intrigeri | 30 Aug 20:24 2014

Making monkeysign more suitable for Tails


just so the community knows, and in case someone in here wants to give
a hand: Tails is shipping monkeysign, but it's barely usable in our
context, and we're mainly shipping it to encourage (power-)users to
experiment with it, and contribute improvements upstream.

The main blockers are:

* Being nicer with systems without an SMTP server
* Use the 'default-key' from ~/.gnupg/gpg.conf as default key
* monkeyscan should be cleaner in the absence of a local MTA

I'm sure that Antoine would happily take patches :)



Antoine Beaupré | 29 Aug 06:34 2014

monkeysign 1.2 released!

1.2 is a minor release to ship a few bugfixes that were gathering dust
in the git repository.

Monkeysign is a user-friendly tool to easily and securely exchange
OpenPGP key certifications. See [the homepage][] for more

To install monkeysign on Debian unstable, simply run:

    sudo apt-get install monkeysign

Testing and stable currently have the 1.0 release and will be updated
within 10 days to the new 1.1 release if no critical bugs are found.

For users of other Linux distributions, use:

    git clone git://
    cd monkeysign
    sudo ./ install --record=install.log

For more information, see [the homepage][].

 [the homepage]:

Detailed list of changes since [[monkeysign-1.1]]:

  * improve python 3 compatibility, partially (Closes: #725059)
  * update translation strings
  * spanish translation, thanks to lilbit
  * partial french translation

Antoine Beaupré | 29 Aug 06:22 2014

Re: QR codes with vcard info?

On 2014-08-12 17:59:40, Christian Jaeger wrote:
> PS. regarding prefixing it with X- to make it VCARD conform: perhaps
> it then makes sense to also drop the version from the field name, i.e.
> just calling it X-OPENPGPFPR, because that way apps would continue to
> work even if OpenPGP progresses to version 5 etc. If the concern is
> security against hijacking of fingerprints in older protocol versions,
> add a VERSION parameter (assuming VCARD allows X- fields to invent
> their own parameters, too, I haven't seen anything to the contrary),
> e.g.

Right, that makes sense as well. Not sure where we got that standard...


Wherever they's a fight so hungry people can eat, I'll be there.
Wherever they's a cop beatin' up a guy, I'll be there.
If Casy knowed, why, I'll be in the way guys yell when they're mad an'
I'll be in the way kids laugh when they're hungry an' they know
supper's ready. An' when our folks eat the stuff they raise an' live
in the house they build, why I'll be there.
                        - John Steinbeck, The Grapes of Wrath

Antoine Beaupré | 29 Aug 06:21 2014

Re: QR codes with vcard info?

On 2014-08-12 17:32:28, Christian Jaeger wrote:
> Hi
> I'm writing a library to produce vcard files and want to put one as a
> QR code on the back of my business card. I'd like to add info about my
> GPG key, now I've seen that monkeysign itself uses a field OPENPGP4FPR
> in what looks like part of the vcard syntax, but seems to be using it
> outside that context, probably rightly so as this field isn't
> standardized (according to my understanding, prefixing it with X-
> would make it conform to RFC2426). Anyway, monkeyscan (as of version
> 1.1) doesn't seem to parse the QR code contents strictly, so I guess
> that the approach I'm currently following will work, but I couldn't
> test as I don't have a webcam on the test machine and I didn't see a
> way to tell monkeysign to use a png or text input file. Also I don't
> know your future plans (I haven't seen a spec about what you're
> expecting).


There is some documentation in the 2.x branch with mockups of the new
interface we are looking for. Look in the doc/ui-mockups directory.

It's also available here:

... but I really need to clean up that doc...

The 2.x version will support parsing an image from a qrcode directly.

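
A strict parser for the two payload shapes discussed in this thread, as an added example (not monkeysign's or monkeyscan's code): the bare `OPENPGP4FPR:` string and a vCard carrying the proposed `X-OPENPGPFPR` field with an optional `VERSION` parameter. The vCard layout, the default of version 4 when `VERSION` is absent, and the sample fingerprint are assumptions made for illustration.

```python
import re

# Constructed sample fingerprint (not a real key); v4 fingerprints are 40 hex digits.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_VCARD = ("BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Example Person\r\n"
                "X-OPENPGPFPR;VERSION=4:" + SAMPLE_FPR + "\r\nEND:VCARD\r\n")

BARE = re.compile(r"OPENPGP4FPR:([0-9A-Fa-f]{40})")
# Hypothetical field syntax following the proposal in the thread.
FIELD = re.compile(r"X-OPENPGPFPR(?:;VERSION=([0-9]+))?:([0-9A-Fa-f]{40})",
                   re.IGNORECASE)


class PayloadError(ValueError):
    """The scanned payload is not one unambiguous v4 fingerprint."""


def parse_fingerprint(payload):
    """Return (version, FINGERPRINT) or raise PayloadError; never guess."""
    text = payload.strip()
    m = BARE.fullmatch(text)            # whole payload, no trailing data
    if m:
        return 4, m.group(1).upper()
    lines = text.splitlines()
    if (len(lines) < 3 or lines[0].upper() != "BEGIN:VCARD"
            or lines[-1].upper() != "END:VCARD"):
        raise PayloadError("neither a bare fingerprint nor a vCard")
    found = []
    for line in lines[1:-1]:
        # Property name is whatever precedes the first ';' or ':'.
        name = line.split(":", 1)[0].split(";", 1)[0].upper()
        if name != "X-OPENPGPFPR":
            continue
        m = FIELD.fullmatch(line)
        if not m:
            raise PayloadError("malformed fingerprint field: %r" % line)
        found.append((int(m.group(1) or 4), m.group(2).upper()))
    if len(found) != 1:                 # a second field could shadow the first
        raise PayloadError("expected one fingerprint field, got %d" % len(found))
    version, fpr = found[0]
    if version != 4:                    # length check above only holds for v4
        raise PayloadError("unsupported OpenPGP key version %d" % version)
    return version, fpr


if __name__ == "__main__":
    print(parse_fingerprint("OPENPGP4FPR:" + SAMPLE_FPR))
    print(parse_fingerprint(SAMPLE_VCARD))
```

Rejecting a payload with two fingerprint fields or trailing data keeps a scanner from certifying a key other than the one the card's owner intended.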

fr33domlover | 30 Apr 00:21 2014

Usage with mail server


This is my first post here. I run an SSH server and a web server and I'm
very interested in using a peer-to-peer decentralized natural way to
handle trust.

Monkeysphere already works with HTTPS and SSH as described on your
website, but I didn't find any information about:

- XMPP server (as far as I know, none exists yet but it's WIP)
- mail server

I'm going to run a mail server (first just IMAP, later I'll add SMTP)
and I'd like to not use an SSL certificate from a centralized source
which requires a lot of my private information for spying on me and
verifying my identity etc.

Does monkeysphere support mail serving?

I can imagine it may work for sending mail to the user, but what happens
if an SMTP server wants to send email to my IMAP server? How does the
SMTP server send me encrypted data if it cannot recognize my OpenPGP
based "certificate"?

If there's any approach waiting to be implemented or used, I don't mind
pioneering. Just tell me please how it works. Also, maybe I can help add
monkeysphere support to dovecot if it's not too difficult.

Thanks in advance!

micah | 21 Apr 01:41 2014

Re: Archlinux Package

Profpatsch <mail <at>> writes:

> On 14-04-10 06:21pm, Profpatsch wrote:
>> Since you are linking to a git package which is broken atm:
>> There is a package using the official releases at
> And I just became maintainer, so it’s up-to-date now, too.

If you would like to update the link on the page, the site is running
ikiwiki, a patch or a git remote would make the update real easy!

Gabriel Pérez-Cerezo | 30 Mar 13:23 2014

Monkeysphere integration in Links2


I have changed my plans. I have stopped working on w3m and now I'm working on Links2,
as it has many more features and is more widely used. I will write you when it is

Best wishes,


Gabriel Pérez-Cerezo Flohr
Website:  E-mail: gabriel <at>
GPG Key: D353EC69 (get it from

Gabriel Pérez-Cerezo | 23 Mar 17:47 2014

libmsv licensing


as you may know, I'm working on a fork of the w3m browser which includes monkeysphere support. I have now got a
problem with the licensing. Libmsv is licensed under the GPLv3 and w3m under the MIT license, but as it is
linked to OpenSSL, it would need a linking exception, so I have to either link the GPL code from GPL+Linking
exception code or rewrite the entire SSL code using GNUtls.

Do you think that it is better to ask someone for a linking exception or rewrite the SSL code using GNUtls?


Gabriel Pérez-Cerezo Flohr
Website:  E-mail: gabriel <at>
GPG Key: D353EC69 (get it from

isis agora lovecruft | 3 Jul 16:50 2013

gnupg-1.1.7, a Python GnuPG wrapper, is released on PyPI

Announcing the release of a more secure Python wrapper for GnuPG on PyPI.

About this release

This is the first stable release of a module (named 'gnupg' on PyPI)[0], which
originated as a fork of python-gnupg.[1] Several problems were found with the
upstream version, including a security vulnerability that is triggered by
unvalidated user input and, when used within networked code, can lead to remote
arbitrary code execution. Full notes of the audit can be found in the docs/ directory of
the git repo [2] and as orgmode→html [3] in the online documentation.

The new version [4] is incompatible with the old version, though the changes
required to upgrade for software depending on the old version should be
slight. Not to mention, the module is now extensively documented,[5] and
developed openly. It was downloaded nearly 1000 times on the first day it was
uploaded to PyPI.

To install:
$ [sudo] pip install gnupg



intrigeri | 8 Feb 10:14 2013

Bug#677565: [monkeysphere] Bug#682518: Bug#677565: RC bugs in msva-perl


Daniel Kahn Gillmor wrote (08 Feb 2013 05:48:55 GMT) :
> I've just pushed a proposed upstream msva-perl/0.8.1 targeted bugfix
> tag to git://, and a "wheezy"
> branch that uses that and targets testing-proposed-updates.

Excellent! Thanks a lot.

> I've tested 0.8.1-1 on a wheezy system and it works for me.

I'm going to test it during a few days.

> I plan to upload it to t-p-u sometime tomorrow or the next day
> unless i hear from anyone that it didn't work for them.

Looks like a good plan, but I suggest waiting a bit longer for:

  1. You and someone else (I volunteer) to try the proposed package
     for a few days: given t-p-u uploads have no time to be tested in
     sid, we should be extra careful about them.
  2. A pre-approval from the release team, which is required by the
     current freeze policy before uploading to t-p-u.


  | GnuPG key  <at>
  | OTR fingerprint  <at>


Jameson Graef Rollins | 23 Jan 03:15 2012

update of xul-ext-monkeysphere package

Hey, folks.  I have just tagged/pushed version 0.6.1 of
xul-ext-monkeysphere, and 0.6.1-1 to Debian unstable.  This fixes the RC
bug related to iceweasel incompatibility [0].  The package should be
usable in testing/unstable again as soon as it falls through.

There are some other issues that we're going to need to sort out, so
hopefully we can push 0.7 soon.

Sorry for the delay getting to this.  Please report any issues to the
Debian BTS, or our upstream issue tracker [1].