firstlookmedia / autocanary Goto Github PK

Autocanary.pkg Verification Failed: 153
GPGErrorKeyExpired = 153,

I've installed Gpg4win via chocolatey and it puts in the x86 directory and autocanary refuses to start at all because it can't detect it.

Would it not be a good idea to auto pull (RSS) a news headline or sports score to prove that this information has been generated now and not some time in the past?

To use the same toolchain as GPG Sync.

Just noticed that, installing AutoCanary on a brand new Debian computer, I get this error:

$ autocanary 
Traceback (most recent call last):
  File "/usr/bin/autocanary", line 2, in <module>
    import autocanary
  File "/usr/lib/python2.7/dist-packages/autocanary/__init__.py", line 18, in <module>
    from autocanary import *
  File "/usr/lib/python2.7/dist-packages/autocanary/autocanary.py", line 21, in <module>
    from headlines import Headlines
  File "/usr/lib/python2.7/dist-packages/autocanary/headlines.py", line 20, in <module>
    import feedparser
ImportError: No module named feedparser

The description in this repo contain broken link: (return "Not Found")

Makes generating machine-readable, digitally signed warrant canary statements simpler https://firstlook.org/code/autocanary

fix:
change link to:
https://code.firstlook.media/projects/autocanary.html

I just tried the OSX package from (here)[https://firstlook.org/code/project/autocanary/]. It installs fine. However, when I run it I see this pop-up:

And get the following message in Console.app

   Console[3221]: setPresentationOptions called with NSApplicationPresentationFullScreen when there is no visible fullscreen window; this call will be ignored.

Blockchains (such as Bitcoin) can be used to provide secure proof of freshness, see how&why it's implemented in QubesOS canaries:
QubesOS/qubes-secpack@23467cb
QubesOS/qubes-issues#2685 "secpack: use Bitcoin block hash in freshness proof for canaries"

1. in autocanary/_init_.py:
   https://github.com/firstlookmedia/autocanary/blob/master/autocanary/__init__.py#L452

<a href="http://gpg4win.org/">Gpg4win

fix:
change to https://gpg4win.org/

FYi, AutoCanary failed to run in OSX 10.8.5, with the following from Console:

5/27/15 2:07:37.182 PM AutoCanary[13142]: Traceback (most recent call last):
5/27/15 2:07:37.182 PM AutoCanary[13142]: File "/Applications/AutoCanary.app/Contents/Resources/boot.py", line 351, in
5/27/15 2:07:37.183 PM AutoCanary[13142]: _run()
5/27/15 2:07:37.183 PM AutoCanary[13142]: File "/Applications/AutoCanary.app/Contents/Resources/boot.py", line 336, in _run
5/27/15 2:07:37.183 PM AutoCanary[13142]: exec(compile(source, path, 'exec'), globals(), globals())
5/27/15 2:07:37.183 PM AutoCanary[13142]: File "/Applications/AutoCanary.app/Contents/Resources/autocanary.py", line 2, in
5/27/15 2:07:37.184 PM AutoCanary[13142]: autocanary.main()
5/27/15 2:07:37.184 PM AutoCanary[13142]: File "autocanary/autocanary.pyc", line 362, in main
5/27/15 2:07:37.186 PM AutoCanary[13142]: File "autocanary/gnupg.pyc", line 68, in seckeys_list
5/27/15 2:07:37.186 PM AutoCanary[13142]: IndexError: list index out of range
5/27/15 2:07:37.204 PM AutoCanary[13142]: AutoCanary Error

The settings loading use pickle.load method
https://github.com/firstlookmedia/autocanary/blob/master/autocanary/settings.py#L61

which from the documentation:
https://docs.python.org/3/library/pickle.html

The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

more information about how it can be exploited:
https://lincolnloop.com/blog/playing-pickle-security/

thus it will be better to use JSON instead for storing and loading the settings (to avoid the code injection security issue)

This is the same issue as onionshare/onionshare#75, and I believe I have fixed it by installing python from python.org instead of relying on what comes with OSX.

I use Ubuntu in Czech and month names in AutoCanary are in Czech (Qt does this), but with wrong encoding.

Installing on Windows 10 gives me a fatal error box that reads failed to execute script autocanary

The URL on the front page of the repo (https://www.firstlook.media/code/autocanary) no longer goes anywhere. Should this be removed, or pointed to an archive.org snapshot, if the webpage isn't going to be restored?

AutoCanary fails to sign message on OS X 10.10.3 with GPG Keychain 1.2b6.

