saltpack.org makes it difficult to understand how to decrypt messages

[kevinburke]

My friend send me a message on Slack with a BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE prelude. I typed this phrase into Google, landed on saltpack.org and have been trying to figure out how to decrypt the message.

I've scanned the sidebar, read the intro, read the homepage, read https://saltpack.org/signing-format, read https://saltpack.org/implementations. I ran go get github.com/keybase/saltpack and expected to find a saltpack binary on my $PATH - I could then call saltpack -h and maybe learn about decryption options, but that also failed. I'd rather not write a Go main function to decrypt the message.

I expected to find something like this:

Decrypting messages with Saltpack

To decrypt messages, save the encrypted message to a file, then run keybase decrypt foo.bar or call saltpack decrypt file.name

or whatever other instructions I need.

Or a list item in the sidebar that says "decrypting messages", or something.

[maxtaco]

The real issue here is how to deal with key management, which as you might guess, is thorny...

[kevinburke]

I'm not so sure; I had (and have) a valid key, I just had no clue how to decrypt the message.

[maxtaco]

We can make an issue for this; it seems reasonable, but it's probably not going to get much attention in the short term. In the mean time, can you try the python version?

[maxtaco]

(or the full keybase binary)

[kevinburke]

The instruction I needed was keybase decrypt --infile <file>. I guess it would be nice if this instruction was more prominent or had a heading somewhere on the page.

[edent]

I can't find any way to verify a Saltpack message online.

The first Google result is this issue https://www.google.co.uk/search?q=saltpack+decode

I just want a box people can paste a signed message into, which will then show the contents and verify the signer.

[oconnor663]

Updating the PGP verification box into a PGP/Saltpack verification box is one of our TODO's, yes. (In the other direction, it should be possible to encrypt anonymous messages from the browser too. Unfortunately, not being able to decrypt them in the browser is kind of inherently confusing, and we'll need to figure out how to present that to people gracefully.)

[totedati]

I can't find any way to verify a Saltpack message online.
Well, first you need to install keybase. Then in your terminal:
keybase verify -m "copy-paste your saltpack encrypted message"
If sender message is unknown you will get some error message like this

ERROR Verification failed: For user blablabla : sender key revoked
Then you need to force decryption with
keybase verify -f -m "saltpack encrypted message"