monkeysign removal from bullseye

Andrew Gallagher andrewg at andrewg.com
Sun Mar 22 19:01:09 CET 2020


On 22/03/2020 16:35, Antoine Beaupré wrote:
>
> Within less than 24 hours, I get this email offering help.

Hi, Antoine.

I'm sorry to hear about the lack of support for your project. It had so
many maintainers! I personally only became aware of this when all of my
open tickets against monkeysign were forcibly closed.

> Besides, if people want a GUI to sign keys, GNOME keysign is pretty much
> the state of the art there, as the issue above documents.

GNOME keysign looks similar, but AFAICT it requires a "keysign server"
on the (mutual?) local network. That seems to be an extreme restriction,
and makes it totally useless to me (and I suspect most other people
too). It also doesn't see any of my private keys, which is a pretty big
blocker.

> I have a dev/python3 branch that is the latest work on this, if people
> want to take a look. Right now tests hang and I doubt the thing actually
> works.

I'm not a Python programmer and my skills here are probably nowhere near
what is required. I certainly wouldn't be comfortable taking the lead on
any large porting project, but I would be willing to help out wherever I
can. If however you think helping to improve an alternative project is a
better use of time and effort, I'll defer to your wisdom.

> Part of the problem with monkeysign is it was written before gpgme
> gained support for signing keys and dealing with keyrings (and I'm not
> sure its support is still good enough). I also didn't find out about the
> python-gnupg python library before writing the first spike on a train,
> so I ended up rewriting my own wrapper around `gpg --status-fd`, which
> was a terrible mistake.
>
> In retrospect, I consider it's a mistake to write *anything* that talks
> with `gpg --status-fd` now. 
...
> I'm sorry about this. I know it sucks to have a piece of software you
> use on a daily basis just disappear from under you.

I feel your pain. I've been trying for the past few years to knock
together a menu-driven offline-key management interface[1] for PGP CAs,
for use in corporate environments. I therefore wanted to make the entire
process (for both users and admins) as painless as possible. Monkeysign
became a key part of that once I discovered that writing my own flaky
wrappers around the gpg command line was duplicating your work. :-) And
there is approximately zero chance that I would have developed the
camera/qrcode interface myself.

If bringing monkeysign back from the dead is too much to ask, then maybe
I can work around it using caff - although I will lose much
functionality in doing so. GNOME keysign looks to have too many
restrictions to be usable (I want to run it on Tails, how on earth does
that work?). Any suggestions for workable alternatives will be
gratefully received.

Sorry again,
Andrew.

[1] If anyone is interested you can find the barely-functional carcass
of the project at https://github.com/andrewgdotcom/frith . Beware that
it is embarrassingly amateur, with no test suite, a shamefully
monolithic structure and lots of exposed wires.

-- 
Andrew Gallagher
