An easier way to sign OpenPGP keys over the local network. A GTK/GNOME application to use GnuPG for signing other peoples' keys. Quickly, easily, and securely.

gnome-keysign, updated 2023-02-08 04:16:53

GNOME Keysign

A tool for signing OpenPGP keys.

Its purpose is to ease signing other peoples' keys. It is similar to caff, PIUS, or monkeysign. In fact, it is influenced a lot by these tools and either re-implements ideas or reuses code. Consider either of the above mentioned tools when you need a much more mature codebase.

In contrast to caff or monkeysign, this tool enables you to sign a key without contacting a key server. It downloads an authenticated copy of the key from the other party. For now, the key is authenticated by a Message Authentication Code which is securely transferred via a QR code. Alternatively, the user may type the fingerprint manually, assuming that it has been transferred securely via the audible channel. After having obtained an authentic copy of the key, its UIDs are signed. The signatures are then separately encrypted and sent via email to each UID. xdg-email is used to pop up a pre-filled email composer window of the mail client the user has already configured to use. This greatly reduces complexity as no SMTP configuration needs to be obtained and gives the user a well known interface.

The list of features includes:

* Modern GTK3 GUI
* Avahi-based discovery of peers in the local network
* alternatively: Key transfer via Bluetooth
* Cryptographically authenticated key exchange
* No (unauthenticated) connection to the Internet
* display of scanned QR code to prevent a maliciously injected frame
* alternatively manual fingerprint verification of the key
* signatures for each UID separately signed, encrypted, and sent
* no SMTP setup needed due to use of desktop portals or xdg-email
* runs in a Flatpak sandbox to isolate the app from the rest of the system

Installation

Before you can install GNOME Keysign, you need to have a few dependencies installed.

The list of dependencies includes:

* avahi with python bindings
* dbus with python bindings
* GStreamer with the good and bad plugins
* GTK and Cairo
* gobject introspection for those libraries
* Magic Wormhole
* PyBluez (optional)

openSUSE installation

openSUSE has `packaged the application <https://build.opensuse.org/package/show/GNOME:Apps/gnome-keysign>`_ so it should be easy for you to install it.

Arch Linux installation

On Arch Linux you can find GNOME Keysign in the `AUR <https://aur.archlinux.org/packages/gnome-keysign/>`_. For example you can install it with:

.. code::

yay -S gnome-keysign

Debian and Ubuntu dependencies

Some versions of Debian/Ubuntu have `packaged the application <https://packages.debian.org/gnome-keysign>`_ so it should be easy for you to install it.

If your version is older than that, this list of packages seems to make it work:

.. code::

   python python-babelgladeextractor avahi-daemon python-gi gir1.2-glib-2.0 gir1.2-gtk-3.0 python-dbus gir1.2-gstreamer-1.0 gir1.2-gst-plugins-base-1.0 gstreamer1.0-plugins-bad gstreamer1.0-plugins-good gstreamer1.0-gtk3 python-gi-cairo python-gpg python-twisted python-future

Magic Wormhole can be installed with pip:

.. code::

pip install magic-wormhole

In Ubuntu, the package gstreamer1.0-plugins-bad provides the zbar element and, in versions older than 18.04, the gtksink element. In newer versions of Ubuntu, the gtksink element is provided by the gstreamer1.0-gtk3 package. gstreamer1.0-plugins-good provides the autovideosrc element.

These packages should be optional:

.. code::

   python-requests python-qrcode python-bluez

Fedora dependencies

Eventually an up to date version is in `Fedora's COPR <https://copr.fedorainfracloud.org/coprs/muelli/gnome-keysign/>`_.

If that does not work or is not recent enough, then you may try an OpenSuSE package as mentioned above or install the dependencies yourself. The following has worked at least once for getting the application running, assuming that pip and git are already installed:

.. code::

sudo dnf install -y python-babel-BabelGladeExtractor python-gobject dbus-python gstreamer1-plugins-bad-free-gtk gstreamer1-plugins-good  gnupg python-gnupg  python-twisted
pip install magic-wormhole

As optional:

.. code::

sudo dnf install -y pybluez

Installation with pip

You may try the following in order to install the program to your user's home directory.

.. code::

pip install --user 'git+https://github.com/GNOME-Keysign/gnome-keysign.git#egg=gnome-keysign'

You should find a script in ~/.local/bin/gnome-keysign as well as a .desktop launcher in ~/.local/share/applications/.

As a flatpak

GNOME Keysign is available as a Flatpak on Flathub. You will need to have the xdg-desktop-portals installed in order to send email. You also need a pinentry that does not require access to the X window. pinentry-gnome3 as of 1.0.0 works.

A note to Arch users: This `Pipewire bug <https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/104>`_ is preventing gstreamer from running correctly.

From git

If you intend to hack on the software (yay!), you may want to clone the repository and install from there.

.. code::

git clone --recursive https://github.com/gnome-keysign/gnome-keysign.git
cd gnome-keysign
virtualenv --system-site-packages --python=python3 /tmp/keysign
/tmp/keysign/bin/pip install .

Note that this installs the application in the virtual environment, so you run the program from there, e.g. /tmp/keysign/bin/gnome-keysign.

Starting

If you have installed the application with pip, a .desktop file should have been deployed such that you should be able to run the program from your desktop shell. Search for "Keysign". If you want to run the program from the command line, you can add ~/.local/bin to your PATH. The installation should have put an executable named keysign in that directory.

If you haven't installed via pip, or not into your user's home directory (i.e. with --user), you can start the program from your environment's ./bin/ directory.

Running

Server side

This describes running the application's server mode in order to allow you to have your key signed by others running the application in client mode.

Once you've fired up the application, you can see a list of your private keys. Select one and the application will advance to the next stage.

You will see the details of the key you've selected. If you are happy with the key you have selected, click "Next".
This will cause the key's availability to be published on the local network. Also, an HTTP server will be spawned in order to enable others to download your key. In order for others to find you, the app displays both a string identifying your key and a bar code.

Either share the string or the bar code with someone who wants to sign your key.

Client side

Here, the client side is described. This is to sign someone's key.

You are presented with a feed of your camera and an entry field to type in a string. If you meet someone who has the server side of the application running, you can scan the bar code presented by the other party.

After you have either typed a fingerprint or scanned a bar code, the program will look for the relevant key on your local network. Note that the fingerprint has been transmitted securely, i.e. via a visual channel in the form of a bar code or the displayed fingerprint. This data allows the client to find the correct key: it compares the fingerprint against the fingerprints of the keys available on the local network.

After the correct key has been found, you see details of the key to be signed. If you are happy with what you see, i.e. because you have checked the names on the key to be correct, you can click next. This will cause the program to sign the key and open your mail program with the encrypted signature preloaded as attachment.
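To make the overview above and these client-side steps concrete, here is an added example in Python (constructed for this page, not code from the gnome-keysign project) that models the exchange: the server publishes a key and puts the fingerprint plus a fresh MAC key into the QR payload, the client picks the offer on the local network by fingerprint and then checks the MAC before it would sign. It goes one step beyond the text: the v4 fingerprint (RFC 4880) covers only the primary-key packet, so a blob with the same primary key but altered user IDs still matches a typed fingerprint, and only the MAC check catches it; the packet bytes, names and helper functions are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed model of the exchange the README describes (not code from the
# gnome-keysign project). A "blob" is the primary public-key packet body
# followed by the user ID bytes, so the fingerprint covers only the primary
# key while the MAC covers everything the client is about to sign.

def v4_fingerprint(pubkey_body: bytes) -> str:
    """OpenPGP v4 fingerprint (RFC 4880, 12.2): SHA-1 over 0x99, a two-byte
    big-endian length and the public-key packet body."""
    prefix = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()

def mpi(value: int) -> bytes:
    """Encode a positive integer as an OpenPGP multi-precision integer."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def make_blob(created: int, n: int, e: int, uid: str):
    """Build a v4 RSA public-key packet body from toy numbers (constructed,
    not a usable key) and return (packet body, packet body + UID bytes)."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return body, body + uid.encode()

def publish(pubkey_body: bytes, blob: bytes):
    """Server side: the QR code carries the fingerprint and a fresh MAC key;
    the HTTP server offers the blob together with its MAC."""
    mac_key = secrets.token_bytes(32)
    qr = {"fingerprint": v4_fingerprint(pubkey_body), "mac_key": mac_key}
    offer = {"pubkey_body": pubkey_body, "blob": blob,
             "mac": hmac.new(mac_key, blob, hashlib.sha256).digest()}
    return qr, offer

def find_and_verify(fingerprint: str, offers, mac_key: Optional[bytes] = None) -> bytes:
    """Client side: pick the LAN offer whose primary-key fingerprint matches
    the scanned or typed one. When the QR code supplied a MAC key, the MAC
    over the whole blob must verify as well; with a typed fingerprint only
    the fingerprint is checked, which is the weaker manual path."""
    wanted = fingerprint.replace(" ", "").upper()
    for offer in offers:
        if v4_fingerprint(offer["pubkey_body"]) != wanted:
            continue
        if mac_key is not None:
            expected = hmac.new(mac_key, offer["blob"], hashlib.sha256).digest()
            if not hmac.compare_digest(expected, offer["mac"]):
                raise ValueError("key blob failed the MAC check; do not sign it")
        return offer["blob"]
    raise LookupError("no key with that fingerprint on the local network")

if __name__ == "__main__":
    body, blob = make_blob(1600000000, 0xC0FFEED00D12345, 65537,
                           "Alice <alice@example.org>")
    qr, offer = publish(body, blob)
    print("QR payload fingerprint:", qr["fingerprint"])
    print("verified blob:", find_and_verify(qr["fingerprint"], [offer], qr["mac_key"]))
```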

Issues

build(deps): bump cryptography from 38.0.1 to 39.0.1

opened on 2023-02-08 04:16:52 by dependabot[bot]

Bumps cryptography from 38.0.1 to 39.0.1.

Changelog

Sourced from cryptography's changelog.

39.0.1 - 2023-02-07


* **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python
  buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931**
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.

.. _v39-0-0:

39.0.0 - 2023-01-01

* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.0 has been removed. Users on older version of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.5. The new minimum LibreSSL version is 3.5.0. Going forward our policy is to support versions of LibreSSL that are available in versions of OpenBSD that are still receiving security support.
* **BACKWARDS INCOMPATIBLE:** Removed the ``encode_point`` and ``from_encoded_point`` methods on :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`, which had been deprecated for several years. :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes` and :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point` should be used instead.
* **BACKWARDS INCOMPATIBLE:** Support for using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder`, other X.509 builders, and PKCS7 has been removed.
* **BACKWARDS INCOMPATIBLE:** Dropped support for macOS 10.10 and 10.11, macOS users must upgrade to 10.12 or newer.
* **ANNOUNCEMENT:** The next version of cryptography (40.0) will change the way we link OpenSSL. This will only impact users who build cryptography from source (i.e., not from a wheel), and specify their own version of OpenSSL. For those users, the ``CFLAGS``, ``LDFLAGS``, ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS`` environment variables will no longer be respected. Instead, users will need to configure their builds as documented here_.
* Added support for :ref:`disabling the legacy provider in OpenSSL 3.0.x <legacy-provider>`.
* Added support for disabling RSA key validation checks when loading RSA keys via :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`, :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`, and :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers.private_key`. This speeds up key loading but is :term:`unsafe` if you are loading potentially attacker supplied keys.
* Significantly improved performance for :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- ``@dependabot rebase`` will rebase this PR
- ``@dependabot recreate`` will recreate this PR, overwriting any edits that have been made to it
- ``@dependabot merge`` will merge this PR after your CI passes on it
- ``@dependabot squash and merge`` will squash and merge this PR after your CI passes on it
- ``@dependabot cancel merge`` will cancel a previously requested merge and block automerging
- ``@dependabot reopen`` will reopen this PR if it is closed
- ``@dependabot close`` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- ``@dependabot ignore this major version`` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- ``@dependabot ignore this minor version`` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- ``@dependabot ignore this dependency`` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- ``@dependabot use these labels`` will set the current labels as the default for future PRs for this repo and language
- ``@dependabot use these reviewers`` will set the current reviewers as the default for future PRs for this repo and language
- ``@dependabot use these assignees`` will set the current assignees as the default for future PRs for this repo and language
- ``@dependabot use this milestone`` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the `Security Alerts page <https://github.com/gnome-keysign/gnome-keysign/network/alerts>`_.

build(deps): bump certifi from 2022.9.14 to 2022.12.7

opened on 2022-12-09 08:02:55 by dependabot[bot]

Bumps certifi from 2022.9.14 to 2022.12.7.


programming error detected

opened on 2022-02-01 09:10:14 by bintonw

Description

Give this report a short descriptive title. Use something like "{feature-that-broke}: {what-went-wrong}" for the title, if you can. Then please replace this text with a longer description of the bug. Screenshots or videos are great, too!

Steps to reproduce

Please tell us what you were doing when the error message popped up. If you can provide step-by-step instructions on how to reproduce the bug, that's even better.

Traceback

.. code::

   System information: Linux-5.4.0-96-generic-x86_64-with-Peppermint-10-bionic
   Python information: 2.7.17 (default, Feb 27 2021, 15:10:58) [GCC 7.5.0]
   Traceback (most recent call last):
     File "/usr/lib/python2.7/dist-packages/keysign/scan_barcode.py", line 142, on_map(self=<scan_barcode.BarcodeReaderGTK object at 0x7f862...scan_barcode+BarcodeReaderGTK at 0x5646d3d59f90)>, *args=(<scan_barcode.BarcodeReaderGTK object at 0x7f862...scan_barcode+BarcodeReaderGTK at 0x5646d3d59f90)>,), **kwargs={})
       '''It seems this is called when the widget is becoming visible'''
       self.run()
       variables: {'self.run': ('local', <bound method BarcodeReaderGTK.run of <scan_barcode.BarcodeReaderGTK object at 0x7f86265dfb90 (keysign+scan_barcode+BarcodeReaderGTK at 0x5646d3d59f90)>>)}
     File "/usr/lib/python2.7/dist-packages/keysign/scan_barcode.py", line 113, run(self=<scan_barcode.BarcodeReaderGTK object at 0x7f862...scan_barcode+BarcodeReaderGTK at 0x5646d3d59f90)>)
       log.info("Launching pipeline %s", pipeline)
       pipeline = Gst.parse_launch(pipeline)
       variables: {'pipeline': ('local', 'autovideosrc \n ! tee name=t \n t. ! queue ! videoconvert \n ! zbar cache=true attach_frame=true \n ! fakesink \n t. ! queue ! videoconvert \n ! gtksink sync=false name=imagesink enable-last-sample=false \n'), 'Gst.parse_launch': ('global', gi.FunctionInfo(parse_launch))}
   Error: gst_parse_error: no element "gtksink" (1)

Make error dialogue translatable

opened on 2021-04-15 09:09:52 by muelli

We have introduced two strings which are not translatable :(

https://github.com/gnome-keysign/gnome-keysign/blob/68745b555a9ee41cd50cef6c96df86307ad861ca/keysign/keyconfirm.py#L152

While we could just import _ there, the much cleaner solution, I believe, is to define the dialogue in Glade and mark it as translatable there.

Use Camera portal

opened on 2020-12-04 18:19:15 by muelli

This will make it possible for the flatpaked version to get hold of a video feed without access to all devices.

https://github.com/flatpak/xdg-desktop-portal/issues/414#issuecomment-737999539 references https://gitlab.gnome.org/-/snippets/762 as an example.

On my Ubuntu 20.04 it throws

.. code::

   dbus.exceptions.DBusException: org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.Camera” on object at path /org/freedesktop/portal/desktop

probably because the portals are not new enough. If we want to care about that, we might want to detect that failure and fall back to the status quo.

Fails with Gtk3 requires X11, and no DISPLAY environment variable is set

opened on 2020-07-10 21:14:32 by ieugen

Hi,

I installed the app from https://flathub.org/apps/details/org.gnome.Keysign and I get this:

.. code::

   $ flatpak run org.gnome.Keysign
   Traceback (most recent call last):
     File "/app/bin/gnome-keysign", line 10, in <module>
       sys.exit(main())
     File "/app/lib/python3.7/site-packages/keysign/__init__.py", line 22, in main
       from . import app
     File "/app/lib/python3.7/site-packages/keysign/app.py", line 31, in <module>
       from twisted.internet import gtk3reactor
     File "/app/lib/python3.7/site-packages/twisted/internet/gtk3reactor.py", line 38, in <module>
       "Gtk3 requires X11, and no DISPLAY environment variable is set")
   ImportError: Gtk3 requires X11, and no DISPLAY environment variable is set

I was able to fix it by using Flatseal and removing socket=wayland permission.

Linux daos-495 5.7.0-1-amd64 #1 SMP Debian 5.7.6-1 (2020-06-24) x86_64 GNU/Linux

Releases

2019-09-13 14:54:50

GNOME Keysign is a tool to make signing OpenPGP keys as easy as possible. This is the v1.1.1 release which introduces key transport via the Internet.

You can get the app from:

        https://github.com/GNOME-Keysign/gnome-keysign/

Changes

  • Allow to drag and drop an email or its attachment into the app
  • show options to save produced certification as a file
  • Added a tooltip to the Internet button
  • Change logo to a wax seal
  • select usable private keys for signing, only

Resources

Download: https://github.com/GNOME-Keysign/gnome-keysign/archive/1.1.1.tar.gz Web site: https://wiki.gnome.org/Apps/Keysign

2019-09-13 10:30:02

GNOME Keysign is a tool to make signing OpenPGP keys as easy as possible. This is the v1.1 release which introduces key transport via the Internet.

You can get the app from:

        https://github.com/GNOME-Keysign/gnome-keysign/

Changes

  • Allow to drag and drop an email or its attachment into the app
  • show options to save produced certification as a file
  • Added a tooltip to the Internet button
  • Change logo to a wax seal
  • select usable private keys for signing, only

Resources

Download: https://github.com/GNOME-Keysign/gnome-keysign/archive/1.1.tar.gz Web site: https://wiki.gnome.org/Apps/Keysign

2019-01-21 14:00:51

GNOME Keysign is a tool to make signing OpenPGP keys as easy as possible. This is the v1.0.1 release which introduces key transport via the Internet.

You can get the app from:

        https://github.com/GNOME-Keysign/gnome-keysign/

Changes

  • fixed up appdata
  • Cater for newer wormhole close() semantics

Resources

Download: https://github.com/GNOME-Keysign/gnome-keysign/archive/1.0.1.tar.gz Web site: https://wiki.gnome.org/Apps/Keysign

v1.0.0 2019-01-03 19:10:19

Changes

  • Run with python3 from the desktop file
  • Removed monkeysign support
  • Stop installing gks-qrcode
  • Increased Python2 support in the tests
  • Fixed stopping wormhole discovery
  • Ship a new icon for the app
  • Removed gpgmh wrapper module

0.9.9 2018-08-31 19:15:29

GNOME Keysign is a tool to make signing OpenPGP keys as easy as possible. This is the v0.9.9 release which introduces key transport via the Internet.

You can get the app from:

        https://github.com/GNOME-Keysign/gnome-keysign/

Changes

  • Added support for magic wormhole as transport

Resources

Download: https://github.com/GNOME-Keysign/gnome-keysign/archive/0.9.9.tar.gz Web site: https://wiki.gnome.org/Apps/GnomeKeysign

2018-07-04 15:35:08
