Do you think a Keyoxide browser extension would be useful?

I am imagining some combination of the following features:

  • detect links to PGP keys from web pages I visit (such as link rel="pgpkey" and any other possible indications of a PGP key or fingerprint)
  • indicate via an icon if a page has a linked PGP key
  • possibly act as a handler when a link to a PGP key is clicked??
  • allow me to run Keyoxide claim verifications locally in the browser
  • if possible, identify when a profile page I'm visiting on other sites contains a Keyoxide claim, and allow me to verify it / find linked profiles via the PGP key
  • ideally, allow encrypting messages to the PGP key

Personally I feel this could be very useful if Keyoxide use becomes at all widespread.

I have no experience developing browser extensions but I'd be willing to have a go at implementing it some time if anyone else thinks it would be useful.

That would be a good use case for a browser extension!

I think this ties in with https://community.keyoxide.org/d/11-look-up-keys-by-profile-name-reverse-lookup/2. It's a form of reverse lookup. Once we solve the "general" reverse lookup discussion, we can implement this.

I have once dabbled in browser extensions (both Firefox and Chrome). We could scour the Fediverse first for knowledgeable people.

    yarmo I think this ties in with https://community.keyoxide.org/d/11-look-up-keys-by-profile-name-reverse-lookup/2. It's a form of reverse lookup. Once we solve the "general" reverse lookup discussion, we can implement this.

    Definitely true for at least most of the use cases I mentioned.
    I'd argue the simple case of link rel="pgpkey" from someone's homepage is different, and useful on its own – but yeah, maybe the whole idea should wait until the general concept of reverse lookup ise resolved.

    4 months later

    That would be really nice! Maybe I could even help a bit, as I've already developed 2 Firefox addons.

    The Keyoxide addon could display a Twitter-like verification check mark next to profile names (e.g. in the Mastodon home timeline) to indicate the respective profile has got a valid Keyoxide entry.

      Pixelcode The Keyoxide addon could display a Twitter-like verification check mark next to profile names

      Oh, I always imagined an addon would show something in the menu bar. How cool would it be to show verification check marks on the pages themselves!! (making sure people can disable it)

      How difficult would it be to make a proof of concept?

        yarmo

        Oh, I always imagined an addon would show something in the menu bar.

        Well, an addon can create an icon in the menu bar (and in other places as well), optionally with a popup, but it doesn't have to. Regardless of that, it can also manipulate the content of a website (that's how uBlock Origin's cosmetic filter works).

        How difficult would it be to make a proof of concept?

        I don't know how we could identify whether the user is currently on a website supported by Keyoxide. For GitHub, Reddit or Twitter that wouldn't be difficult, but other services, such as Mastodon, are decentralised and can't be recognised just by their URL alone.

        Then we must obviously figure out a way of reverse look-ups. For Mastodon, that could be easier, since the Keyoxide link must be set as profile metadata item and Mastodon itself displays a green check mark if the link is verified.

        When viewing the Mastodon home timeline, the addon could, for example, simply iterate over all .display-name__account elements and fetch the metadata information via some Mastodon server's API.

        I've never done something like this before and it could easily become overwhelming, but I think it may be worth it.

          Pixelcode Then we must obviously figure out a way of reverse look-ups

          This makes sense, and could be up to the Keyoxide/doip API to do. This has been discussed before on the forum [0] but it's waiting to be responsibly implemented until after we have hashing of the proofs (to prevent reverse lookups for those that don't want it!).

          [0] https://community.keyoxide.org/d/11-look-up-keys-by-profile-name-reverse-lookup

          I have had to shift priorities the last few months but I'm dedicating more time to Keyoxide right now and I will get on this ASAP.

          I've just created a not-very-functional-yet alpha of the Mastodon check-mark addon. My current approach is to fetch the profile meta tags from e.g. https://social.tchncs.de/@pixelcode.json and to extract any Keyoxide link, whereby the HKP is retrieved by simply removing https://keyoxide.org/hkp/ from the link (yeah, I know).

