Remove protected chats #7116
Open
Remove protected chats #7116
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
link2xt
force-pushed
the
link2xt/ykltkokxntvk
branch
from
c7e6f1c to
e180d7f
Compare
link2xt
commented
Aug 16, 2025
| @@ -85,7 +96,7 @@ pub(crate) struct MimeMessage { | |||
|
|
|||
| /// The addresses for which there was a gossip header | |||
| /// and their respective gossiped keys. | |||
| pub gossiped_keys: HashMap<String, SignedPublicKey>, | |||
| pub gossiped_keys: BTreeMap<String, GossipedKey>, | |||
There was a problem hiding this comment.
Using BTreeMap so iteration is deterministic and golden tests don't accidentally change because of the order of elements in a map.
| mimeparser: &MimeMessage, | ||
| ) -> Result<()> { | ||
| if mimeparser.get_header(HeaderDef::ChatVerified).is_none() { |
There was a problem hiding this comment.
Old Chat-Verified mechanism is completely ignored here.
All the tests now work using only the new mechanism.
| @@ -34,88 +34,112 @@ Content-Transfer-Encoding: 7bit | |||
|
|
|||
| -----BEGIN PGP MESSAGE----- | |||
|
|
|||
| wU4D5tq63hTeebASAQdATHbs7R5uRADpjsyAvrozHqQ/9nSrspwbLN6XJKuR3xcg | |||
There was a problem hiding this comment.
Payload here is replaced to have no Chat-Verified header inside and have _verified=1 in gossip headers. Payload got larger likely because rsop does not do compression and I had to reencrypt the payload.
link2xt
force-pushed
the
link2xt/ykltkokxntvk
branch
4 times, most recently
from
867c2ba to
780ca50
Compare
link2xt
force-pushed
the
link2xt/ykltkokxntvk
branch
3 times, most recently
from
53d6a2d to
a6301b9
Compare
link2xt
force-pushed
the
link2xt/ykltkokxntvk
branch
11 times, most recently
from
88700f4 to
5b31b5d
Compare
link2xt
force-pushed
the
link2xt/ykltkokxntvk
branch
from
6b67844 to
6052d1a
Compare
The messages are end-to-end encrypted in encrypted group regardless of whether the group is protected or not.
This mechanism replaces `Chat-Verified` header. New parameter `_verified=1` in `Autocrypt-Gossip` header marks that the sender has the gossiped key verified. Using `_verified=1` instead of `_verified` because it is less likely to cause troubles with existing Autocrypt header parsers. This is also how https://www.rfc-editor.org/rfc/rfc2045 defines parameter syntax.
UIs now display green checkmark in a profile if the contact is verified. Chats with key-contacts cannot become unprotected, so there is no need to check 1:1 chat.
Create unprotected group in test_create_protected_grp_multidev The test is renamed accordingly. SystemMessage::ChatE2ee is added in encrypted groups regardless of whether they are protected or not. Previously new encrypted unprotected groups had no message saying that messages are end-to-end encrypted at all.
link2xt
force-pushed
the
link2xt/ykltkokxntvk
branch
from
6052d1a to
4e956bd
Compare
link2xt
force-pushed
the
link2xt/ykltkokxntvk
branch
from
f1389dd to
701dafe
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Since key-contacts cannot change their keys and having "verification" is less important for contact identification than having a chat history or shared chats with a contact, UIs have stopped displaying green checkmarks everywhere (deltachat/deltachat-android#3828).
There was also a bug #7107 (closed in #7113) that resulted in updating "verified by" information for already verified contacts, so the information about "verifiers" is lost.
We also want to make "verification" more meaningful by only verifying contacts if contact QR code is scanned directly within a short period of time and not just because someone used an invite link to join the group: #7111
Because of this it makes sense to reset existing verification status for contacts and start from scratch.
We can also allow to remove verification from contacts (https://support.delta.chat/t/how-would-i-remove-the-verified-checkmarks-from-one-invite-code-in-retrospect/3403) as it will not break "protected" chats anymore, but this is out of scope for this PR.
The plan is to stop creating new "protected" chats, convert already "protected" group chats into just group chats, reset existing verifications and switch to a new mechanism for verification gossip so old verifications don't resurrect via gossip.
What this PR does:
Chat-Verified: 1header._verifiedattribute forAutocrypt-Gossipand use it to indirectly verify key-contacts when such attribute is received from a verified contact (whether directly verified or not).is_protection_brokenAPIs.is_profile_verifiedAPI.add_partsthat result in "The message was sent by non-verified contact" messages. We likely don't need to passverified_encryptionaround, it is only used to decide whether we want to accept verification gossip from the contact.Chat.is_protected()APIs.dc_contact_is_verifieddocumentation.To close #7111 we also need to:
Closes #7080 (replace verification gossip mechanism with a new one that works using Autocrypt-Gossip header and is independent of "protected chats")
Closes #7112 (removing deprecated and unneeded APIs)