Closed ppar closed 4 days ago
I just got done with an attempt to setup alphapapa/ement.el.
I had to get the inital verivications using panctl
with trial-and-error but the process was like this
panctl
start-verification @user:domain.tld @user:domain.tld device_id
where the device_id is found in the privacy settings in the Element settingsconfirm-verification @user:domain.tld @user:domain.tld device_id
And I still have the issue where Emacs has Unable to decrypt: The sender's device has not sent us the keys for this message
everywhere although I connected as document in the ement.el documentation.
Also sending requires you to run send-anyways @user:domain.tld !STUFF:matrix.org
and I only managed to do this by hitting tab.
@adham-omran Did you ever get this working? Trying to setup right now and start-verification
is doing nothing.
And I still have the issue where Emacs has
Unable to decrypt: The sender's device has not sent us the keys for this message
everywhere although I connected as document in the ement.el documentation.
I don't use Pantalaimon myself, but from what I've gathered, verification is only one of the required steps. You also need to send/receive the appropriate keys.
And we really, really need these procedures to be documented, correctly, in one place, for all users. I've watched so many users stumble through the process, but it seems that none of them will take a few moments to write down what they did to save the next person the trouble.
I just set it up. Here are the steps for Linux, as of 2024-02-18, using pantalaimon-0.10.5
installed from pip:
Ensure you have an OS keyring installed. In my case I installed gnome-keyring
. You may also want a GUI like seahorse
to inspect the keyring. (pantalaimon will work without a keyring but your client will have to log in with the password every time pantalaimon
is restarted, instead of being able to reuse the access token from the previous successful login.)
Create ~/.config/pantalaimon/pantalaimon.conf
as the README says, except that the Homeserver =
URL should use port 443, not port 8448 as the README says. (Pantalaimon is a client, not a federating server, so 443 is the correct port.)
In case you have prior attempts, clean the slate by deleting the ~/.local/share/pantalaimon
directory.
Start pantalaimon
.
Connect a client to the ListenAddress:ListenPort
you specified in pantalaimon.conf
, eg to 127.0.0.1:8009
, using the same username and password you would've used to login to your homeserver directly.
The login should succeed, but at this point all encrypted messages will fail to decrypt. This is fine.
Start another client that you were already using for your encrypted chats previously. In my case this was app.element.io
, so the rest of the steps here assume that.
Run panctl
. At the prompt, run start-verification <user ID> <user ID> <Element's device ID>
. <user ID>
here is the full user ID like @arnavion:arnavion.dev
. If you only have the one Element session, panctl
will show you the device ID as an autocomplete hint so you don't have to look it up. If you do need to look it up, go to Element -> profile icon -> All Settings -> Sessions, expand the "Current session" item, and the "Session ID" is the device ID.
In Element you will see a popup "Incoming Verification Request". Click "Continue". It will change to a popup containing some emojis, and panctl
will print the same emojis. Click the "They match" button. It will now change to a popup like "Waiting for other client to confirm..."
In panctl
, run confirm-verification <user ID> <user ID> <Element's device ID>
, ie the same command as before but with confirm-verification
instead of start-verification
.
At this point, if you look at all your sessions in Element (profile icon -> All Settings -> Sessions), you should see "pantalaimon" in the "Other sessions" list as a "Verified" session.
Export the E2E room keys that Element was using via profile icon -> Security & Privacy -> Export E2E room keys. Pick any password and then save the file to some path.
Back in panctl
, run import-keys <user ID> <path of file> <password you used to encrypt the file>
. After a few seconds, in the output of pantalaimon
, you should see a log like INFO: pantalaimon: Successfully imported keys for <user ID> from <path of file>
Close and restart the client you had used in step 5, ie the one you want to connect to pantalaimon
. Now, finally, you should be able to see the encrypted chats be decrypted.
Delete the E2E room keys backup file from step 12. You don't need it any more.
If in step 11 you had other unverified sessions from pantalaimon from your prior attempts, you can sign out of them too.
You will probably have to repeat steps 12-15 any time you start a new encrypted chat in Element.
@Arnavion Thanks, that's a very concise step-by-step guide!
This is fixed thanks to @Arnavion's comment which has now been added to the README.
This is a bind long-winded, but I decided to roll these thoughts into a single ticket since they mostly address the same point from different angles.
I'm happy to provide some documentation PRs if/when I get pantalaimon working for myself and understand these missing bits.
Also related: https://github.com/matrix-org/pantalaimon/issues/155
TL/DR
As a Matrix end user (not familiar with Matrix internals, but able to run a UNIX daemon in general), the steps to take after installing Pantalaimon and creating my config file are not very clear.
How do I get to a point where pantalaimon is en/decrypting my messages, and my encrypted message history is visible in my client?
Missing step-by-step instructions
The "Usage" chapter in the README and/or the man pages should answer questions like:
panctl
- if so, what and in which order?The animated gif at the top or the README alludes to some kind of workflow, but obviously an animation like this is impossible to follow.
DBUS / UI?
This paragraph in README.md is confusing:
pantalaimon[ui]
makes pantalaimon expose a DBUS service that panctl can connect to? Then it's not a UI, it's an API.What does the "If user interaction is required pantalaimon will send out OS notifications which the user can react to." part in the pantalaimon(8) man page mean in practice?
panctl man page
The man page for
panctl
only covers syntax, not semantics or purpose: