niklasfemerstrand / rc_openpgpjs
OpenPGP for Roundcube via JavaScript
License: GNU General Public License v2.0
Email attachments aren't encrypted at all. Unfortunately, attachments are a very frequently used feature, and not having them encrypted makes the plugin not very useful :(
hey there,
is it possible to set up the checkbox behaviour (sign is always checked on new mail) by user selection in the settings, or to have these options in a config file?
atm i'm one of the rare crypt users on the system, and i don't think i will be able to remember changing js/rc_openpgpjs.js (line 69) on every update, because for non-crypt users it's annoying to uncheck it every time.
p.s. i have no idea how to set the enhancement label for posts...
p.s.s. thanks for the damn fast key_search fix
If this plugin is enabled draft autosaving should be disabled.
User should be able to choose which key server to use for public key search.
Quoting Thomas Bruederli:
Pubkey selection: $("#_to").val().split(",") doesn't always work. There
might be recipient addresses like this: "Brüderli, Thomas"
[email protected]. Solution: grep for email address patterns in the
recipients list instead.
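The address-pattern approach proposed above, as an added example that is not part of the original issue or the plugin's code. It goes beyond the quoted case by accepting several header fields (To, Cc, Bcc) and by listing recipients that have no public key; the function names, the keyAddresses list and all addresses are assumptions made for illustration.

```javascript
// Added example (not rc_openpgpjs code). All addresses are constructed samples.

// Pragmatic pattern for an addr-spec as it appears in webmail recipient fields.
const ADDR_RE = /[A-Za-z0-9.!#$%&'*+\/=?^_`{|}~-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/g;

// The approach from the issue: breaks on display names that contain commas.
function naiveRecipients(field) {
  return field.split(",").map((s) => s.trim()).filter(Boolean);
}

// Pull addresses out of any number of header fields (To, Cc, Bcc).
function extractRecipients(...fields) {
  const seen = new Set();
  for (const field of fields) {
    // Remove quoted display names first, so a name such as
    // "sales@corp.example, Bob" cannot contribute a bogus address.
    const stripped = (field || "").replace(/"(?:[^"\\]|\\.)*"/g, " ");
    for (const addr of stripped.match(ADDR_RE) || []) {
      // Assumption: key lookup is case-insensitive on the address.
      seen.add(addr.toLowerCase());
    }
  }
  return [...seen];
}

// Fail closed: list every recipient that has no public key.
// `keyAddresses` is a hypothetical list of addresses found in the keyring.
function recipientsWithoutKey(recipients, keyAddresses) {
  const known = new Set(keyAddresses.map((a) => a.toLowerCase()));
  return recipients.filter((r) => !known.has(r));
}

const to = '"Brüderli, Thomas" <thomas@example.org>, alice@example.net';
const cc = '"sales@corp.example, Bob" <bob@example.com>';
const recipients = extractRecipients(to, cc, "");
const missing = recipientsWithoutKey(recipients, ["Thomas@example.org", "bob@example.com"]);
console.log(naiveRecipients(to), recipients, missing);
```

A non-empty result from recipientsWithoutKey is the point at which sending should stop rather than continue with a partial recipient set.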
I just tried to install using the latest git with roundcube 0.7.2, and roundcube is unable to load when the plugin is enabled. I see this in the error logs:
[19-Jan-2013 11:22:11] PHP Fatal error: Class 'rcube' not found in /var/lib/roundcube/plugins/rc_openpgpjs/rc_openpgpjs.php on line 34
Make it possible to export an armored key as .asc
When activating classic skin, plugin functionality is unfortunately unusable, missing check boxes, etc.
Make labels and messages translatable.
After enabling the plugin I have access to the "Key Manager" but there are now "encrypt" and sign buttons like in your vimeo video:
http://sixinches.de/openpgp.jpeg
Any suggestions?
Verify the given passphrase in importPrivKey() by testing encryption.
Use Roundcube template system.
Abstract the crypto parts and make OpenPGP.js a separate driver as preparation for multiple driver support (#64).
When the plugin is added to the plugins-array in RCs config, an empty page is delivered when logged in (so the login-page still works). This happens both when first logging in and then activate plugin, and when first activating plugin and then logging in.
"View source" in Firefox shows an empty result, so no single line of html is delivered.
Running RC 0.8.4 with the Larry-skin, no other plugins are installed, en_US, Firefox 18.0.
Display OpenPGP info in message header of encrypted messages.
For example show if it is a good signature and the corresponding name/email, key id and signing date.
Hi,
I have everything set up properly in the key manager, but when I send an email upon receipt of the latter I have this message:
WARNING! Signature doesn't match public key!
By generating a new key I still have this message.
Are there particular dependencies for the server?
I hope that you can easily identify and solve the problem.
Thanks.
First of all congratulations for the great plugin!
Unfortunately I currently have some issues I will enter separately.
The first is the issue, that I cannot send an email when "Sign" is checked.
And additionally, the values are not saved when I uncheck them in the settings.
I am using the latest roundcube (0.9.2) and plugin versions (master from 07.07.) and the issue is reproducible with chrome and IE.
If you want to sign a message when you have stored your passphrase and only imported your private key it fails. Line 196 of rc_openpgpjs.js will return false, but line 200 will return false since no public keys are imported. No keys error message is displayed and message is not signed.
Add a list to the key select to support multiple private keys.
Quoting Thomas Bruederli:
Decryption of encrypted messages is only possible on messages sent with
text/plain but not with multipart/encrypted. This is mainly because
Roundcube doesn't even send the encrypted body parts to the client.
Solution: there are plugin hooks in PHP available [2] to grab encrypted
parts from the message structure and make sure they're sent to the client.
Attachment decryption is also considered here.
[2] http://trac.roundcube.net/wiki/Plugin_Hooks#message_part_structure
Last commits introduce a new bug, when signing or encrypting and signing a message the message is sent before signing / encryption.
Add signature verification for reading signed messages.
I recently stumbled upon the WebPG browser extension which bridges the full functionality of a locally installed GnuPG instance into the browser and makes it accessible via javascript. This has the big advantage, that the web app has access to existing keyrings and one doesn't need to import them into the browser's local storage.
It would be nice to add some sort of abstraction to the plugin code, which lets you use WebPG (if installed) instead of openpgp.js as the encryption backend.
We tried to summarize the encryption plugin development for Roundcube and how we see it in the Roundcube wiki: http://trac.roundcube.net/wiki/PluginRepository/Encryption
There, you'll also find references to the WebPG NPAPI plugin.
Add the pubkey file[1] as an attachment to signed emails.
[1] "data:asc," + encodeURIComponent(openpgp.keyring.publicKeys[i].armored)
Cookies are insecure and this was a dirty way to get a quick result. Use HTML5 web storage instead of setting a cookie.
Perform heavy calculations asynchronously so the browser doesn't freeze. HTML5 web workers don't have access to the window object so that won't work -- OpenPGP.js requires access to the window.crypto obj.
Quoting Thomas Bruederli:
You bind events to UI buttons by using their object IDs. This doesn't
work reliably because these are internal IDs and they can vary with
different skins. With the new Larry skin, the plugin doesn't work because
rcmbtn114 isn't the send button (but the CC+ button of the address book
widget). Solution: there are generic events triggered by the Roundcube core
script, which you can bind on [1]. In your case, binding to the 'send'
command would look like this:
rcmail.addEventListener('beforesend', function(e){ /* do your magic */ });
[1] http://trac.roundcube.net/wiki/Plugin_Events#beforeandafter
May require patching OpenPGP.js, did the last time I checked.
Add sign feature to encryptAndSend()
The plugin doesn't work in message preview frame.
When trying to import public key from form, fails with
Cannot call method 'match' of undefined" @ rc_openpgpjs.crypto.js:276
Roundcube Webmail 0.9.1
Import via search works however.
Current case:
Desired case:
please add to the documentation a section about where keyrings are stored. serverside? clientside?
can existing keyrings be imported? or do you have to (or are you able to) create a new keyring?
if you provide the information here i'd volunteer to update the readme and file a pull request.
Key is generated without the 'Person' info if generated from Inbox -> More -> Key Manager.
If you go to Compose - Key manager then the key is generated with the correct Person info.
Allow the user to choose the passphrase to be remembered for 5 idle minutes. Currently a cookie expires after 5 min.
Add signature verification to decrypt(). Requires the public key to be accessible or a lookup feature.
Depends on #5
There's some fishy business in the use of openpgp.write_signed_and_encrypted_message(); both read and write. Investigate and fix.
The button in message view page doesn't match larry skin style. Also I propose to move Key management action to "More actions..." menu.
Hey,
when i try to import a public key nothing happens.
I copy/paste a Key Block and hit the "import" button but then nothing happens.
Importing a private Key works like a charm.
Any suggestions?
PS: Thanks for your great work!
rc_openpgpjs.php includes on line 85 /templates/key_search.html, but the file is missing atm.
Unfortunately, the plugin doesn't work on many popular browsers (i.e. safari, firefox, didn't test others) due to the lack of window.crypto.getRandomValues function. There is a bug about it already on openpgp.js (openpgpjs/openpgpjs#22) but at least a workaround would be good until they implement a real solution, as the issue is there for more than a year already.
first: thanks for the fast options feature! sadly hadn't found the time to check until yet.
another enhancement request:
would it be possible to keep the default settings like they are now and have additional temp changes inside the "new mail" window like before?
the problem now is that you have to make changes in the options if you want something to be encrypted.
Currently encryption and signing can only be done individually, add support for both at the same time.
"#_to" isn't alone to hold recipients, treat CC/BCC fields as well.
Create PKS db tables in RC DB for the backend PKS to query against. Public keys received from remote PKS' should be stored in the local RC DB tbl for future lookups and the PKS should only search in remote PKS when specifically asked to do so. Grant users the option to send their public keys to the plugin backend which puts it into the PKS tbl.
The reason is because PKS', even modern ones like SKS, deliver keys over plaintext HTTP. As far as I know there is not a single PKS or even SKS serving keys over HTTPS causing the link between RC and PKS to be directly vulnerable to MITM and sniffing. RC over HTTPS is opt-in only, but at least it's better protecting HTTPS enabled RC installations all the way than leaving vulnerable links due to faulty HKP design.
Another reason is that once a key is entered into a PKS/SKS there is no way of removing it. For this reason the plugin will never support adding public keys to remote PKS/SKS but only the local RC tbl where it can be revoked by the RC admin or the user itself through future functionality.
If the recipient's pubkey is missing: do a lookup. If the pubkey is in shared storage: import, else: lookup. If lookup fails: alert user.
Don't allow the creation of 1024-bits keys, since they are not strong enough any more (http://csrc.nist.gov/groups/ST/hash/statement.html).
set_passphrase() and encryptAndSend() currently statically use the keyid from openpgp.keyring.privateKeys[0]. The ID should be selected from the (future) list in key select (#2).
When this is finished multiple key support is completed.
a nice security feature would be to remove the private key export if the key was not created by rc_openpgpjs / openpgpjs.
reason: to prevent a 3rd party to fast export your private when you left your pc without locking it.
possible solution: check for "openpgpjs.org" in the private key comment.