mi5 b/git/config.mi5 index fba79411..3337a683 100644 --- a/git/config.mi5 +++ b/git/config.mi5 @@ -34,4 +34,4 @@ [user] name = <% NAME %> email = <% EMAIL %> - signingKey = <% KEY %> + signingKey = <% GPG_KEYID %> diff --git a/gnupg/profile.d/gnupg.sh.mi5 b/gnupg/profile.d/gnupg.sh.mi5 new file mode 100644 index 00000000..33a57dd0 --- /dev/null +++ b/gnupg/profile.d/gnupg.sh.mi5 @@ -0,0 +1,3 @@ +# GPG key details +GPG_KEYID=<% GPG_KEYID %> +export GPG_KEYID diff --git a/mutt/muttrc b/mutt/muttrc index 528127fe..bd244f8a 100644 --- a/mutt/muttrc +++ b/mutt/muttrc 
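Review bot: The new `gnupg/profile.d/gnupg.sh` rule redirects m4 output with `> $@`, so the shell truncates the target before m4 runs and a failing m4 leaves an empty `gnupg.sh` that is newer than its prerequisite; `install-gnupg` then copies that empty file into `$(HOME)/.profile.d` and `GPG_KEYID` is silently never exported, which is exactly the case the muttrc comment in this commit warns about. The existing `git/config` rule just above has the same shape, so the least intrusive fix is a file-wide `.DELETE_ON_ERROR:` near the top of the Makefile (outside this hunk; skip if it is already there), otherwise write to `$@.tmp` and finish with `mv -f -- $@.tmp $@`. The value is also interpolated unquoted into the m4 command line as `-D GPG_KEYID=$(GPG_KEYID)`, which is fine for a hex fingerprint but worth a comment for anyone overriding `GPG_KEYID` on the `make` command line.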
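Review bot: `cp -p -- gnupg/profile.d/* $(HOME)/.profile.d` in the new `install-gnupg` recipe copies everything in that directory, which after this commit includes the tracked template `gnupg.sh.mi5` and the generated intermediate `gnupg.sh.m4` (listed as a build product in the `.gitignore` hunk), not only the expanded `gnupg.sh` named as the prerequisite. Narrow the glob to `cp -p -- gnupg/profile.d/*.sh $(HOME)/.profile.d` so only the finished profile fragment lands there; whatever sources `~/.profile.d` at login presumably picks up `*.sh` only, but installing templates next to it is confusing at best. The added `install-sh` prerequisite is presumably what creates `$(HOME)/.profile.d`; if it does not, add `mkdir -p -- $(HOME)/.profile.d` before the copy, matching the `mkdir -m 0700 -p -- $(HOME)/.gnupg` line that follows.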
@@ -26,13 +26,51 @@ set beep_new # unset confirmappend -# Use the GPGME library for PGP. Sign replies to messages that are themselves -# signed or encrypted. +# Use the GPGME library for PGP; sign replies to messages that are themselves +# signed (whether encrypted or not), and encrypt when we have a key for every +# recipient (opportunistic). # set crypt_use_gpgme +set crypt_opportunistic_encrypt set crypt_replysign set crypt_replysignencrypted +# Use a default key for self-encrypting both sent and draft messages so that +# they're protected but legible. This defaults to the GPG_KEYID environment +# variable, so be careful to set that lest you send useless OpenPGP headers! +# My kingdom for muttrc(5) conditionals... +# +set pgp_default_key = $GPG_KEYID +set pgp_self_encrypt +set postpone_encrypt + +# Always include OpenPGP header with the selected default key, regardless of +# whether the message is protected or not: +# +# +# +# This RFC has expired and doesn't seem to have seen widespread adoption, but +# it seems that Thunderbird's Enigmail extension is still sending key IDs with +# it, and it doesn't do any harm. +# +my_hdr OpenPGP: id=$pgp_default_key\; \ +preference=signencrypt\; \ +url=https://keyserver.pgp.com/vkd/DownloadKey.event?keyid=0x$pgp_default_key + +# Because I (personally) never want to encrypt mail without signing it, add in +# a hook for sending or changing a message that forces a signature if it's +# encrypted but not signed. This may not suit anyone else reading. +# +send-hook '~G !~g' 'push s' +send2-hook '~G !~g' 'push s' + +# Because of the order in which opportunistic encryption is applied, we queue +# up a no-op change by opening the PGP menu and then doing nothing (pressing +# Enter), to trigger send2-hooks to run and turn signatures on if opportunistic +# encryption happens to have decided to switch encryption on. 
+# +send-hook '!~G !~g' 'push ' + # Default to a subject format for forwarded messages that's more familiar to # most mail users, unless sending mail to a list where they're more likely to # appreciate the nicer default that uses square brackets and the author email -- cgit v1.2.3
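Review bot: `set crypt_opportunistic_encrypt` encrypts to whichever key Mutt can find for each recipient address, and as far as I recall the default lookup does not require that key to be validated, so a spoofed or planted key for a correspondent quietly becomes the encryption target; if the Mutt in use is recent enough (1.13 or later, if memory serves) pair it with `set crypt_opportunistic_encrypt_strong_keys` so only keys with full or ultimate validity qualify, and say so in the new comment block above `set crypt_use_gpgme`. As rendered here the argument of the final hook, `send-hook '!~G !~g' 'push '`, is empty, and the `'push s'` hooks and the reference URL in the OpenPGP comment look truncated as well — presumably the `<pgp-menu>`/`<enter>` key names and an angle-bracketed URL were lost in extraction, so check the committed muttrc rather than this page before copying these lines. The `my_hdr OpenPGP:` line is where the `keyid=0x$pgp_default_key` value is actually built, so the warning about an unset `GPG_KEYID` producing a useless header belongs in a comment directly on that line rather than only in the `pgp_default_key` block further up.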