/ 
Mail-Make-v0.21.0
River stage zero No dependents
/ Mail::Make::GPG

NAME

Mail::Make::GPG - OpenPGP signing and encryption for Mail::Make

SYNOPSIS

use Mail::Make;

my $mail = Mail::Make->new
    ->from(    'jack@deguest.jp' )
    ->to(      'alice@example.com' )
    ->subject( 'Signed message' )
    ->plain(   "Hello Alice.\n" );

# Sign only — multipart/signed (RFC 3156 §5)
$mail->gpg_sign(
    KeyId      => '35ADBC3AF8355E845139D8965F3C0261CDB2E752',
    Passphrase => 'my-passphrase',   # or: sub { MyKeyring::get('gpg') }
)->smtpsend( %smtp_opts );

# Encrypt only — multipart/encrypted (RFC 3156 §4)
$mail->gpg_encrypt(
    Recipients => [ 'alice@example.com' ],
)->smtpsend( %smtp_opts );

# Sign then encrypt
$mail->gpg_sign_encrypt(
    KeyId      => '35ADBC3AF8355E845139D8965F3C0261CDB2E752',
    Passphrase => sub { MyKeyring::get_passphrase() },
    Recipients => [ 'alice@example.com', 'bob@example.com' ],
)->smtpsend( %smtp_opts );

# Auto-fetch recipient keys from a keyserver
$mail->gpg_encrypt(
    Recipients  => [ 'alice@example.com' ],
    KeyServer   => 'keys.openpgp.org',
    AutoFetch   => 1,
)->smtpsend( %smtp_opts );

VERSION

v0.1.4

DESCRIPTION

Mail::Make::GPG adds OpenPGP support to Mail::Make via direct calls to the gpg binary using IPC::Run. It produces RFC 3156-compliant multipart/signed and multipart/encrypted MIME structures.

This approach supports all key types that your installed GnuPG supports (RSA, DSA, Ed25519, ECDSA, etc.) and integrates naturally with gpg-agent for transparent passphrase caching.

This module is not normally used directly. The gpg_sign(), gpg_encrypt(), and gpg_sign_encrypt() methods are added to Mail::Make itself as fluent methods that load and delegate to this module.

OPTIONS

All options may be passed to the gpg_sign(), gpg_encrypt(), and gpg_sign_encrypt() methods on Mail::Make directly; they are forwarded to this module.

KeyId

Signing key fingerprint or ID (required for signing operations). Example: 35ADBC3AF8355E845139D8965F3C0261CDB2E752.

Passphrase

Passphrase to unlock the secret key. May be a plain string or a CODE reference called with no arguments at operation time. If omitted, GnuPG's agent handles passphrase prompting.

Recipients

Array reference of recipient addresses or key IDs (required for encryption).

Digest

Hash algorithm for signing. Defaults to SHA256. Valid values: SHA256, SHA384, SHA512, SHA1.

GpgBin

Full path to the gpg executable. If omitted, gpg2 and then gpg are searched in PATH.

KeyServer

Keyserver URL for auto-fetching recipient public keys. Only consulted when AutoFetch is true. Example: 'keys.openpgp.org'.

AutoFetch

Boolean. When true and KeyServer is set, gpg --locate-keys is called for each recipient address before encryption. Defaults to 0 (disabled).

METHODS

auto_fetch( [$bool] )

Gets or sets the auto-fetch flag. When true and keyserver() is set, gpg --locate-keys is called for each recipient before encryption.

Default: 0.

digest( [$algorithm] )

Gets or sets the hash algorithm used for signing. The value is uppercased automatically.

Default: SHA256.

Valid values: SHA256, SHA384, SHA512, SHA1.

encrypt( entity => $mail [, %opts] )

Encrypts $mail for one or more recipients and returns a new Mail::Make object whose top-level MIME type is multipart/encrypted (RFC 3156 §4).

The caller is responsible for supplying recipient public keys in the GnuPG keyring. When auto_fetch() and keyserver() are set, key retrieval via gpg --locate-keys is attempted before encryption.

Required options:

entity => $mail_make_obj

The Mail::Make object to encrypt.

recipients => \@addrs_or_key_ids

Array reference of recipient e-mail addresses or key fingerprints.

Optional options mirror the accessor names: digest, gpg_bin, key_id, keyserver, passphrase.

gpg_bin( [$path] )

Gets or sets the full path to the gpg executable. When not set, gpg2 and then gpg are searched in PATH.

key_id( [$fingerprint] )

Gets or sets the default signing key fingerprint or ID.

keyserver( [$url] )

Gets or sets the keyserver URL used for auto-fetching recipient public keys.

Example: 'keys.openpgp.org'.

passphrase( [$string_or_coderef] )

Gets or sets the passphrase for the secret key. May be a plain string or a CODE reference called with no arguments at operation time. When undef, GnuPG's agent is expected to handle passphrase prompting.

sign( entity => $mail [, %opts] )

Signs $mail and returns a new Mail::Make object whose top-level MIME type is multipart/signed (RFC 3156 §5). The signature is always detached and ASCII-armoured.

Required options:

entity => $mail_make_obj

The Mail::Make object to sign.

key_id => $fingerprint_or_id

Signing key fingerprint or short ID.

Optional options: digest, gpg_bin, passphrase.

sign_encrypt( entity => $mail, recipients => \@addrs [, %opts] )

Signs then encrypts $mail. Returns a new Mail::Make object whose top-level MIME type is multipart/encrypted containing a signed and encrypted OpenPGP payload.

Accepts all options from both "sign" and "encrypt".

DEPENDENCIES

IPC::Run

Loaded on demand. Required for all GPG operations.

File::Which

Loaded on demand. Used to locate the gpg binary in PATH.

GnuPG 2.x

Must be installed and accessible as gpg2 or gpg in PATH, or explicitly set via the GpgBin option.

STANDARDS

RFC 3156 — MIME Security with OpenPGP
RFC 4880 — OpenPGP Message Format

AUTHOR

Jacques Deguest <jack@deguest.jp>

SEE ALSO

Mail::Make, IPC::Run, File::Which

COPYRIGHT & LICENSE

Copyright(c) 2026 DEGUEST Pte. Ltd.

All rights reserved.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.