          Now, I'm currently trying to figure out how to check whether the PGP key belonging to the HKP has got a claim for the Mastodon profile in question. I tried using doip.js but I haven't quite understood how it works yet.

          Here's my current code:

          const verifyIdentity = async (url, fp) => {
              const claim = new doip.Claim(url, fp);
              claim.match();
              await claim.verify();
              console.log(claim.result);
          }
          
          verifyIdentity(profileURL, hkp);
          verifyIdentity("https://mstdn.social/@pixelcodeapps", "aeef8cdb5adf2f28016f39e1fbfc237daf98d402");

          Both function calls return undefined for some reason. What did I do wrong?

          Nice! The snippet works fine, you're just logging the wrong thing — that is, big mistakes were made when I first wrote the library and now we have to make do until the v2 rewrite.

          So you want to log as such:

          console.log(claim._verification.result);
          console.log(claim); // to see all the fields

          I just uploaded the addon's source code to Codeberg. It basically works in the sense that it is able to iterate over Mastodon users' profile names in the home timeline and add a check mark if a valid Keyoxide link was found.

          However, the “verification” only happens once – after the page was loaded. That's why it ignores any new posts that Mastodon adds dynamically to the timeline. That's a major issue that prevents the addon from being actually usable yet, and I have no clue how to fix it.

          Maybe it would be useful to migrate the repo to the Keyoxide organisation?

            Project looks cool! I followed the instructions but I couldn't get it work just yet, it did not show any checkmarks, will need to fiddle with it more. Maybe because I tried it in the local timeline? No one in my home timeline had Keyoxide profiles when testing.

            Pixelcode However, the “verification” only happens once – after the page was loaded

            As I mentioned in the issue [1], we could maybe use the MutationObserver [2] to track changes in the DOM.

            [1] https://codeberg.org/pixelcode/Keyoxide-Checkify/issues/1
            [2] https://developer.mozilla.org/en-US/docs/Web/API/MutationObserver

            Pixelcode Maybe it would be useful to migrate the repo to the Keyoxide organisation?

            Yeah, I am down for that! Would you like to make a few more changes in your own repo? Or just migrate and get elevated permissions?

              In fact, on least on Mastodon 3.5.3, the feed is empty at page load so the add-on never stands a chance to look for profiles.

              I am currently trying:

              if (isMastodon()) {
                  const targetNode = document.querySelector('[role="feed"]');
                  console.log(targetNode);
              
                  // Options for the observer (which mutations to observe)
                  const config = { attributes: false, childList: true, subtree: true };
              
                  // Callback function to execute when mutations are observed
                  const callback = (mutationList, observer) => {
                    for (const mutation of mutationList) {
                      if (mutation.type === 'childList') {
                        console.log(mutation);
                        // Now do something with this new article
                      }
                    }
                  };
              
                  // Create an observer instance linked to the callback function
                  const observer = new MutationObserver(callback);
              
                  // Start observing the target node for configured mutations
                  observer.observe(targetNode, config);
                }

              and it neatly logs all new posts when they are dynamically added! From here on, we can process the posts individually

              yarmo

              Yeah, I am down for that! Would you like to make a few more changes in your own repo? Or just migrate and get elevated permissions?

              Great! I've just added you as an administrator to the repo, so you can migrate the repo if you want to. I'll quickly try to intergrate your code snippet into the code.

              I won't be able to work on it this weekend. But I think we should also cache the results of the verifications, so that different posts by the same author won't trigger another verification.

              We should also look into recognizable but distinct icons. If we use the same icons as those available for people to put into their username, they could potentially fool users of the add-on.

                yarmo Caching is another topic that I'm absolutely not familiar with. 😅

                I'm currently working on removing custom “verified” emojis if the respective user isn't actually verified.

                12 days later

                If you want to migrate the repo, I'd be ready for that. ☺️

                5 days later

                Yeah, let's do that. Cannot guarantee I can dedicate much time to the extension right now but I will as soon as possible, when I finish a few other keyoxide subprojects...