DM me if you’d like to discuss further consulting on this project. I do think I could help you. However, reaching a proper design for this that is actually appropriate for your situation is non-trivial, goes beyond the scope of lemmy thread and would likely be paid.

I would also like these things to be easier and just be able to point you to something existing but the reality is they currently aren’t and such solution isn’t. But if you do push ahead and are open to sharing (potential security tradeoffs there too), maybe you’re in a position to be part of improving that situation.

Because it’s not something people commonly do. Because the GPG authors wanted to design for and encourage what they consider appropriate use and discourage and make difficult (but not impossible) what they consider inappropriate use. Removing a footgun for people not fully understanding the trust model of PGP or just slipping up doing that and then ending up in situations they didn’t account for. In general I could have a lot of criticism of the UI/UX of GPG but in this case I can see where they’re coming from and find this thread supporting it as working as intended so far.

That you need to have deep knowledge of obscure GPG internals to pull this off is by design. It’s not considered part of intended use. Similar thinking to why in Chromium you don’t have a button to bypass HSTS validation error but need to type in the cheat code “thisisunsafe”. It nudges users to stop and think more consciously about what’s going on.

The trust comes from the association. You can’t remove (or keep private) the association and expect to not have to separately rebuild the trust as a consequence. That what you are trying to do is made is inconvenient in GPG is quite intentional I believe. Or maybe I misunderstand your motivations, it’s a bit ambiguous and you leave a lot open for interpretation.

What I hear you say is: This would be convenient and easy for the user. Doing it differently, in a safer way that’s not problematically under scope for data protection regulations, would be more effort, not what you’re used to and “messy”. Certain useful features seem like they’d require more upfront work and the while system would be more complex and unfamiliar.

How is that relevant? None of that changes what you’re actually asking about or makes it a good approach. I don’t see how it’d make it either safer or less legally problematic?

What purpose does (certifying with) the primary key serve there if you don’t disclose it prior to rotation? What do you gain by not disclosing it when its only used in this context? It may be you haven’t thought it through fully but otherwise sounds like you can get what you want by separate primary keys which you then manually --sign-key between on demand.

The mention of Meta in the summary doesn’t fit. The article only mentions them in passing in reference to WhatsApp backups. Misleading and not relevant at all when talking about BitLocker. I think this is an editorial mistake but makes it read like subvertising, which is a shame for reporting on such a serious issue. How Google does keys for ChromeOS and Android would have been much more appropriate to compare with but for some reason this isn’t even mentioned.

There’s a lot to unpack here but just one thing:

Also potentially thinking may get some free webserver (basically like <20 api calls a days max and small dB with maybe 1000 rows) not for security of the data but more just not having open network ports to the internet without having the security infrastructure.

This sounds like the kind of data you really want to keep locally and I wouldn’t trust any free (or even affordable) webhosting business with it. I think it’s wise to keep the db and app server local and terminate the TLS locally too. You can still get a cheap VPS or two that you open a secure VPN (like wireguard) and/or SSH tunnel to. Then on the VPS you run can a second, outer, reverse proxy that forwards requests to your internal one over the gateway link. This way you get to keep the data local and safe without having to expose your home net online.

Many people enjoy Tailscale for this. There are full self-hosted options for that too but it sounds like their solution might fit your situation and requirements.

If even that feels unsafe, I really think you need to step up a bit on segregating and isolating your stuff, maybe do some homework on security, before putting sensitive stuff like this on shared infra…

I don’t want to deal with hippa or be responsible for medical data so I specifically don’t want to host the data

The only (legal) way to not deal with HIPPA is to make sure you’re not in scope for HIPPA. IANAL but it sounds like you (or worse, somebody else) will retain control and management of medical data with your intended approach no matter where you host it and how other users authorize?

You can’t architect, outsource, or encrypt your way out of that. A fully peer-to-peer solution which keeps the data on user devices and under their control and utilizes external server for signalling only but not for relaying or auth might get you there though.

So let’s say you created a PGP key & then proceeded to create 2 subkeys. Is it possible to just export the particular subkeys only. (let’s say one for encryption & the other for signing) for OTHERS to import into their keyring for authentication & encryption ?

For the private key, yes. First identify the subkey ID:

gpg --keyid=format=long -K
sec   ed25519/5810B9EFF21686DE 2026-01-23 [SC] [expires: 2029-01-22]
      C9E33D15E55A3834EE17A9755810B9EFF21686DE
uid                 [ultimate] alice <alice@localhost>
ssb   cv25519/F1806CEA56544D8D 2026-01-23 [E] [expires: 2029-01-22]

Then export it (note the !):

gpg --export-secret-subkeys -a 'F1806CEA56544D8D!'

If you want the pubkey subkey only: What’s your use-case for sharing a certified key without the certificate chain? There are reasons why exporting just the public subkey isn’t really a supported feature (outside of some ugly keyring surgery). If you want unsigned “naked” keys wouldn’t it make sense to not use subkeys at all to begin with? Or more practically, generate separate root keys with matching user/expiry but each with different set of subkeys present (like the example above with only E) ?

Update: There is now a Containerfile producing images using the prebuilt .deb if anyone wants to try the container-based approach to run Konform Browser in podman or docker or whatever. Some basic testing done using rootless podman under either Wayland and X11 on Kinoite and both ran fine.

https://codeberg.org/konform-browser/oci

If you want it to have the dark theming activate depending on your desktop theme it should work by adding -v ${HOME}/.config/gtk-3.0:/home/user/.config/gtk-3.0:ro,z. Or -v ${HOME}/.local/share/konform-browser-1:/home/user:Z for an isolated persistent homedir (similar to Tor Browser).

Can I ask why you decided to fork Librewolf?