System log

5/27/15 5:45:32.782 PM AutoCanary[96859]: WARNING: The Gestalt selector gestaltSystemVersion is returning 10.9.3 instead of 10.10.3. Use NSProcessInfo's operatingSystemVersion property to get correct system version number.
Call location:
5/27/15 5:45:32.782 PM AutoCanary[96859]: 0   CarbonCore                          0x00007fff920d02b7 ___Gestalt_SystemVersion_block_invoke + 113
5/27/15 5:45:32.782 PM AutoCanary[96859]: 1   libdispatch.dylib                   0x00007fff963bac13 _dispatch_client_callout + 8
5/27/15 5:45:32.782 PM AutoCanary[96859]: 2   libdispatch.dylib                   0x00007fff963bab26 dispatch_once_f + 117
5/27/15 5:45:32.782 PM AutoCanary[96859]: 3   CarbonCore                          0x00007fff92059456 _Gestalt_SystemVersion + 987
5/27/15 5:45:32.782 PM AutoCanary[96859]: 4   CarbonCore                          0x00007fff920586e3 Gestalt + 144
5/27/15 5:45:32.782 PM AutoCanary[96859]: 5   QtCore                              0x0000000107f52f46 _ZN9QInternal12callFunctionENS_16InternalFunctionEPPv + 2190
5/27/15 5:45:32.782 PM AutoCanary[96859]: 6   ???                                 0x00007fff6eb41ceb 0x0 + 140735050685675
5/27/15 5:45:36.961 PM AutoCanary[96859]: QPixmap::scaled: Pixmap is a null pixmap

5/27/15 5:46:39.866 PM AutoCanary[96859]: gpg: problem with the agent: Timeout
5/27/15 5:46:39.866 PM AutoCanary[96859]: gpg: no default secret key: Operation cancelled
5/27/15 5:46:39.866 PM AutoCanary[96859]: gpg: /var/folders/_d/gz7_v74n1jb3jpq158gr88sc0000gn/T/tmppALvLE/message: clearsign failed: Operation cancelled
5/27/15 5:46:39.875 PM AutoCanary[96859]: QPixmap::scaled: Pixmap is a null pixmap
5/27/15 5:46:46.264 PM AutoCanary[96859]: modalSession has been exited prematurely - check for a reentrant call to endModalSession:
5/27/15 5:46:46.265 PM AutoCanary[96859]: 2015-05-27 17:46:46.264 AutoCanary[96859:12844231] modalSession has been exited prematurely - check for a reentrant call to endModalSession:

Diagnostic log

5/27/15 5:38:58.558 PM syspolicyd[13826]: assessment denied for AutoCanary.pkg but overridden
com.apple.message.domain: com.apple.security.assessment.outcome2
com.apple.message.signature2: bundle:UNBUNDLED
com.apple.message.signature3: AutoCanary.pkg
com.apple.message.signature5: UNKNOWN
com.apple.message.signature4: 2
com.apple.message.signature: defeated:Developer ID
SenderMachUUID: 730F2AA1-75F5-362E-A3C5-9424449D7498

Command:         AutoCanary
Path:            /Applications/AutoCanary.app/Contents/MacOS/AutoCanary
  11  start + 52 (AutoCanary + 3044) [0x100000be4]
  11  main + 650 (AutoCanary + 4474) [0x10000117a]
  11  ??? (AutoCanary + 10075) [0x10000275b]
Process:         AutoCanary [93719]
Path:            /Applications/AutoCanary.app/Contents/MacOS/AutoCanary
  11  start + 52 (AutoCanary + 3044) [0x100000be4] 1-11
    11  main + 650 (AutoCanary + 4474) [0x10000117a] 1-11
      11  ??? (AutoCanary + 10075) [0x10000275b] 1-11
         0x100000000 -        0x100009fff  org.pythonmac.unspecified.AutoCanary 0.1 (0.1) <FFD751CA-37B6-3FAC-9CF0-413E01DAA81D>  /Applications/AutoCanary.app/Contents/MacOS/AutoCanary
Parent:          AutoCanary [93719]
Responsible:     AutoCanary [93719]

The macOS installer package is not signed like your other apps and can't be opened on Catalina:

Consider adding optional functionality to include 'today's headlines' from a news site in canary generation in order to prove current date.

This could be done by incorporating the rss feed of a popular news site.

Hey, after Reddit case, maybe you should update the disclaimer?

"This is the big murky legal question. Frankly, nobody really knows how this would go down in court."

On line 41 of install/autocanary.nsi, the installer references an HTTP address: http://timestamp.globalsign.com/scripts/timstamp.dll.

Beyond the security risk an insecure request constitutes, the page itself redirects to https://www.globalsign.com/en/timestamp-service/, which does not seem like a timestamp. (It's a marketing page.) Perhaps the intended URL has changed?

Screenshot of the page that http://timestamp.globalsign.com/scripts/timstamp.dll redirects to (https://www.globalsign.com/en/timestamp-service/).

This is potentially the underlying issue behind #30?

I would submit a fix as a PR, but have no way of properly testing the changes because I am not running a Windows machine.

Thanks!

BUILD.md tells you how to build AutoCanary.app, which is great for releasing, but not developing.

For development, if you want to run the app locally, you can run python autocanary.py (I imagine... I currently have the issue in #6).

Can you add a note about that in BUILD.md (or maybe make a CONTRIBUTING.md)? I'm not sure of the wording, or how it'd work on Windows, which I why I didn't open PR.

u2019 and U+2026 so far prevent signing from completion. There may be more.

UnicodeEncodeError: 'ascii' codec can't encode character u'\u2026' in position 833: ordinal not in range(128)
UnicodeEncodeError: 'ascii' codec can't encode character u'\u2019' in position 575: ordinal not in range(128)

Canary Watch is an warrant canary tracking website - https://canarywatch.org/

Consider adding language to suggest signing up for Canary Watch or adding a field in the application to do this.