feat: key-contacts (#6796)

This change introduces a new type of contacts
identified by their public key fingerprint
rather than an e-mail address.

Encrypted chats now stay encrypted
and unencrypted chats stay unencrypted.
For example, 1:1 chats with key-contacts
are encrypted and 1:1 chats with address-contacts
are unencrypted.
Groups that have a group ID are encrypted
and can only contain key-contacts
while groups that don't have a group ID ("adhoc groups")
are unencrypted and can only contain address-contacts.

JSON-RPC API `reset_contact_encryption` is removed.
Python API `Contact.reset_encryption` is removed.
"Group tracking plugin" in legacy Python API was removed because it
relied on parsing email addresses from system messages with regexps.

Co-authored-by: Hocuri <[email protected]>
Co-authored-by: iequidoo <[email protected]>
Co-authored-by: B. Petersen <[email protected]>

Author: 4 people

CHANGELOG.md

@@ -289,8 +289,8 @@
 
 - Use vCard in TestContext.add_or_lookup_contact().
 - Remove test_group_with_removed_message_id.
-- Use add_or_lookup_email_contact() in get_chat().
-- Use add_or_lookup_email_contact in test_setup_contact_ex.
+- Use add_or_lookup_address_contact() in get_chat().
+- Use add_or_lookup_address_contact in test_setup_contact_ex.
 - Use vCards more in Python tests.
 - Use TestContextManager in more tests.
 - Use vCards to create contacts in more Rust tests.

assets/icon-address-contact.png

@@ -0,0 +1,7 @@
+BEGIN:VCARD
+VERSION:4.0
+EMAIL:[email protected]
+FN:Statistics bot
+KEY:data:application/pgp-keys;base64,xjMEZbfBlBYJKwYBBAHaRw8BAQdABpLWS2PUIGGo4pslVt4R8sylP5wZihmhf1DTDr3oCMPNHDxzZWxmX3JlcG9ydGluZ0B0ZXN0cnVuLm9yZz7CiwQQFggAMwIZAQUCZbfBlAIbAwQLCQgHBhUICQoLAgMWAgEWIQTS2i16sHeYTckGn284K3M5Z4oohAAKCRA4K3M5Z4oohD8dAQCQV7CoH6UP4PD+NqI4kW5tbbqdh2AnDROg60qotmLExAEAxDfd3QHAK9f8b9qQUbLmHIztCLxhEuVbWPBEYeVW0gvOOARlt8GUEgorBgEEAZdVAQUBAQdAMBUhYoAAcI625vGZqnM5maPX4sGJ7qvJxPAFILPy6AcDAQgHwngEGBYIACAFAmW3wZQCGwwWIQTS2i16sHeYTckGn284K3M5Z4oohAAKCRA4K3M5Z4oohPwCAQCvzk1ObIkj2GqsuIfaULlgdnfdZY8LNary425CEfHZDQD5AblXVrlMO1frdlc/Vo9z3pEeCrfYdD7ITD3/OeVoiQ4=
+REV:20250412T195751Z
+END:VCARD

assets/icon-address-contact.svg

@@ -3838,6 +3838,21 @@ int             dc_chat_can_send              (const dc_chat_t* chat);
 int             dc_chat_is_protected         (const dc_chat_t* chat);
 
 
+/**
+ * Check if the chat is encrypted.
+ *
+ * 1:1 chats with key-contacts and group chats with key-contacts
+ * are encrypted.
+ * 1:1 chats with emails contacts and ad-hoc groups
+ * created for email threads are not encrypted.
+ *
+ * @memberof dc_chat_t
+ * @param chat The chat object.
+ * @return 1=chat is encrypted, 0=chat is not encrypted.
+ */
+int             dc_chat_is_encrypted         (const dc_chat_t *chat);
+
+
 /**
  * Checks if the chat was protected, and then an incoming message broke this protection.
  *
@@ -6886,6 +6901,7 @@ void dc_event_unref(dc_event_t* event);
 /// "End-to-end encryption preferred."
 ///
 /// Used to build the string returned by dc_get_contact_encrinfo().
+/// @deprecated 2025-06-05
 #define DC_STR_E2E_PREFERRED              34
 
 /// "%1$s verified"
@@ -6898,12 +6914,14 @@ void dc_event_unref(dc_event_t* event);
 ///
 /// Used in status messages.
 /// - %1$s will be replaced by the name of the contact that cannot be verified
+/// @deprecated 2025-06-05
 #define DC_STR_CONTACT_NOT_VERIFIED       36
 
 /// "Changed setup for %1$s."
 ///
 /// Used in status messages.
 /// - %1$s will be replaced by the name of the contact with the changed setup
+/// @deprecated 2025-06-05
 #define DC_STR_CONTACT_SETUP_CHANGED      37
 
 /// "Archived chats"
@@ -7293,6 +7311,7 @@ void dc_event_unref(dc_event_t* event);
 /// "%1$s changed their address from %2$s to %3$s"
 ///
 /// Used as an info message to chats with contacts that changed their address.
+/// @deprecated 2025-06-05
 #define DC_STR_AEAP_ADDR_CHANGED          122
 