I wrote a bit of the "why"s already in the OP. Could expand further for you but what do you have in mind? “Why did you choose librewolf as upstream”, “why fork and not another approach”, “why bother with any of this at all”, …?

Flatpak

Flatpak is something we want and have been looking at already. See here for what’s holding that back. There is already an (untested) repo for it.

Appimage.

While AppImages can be very convenient, we are ambivalent on some their security aspects among other things. Currently not prioritizing it until we have what we consider generally more solid options covered but will consider outside contributions if anyone feels motivated and puts in the effort to makes it happen.

Issue thread for new distribution targets where interested Codeberg users can follow up: https://codeberg.org/konform-browser/source/issues/9

for us atomic users

I see why users prefer flatpaks or appimages but just for consideration some ways I can think of one could run it on an atomic distro today:

• toolbx style running the browser in a rootless podman container ¹
  • Haven’t tried straight up installing it in an actual toolbox container so not sure how well that works but maybe it’s worth a try if that’s something you already use?
• For the Fedora family, should be straightforward to install an .rpm in your overlay
• Run the app from the binary tarball directly on the host, installing it on a user mount somewhere ²
• Use the source, Luke. Build it. ³

¹: Would anyone actually use it if there was a Containerfile for it? We currently don’t have a public one but I can attest this works fine in general and if people indicate interest for it I think it’s a neat idea that Konform Browser could provide that as an option.

²: I think this is fine for testing and short-lived installations but unless you are technical enough to reason about the trust involved and automate for verified updates (or at least getting notifications for them), I wouldn’t recommend it for long-term (>= months) installations so that you don’t get stuck on unpatched versions without thinking about it. This is the least secure way to run it. Not generally recommended for non-technical users.

³: Something I recommend becoming more familiar with in general if one has the time, resources, and patience. The catch with updates applies here too if this is for production use.

If only… What does fox say?

I’m so glad you want to try!

The problem with both that and Flathub is that I can’t seem to pass Githubs signup CAPTCHA whatever I tried (and yes I tried other browsers too lol). Besides, having my old account there arbitrarily blocked on phone number verification in the past, not feeling super keen on having users rely on them for updates, even putting aside whatever I feel about Microsofts and GitHubs role in the ecosystem in general…

However, if anyone would be up for the literal push-part of pushing it up and wouldn’t mind collaborating a bit in the process, would be happy to make that happen together (or use your privilege if you’re motivated; it’s free software yo, just heed the license ;)). There is an Issue thread for coordinating if this is you.

I don’t think it should be too involved as the source repo and source tarballs are built in pretty much the same way as LW, which already has a derivation in nixpkgs. Didn’t look closer at that derivation but hopefully shouldn’t be much more than copying pkgs/applications/networking/browsers/librewolf and replacing some strings.

There is a longer discussion to be had about both what RFP does, how effective it is, and the relative impact on entropy of this particular feature.

For now I will just say that this: Providing configuration for this serves the projects goal of user control and freedom. It should be up to the user to make that call. Us as developer shouldn’t unilaterally decide on behalf of everyone. We can’t think of everything and we don’t always know best. Of course we can still provide guidance and put what we believe is sensible as defaults. I find it odd to criticize empowering users in this way, in particular considering the status quo.

Were it up to me, everyone should have Letterboxing on by default, probably with similar reasoning. I don’t see why you wouldn’t use it. Everyone enabling it would make us all (ever so little) less fingerprintable. Arguably more meaningful impact than dark/light-theme. And less of an accessibility issue. Even so, we still leave this configurable in the same way as the dynamic theming.

You can also see this way of thinking reflected in allowing loading of your own add-ons from file and allowing userChrome customization. Probably niche power-user features with risks involved and sharp edges exposed but we are developers and maintainers of software, not your sysadmins¹ or caretakers².

If you fundamentally disagree, well, not all software has to be for everyone. Probably there is already something else (like Tor Browser) that serves your needs and aligns with your philosophy better?

¹: …xcept… you want us to be your sysadmin? 👉👈 Call me when you close that seed round bb 😘

²: Nope.

LibreWolf is a great project but was killing my eyes at night by not being able to follow dark-theme preferences in Private Mode. So it was forked into what is now Konform Browser. Besides unlocking theming and some other privacy-related tweaks on the preferences pane, it goes even further than LW in disabling built-in remote connections, snoopware, and AI integrations.

If you are a Linux user who haven’t yet found the right Firefox fork for you I hope you will consider it <3

fedi thread

Konform Browser is more recent Firefox (actually LibreWolf) fork which goes even further in debloating, removing “AI” functionality and disabling remote connections. It’s based on Firefox ESR (like GNUZilla IceCat).

fedi thread

If you have concerns about the telemetry and browser metadata privacy parts of AI integrations, I think Konform, IceCat, Waterfox and Mullvad Browser are a lot more relevant than Zen…

Also consider Konform Browser! :3

https://codeberg.org/konform-browser/source/releases

Note: It doesn’t have auto-updates enabled so if you are currently getting security fixes installed automatically for Waterfox/Librewolf and won’t manage to keep the browser up to date yourself, then it may still be a bit early for casual users as an online daily surfboard

Update: Pre-built packages for Debian/Ubuntu (.deb), Fedora/SUSE (.rpm) and others (tarball) are now built and published by Codeberg CI for each release:

https://codeberg.org/konform-browser/source/releases

Update: Pre-built packages for Debian/Ubuntu (.deb), Fedora/SUSE (.rpm) and others (tarball) are now built and published by Codeberg CI for each release:

https://codeberg.org/konform-browser/source/releases

senpai noticed me *^^*

Cheers and thank you for the work!

Red Hat’s out for us I tell you. Hide your display servers and hide your CPU architectures because they be deprecating e’rybody out here.