This repository has been archived by the owner on Nov 7, 2023. It is now read-only.

Please re-publish on App Store #132

Open
zobo opened this issue Mar 1, 2023 · 4 comments

Comments

@zobo

zobo commented Mar 1, 2023

I changed phones and the app is not available for download anymore.
What would it take to recompile and republish the app?

I do some iOS/Flutter development lately and can assist.

@wisq

wisq commented Mar 4, 2023

Push notifications also seem broken.

My Mac can still wake up my phone to SSH / sign things, but only because it has bluetooth to the phone. Turn that off, or run SSH/codesign on a remote server, and I have to actually manually foreground the app to use it.

Of course, my first reaction to "push notifications are broken" would be to delete and reinstall the app, but a) that would require generating a new key and updating it everywhere, b) it might not solve anything, and c) it sounds like I wouldn't even be able to reinstall the app because of this issue.

If Kryptco is not interested in maintaining Krypton any more, can we complete the transition and make Krypton an open-source, community-run app? There's still a bunch of us who have been using this for years and would like to continue doing so.

@zobo
Author

zobo commented Mar 5, 2023

I had this way back, in #129.

I can tell you removing and installing the iOS app did NOT cause it to generate a new key. It was kept in the Secure Enclave.

Of course, if you remove it now, where will you install it from?

The problem with the OSS model is that somebody needs to own and pay for the Apple Developer account, the AWS account, Google Play. All these also require some form of legal entity...

I'd gladly put some effort into this, but does anyone know a model or a similar project where this works?

@wisq

wisq commented Mar 6, 2023

Worth noting that only some keys end up in the secure enclave. See #73.

Ed25519 and RSA keys (for SSH / git) are not stored in the secure enclave, as far as I can tell from the source code — according to the linked bug, it was impossible to do so at the time, owing to the enclave's limited cipher support. It's possible that enclave support was added since that bug was posted, but since Krypton hasn't been updated for years, well …

Also, even if they properly open-sourced the client-side code (i.e. gave it a proper license so someone could pick it up), I'm fairly certain there's additional back-end code that they haven't published whatsoever. So yeah, if someone's looking to make an OSS iOS authenticator, Krypton may be a difficult place to start.

In case Krypton never re-publishes their app, I've done some research into Krypton alternatives:

  • Chiff looks like basically a drop-in replacement. It's OSS in pretty much exactly the same way that Krypton is — the front-end code is all available (but "all rights reserved", no ability to fork it), the command-line code (a la kr) is GPLed, the back-end code is completely unavailable. So while it seems like a clean migration path from Krypton, you're still locking yourself in to an effectively proprietary solution that only lasts as long as they feel like maintaining it.
  • secretive does something similar for macOS's Secure Enclave. You don't get the extra safety of having your key on a more locked-down device like an iPhone, but you do get the benefit of access control & non-exportability.
  • 1Password also offers SSH agent functionality using SSH keys stored in your 1Password vault, and can git-sign using those keys. Non-free (in both senses of the word), but for those who already use it as their password manager (like myself), it may be a reasonable migration path — especially since their paid subscription model gives them much more incentive to continue maintaining their software longer than a free-for-personal-use service like Krypton or Chiff. But of course, "put your keys on 1PW's servers" is pretty much the exact opposite of using the secure enclave, so it's only a replacement in the "ease of use" sense, rather than the "maximum security" sense.
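
As an added illustration of the point above about which keys can live in the enclave (example code written for this page, not Krypton's, Secretive's or Apple's sample code): the Secure Enclave only generates 256-bit elliptic-curve keys, so the same `SecKeyCreateRandomKey` call succeeds for P-256 and is refused for RSA, which is why an SSH RSA or Ed25519 key has to be held in software instead. The access-control flags, the ephemeral (non-permanent) key attribute and the sample message are assumptions of the example.

```swift
import Foundation
import Security

/// Added example (not Krypton's code): try to create a private key inside the
/// Secure Enclave for the given key type. Returns nil if the enclave refuses.
func makeSecureEnclaveKey(type: CFString, bits: Int) -> SecKey? {
    var error: Unmanaged<CFError>?

    // Assumed policy: key usable for signing only while the device is unlocked,
    // never migrated to another device. The private half never leaves the enclave.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .privateKeyUsage,
        &error
    ) else {
        print("access control:", error!.takeRetainedValue())
        return nil
    }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: type,
        kSecAttrKeySizeInBits as String: bits,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave, // ask for an enclave-backed key
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: false, // assumption: ephemeral, not persisted to the keychain
            kSecAttrAccessControl as String: access,
        ],
    ]

    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        print("\(type) \(bits)-bit in Secure Enclave refused:", error!.takeRetainedValue())
        return nil
    }
    return key
}

// P-256 EC: the one key type the Secure Enclave will generate.
let ecKey = makeSecureEnclaveKey(type: kSecAttrKeyTypeECSECPrimeRandom, bits: 256)
print("EC P-256 in Secure Enclave:", ecKey != nil)

// RSA: refused by the enclave, so an SSH RSA key cannot get the same protection.
let rsaKey = makeSecureEnclaveKey(type: kSecAttrKeyTypeRSA, bits: 2048)
print("RSA-2048 in Secure Enclave:", rsaKey != nil)

// Prove the enclave key is usable: sign a constructed message with ECDSA/SHA-256.
if let ecKey = ecKey {
    let message = Data("constructed sample message".utf8) // constructed input
    var signError: Unmanaged<CFError>?
    if let signature = SecKeyCreateSignature(
        ecKey, .ecdsaSignatureMessageX962SHA256, message as CFData, &signError
    ) as Data? {
        // Verify with the public half, which can be exported; the private half cannot.
        let pub = SecKeyCopyPublicKey(ecKey)!
        let ok = SecKeyVerifySignature(
            pub, .ecdsaSignatureMessageX962SHA256, message as CFData, signature as CFData, &signError
        )
        print("ECDSA signature bytes:", signature.count, "verifies:", ok)
    } else {
        print("signing failed:", signError!.takeRetainedValue())
    }
}
```

This has to run on hardware that actually has a Secure Enclave; the iOS simulator and an unsigned command-line build on macOS may not be able to reach it, in which case even the P-256 call fails with an entitlement or token error rather than demonstrating the RSA restriction.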

@zobo
Author

zobo commented Mar 6, 2023

I did some work on the kr part back then and made it work on windows, but it never got merged. There is no "secret" backend. It uses AWS's SQS to exchange messages between phones and clients (kr, browser).

I tried to compile the iPhone client, but iOS development is so messed up I'd need to change all bundle IDs, buy myself a different account not to mess up my company profile... ugh...

I'll try to send a mail, but I'm not sure who owns this thing now - I'm afraid Amazon...

2 participants