 /// "You changed your email address from %1$s to %2$s.
@@ -7599,6 +7618,7 @@ void dc_event_unref(dc_event_t* event);
 /// "The contact must be online to proceed. This process will continue automatically in background."
 ///
 /// Used as info message.
+/// @deprecated 2025-06-05
 #define DC_STR_SECUREJOIN_TAKES_LONGER 192
 
 /// "Contact". Deprecated, currently unused.

assets/self-reporting-bot.vcf

@@ -3153,6 +3153,18 @@ pub unsafe extern "C" fn dc_chat_is_protected(chat: *mut dc_chat_t) -> libc::c_i
     ffi_chat.chat.is_protected() as libc::c_int
 }
 
+#[no_mangle]
+pub unsafe extern "C" fn dc_chat_is_encrypted(chat: *mut dc_chat_t) -> libc::c_int {
+    if chat.is_null() {
+        eprintln!("ignoring careless call to dc_chat_is_encrypted()");
+        return 0;
+    }
+    let ffi_chat = &*chat;
+
+    block_on(ffi_chat.chat.is_encrypted(&ffi_chat.context))
+        .unwrap_or_log_default(&ffi_chat.context, "Failed dc_chat_is_encrypted") as libc::c_int
+}
+
 #[no_mangle]
 pub unsafe extern "C" fn dc_chat_is_protection_broken(chat: *mut dc_chat_t) -> libc::c_int {
     if chat.is_null() {
@@ -4303,6 +4315,7 @@ pub unsafe extern "C" fn dc_contact_get_verifier_id(contact: *mut dc_contact_t)
         .context("failed to get verifier")
         .log_err(ctx)
         .unwrap_or_default()
+        .unwrap_or_default()
         .unwrap_or_default();
 
     verifier_contact_id.to_u32()

deltachat-ffi/deltachat.h

@@ -354,6 +354,20 @@ impl CommandApi {
         Ok(ctx.get_blobdir().to_str().map(|s| s.to_owned()))
     }
 
+    /// If there was an error while the account was opened
+    /// and migrated to the current version,
+    /// then this function returns it.
+    ///
+    /// This function is useful because the key-contacts migration could fail due to bugs
+    /// and then the account will not work properly.
+    ///
+    /// After opening an account, the UI should call this function
+    /// and show the error string if one is returned.
+    async fn get_migration_error(&self, account_id: u32) -> Result<Option<String>> {
+        let ctx = self.get_context(account_id).await?;
+        Ok(ctx.get_migration_error())
+    }
+
     /// Copy file to blob dir.
     async fn copy_to_blob_dir(&self, account_id: u32, path: String) -> Result<PathBuf> {
         let ctx = self.get_context(account_id).await?;
@@ -1542,15 +1556,6 @@ impl CommandApi {
         Ok(())
     }
 
-    /// Resets contact encryption.
-    async fn reset_contact_encryption(&self, account_id: u32, contact_id: u32) -> Result<()> {
-        let ctx = self.get_context(account_id).await?;
-        let contact_id = ContactId::new(contact_id);
-
-        contact_id.reset_encryption(&ctx).await?;
-        Ok(())
-    }
-
     /// Sets display name for existing contact.
     async fn change_contact_name(
         &self,

deltachat-ffi/src/lib.rs

@@ -30,6 +30,29 @@ pub struct FullChat {
     /// in the contact profile
     /// if 1:1 chat with this contact exists and is protected.
     is_protected: bool,
+    /// True if the chat is encrypted.
+    /// This means that all messages in the chat are encrypted,
+    /// and all contacts in the chat are "key-contacts",
+    /// i.e. identified by the PGP key fingerprint.
+    ///
+    /// False if the chat is unencrypted.
+    /// This means that all messages in the chat are unencrypted,
+    /// and all contacts in the chat are "address-contacts",
+    /// i.e. identified by the email address.
+    /// The UI should mark this chat e.g. with a mail-letter icon.
+    ///
+    /// Unencrypted groups are called "ad-hoc groups"
+    /// and the user can't add/remove members,
+    /// create a QR invite code,
+    /// or set an avatar.
+    /// These options should therefore be disabled in the UI.
+    ///
+    /// Note that it can happen that an encrypted chat
+    /// contains unencrypted messages that were received in core <= v1.159.*
+    /// and vice versa.
+    ///
+    /// See also `is_key_contact` on `Contact`.
+    is_encrypted: bool,
     profile_image: Option<String>, //BLOBS ?
     archived: bool,
     pinned: bool,
@@ -108,6 +131,7 @@ impl FullChat {
             id: chat_id,
             name: chat.name.clone(),
             is_protected: chat.is_protected(),
+            is_encrypted: chat.is_encrypted(context).await?,
             profile_image, //BLOBS ?
             archived: chat.get_visibility() == chat::ChatVisibility::Archived,
             pinned: chat.get_visibility() == chat::ChatVisibility::Pinned,
@@ -159,6 +183,30 @@ pub struct BasicChat {
     /// in the contact profile
     /// if 1:1 chat with this contact exists and is protected.
     is_protected: bool,
+
+    /// True if the chat is encrypted.
+    /// This means that all messages in the chat are encrypted,
+    /// and all contacts in the chat are "key-contacts",
+    /// i.e. identified by the PGP key fingerprint.
+    ///
+    /// False if the chat is unencrypted.
+    /// This means that all messages in the chat are unencrypted,
+    /// and all contacts in the chat are "address-contacts",
+    /// i.e. identified by the email address.
+    /// The UI should mark this chat e.g. with a mail-letter icon.
+    ///
+    /// Unencrypted groups are called "ad-hoc groups"
+    /// and the user can't add/remove members,
+    /// create a QR invite code,
+    /// or set an avatar.
+    /// These options should therefore be disabled in the UI.
+    ///
+    /// Note that it can happen that an encrypted chat
+    /// contains unencrypted messages that were received in core <= v1.159.*
+    /// and vice versa.
+    ///
+    /// See also `is_key_contact` on `Contact`.
+    is_encrypted: bool,
     profile_image: Option<String>, //BLOBS ?
     archived: bool,
     pinned: bool,
@@ -187,6 +235,7 @@ impl BasicChat {
             id: chat_id,
             name: chat.name.clone(),
             is_protected: chat.is_protected(),
+            is_encrypted: chat.is_encrypted(context).await?,
             profile_image, //BLOBS ?
             archived: chat.get_visibility() == chat::ChatVisibility::Archived,
             pinned: chat.get_visibility() == chat::ChatVisibility::Pinned,

