Feature #11240

Document monkeysign

Added by sajolida 2016-03-15 12:04:04 . Updated 2019-06-10 14:47:53 .

Status:
Rejected
Priority:
Normal
Assignee:
sajolida
Category:
Target version:
Start date:
2016-03-15
Due date:
% Done:

20%

Feature Branch:
emmapeel:docs/11240-monkeysign
Type of work:
End-user documentation
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

I managed to send monkeysign emails doing:

torsocks monkeysign --user=sajolida@pimienta.org --smtp=mssatgg2rwa4aytk.onion:587 --smtpuser=sajolida@pimienta.org 0x66c8c2d7c5aa446d

So it works and we should document this briefly as an “advanced topics”.


Subtasks


Related issues

Related to Tails - Feature #8401: Improve monkeysign integration in Tails Rejected 2014-12-06

History

#1 Updated by muri 2016-03-15 14:25:07

When I try to sign the Tails signing key with monkeysign I get:

monkeysign 0xDBB802B258ACD84F
Traceback (most recent call last):
  File "/usr/bin/monkeysign", line 41, in <module>
    u.main()
  File "/usr/lib/python2.7/dist-packages/monkeysign/cli.py", line 64, in main
    self.copy_secrets()
  File "/usr/lib/python2.7/dist-packages/monkeysign/ui.py", line 256, in copy_secrets
    keys = self.keyring.get_keys(None, True, False)
  File "/usr/lib/python2.7/dist-packages/monkeysign/gpg.py", line 385, in get_keys
    key = OpenPGPkey(keydata)
  File "/usr/lib/python2.7/dist-packages/monkeysign/gpg.py", line 656, in __init__
    self.parse_gpg_list(data)
  File "/usr/lib/python2.7/dist-packages/monkeysign/gpg.py", line 698, in parse_gpg_list
    (null, self.trust, self.length, self.algo, keyid, self.creation, self.expiry, serial, trust, uid, sigclass, purpose, smime, wtf, wtf, wtf) = record
ValueError: too many values to unpack


I think the tool we choose should be able to sign our own key ;)

#2 Updated by intrigeri 2016-03-15 20:10:11

It might be that by design, monkeysign needs the key that will be certified to have an encryption subkey, so that the certification can be sent encrypted to the signee?

#3 Updated by sajolida 2016-03-16 11:28:04

I think it’s this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736548.

This is slightly off topic here, unless we’re discussing whether monkeysign is good enough to be documented and thus get more audience, generate more user support requests, etc.

#4 Updated by emmapeel 2016-08-20 06:33:45

  • Assignee set to emmapeel

#5 Updated by emmapeel 2016-08-27 04:05:25

  • Status changed from Confirmed to In Progress
  • Assignee deleted (emmapeel)
  • QA Check set to Ready for QA
  • Feature Branch set to emmapeel:docs/11240-monkeysign

Please review

https://git-tails.immerda.ch/emmapeel/tails/tree/wiki/src/doc/advanced_topics/monkeysign.mdwn?h=docs/11240-monkeysign

#6 Updated by intrigeri 2016-08-27 08:48:04

  • Assignee set to sajolida

(Sorry if I guess wrong, in which case reassign to me and I’ll try to find someone else :)

#7 Updated by emmapeel 2016-09-01 07:39:46

  • Assignee changed from sajolida to emmapeel
  • QA Check changed from Ready for QA to Dev Needed

Asked on the monkeysign forum, at

https://0xacab.org/monkeysphere/monkeysign/issues/5

Developer says it looks good, although better to sign with the fingerprint (silly me!), especially when using Tor.

#8 Updated by emmapeel 2016-09-03 13:14:21

  • Assignee deleted (emmapeel)
  • QA Check changed from Dev Needed to Ready for QA

#9 Updated by intrigeri 2016-09-09 14:39:22

  • Assignee set to intrigeri
  • Target version set to Tails_2.7

Thanks! I’ll have a look for technical correctness, and then will reassign to sajolida for tech writing review.

#10 Updated by intrigeri 2016-09-23 02:41:53

  • Assignee changed from intrigeri to emmapeel
  • QA Check changed from Ready for QA to Dev Needed
  • Does it really work to pass a fingerprint with spaces? I would be somewhat surprised. The upstream doc has examples without space.
  • Please use HTTPS when pointing to the upstream doc.
  • Please use consistent terminology wrt. “key ID”. I see “key id” and “keyid”, the gpg manpage uses “key ID”.
  • I’m sad that we’re reinforcing the “signing” vs. “certifying” confusion here, but I understand that it’s probably more important to be consistent with upstream’s terminology :/ Not your fault, of course.
  • Pointing to “learn more” at the beginning of the doc feels wrong to me, but I’ll let sajolida handle this part of the review.
  • The commands must not be split over multiple lines: it won’t work as-is. Worst case, if web formatting/layout requires it, use backslash to indicate line break in the middle of the command (even though it will make it harder to edit the command line for many users).
  • --smtpuser=amnesia in the template command feels wrong given the other bits that the user must replace are provided between brackets.
  • “specially when using it through the Tor network” is disputable and adds little information (in Tails you’re always using Tor anyway), so I would simply drop it.
  • “With your `amnesia@boum.org` OpenPGP key” is not consistent with the use of Riseup’s SMTP.
  • Does it really work to sign Tails’ signing key this way? At least “an encrypted and signed message will be sent” seems strange, given our signing key has no encryption subkey. If it really works, then I’m curious to what key the outgoing message will be encrypted: (just guessing:) any pubkey with an encryption subkey and a matching email address? If yes, this would be a minor security flaw in Monkeysign.
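The encryption-subkey question raised in this comment (and the #1 traceback, which came from unpacking a gpg colon record into a fixed-size tuple), as an added example that is not Monkeysign's or Tails' own code: it parses `gpg --with-colons --list-keys` output by field index and reports whether a key can receive an encrypted certification at all. The listing, UIDs and fingerprints below are constructed.

```python
# Added example for this ticket, not Monkeysign's or Tails' own code. It reads the
# `gpg --with-colons --list-keys` format by field index (the #1 traceback came from
# unpacking a record into a fixed-size tuple) and checks whether the key to be
# certified has any encryption capability. The listing is constructed.
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000000001:1411000000:::u:::scSC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1411000000::X::Constructed Signing Key <signing@example.org>::::::::::0:
pub:u:4096:1:0000000000000002:1411000000:::u:::scESCA::::::23::0:
fpr:::::::::0000000000000000000000000000000000000002:
uid:u::::1411000000::Y::Constructed User <user@example.org>::::::::::0:
sub:u:4096:1:0000000000000003:1411000000::::::e::::::23:
"""


def normalize_fingerprint(fpr):
    """Accept a fingerprint with or without spaces, in any case."""
    return "".join(fpr.split()).upper()


def parse_colon_listing(text):
    """Map primary fingerprint -> key dict; indexing tolerates extra trailing fields."""
    keys, current = {}, None
    for line in text.splitlines():
        rec = line.split(":")
        if rec[0] == "pub":
            current = {"keyid": rec[4], "caps": rec[11], "uids": [], "subkeys": []}
        elif current is None:
            continue
        elif rec[0] == "fpr" and "fpr" not in current:  # first fpr after pub: primary
            current["fpr"] = rec[9]
            keys[rec[9]] = current
        elif rec[0] == "uid":
            current["uids"].append(rec[9])
        elif rec[0] == "sub":
            current["subkeys"].append({"keyid": rec[4], "caps": rec[11]})
    return keys


def can_receive_encrypted_certification(keys, fingerprint):
    """True if the key or a subkey can encrypt ('e' per key, 'E' = usable overall).

    Monkeysign mails the certification encrypted to the signee, so a key without
    any encryption capability, as a release-signing key often is, cannot get one.
    """
    key = keys.get(normalize_fingerprint(fingerprint))
    if key is None:
        return False
    caps = key["caps"] + "".join(sk["caps"] for sk in key["subkeys"])
    return "e" in caps.lower()
```

Running the same functions over real `gpg --batch --with-colons --list-keys` output before calling monkeysign tells you up front whether the encrypted mail step can succeed for the chosen fingerprint.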

#11 Updated by intrigeri 2016-09-23 02:46:52

  • % Done changed from 0 to 20

Also:

  • https://monkeysign.readthedocs.io/en/2.x/usage.html has an example using Thunderbird (that likely most people using OpenPGP for email in Tails use); how about using it instead of manually passing SMTP info, that many people will have a hard time figuring out, on the command-line? Our Icedove now has the account configuration wizard, so it will autodetect these settings :)
  • I would assume that people using Monkeysign in Tails won’t do it only once, and have persistence enabled (to store their private key). So what about documenting how to write all required settings in a config file (+ how to make it persistent), or pointing to the upstream doc that already explains that? Maybe it’s too much work on our side, for little benefit, I don’t know. What do you think?
  • In general I’m glad that you worked with upstream on this one! The linking to it might need improvements, but I’m glad that the proposed branch does not attempt to duplicate all the info that upstream doc already has!

#12 Updated by emmapeel 2016-09-23 02:49:29

intrigeri wrote:
> * Does it really work to pass a fingerprint with spaces? I would be somewhat surprised. The upstream doc has examples without space.

It does now. Tested it in Tails.

> * Please use HTTPS when pointing to the upstream doc.

Ack!

> * Please use consistent terminology wrt. “key ID”. I see “key id” and “keyid”, the gpg manpage uses “key ID”.

> * I’m sad that we’re reinforcing the “signing” vs. “certifying” confusion here, but I understand that it’s probably more important to be consistent with upstream’s terminology :/ Not your fault, of course.
> * Pointing to “learn more” at the beginning of the doc feels wrong to me, but I’ll let sajolida handle this part of the review.
> * The commands must not be split over multiple lines: it won’t work as-is. Worst case, if web formatting/layout requires it, use backslash to indicate line break in the middle of the command (even though it will make it harder to edit the command line for many users).
> * --smtpuser=amnesia in the template command feels wrong given the other bits that the user must replace are provided between brackets.
> * “specially when using it through the Tor network” is disputable and add little information (in Tails you’re always using Tor anyway), so I would simply drop it.
> * “With your `amnesia@boum.org` OpenPGP key” is not consistent with the use of Riseup’s SMTP.

The thing is: there tends to be more than one GPG key on our key ring in Tails. So I wanted to show how you can choose the gpg key to sign the message to, and a different mailbox to send… maybe I should be more explicit.

> * Does it really work to sign Tails’ signing key this way? At least “an encrypted and signed message will be sent” seems strange, given our signing key has no encryption subkey. If it really works, then I’m curious to what key the outgoing message will be encrypted: (just guessing:) any pubkey with an encryption subkey and a matching email address? If yes, this would be a minor security flaw in Monkeysign.

TBH, I tested it with another fingerprint… copied that one but I cannot sign it anyway because it is already signed with my key…

#13 Updated by emmapeel 2016-09-23 02:55:59

intrigeri wrote:
> Also:
>
> * https://monkeysign.readthedocs.io/en/2.x/usage.html has an example using Thunderbird (that likely most people using OpenPGP for email in Tails use); how about using it instead of manually passing SMTP info, that many people will have a hard time figuring out, on the command-line? Our Icedove now has the account configuration wizard, so it will autodetect these settings :)

I know! But this is not working in our monkeysign version shipped in Tails. Will be working with monkeysign 2.1 https://0xacab.org/monkeysphere/monkeysign/milestones/1

> * I would assume that people using Monkeysign in Tails won’t do it only once, and have persistence enabled (to store their private key). So what about documenting how to write all required settings in a config file (+ how to make it persistent), or pointing to the upstream doc that already explains that? Maybe it’s too much work on our side, for little benefit, I don’t know. What do you think?

Actually the config file was my next goal. We had some issues with the readthedocs implementation but now it is easier to work on monkeysign docs :)

I asked monkeysign people for review, and offered to document it upstream. Then we could point our users there.

https://0xacab.org/monkeysphere/monkeysign/merge_requests?scope=all&state=merged#

> * In general I’m glad that you worked with upstream on this one! The linking to it might need improvements, but I’m glad that the proposed branch does not attempt to duplicate all the info that upstream doc already has!

(wax on, wax off!)

#14 Updated by intrigeri 2016-09-23 03:22:57

> I know! But this is not working in our monkeysign version shipped in Tails. Will be working with monkeysign 2.1 https://0xacab.org/monkeysphere/monkeysign/milestones/1
> […]
> Actually the config file was my next goal. We had some issues with the readthedocs implementation but now it is easier to work on monkeysign docs :)

Excellent, thanks!

#15 Updated by intrigeri 2016-09-23 03:25:37

>> * Does it really work to pass a fingerprint with spaces? I would be somewhat surprised. The upstream doc has examples without space.
> It does now. Tested it in Tails.

Cool :)

>> * “With your `amnesia@boum.org` OpenPGP key” is not consistent with the use of Riseup’s SMTP.

> The thing is: there tends to be more than one GPG key on our key ring in Tails. So I wanted to show how you can choose the gpg key to sign the message to, and a different mailbox to send… maybe I should be more explicit.

I see. But presumably, in general one should use the SMTP server corresponding to the signing key’s UID, in order to avoid linking identities together, no? So perhaps it’s actually better to not suggest that anyone does differently.

> TBH, I tested it with other fingerprint… copied that one but I cannot sign it anyway because it is already signed with my key…

OK, so let’s play it safe and not pretend that this thing will work, since it’s unlikely to.

#16 Updated by bertagaz 2016-11-17 17:38:33

  • Target version changed from Tails_2.7 to Tails_2.9.1

#17 Updated by anonym 2016-12-14 20:11:18

  • Target version changed from Tails_2.9.1 to Tails 2.10

#18 Updated by anonym 2017-01-24 20:48:45

  • Target version changed from Tails 2.10 to Tails_2.11

#19 Updated by anonym 2017-03-09 14:00:27

  • Target version changed from Tails_2.11 to Tails_2.12

#20 Updated by intrigeri 2017-04-20 07:02:52

  • Target version deleted (Tails_2.12)

No progress since 7 months => dropping target version for now. Feel free to re-add a (realistic) one if it helps you organize your work!

#21 Updated by sajolida 2018-01-11 20:27:03

  • Description updated

#22 Updated by sajolida 2018-01-11 20:29:02

  • Description updated

#23 Updated by Anonymous 2018-01-15 13:54:20

So it seems that the last thing to do on this ticket is to write a documentation for the working command?

#24 Updated by Anonymous 2018-08-17 16:16:51

  • Assignee changed from emmapeel to sajolida

Assigning to doc writers.

#25 Updated by intrigeri 2018-08-17 16:23:32

Monkeysign is dead upstream and it’s unclear whether it’ll make it into Buster, so if I were you I would not spend time on it right now.

#26 Updated by Anonymous 2018-08-18 12:56:51

  • related to Feature #8401: Improve monkeysign integration in Tails added

#27 Updated by sajolida 2018-09-09 17:52:41

  • Target version set to Tails_4.0
  • QA Check deleted (Dev Needed)

Reassigning to 4.0 then :)

Though I see a release in June 2018:

#28 Updated by intrigeri 2019-01-04 10:49:22

sajolida wrote:
> Though I see a release in June 2018:

This was some kind of “wrap things up and ship fixes that are ready” release, announced by the upstream author at the same time he announced on some mailing list that he was mostly giving up on this project. Sorry I can’t find the reference to that announcement.

#29 Updated by muri 2019-01-04 10:54:17

intrigeri wrote:
> This was some kind of “wrap things up and ship fixes that are ready” release, announced by the upstream author at the same time he announced on some mailing list that he was mostly giving up on this project. Sorry I can’t find the reference to that announcement.

FTR: https://lists.riseup.net/www/arc/monkeysphere/2018-06/msg00004.html

#30 Updated by intrigeri 2019-02-07 08:20:31

See “Monkeysign alternatives testing” on https://anarc.at/blog/2019-02-06-report/, whose conclusion is “So, surprisingly, Monkeysign might survive a bit longer, as much as I have come to dislike the poor little thing…”.

#31 Updated by intrigeri 2019-04-02 15:08:30

  • Target version deleted (Tails_4.0)

Let’s see if we remove it in Feature #15291.

#32 Updated by sajolida 2019-06-10 14:47:53

  • Status changed from In Progress to Rejected

We removed monkeysign in 3.14.