OMEMO signatures

This is a proof-of-concept script that takes OMEMO encryption keys from gajim to sign and verify messages. The signatures are read/written as hexadecimal (base16).

Requirements

omemo plugin from gajim-plugins is provided in this repository, because otherwise trying to import it from actual gajim plugins tries to launch too many things (and fails). It is assumed gajim with OMEMO plugin is working properly and so python-axolotl library is installed system-wide.

These scripts were tested with Gajim 1.3.1 keys. I have no idea if the format has changed lately.

Where to find your keys

As i have no idea what in the hell i'm doing with this python code and the many ways it can fail, i'd recommend using a copy of your actual keys. The Gajim keys are usually stored in ~/.local/share/gajim/in an SQLite database called youraccount@yourserver.db

Running tests

There's three tests embedded in the demo.py script:

• a good signature is properly validated
• a bad signature with a good message is properly discarded
• a "good" signature with an altered message is properly discarded

You can run the tests by running demo.py YOURKEY.db. Example run:

OK: Good signature is verified.
OK: Wrong signature is not verified.
OK: Wrong message is not verified.

Signing and verifying arbitrary messages

There is a sign.py and a verify.py script, demo:

$ ./sign.py ~/omemo.db "HELLO, WORLD!"
5bda8b40942327dad03b9c869b00d3416e9fc07f3d3df5dc694ddeae1d377889a541beada6839bfee63955c669bf33b78ef269c8087a77c40e14bb1b39fa5c8f
$ ./verify.py ~/omemo.db "HELLO, WORLD!" "5bda8b40942327dad03b9c869b00d3416e9fc07f3d3df5dc694ddeae1d377889a541beada6839bfee63955c669bf33b78ef269c8087a77c40e14bb1b39fa5c8f"
Signature OK

License

This work is too short and generic and does not have any license applied. Gajim OMEMO plugin is license GPLv3.

Contributing

I will not accept patches for this. It's a simple proof-of-concept.