1 (edited by ΙΧΘΥΣ 2019-01-04 13:27:10)

Topic: Tutanota email client

I am considering downloading and using the Tutanota email client for Linux. I am a bit reluctant to do so because I have always wanted to keep my Hyperbola system free from any software not available in the official repositories.

When reading how to verify the downloaded file of the email client, I find that the process is different from the one I am accustomed to with gpg:


 * Utility to codesign the finished Installers.
 * This enables the App to verify the authenticity of the Updates, and
 * enables the User to verify the authenticity of their manually downloaded
 * Installer with the openssl utility.
 *
 * The installer signatures are provided as separate files:
 * https://mail.tutanota.com/desktop/tutanota-desktop-win-sig.bin (for Windows)
 * https://mail.tutanota.com/desktop/tutanota-desktop-mac-sig.bin (for Mac)
 * https://mail.tutanota.com/desktop/tutanota-desktop-linux-sig.bin (for Linux)
 *
 * They allow verifying the initial download via
 *
 *      # get public key from github
 *      wget https://raw.githubusercontent.com/tutao/tutanota/electron-client/tutao-pub.pem
 *          or
 *      curl https://raw.githubusercontent.com/tutao/tutanota/electron-client/tutao-pub.pem > tutao-pub.pem
 *      # validate the signature against public key
 *      openssl dgst -sha512 -verify tutao-pub.pem -signature signature.bin tutanota.installer.ext
 *
 * openssl should Print 'Verified OK' after the second command if the signature matches the certificate
 *
 * This prevents an attacker from getting forged Installers/updates installed/applied
 *
 * get pem cert from pfx:
 * openssl pkcs12 -in comodo-codesign.pfx -clcerts -nokeys -out tutao-cert.pem
 *
 * get private key from pfx:
 * openssl pkcs12 -in comodo-codesign.pfx -nocerts -out tutao.pem
 *
 * get public key from pem cert:
 * openssl x509 -pubkey -noout -in tutao-cert.pem > tutao-pub.pem
 * */

Honestly, I do not understand anything. Should I get the "pem cert" and private key from the pfx along with the public key from the cert before doing "openssl dgst -sha512 -verify ..."? That is, should I try the last two commands before trying the first three? Does anyone have any idea about this?

I wish everything was as simple as installing directly from the Hyperbola repositories, as I did with the mobile app when downloading it from F-Droid, but I guess it is just something personal and that there might not be a real demand for that package to be considered for being effectively uploaded to the repositories. Another point that plays against a hypothetical inclusion would be the fact that the desktop client is still in beta.

Anyway, I leave my suggestion here in case there is a real demand for it in the future.
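
The following is an added example (editor's code, not Tutanota's own, and not part of the post above) that reproduces the signer/verifier split behind the quoted comment with a throwaway key pair. The working directory, file names and the fake installer contents are assumptions for the demo; the real public key is the tutao-pub.pem published on GitHub. The point it shows: the three "pkcs12"/"x509" commands in the quoted comment only extract the certificate, private key and public key from comodo-codesign.pfx, a file that exists on the signer's side. A downloader never has that .pfx and never needs it; the check consists only of fetching tutao-pub.pem and running the single "openssl dgst -sha512 -verify" command, which must print "Verified OK".

```shell
#!/bin/sh
# Added example (editor's code, not Tutanota's): signer side and user side of
# the installer signature check, using a generated stand-in key pair.
# Assumptions: the $WORK directory, the file names below and the constructed
# installer contents. The real verification uses the tutao-pub.pem from GitHub.
set -eu

WORK="${TMPDIR:-/tmp}/tuta-sig-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# --- Signer side: what Tutao does with its code-signing key -----------------
# The quoted "openssl pkcs12 ... -nocerts" and "openssl x509 -pubkey" commands
# only pull the existing key and certificate out of comodo-codesign.pfx. Users
# do not have that .pfx, so this throwaway RSA key plays the same role here.
make_signer_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/tutao.pem" 2>/dev/null
    # The public half is what gets published as tutao-pub.pem.
    openssl pkey -in "$WORK/tutao.pem" -pubout -out "$WORK/tutao-pub.pem"
}

# SHA-512 over the installer, RSA signature written as raw bytes: the same
# layout as the tutanota-desktop-linux-sig.bin download.
sign_installer() {  # $1 = installer, $2 = signature output
    openssl dgst -sha512 -sign "$WORK/tutao.pem" -out "$2" "$1"
}

# --- User side: the only inputs a downloader needs ---------------------------
# Returns 0 only when openssl prints "Verified OK"; any error or mismatch is 1.
verify_installer() {  # $1 = public key, $2 = signature file, $3 = installer
    out=$(openssl dgst -sha512 -verify "$1" -signature "$2" "$3" 2>/dev/null) || return 1
    [ "$out" = "Verified OK" ]
}

INSTALLER="$WORK/tutanota-desktop-linux.AppImage"
SIG="$WORK/tutanota-desktop-linux-sig.bin"
PUB="$WORK/tutao-pub.pem"

# Build the fixture: keys, a constructed stand-in installer and its signature.
setup_demo() {
    make_signer_keys
    printf 'constructed stand-in for the AppImage bytes\n' > "$INSTALLER"
    sign_installer "$INSTALLER" "$SIG"
}

# The untouched download must verify against the published key.
genuine_verifies() {
    verify_installer "$PUB" "$SIG" "$INSTALLER"
}

# Overwrite the first byte, as a tampered mirror or a man in the middle would,
# and confirm the same signature now fails; restore the file afterwards.
tamper_detected() {
    cp "$INSTALLER" "$INSTALLER.orig"
    printf 'X' | dd of="$INSTALLER" bs=1 count=1 conv=notrunc 2>/dev/null
    if verify_installer "$PUB" "$SIG" "$INSTALLER"; then
        mv "$INSTALLER.orig" "$INSTALLER"
        return 1
    fi
    mv "$INSTALLER.orig" "$INSTALLER"
}

setup_demo
genuine_verifies && echo "genuine installer: Verified OK"
tamper_detected && echo "tampered installer: Verification Failure (as expected)"
```

For the real download, replace the three inputs of verify_installer with the tutao-pub.pem fetched from GitHub, the tutanota-desktop-linux-sig.bin file and the downloaded installer; nothing from the pkcs12 steps is involved. One caveat the quoted comment does not mention: the public key itself arrives over HTTPS from a GitHub branch, so the check is only as strong as that fetch. Compare the key (or its fingerprint via "openssl pkey -pubin -in tutao-pub.pem -outform DER | sha256sum") with a copy obtained through a second channel before trusting a "Verified OK".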

2

Re: Tutanota email client

ΙΧΘΥΣ wrote:

I am considering downloading and using the Tutanota email client for Linux. I am a bit reluctant to do so because I have always wanted to keep my Hyperbola system free from any software not available in the official repositories.

When reading how to verify the downloaded file of the email client, I find that the process is different from the one I am accustomed to with gpg:


 * Utility to codesign the finished Installers.
 * This enables the App to verify the authenticity of the Updates, and
 * enables the User to verify the authenticity of their manually downloaded
 * Installer with the openssl utility.
 *
 * The installer signatures are provided as separate files:
 * https://mail.tutanota.com/desktop/tutanota-desktop-win-sig.bin (for Windows)
 * https://mail.tutanota.com/desktop/tutanota-desktop-mac-sig.bin (for Mac)
 * https://mail.tutanota.com/desktop/tutanota-desktop-linux-sig.bin (for Linux)
 *
 * They allow verifying the initial download via
 *
 *      # get public key from github
 *      wget https://raw.githubusercontent.com/tutao/tutanota/electron-client/tutao-pub.pem
 *          or
 *      curl https://raw.githubusercontent.com/tutao/tutanota/electron-client/tutao-pub.pem > tutao-pub.pem
 *      # validate the signature against public key
 *      openssl dgst -sha512 -verify tutao-pub.pem -signature signature.bin tutanota.installer.ext
 *
 * openssl should Print 'Verified OK' after the second command if the signature matches the certificate
 *
 * This prevents an attacker from getting forged Installers/updates installed/applied
 *
 * get pem cert from pfx:
 * openssl pkcs12 -in comodo-codesign.pfx -clcerts -nokeys -out tutao-cert.pem
 *
 * get private key from pfx:
 * openssl pkcs12 -in comodo-codesign.pfx -nocerts -out tutao.pem
 *
 * get public key from pem cert:
 * openssl x509 -pubkey -noout -in tutao-cert.pem > tutao-pub.pem
 * */

Honestly, I do not understand anything. Should I get the "pem cert" and private key from the pfx along with the public key from the cert before doing "openssl dgst -sha512 -verify ..."? That is, should I try the last two commands before trying the first three? Does anyone have any idea about this?

I wish everything was as simple as installing directly from the Hyperbola repositories, as I did with the mobile app when downloading it from F-Droid, but I guess it is just something personal and that there might not be a real demand for that package to be considered for being effectively uploaded to the repositories. Another point that plays against a hypothetical inclusion would be the fact that the desktop client is still in beta.

Anyway, I leave my suggestion here in case there is a real demand for it in the future.

But I thought that email's server was proprietary. If you notice, it's under GPL3 but not AGPL3...

Might be good for people to look into this.

Hyperbola:

The Stable Secure Libre Arch!