1 (edited by ΙΧΘΥΣ 2019-01-04 13:27:10)

Topic: Tutanota email client

I am considering downloading and using the Tutanota email client for Linux. I am a bit reluctant to do so because I have always wanted to keep my Hyperbola system free from any software not available in the official repositories.

When reading how to verify the downloaded file of the email client, I find that the process is different from the one I am accustomed to with gpg:


 * Utility to codesign the finished Installers.
 * This enables the App to verify the authenticity of the Updates, and
 * enables the User to verify the authenticity of their manually downloaded
 * Installer with the openssl utility.
 *
 * The installer signatures are provided as separate files:
 * https://mail.tutanota.com/desktop/tutanota-desktop-win-sig.bin (for Windows)
 * https://mail.tutanota.com/desktop/tutanota-desktop-mac-sig.bin (for Mac)
 * https://mail.tutanota.com/desktop/tutanota-desktop-linux-sig.bin (for Linux)
 *
 * They allow verifying the initial download via
 *
 *      # get public key from github
 *      wget https://raw.githubusercontent.com/tutao/tutanota/electron-client/tutao-pub.pem
 *          or
 *      curl https://raw.githubusercontent.com/tutao/tutanota/electron-client/tutao-pub.pem > tutao-pub.pem
 *      # validate the signature against public key
 *      openssl dgst -sha512 -verify tutao-pub.pem -signature signature.bin tutanota.installer.ext
 *
 * openssl should Print 'Verified OK' after the second command if the signature matches the certificate
 *
 * This prevents an attacker from getting forged Installers/updates installed/applied
 *
 * get pem cert from pfx:
 * openssl pkcs12 -in comodo-codesign.pfx -clcerts -nokeys -out tutao-cert.pem
 *
 * get private key from pfx:
 * openssl pkcs12 -in comodo-codesign.pfx -nocerts -out tutao.pem
 *
 * get public key from pem cert:
 * openssl x509 -pubkey -noout -in tutao-cert.pem > tutao-pub.pem
 * */

Honestly, I do not understand anything. Should I get the "pem cert" and private key from the pfx along with the public key from the cert before doing "openssl dgst -sha512 -verify ..."? That is, should I try the last two commands before trying the first three? Does anyone have any idea about this?

I wish everything were as simple as installing directly from the Hyperbola repositories, as I did with the mobile app when downloading it from F-Droid, but I guess it is just something personal and that there might not be a real demand for that package to be considered for being effectively uploaded to the repositories. Another point that plays against a hypothetical inclusion would be the fact that the desktop client is still in beta.

Anyway, I leave here my suggestion in case there is a real demand for it in the future.
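Added example, not from the thread or from Tutanota's code: a shell script that plays both roles with a throwaway self-signed key, so the split in the quoted comment becomes visible. The pfx commands (extract cert, private key, public key) belong to the signer; a user needs only the public key, the published *-sig.bin and the downloaded installer for `openssl dgst -sha512 -verify`. It assumes the openssl CLI is on PATH; the key, the password `demo` and all file names are constructed, and `-passin`/`-passout`/`-nodes` are added so the pfx steps run without prompting.

```shell
#!/bin/sh
# Added example: signer side and user side of the quoted verification scheme,
# run locally against a constructed installer with a throwaway key.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Signer side: the pfx commands from the quoted comment live here ---
# Stand-in for the vendor's code-signing certificate: a self-signed RSA cert
# bundled into a PKCS#12 (.pfx) file, password "demo" (constructed).
make_signer_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example-signer' \
        -keyout signer-key.pem -out signer-cert.pem 2>/dev/null
    openssl pkcs12 -export -inkey signer-key.pem -in signer-cert.pem \
        -out codesign.pfx -passout pass:demo
    # The three pfx commands from the comment; -passin/-nodes avoid prompts.
    openssl pkcs12 -in codesign.pfx -clcerts -nokeys -out tutao-cert.pem -passin pass:demo
    openssl pkcs12 -in codesign.pfx -nocerts -nodes -out tutao.pem -passin pass:demo
    openssl x509 -pubkey -noout -in tutao-cert.pem > tutao-pub.pem
}

# Produces the detached signature file that is published next to the installer.
sign_installer() {
    openssl dgst -sha512 -sign tutao.pem -out "$1.sig.bin" "$1"
}

# --- User side: needs only tutao-pub.pem, the signature and the download ---
# Prints "Verified OK" on a match; anything else means the file or the
# signature does not belong to the key. The exit status is swallowed so the
# caller can compare the printed text.
verify_installer() {
    openssl dgst -sha512 -verify tutao-pub.pem -signature "$2" "$1" 2>/dev/null || true
}

make_signer_pfx
printf 'constructed installer bytes\n' > tutanota.installer
sign_installer tutanota.installer

# The genuine download verifies; a one-byte change in the download does not.
printf 'constructed installer bytes!\n' > tampered.installer
echo "genuine:  $(verify_installer tutanota.installer tutanota.installer.sig.bin)"
echo "tampered: $(verify_installer tampered.installer tutanota.installer.sig.bin)"
```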

2

Re: Tutanota email client

ΙΧΘΥΣ wrote:

I am considering downloading and using the Tutanota email client for Linux. I am a bit reluctant to do so because I have always wanted to keep my Hyperbola system free from any software not available in the official repositories.

When reading how to verify the downloaded file of the email client, I find that the process is different from the one I am accustomed to with gpg:


 * Utility to codesign the finished Installers.
 * This enables the App to verify the authenticity of the Updates, and
 * enables the User to verify the authenticity of their manually downloaded
 * Installer with the openssl utility.
 *
 * The installer signatures are provided as separate files:
 * https://mail.tutanota.com/desktop/tutanota-desktop-win-sig.bin (for Windows)
 * https://mail.tutanota.com/desktop/tutanota-desktop-mac-sig.bin (for Mac)
 * https://mail.tutanota.com/desktop/tutanota-desktop-linux-sig.bin (for Linux)
 *
 * They allow verifying the initial download via
 *
 *      # get public key from github
 *      wget https://raw.githubusercontent.com/tutao/tutanota/electron-client/tutao-pub.pem
 *          or
 *      curl https://raw.githubusercontent.com/tutao/tutanota/electron-client/tutao-pub.pem > tutao-pub.pem
 *      # validate the signature against public key
 *      openssl dgst -sha512 -verify tutao-pub.pem -signature signature.bin tutanota.installer.ext
 *
 * openssl should Print 'Verified OK' after the second command if the signature matches the certificate
 *
 * This prevents an attacker from getting forged Installers/updates installed/applied
 *
 * get pem cert from pfx:
 * openssl pkcs12 -in comodo-codesign.pfx -clcerts -nokeys -out tutao-cert.pem
 *
 * get private key from pfx:
 * openssl pkcs12 -in comodo-codesign.pfx -nocerts -out tutao.pem
 *
 * get public key from pem cert:
 * openssl x509 -pubkey -noout -in tutao-cert.pem > tutao-pub.pem
 * */

Honestly, I do not understand anything. Should I get the "pem cert" and private key from the pfx along with the public key from the cert before doing "openssl dgst -sha512 -verify ..."? That is, should I try the last two commands before trying the first three? Does anyone have any idea about this?

I wish everything were as simple as installing directly from the Hyperbola repositories, as I did with the mobile app when downloading it from F-Droid, but I guess it is just something personal and that there might not be a real demand for that package to be considered for being effectively uploaded to the repositories. Another point that plays against a hypothetical inclusion would be the fact that the desktop client is still in beta.

Anyway, I leave here my suggestion in case there is a real demand for it in the future.

But I thought that email's server was proprietary. If you notice, it's under GPL3 but not AGPL3...

Might be good for people to look into this.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

3

Re: Tutanota email client

You can install it from the Arch User Repository (AUR) by downloading the PKGBUILD (an installation script) and running "makepkg -s" (you need to ensure the license of each package you install from AUR is free if you want to keep your system exempt from proprietary software as the AUR is not part of Hyperbola - you can always add a task on Hyperbola's platform to include software from the AUR that is freely licensed). You can find the PKGBUILD here:

https://aur.archlinux.org/packages/?O=0 … _Search=Go

4

Re: Tutanota email client

aloniv wrote:

You can install it from the Arch User Repository (AUR) by downloading the PKGBUILD (an installation script) and running "makepkg -s" (you need to ensure the license of each package you install from AUR is free if you want to keep your system exempt from proprietary software as the AUR is not part of Hyperbola - you can always add a task on Hyperbola's platform to include software from the AUR that is freely licensed). You can find the PKGBUILD here:

https://aur.archlinux.org/packages/?O=0 … _Search=Go

Hmm... I just hope that for your sake, it doesn't connect to a non-free server. If so, I doubt you will see it in the Hyperbola repo.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

5 (edited by koszko 2019-02-18 19:55:21)

Re: Tutanota email client

zapper wrote:
aloniv wrote:

You can install it from the Arch User Repository (AUR) by downloading the PKGBUILD (an installation script) and running "makepkg -s" (you need to ensure the license of each package you install from AUR is free if you want to keep your system exempt from proprietary software as the AUR is not part of Hyperbola - you can always add a task on Hyperbola's platform to include software from the AUR that is freely licensed). You can find the PKGBUILD here:

https://aur.archlinux.org/packages/?O=0 … _Search=Go

Hmm... I just hope that for your sake, it doesn't connect to a non-free server. If so, I doubt you will see it in the Hyperbola repo.

Why so? If they ran nonfree code on their servers, it would be their problem, not yours. Take a look at an interview with RMS where he said "If you connect to a server that runs nonfree software, you're not the one whose freedom is harmed.".
From what I see searching the web, Tutanota hasn't released its server-side code. But even if it did, you wouldn't be able to check whether the code used for processing your emails is really the same code that was released. Not even if Tutanota released it under AGPL3, since when someone puts a license on their code, they don't have to obey it themselves - they're just telling others what they can (not) do.
While we can't help with the issue of logging, email usage can be made saner if we apply email self-defence, which unfortunately seems impossible with Tutanota (just as with Protonmail, which I use - I made the wrong choice over a year ago and I'm stuck with it, 'cause I don't wanna change my address again) because of the lack of POP3/IMAP support.
And you know what the Tutanota devs say? That they don't allow you to use these protocols and regular PGP because they consider those "insecure". That's hilarious! Even tho they provide automatic end-to-end encryption between their own users, you can't encrypt emails to external recipients using the standard Enigmail method whatsoever. That's dumb if you ask me... At least they provide some sort of temporary accounts for users of other mail services you send something to...
Despite all that crap, the "app" seems to be fully libre, under GPLv3... yet they failed to provide installation instructions for the desktop version ;_; just Android and webmail. You'll have to find someone knowledgeable in node.js to package it, since the AUR PKGBUILD just downloads a prebuilt version from tutanota.com while Hyperbola only packages software from source...

Edit: Btw, it should be possible to use Tutanota and Protonmail clients' code to make some kind of proxy that would serve mail as POP3 and IMAP on localhost. Another approach would be to make it an extension to icedove - it'd be a bit of effort tho