symmetric OpenPGP vs recent Iceweasel
|Type of work:||Code||Affected tool:|
- Work in progress
- Archive: implementation ideas
A great many Tails users currently use symmetric OpenPGP encryption in Iceweasel, thanks to FireGPG. We want to support this use case in the long run.
Also, we've been wanting to ship Iceweasel 5.x (./Iceweasel_5.x.html) as soon as possible, but FireGPG is discontinued upstream, is known not to work with FF4+ "because of the missing IPC library", and is generally a security mess.
We need to find a way to support symmetric OpenPGP encryption in Tails.
Work in progress
The Seahorse applet already knows how to decrypt symmetrically encrypted text. But it does not support symmetric encryption, seems dead upstream, was never released for GNOME3 and therefore is not part of Debian testing.
Therefore, we have written another OpenPGP panel applet; the bugfix/remove_firegpg branch does not run the Seahorse applet anymore. It does not install FireGPG either. Our own panel applet features:
- symmetrically encrypt clipboard content
- decrypt clipboard content (regardless of the kind of OpenPGP encryption)
- status icon and action menu change depending on the content of the clipboard(s), the same way as the Seahorse applet does
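As an added illustration (not the Tails applet's own code), here is one way a clipboard applet could pick between its encrypt and decrypt actions: it reads the leading packets of an armored OpenPGP message (RFC 4880) to tell passphrase-encrypted text from public-key-encrypted text. The function names, action strings and sample message are assumptions constructed for this example.

```python
import base64
import re

PKESK, SKESK = 1, 3  # RFC 4880 tags: public-key / symmetric-key encrypted session key
ARMOR = re.compile(r"-----BEGIN PGP MESSAGE-----\r?\n(.*?)-----END PGP MESSAGE-----", re.S)
ACTIONS = {(SKESK,): "decrypt-passphrase", (PKESK,): "decrypt-private-key",
           (PKESK, SKESK): "decrypt-either"}
# Constructed sample: one SKESK packet followed by a stub tag-18 encrypted data packet.
SAMPLE = "-----BEGIN PGP MESSAGE-----\n\nww0ECQMCAQIDBAUGBwhg0gMBAAA=\n-----END PGP MESSAGE-----\n"

def dearmor(body):
    """Drop armor headers and the '=' CRC-24 line, then base64-decode the rest."""
    lines = [ln.strip() for ln in body.strip().splitlines()]
    lines = lines[lines.index("") + 1:] if "" in lines else lines
    return base64.b64decode("".join(ln for ln in lines if not ln.startswith("=")))

def esk_tags(data):
    """Return the tags of the session-key packets that precede the encrypted data."""
    tags, i = set(), 0
    while i + 1 < len(data) and data[i] & 0x80:
        hdr, o = data[i], data[i + 1]
        new = hdr & 0x40                  # bit 6 set: new-format packet header
        tag = hdr & 0x3F if new else (hdr >> 2) & 0x0F
        if tag not in (PKESK, SKESK):
            break                         # reached the encrypted data packet
        if (new and o >= 224) or (not new and (hdr & 3) == 3):
            raise ValueError("unsupported length form for a session-key packet")
        if new and o < 192:               # new format, one-octet length
            n, i = o, i + 2
        elif new:                         # new format, two-octet length
            n, i = ((o - 192) << 8) + data[i + 2] + 192, i + 3
        else:                             # old format: 1, 2 or 4 length octets
            size = 1 << (hdr & 3)
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        tags.add(tag)
        i += n
    return tags

def classify(clipboard):
    """Map clipboard text to the action a panel applet could offer for it."""
    if "-----BEGIN PGP SIGNED MESSAGE-----" in clipboard:
        return "verify"
    m = ARMOR.search(clipboard)
    if m is None:
        return "encrypt"                  # no encrypted message: treat as plain text
    try:
        return ACTIONS.get(tuple(sorted(esk_tags(dearmor(m.group(1))))), "unknown")
    except (ValueError, IndexError):
        return "unknown"
```

Messages that carry no session-key packet at all (for example armored signed-only data) come back as "unknown", so the caller should fall back to handing the text to GnuPG and showing its output.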
Features missing compared to the Seahorse + FireGPG combo, which we can live with:
- asymmetric (i.e. public key) encryption
- import key (covered by other parts of the Seahorse UI, though)
- symmetric encryption of files
Also, we prepared a "fake" FireGPG plugin that explains why it's not here anymore and points to the alternative.
Done in Tails 0.10.
In the long run, we hope Seahorse gets support for symmetric encryption, and seahorse-plugins gets revived upstream. See details below.
Archive: implementation ideas
Port FireGPG to recent Firefox/Iceweasel releases
Dismissed: the web browser is too scary a place to run GnuPG operations in.
- ipc code: see ipc/get.sh in darkpixel's repository
- a local clone of the mozilla source code (canonical repository, releases).
Mike Cardwell's easy installation recipe works, but it uses a binary IPC extension shipped in the Git repository.
We therefore need to build the IPC extension against the Iceweasel 5 source code and test the result. Note that a "simple" clone of the Mercurial mozilla-release repository does not seem to be enough, as it lacks the obj-ff-release directory. Is this directory generated when compiling Firefox itself?
The Html Validator compilation instructions have stuff related to the mysterious
Find another user interface that provides the missing feature
This could be a nice medium-term workaround.
Writing a simplistic GUI able to symmetrically encrypt/decrypt text should be quite quick.
- It may be necessary to show all of GPG's output to the user: one can get burnt by GPG-wrapper GUIs that mislead about what GPG thinks.
- A message may be signed and encrypted using gpg --symmetric --sign
- only supports encryption
- only supports encryption
Add symmetric encryption support to GNOME
The Seahorse applet already knows how to decrypt symmetrically encrypted text. So the missing bit is symmetric encryption.
This would be the perfect long-term solution, but we probably lack the time and energy needed to implement it.
We asked the Seahorse authors to include this feature a while ago:
seahorse-plugins vs. GNOME3
Another problem is that seahorse-plugins (which the panel applet is part of) is not very well maintained upstream.
Stef Walters wants to get the Nautilus plugin ready for GNOME 3.4; we've asked about their plans for the panel applet.