deltachat-jsonrpc/src/api.rs

@@ -30,6 +30,30 @@ pub enum ChatListItemFetchResult {
         /// showing preview if last chat message is image
         summary_preview_image: Option<String>,
         is_protected: bool,
+
+        /// True if the chat is encrypted.
+        /// This means that all messages in the chat are encrypted,
+        /// and all contacts in the chat are "key-contacts",
+        /// i.e. identified by the PGP key fingerprint.
+        ///
+        /// False if the chat is unencrypted.
+        /// This means that all messages in the chat are unencrypted,
+        /// and all contacts in the chat are "address-contacts",
+        /// i.e. identified by the email address.
+        /// The UI should mark this chat e.g. with a mail-letter icon.
+        ///
+        /// Unencrypted groups are called "ad-hoc groups"
+        /// and the user can't add/remove members,
+        /// create a QR invite code,
+        /// or set an avatar.
+        /// These options should therefore be disabled in the UI.
+        ///
+        /// Note that it can happen that an encrypted chat
+        /// contains unencrypted messages that were received in core <= v1.159.*
+        /// and vice versa.
+        ///
+        /// See also `is_key_contact` on `Contact`.
+        is_encrypted: bool,
         is_group: bool,
         fresh_message_counter: usize,
         is_self_talk: bool,
@@ -137,6 +161,7 @@ pub(crate) async fn get_chat_list_item_by_id(
         summary_status: summary.state.to_u32().expect("impossible"), // idea and a function to transform the constant to strings? or return string enum
         summary_preview_image,
         is_protected: chat.is_protected(),
+        is_encrypted: chat.is_encrypted(ctx).await?,
         is_group: chat.get_type() == Chattype::Group,
         fresh_message_counter,
         is_self_talk: chat.is_self_talk(),

deltachat-jsonrpc/src/api/types/chat.rs

@@ -19,6 +19,16 @@ pub struct ContactObject {
     profile_image: Option<String>, // BLOBS
     name_and_addr: String,
     is_blocked: bool,
+
+    /// Is the contact a key contact.
+    is_key_contact: bool,
+
+    /// Is encryption available for this contact.
+    ///
+    /// This can only be true for key-contacts.
+    /// However, it is possible to have a key-contact
+    /// for which encryption is not available because we don't have a key yet,
+    /// e.g. if we just scanned the fingerprint from a QR code.
     e2ee_avail: bool,
 
     /// True if the contact can be added to verified groups.
@@ -67,6 +77,7 @@ impl ContactObject {
         let verifier_id = contact
             .get_verifier_id(context)
             .await?
+            .flatten()
             .map(|contact_id| contact_id.to_u32());
 
         Ok(ContactObject {
@@ -80,6 +91,7 @@ impl ContactObject {
             profile_image, //BLOBS
             name_and_addr: contact.get_name_n_addr(),
             is_blocked: contact.is_blocked(),
+            is_key_contact: contact.is_key_contact(),
             e2ee_avail: contact.e2ee_avail(context).await?,
             is_verified,
             is_profile_verified,

deltachat-jsonrpc/src/api/types/chat_list.rs

@@ -59,6 +59,13 @@ pub struct MessageObject {
 
     // summary - use/create another function if you need it
     subject: String,
+
+    /// True if the message was correctly encrypted&signed, false otherwise.
+    /// Historically, UIs showed a small padlock on the message then.
+    ///
+    /// Today, the UIs should instead show a small email-icon on the message
+    /// if `show_padlock` is `false`,
+    /// and nothing if it is `true`.
     show_padlock: bool,
     is_setupmessage: bool,
     is_info: bool,