Short story about OpenPGP for iOS and OS X — ObjectivePGP
Two months ago I decided to change the status quo with regard to access to message encryption using the open OpenPGP protocol on the iPhone. I had already been working on something similar—UNNetPGP—earlier, so I thought that this would be a piece of cake, since I had some (more or less) knowledge of the subject.
I could not be more wrong.
I would like to start with the available implementations of OpenPGP for iOS or OS X. The choice is limited. There is a really good and full GnuPG implementation (including the GPGME library); however, it has one non-technical flaw—the licence. While the GPL licence works great in the open-source environment, it does not work for programs for the App Store (iOS) or the Mac App Store (OS X). There is also the previously mentioned port of the NetPGP library—UNNetPGP—but it is a project which has not been developed for a long time, and it has some issues and limitations. NetPGP is particularly limited when it comes to managing keyrings, and keys in general. There have been questions asked with regard to key management, especially with regard to the lack of any possibility to import private keys into keychains—this would seem a simple matter; it should be sufficient to check how this works in NetPGP and add the function in Objective-C. I searched for a whole evening and the only thing I found was that the function was never implemented and that it is extremely difficult to tell how the library works.
I went on from there.
I thought that I would write a small library the sole purpose of which would be managing a keyring, importing and exporting keys. So I started working. At first, the project was called PGPKeyring. It was only supposed to work on loading and saving keys in a file, so that they could be used with UNNetPGP.
Two days later I realised that this would not be enough, and I changed the project’s name to ObjectivePGP. I started reading RFC 4880 carefully:
“It is not a step-by-step cookbook for writing an application”. (RFC 4880) — this is all true.
Today I regret that I did not make any notes during programming, so that I could now quote all my moments of doubt, all “WTF?” instances (I think that some of them are still present in source comments). Many sudden turns of events, lots of dead ends and a massive amount of uncertainty await the person implementing this protocol. Now I understand why OpenPGP does not have many implementations—the protocol itself is simply quite difficult to implement. This is not made better by the fact that the current version of the standard works with several versions and ways in which messages can be saved. I used OpenSSL as my encryption base. Today I would choose a different way to come at it, but this is only because now I know more. At that time this seemed the best choice.
All that together was the reason why I did not have a working version of the library until two months later. The version allows signing and encrypting messages in the OpenPGP standard.
This is not a full implementation, nor is it the best implementation in the world. Now, with all I have learned during the time I spent working on it, I would have written the library in an entirely different way. I think that after some time (in version 2.0) this will actually happen. I have even made a note in my TODO “Need to rewrite the whole thing!”. This is true, but if I keep on rewriting it all the time, I will not finish anything else.
I am here today, I have the alpha version and I am very happy about it. I have learned a lot while working on this project. Firstly, I was able to practice my patience and persistence. I had my mind set on it and I did not give up until I achieved my goal.
I have not been a fan of open licences since I left PLD-Linux. Nowadays, programmers are looking for (I have seen it particularly in the case of iOS programmers) ready-made controls and libraries to be used in another project for their clients. There are fewer and fewer people who think of assisting in any way in the development of the piece of code they use (it is more likely that the amendment will be placed in a private fork and never find its way to the source), while it has never been as easy as it is now with GitHub. This is my personal opinion—you can agree with it or not. Still, I decided that ObjectivePGP will not be another project like that. Sorry for not being R. Stallman. I truly encourage everyone to join me so we could release it one day to the public, together.
Today I am making the library available. Most people looking for it will not even notice that it does not include the source code, and if the project gets 1000 stars on GitHub, I will also add the source code (I promise, but we all know that most likely I will not have to do it, ever).
If you want to support the project with your own work please contact me—I am waiting for you.
PS. I have already started a new project called CryptoSwift; you may want to contribute. Making this kind of thing with Swift is actually way harder.
News: I have used ObjectivePGP while developing my new application called Privacy.