Hi,

our integration of Okular and GnuPG (and later on GnuPG VS-Desktop) is 
nearly finished. Not everything is upstream yet but we see no roadblocks on the 
way that might cause us to abort so we would like to go ahead and announce 
this a bit more.

Attached is a first draft of a statement about why we started to work on this.


First off, I want to say a big thank you to everyone who helped with reviewing
etc. and for the excellent design of Okular which allowed a very modular
build.

But this is a slight problem: because we are targeting a high security
environment, we want to limit the attack surface as much as possible. This
means that we have stripped down Okular quite a lot.

- It will have only the poppler generator.
- Basically no optional dependencies. (No JavaScript)
- No Phonon for Media (patches to cleanly make that optional are incoming, I 
have hacked it for now).

Additionally we carry some patches which allow us to strip down framework
interdependencies and brutally hack some parts like KIO to come for example
without DBus support.

As such I think it would be unfair of us to call this just "Okular" and give 
you a possibly bad name. 

My suggestion is the following:
- Use the name "Okular (GnuPG Edition)" in user visible strings, like the 
start Menu, Window Title, About Dialog etc.
- Change the bug tracker URL to dev.gnupg.org for us (should be obvious).

And finally to add a Message Box on the first launch and add a Text in the
about dialog to promote the full featured Okular which I draft as following:

----------
Okular in general is a lightweight and highly secure document viewer for many 
document formats.

To reduce the attack surface even further the GnuPG Edition is stripped
down to only support PDF documents without any active content.

For the best User Experience you can safely install the fully featured Okular
from the <a href="https://apps.microsoft.com/store/detail/okular/9N41MSQ1WNM8">Microsoft Store</a>
----------

If this seems agreeable to you I would open a merge request regarding 
something like this as a build switch. I would like to have the text included 
upstream instead of patching it in for translation / wording support etc. 

I don't think that a parallel installation of two Okulars will make much sense
except in very specific use cases (e.g. if you use Okular (GnuPG Edition) to
open PDFs from Mails and the regular Okular as default). But it is possible
and no problem.


Best Regards,
Andre

-- 
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf.  VR 11482 Düsseldorf
Vorstand: W.Koch, B.Reiter, A.Heinecke        Mail: bo...@gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779.   Tel: +49-211-28010702
# First draft of an announcement regarding Okular in Gpg4win
# probably a bit too long for publication.


Okular to be added to Gpg4win / GnuPG VS-Desktop

With the Gpg4win 4.2.0 release in May, Okular will be added as an optional
component to the Gpg4win installer, in preparation for a later addition
to GnuPG VS-Desktop. This variant of Okular will feature direct integration
with GnuPG.

---> GnuPG VS-Desktop / Company introduction.

g10 Code GmbH is the company behind the matured Open Source workhorse
GnuPG. Recently we were able to convert this into a commercially successful
product with "GnuPG VS-Desktop", which consists mostly of GnuPG and
Kleopatra as the frontend. Together with an Outlook plugin on Windows and
the usual, excellent, KMail integration on Linux. Previously a recipient of
donations, g10 Code is now able to start giving back to the community and
recently became a patron of KDE.

GnuPG VS-Desktop is not only approved for officially restricted
file and mail encryption in Germany (Verschlusssachen – nur für den
Dienstgebrauch), but also in Europe and across the NATO for EU/NATO
RESTRICTED documents. It has a large customer base with hundreds of
thousands of installations already across Europe and is easily purchasable
in Germany through either the large public sector IT suppliers or a
framework contract with the federal government.

The free of charge community versions of these packages (without the approval)
are available for Windows under www.gpg4win.org and https://gnupg.org/download/
(Look for the AppImage).

---> Okular in General

Okular is probably the best open source document viewer there is. Due to its
modular architecture it combines the achievements of several document handling
projects in a single, accessible interface. It has recently been awarded the
"Blue Angel" for eco friendly software.

KDE Promo -> Please expand here :)

We consider Okular to have the highest security standards already, but to reduce
the attack surface even further our packaging will contain a stripped
down edition of Okular that only comes with PDF support and no support
for any active content. [1]

The fully featured Okular from the Windows Store will be promoted by the GnuPG
edition and recommended to anyone seeking the best User Experience.

Added Okular in GnuPG VS-Desktop will come free of charge to our customers. And
enable many people in the industry and public sector to have a supported
alternative to their Adobe reader installed on their systems. Gpg4win with its
dominant market share for file and mail encryption should also greatly promote
Okular as an alternative document viewer for Windows.

---> Why Okular with GnuPG

Since 2021 Okular got support to sign PDFs with Mozilla NSS. This was great
already since before we had to use a proprietary tool on a Windows VM to sign
existing PDFs. And while the laws behind it took effect over the last decade [2]
signing PDFs has become more and more important esp. with the increase in
remote work in recent years.

With GnuPG we bring support of our whole backend with all the algorithms
available. Quite important in Europe as this includes support for the preferred
Brainpool ECC curves in Europe as an alternative to the NIST curves.

And where Mozilla might need proprietary PKCS#11 bridges to smartcards GnuPG
has completely open source support for a multitude of smartcards.
And of course we consider the certificate management in Kleopatra to be much
nicer and that it gives users and Administrators much better control about the
acceptable certificate authorities.

---> Status and plans

For now we plan to include our edition of Okular in Gpg4win, marked as
experimental for the first release, and we consider this more of a technical
demonstration for early adopters and a basis for future work.

It works, but the User Experience is not really where we think it should be.
Especially the support for qualified signatures and their promotion is lacking,
which we consider a core feature for business and power users.

With added feedback we will continue to improve the support and integration,
both in the backend and in Okular. With a strong focus on stability and
reliability across the board.

While it is possible with GnuPG to create a self-signed S/MIME certificate
based on an OpenPGP key you will still need an S/MIME certificate as these are
the only ones considered legal. But as there can be use cases, e.g. for internal
signatures, for OpenPGP, too, we might consider making this easier and better
integrated in the future.




1: Anecdote: We have customers that redirect incoming PDFs by Mail, e.g. from
Applicants to a throwaway Virtual Machine, open it there, let it make
screenshots of each page and then resend the pictures instead of the PDF
document to the original recipient.

2: https://en.wikipedia.org/wiki/Qualified_electronic_signature
