Hacker News
GopenPGP, an open source encryption library for native applications (protonmail.com)
80 points by gallypette 9 days ago | 18 comments

I’m not sure I understand why Protonmail forked the Go crypto library here. Did they fork the entire thing and make substantial changes/updates throughout, or did they just make changes to the PGP implementation available in Go/crypto?

Go/crypto already implements elliptic curve cryptography[1], so I’m curious which specific elliptic curve primitives (or algorithms) they added to their fork.


1. https://golang.org/pkg/crypto/

Go wanted to deprecate OpenPGP support. But, it looks as if they have walked that back a lot:


"We will be deprecating the packages listed above, except openpgp/, otr/ and xts/.

I'll update the proposal and send a CL shortly."



They changed defaults. 570d0c5fa7ef500786f15958b39af43af3359719 is interesting: "Add secp256k1 / x25519 / brainpool curves to openpgp".

I wonder if/when C or C++ bindings to this library will be made. It would be nice to have some alternative to GpgME.

There is also sequoia, with an explicit goal of being easy to link to C. If you can bear the license.

Source: https://sequoia-pgp.org/

For those wondering, the license for Sequoia is GPLv3.

So not an option for iOS iPhone email clients?

Are there any feature complete PGP/GPG libraries that target iOS? I use the Pass password manager, and it has a wonderful 3rd-party app for iOS, but the PGP implementation it uses (ObjectivePGP) is bizarrely licensed. All the other GPG implementations I am aware of have licenses that preclude their use on iOS.

Why can't you put GPL v3 software (or Apache or whatever GPL-compatible license you prefer) into the app store?

Not a lawyer, but I assume because the GPL v3 requires that other people be able to modify the program and redistribute their modified versions. Since Apple are the sole gatekeepers of anyone’s ability to distribute iOS apps to users, complying with the license is problematic.

Here's the FSF's take on it: https://www.fsf.org/blogs/licensing/more-about-the-app-store...

Long story short, the GPL requires you to grant a license to run the application for any purpose. You can also not add additional constraints to this. The App Store's terms and conditions say that you may only offer the software to be used under the usage terms that Apple gives. These two things are in conflict. Apple generally does not approve apps with a GPL license and most people think it's because of this reason (as far as I know they haven't ever made a comment about it). A few apps have apparently made it through; it seems this has been an error on Apple's part.

I think GPL at any version would be a problem with the app store. LGPL too.

IANAL, but my understanding is GPL means any distribution has to come with source upon reasonable request. Apple doesn't have source and thus can't comply with that, and shouldn't distribute the binaries.

LGPL I believe says that the LGPL portion has to be user-replaceable. Seems incompatible with code signing enforcement and static linking.

Now, I think a lot of people are probably breaking the letter and spirit of these licenses and publishing to the app store anyway.

Edit: after googling around, it seems this was a popular conversation topic around 2011, and the part being discussed was mostly Apple's TOS rather than the above points about the license.

GPLv3 is incompatible with the App Store's terms. I like to think that LGPL is technically compatible, but it's certainly a gray area. Note that iOS allows for dynamic linking libraries these days, though code must still be signed before it can be executed.

Probably because of TiVoization clause of GPLv3.

It’s not going on the as currently licensed, no.

The instructions aren't very straightforward, but you can compile Go code (which GopenPGP is) into a C archive: https://golang.org/cmd/go/#hdr-Build_modes

This[0] (from Alistair Crooks (NetBSD), who constantly amazes me) might fit the bill?

[0] http://netpgp.com/

iOS/macOS developers have an alternative with https://github.com/krzyzanowskim/ObjectivePGP that is tailored to the Apple platforms.
