Is there a howto on setting up GPG w/ RT-3.8.0?

I have gotten RT 3.8.0 working pretty well. It so far is doing
everything I want except one thing. Which comes more from my lack of
understanding how GPG works with RT.

I have read the docs on how gpg works, and what sort of configs I need
to do for RT, but I’m still having a difficult time wrapping my head
around what needs to be done.

I’d really rather not be hand-held the whole way here, but I can barely
find any real documentation on how to get GPG functionality working,
so I must ask for some hand holding.

Really, what I need to know is the following.

1.) What GPG files does RT look for? I could just recreate my own
GnuPG folder but I’m not really sure if this is correct.
2.) What configuration options are needed to encrypt email messages?
( We have a mixed environment here that most of our users encrypt
email, but outsiders don’t. )

These are the only options I have in my RT_SiteConfig.PM as far as GPG is
concerned.

Set(%GnuPG, Enable=>1, OutgoingMessagesFormat=>RFC,
EncryptDataInDb=>0,);
Set(%GnuPGOptions, homedir=>'/usr/local/rt-3.8.0/var/data/gpg',);

Can anyone fill in the blanks here for me?

Charlie

> Can anyone fill in the blanks here for me?

perldoc lib/RT/Crypt/GnuPG.pm


The rt-users Archives

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Best regards, Ruslan.

Charlie Reddington wrote:
| Set(%GnuPG, Enable=>1, OutgoingMessagesFormat=>RFC,
| EncryptDataInDb=>0,);
| Set(%GnuPGOptions, homedir=>'/usr/local/rt-3.8.0/var/data/gpg',);

That’s ok but not enough.
I’ll tell you my own little experience.

Key management is done by the admin (root?)[0] with gpg on the command line
(don’t forget to set the homedir to ‘/usr/…/gpg’ as you did in your
config file).

For example, I have a user called ‘myuser’ associated with the mail
‘myuser@mydomain.com’.
You need to create the key pair for that user (you know how, I guess) with
the email equal to the one in RT (‘myuser@mydomain.com’).

After that, you need to import it into the keyring (as root).

Voilà! Now ‘myuser’ can select (from a select-box) his keys.

Cheers.

[0] ‘admin’ := homedir’s owner

A\C Mario A. del Riego
Unidad de Recursos Informáticos
Facultad de Ingeniería - UdelaR
"The University cannot be an indifferent repository of personal dreams
and frustrations…" Dr. G. Perera

> Voilà! Now ‘myuser’ can select (from a select-box) his keys.

You don’t have to generate keys for users. Either you can import his
key or use keyservers.



Best regards, Ruslan.

Ruslan Zakirov wrote:
|> You don’t have to generate keys for users. Either you can import his
|> key or use keyservers.

Ok, you don’t have to… but when ‘myuser’ signs or encrypts a comment on a
ticket, how does RT get his private key? I can’t understand that…

(I guess when you say ‘import his key’ it is his public key)

Thanks.

A\C Mario A. del Riego

> Ok, you don’t have to… but when ‘myuser’ signs or encrypts a comment on a
> ticket, how does RT get his private key? I can’t understand that…

Content is encrypted using recipients’ public keys. Content is signed
using queues’ private keys.



Best regards, Ruslan.

Okay I have some progress but more questions.

When I use only this line for my GPG options I get the options in my
queue to ‘sign by default’ and ‘encrypt by default’.

Set(%GnuPG, Enable=>1, OutgoingMessagesFormat=>RFC,
EncryptDataInDb=>0,);

What I did was, as root, create a gpg key using the email address that
I am sending in to. As for the name, I didn’t know what to put, so I
used the name prior to the @ of the email address.

But when I send tickets in that are encrypted, it doesn’t send
responses because of these errors.

[Mon Aug 25 15:51:29 2008] [info]:
<rt-3.8.0-20903-1219679489-1116.31-3-0@> #31/370 - Scrip 3 On
Create Autoreply To Requestors (/usr/local/rt-3.8.0/bin/…/lib/RT/
Action/SendEmail.pm:302)
[Mon Aug 25 15:51:30 2008] [warning]: gpg: WARNING: unsafe ownership
on homedir “/usr/local/rt-3.8.0/var/data/gpg” (/usr/local/rt-3.8.0/
bin/…/lib/RT/Crypt/GnuPG.pm:546) ** This shows up after I made the
directory writable as I was getting errors that it couldn’t create
temp files **
[Mon Aug 25 15:51:30 2008] [error]: gpg: keyring `/usr/local/rt-3.8.0/var/data/gpg/secring.gpg' created
gpg: keyring `/usr/local/rt-3.8.0/var/data/gpg/pubring.gpg' created
gpg: no default secret key: secret key not available
gpg: [stdin]: sign+encrypt failed: secret key not available (/usr/
local/rt-3.8.0/bin/…/lib/RT/Crypt/GnuPG.pm:547)
[Mon Aug 25 15:51:30 2008] [info]:
<rt-3.8.0-20903-1219679489-268.31-4-0@> #31/370 - Scrip 4 On
Create Notify AdminCcs (/usr/local/rt-3.8.0/bin/…/lib/RT/Action/
SendEmail.pm:302)
[Mon Aug 25 15:51:30 2008] [info]:
<rt-3.8.0-20903-1219679489-268.31-4-0@> No recipients found.
Not sending. (/usr/local/rt-3.8.0/bin/…/lib/RT/Interface/Email.pm:337)
[Mon Aug 25 15:51:30 2008] [info]: Ticket 31 created in queue
‘General’ by charlier@.com (/usr/local/rt-3.8.0/bin/…/lib/RT/
Ticket_Overlay.pm:659)

But when I try to offer RT the creds it may need to put the passphrase
in, it no longer gives any encrypt options. This is what I’m using for
that.

Set(%GnuPGOptions, homedir=>'/usr/local/rt-3.8.0/var/data/gpg',
'--passphrase'=>'passphrase secret');

Any advice here?

Charlie

On Aug 23, 2008, at 12:16 AM, Ruslan Zakirov wrote:

> On Sat, Aug 23, 2008 at 5:11 AM, Mario A. del Riego delriego@fing.edu.uy wrote:
>> Ok, you don’t have to… but when ‘myuser’ signs or encrypts a comment
>> on a ticket, how does RT get his private key? I can’t understand that…
>
> Content is encrypted using recipients’ public keys. Content is signed
> using queues’ private keys.
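
The checks behind the errors in the log above, as an added example that is not part of the thread or of RT's own code: the gpg homedir must belong to the account RT runs as with mode 0700, the queue address needs a secret key for signing, and each recipient needs a public key for encryption. The function names, the example.com addresses and the sample key listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks on the keyring that %GnuPGOptions homedir points at.
# Function names, addresses and the sample listing are constructed for illustration.

# homedir_ok DIR UID: succeed only if DIR is owned by numeric UID with mode 0700;
# anything looser makes gpg warn about unsafe ownership/permissions on homedir.
homedir_ok() {
    [ -d "$1" ] || return 1
    ls -ldn "$1" | awk -v uid="$2" '
        { ok = ($1 ~ /^drwx------/ && $3 == uid) }
        END { exit !ok }'
}

# listing_has_addr ADDR: read `gpg --with-colons` output on stdin; succeed if a
# sec/pub/uid record that is not revoked (r) or expired (e) names <ADDR> in field 10.
listing_has_addr() {
    awk -F: -v a="<$1>" '
        $1 ~ /^(sec|pub|uid)$/ && $2 !~ /^[re]$/ &&
            index(tolower($10), tolower(a)) { found = 1 }
        END { exit !found }'
}

# check_rt_keyring DIR UID QUEUE_ADDR [RECIPIENT...]: run as the account RT runs as.
# Signing needs the queue's secret key; encrypting needs each recipient's public key.
check_rt_keyring() {
    dir=$1 uid=$2 queue=$3; shift 3
    homedir_ok "$dir" "$uid" || { echo "fix owner/mode of $dir"; return 1; }
    gpg --homedir "$dir" --batch --with-colons --list-secret-keys 2>/dev/null |
        listing_has_addr "$queue" || { echo "no secret key for $queue"; return 1; }
    for rcpt in "$@"; do
        gpg --homedir "$dir" --batch --with-colons --list-keys 2>/dev/null |
            listing_has_addr "$rcpt" || echo "no public key for $rcpt"
    done
}

# Constructed colon listing (not real keys): one usable and one revoked secret key.
SAMPLE_LISTING='sec::1024:17:0000000000000001:2008-08-25::::RT General <rt@example.com>:::
sec:r:1024:17:0000000000000002:2008-08-25::::Old Queue <old@example.com>:::'
```

A call such as `check_rt_keyring /usr/local/rt-3.8.0/var/data/gpg "$(id -u www-data)" rt@example.com requestor@example.com` assumes RT runs as `www-data`; substitute the account your web server uses.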