Basic commands such as `SPC' visualize messages signed or encrypted with PGP as well. Let's start with a simple example:
  8 S07/22 Sakai-san      Re: home was full     A bug of MsgStore.pm
  9 E07/23 Neat Sumikawa  Wine                  From good morning to
Messages 8 and 9 are marked with "S" and "E", respectively. This means that the *body* is signed and encrypted, respectively.
PGP/MIME also allows signing and/or encrypting only some parts of a message. In that case, these marks don't appear. The "S" mark or the "E" mark appears only on a message whose *body* is signed or encrypted.
"Signed" and "encrypted" as used above mean that the last procedure applied to the body was signing or encryption, respectively. The examples above may have been produced by a more complex process. For the former message, for instance, the body may have been signed after being encrypted. For the latter message, it is likely that some part was first signed and then the body was encrypted.
If some parts or the body are encrypted, Mew asks you to input your pass-phrase to get the plain text. The pass-phrase is used to decrypt your secret key. The secret key is then used to decrypt the cipher text.
To visualize PGP/MIME, you need to input your pass-phrase every time you encounter cipher text. This is because Mew does not cache pass-phrases anywhere, for security reasons. If you feel this is inconvenient, set the following configuration so that your pass-phrases are cached for a while. See the section "Updating and visiting folder" for what you should take care of when using this feature.
(setq mew-use-pgp-cached-passphrase t)
Since decrypted messages are cached for a while, you may not need to input your pass-phrase the next time the message is displayed, even if you do not use the pass-phrase cache.
To verify signatures, senders' public keys are used. So, you are not asked to type your pass-phrase.
Since Mew automatically verifies signatures and/or decrypts cipher text with the entered pass-phrase, users may well not notice that the original message had signatures or which parts were encrypted.
To tell users the results of verification of signatures or which parts were decrypted, Mew inserts the X-Mew: field in the header as follows:
X-Mew: <body> PGP decrypted. Good PGP sign "kazu@mew.org" COMPLETE
The number in "<>" indicates which part was protected with PGP. "body" means the body was protected. This example tells us that the body was signed by kazu and then encrypted for the reader. Mew first decrypted it and then verified the signature of the decrypted message. The signature is good, so nobody has modified the content since it was signed by the secret key whose ID is kazu@mew.org. The validity of the public key used to verify the signature is "complete". Thus, the receiver believes that the public key actually belongs to the user named by the ID. That is, this message was verified with a trusted public key AND the result was good, so no alteration was found.
In the following example, the signature of the body, which is multipart, was first verified then part 2, which is a message, was decrypted. That is, the composing process was that part 2 was first encrypted then the entire body was signed.
X-Mew: <body multi> Good PGP sign "kazu@mew.org" COMPLETE
X-Mew: <2 message> PGP decrypted.
Smart users may wonder what happens if a bad guy or gal sends you a message with an illegal X-Mew: field. Take it easy. Mew first carefully removes any X-Mew: field and then inserts a valid X-Mew: field into the header.
X-Mew: reports many other types of results, for example that no public key is available or that the decryption failed. The following example indicates that the public key whose key ID is 0x1B8BF431 is missing.
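The strip-then-insert step described above, sketched in Python as an added example (not Mew's own code, which is Emacs Lisp). The function names and the sample message are constructed for illustration; the result strings are the ones shown on this page.

```python
import re
from email import message_from_string

RESULT_FIELD = "X-Mew"
# "<part> result text", the layout of the X-Mew: examples on this page.
RESULT_RE = re.compile(r"^<([^>]*)>\s*(.*)$", re.S)


def replace_result_fields(raw, local_results):
    """Return (message, spoofed): the message with every sender-supplied
    X-Mew: field removed and the locally computed results added, plus the
    values that were removed (useful for flagging the message)."""
    msg = message_from_string(raw)
    # Header lookup is case-insensitive; the default parser keeps the line
    # breaks of folded fields, so collapse whitespace before reporting.
    spoofed = [" ".join(v.split()) for v in msg.get_all(RESULT_FIELD, [])]
    del msg[RESULT_FIELD]  # removes all occurrences, no error if absent
    for part, text in local_results:
        msg[RESULT_FIELD] = f"<{part}> {text}"
    return msg, spoofed


def parse_result(value):
    """Split an X-Mew: value into (part, result text)."""
    m = RESULT_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an X-Mew result: {value!r}")
    return m.group(1), m.group(2)


# Constructed sample: an unsigned message that arrives with a pre-planted,
# folded, lower-case result field claiming a good signature.
SAMPLE = (
    "From: mallory@example.org\n"
    "Subject: invoice\n"
    'x-mew: <body> Good PGP sign "kazu@mew.org"\n'
    " COMPLETE\n"
    "\n"
    "unsigned text\n"
)
# Result the local verification actually produced (string taken from this page).
LOCAL = [("body multi", "No his/her public key. ID = 0x1B8BF431")]

if __name__ == "__main__":
    msg, spoofed = replace_result_fields(SAMPLE, LOCAL)
    print("dropped sender-supplied fields:", spoofed)
    print(msg.as_string())
```

Only fields written after the removal step reflect local verification, so a display layer should read results from the returned message and never from the raw input.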
X-Mew: <body multi> No his/her public key. ID = 0x1B8BF431
In this case, if you type `C-cC-f', Mew tries to fetch this public key using the URL specified in `mew-pgp-keyserver-url-template'. If the X-Mew: field does not exist, `C-cC-f' takes the From: field as the ID. Also, `C-uC-cC-f' extracts key IDs from the fields specified in `mew-x-pgp-key-list' in addition to the X-Mew: field and then tries to fetch them.
Mew supports PGPv2, PGPv5, and GNUPG. You can select one of those by `C-cC-v' in Summary mode. If you want to use those PGPs, you should set the command name of PGPv2, PGPv5, and GNUPG to `mew-prog-pgp2', `mew-prog-pgp5', and `mew-prog-gpg', respectively. Also, set the default PGP name to `mew-prog-pgp'. Note that pass-phrases are cached independently for each PGP.