Add 'LICENSE'

.drone.yml

@@ -31,35 +31,6 @@ pipeline:
       - tar -czf $FILENAME lockbox
       - sha256sum $FILENAME > $FILENAME.sha256
       - rm -r lockbox
-  build-android:
-    mem_limit: 3G
-    image: therecipe/qt:android
-    when:
-      repo: openprivacy/lockbox
-      branch: master
-      event: push
-    environment:
-      - QT_DIR=/opt/Qt
-      - QT_DOCKER='true'
-      - QT_API=5.13.0
-      - ANDROID_NDK_DIR=/home/user/android-ndk-r18b
-      - ANDROID_SDK_DIR=/home/user/android-sdk-linux
-      - GO111MODULE=on
-    commands:
-      - export PATH=$PATH:/home/user/work/bin:/media/sf_GOPATH1/bin
-      - apt-get -qq update && apt-get --no-install-recommends -qq -y install ca-certificates curl git
-      - rm -r vendor/
-      - make clean
-      - go mod download
-      - export VERSION=`git describe --tags`
-      - export BUILDDATE=`date +%G-%m-%d-%H-%M`
-      - go mod vendor
-      - qtsetup generate android
-      - qtdeploy -ldflags "-X main.buildVer=$VERSION -X main.buildDate=$BUILDDATE" build android
-      - cd deploy
-      - export FILENAME=lockbox-android-$BUILDDATE.apk
-      - cp android/build-debug.apk $FILENAME
-      - sha256sum $FILENAME > $FILENAME.sha256
   build-windows:
     mem_limit: 3G
     image: therecipe/qt:windows_64_static
@@ -83,7 +54,6 @@ pipeline:
       - go mod vendor
       - qtdeploy -ldflags "-X main.buildVer=$VERSION -X main.buildDate=$BUILDDATE" build windows
       - cp README.md deploy/windows
-      - cp -r windows/* deploy/windows
       - cd deploy
       - mv windows lockbox
       - export FILENAME=lockbox-windows-$BUILDDATE.zip

LICENSE

@@ -0,0 +1,8 @@
+MIT License
+Copyright (c) Open Privacy Research Society 2019
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1 +1,32 @@
-![](./lockbox.png)
+![](./lockbox.png)
+
+Host a submission form on an untrusted or shared host by using public-key encryption! This repository hosts the source code for the Lockbox app, which works together with the [Lockbox web app](https://git.openprivacy.ca/openprivacy/lockbox-web).
+
+Lockbox is a barebones form submission app intended to be easily adaptable for different needs. It works by capturing all submitted form data and encrypting it with a (libsodium) public key before saving it.  Saved data can only be read by decrypting it with your unique private key, which can be kept offline and protected however you like.
+
+## Installation
+
+* Use the Lockbox app or the `cmd/genkeys.php` script to generate `key.public` and `key.private` files
+* Only people with the `key.private` file can decrypt submissions -- make a backup copy of it and keep it somewhere safe! If you lose it, you won't be able to recover any submissions you haven't decrypted yet.
+* Upload the [web app files](https://git.openprivacy.ca/openprivacy/lockbox-web) and your generated `key.public` file onto a webserver that supports PHP
+* Configure the form by editing `php/form.inc.php` and `php/config.inc.php`
+* Rename admin.php to something unpredictable if you would like to use it
+
+## Usage
+
+* Submissions can only be decrypted using the `key.private` you generated earlier.
+* Download the encrypted `submissions.dat` file either directly from your server or by using the renamed `admin.php` script.
+* Use the Lockbox app or `cmd/decrypt.php` to decrypt submissions. It will output a CSV file that can be opened in any spreadsheet editor (such as Microsoft Excel or LibreOffice Calc).
+
+## Making HTML forms
+
+* We are working on attaching an HTML form generator. For now, you can write HTML by hand or use any form editor you prefer that is capable of outputting HTML.
+* The submission script will capture all form fields submitted to it.
+* Field ordering is not preserved by default. If you would like spreadsheet columns to appear in a certain order, you can give your form fields a number and an underscore, for example `01_name`, `02_address`, `03_phone` etc. The Lockbox app will remove the numeric prefix when creating the spreadsheet.
+* Do not name a form field `email` as it is used for detecting bots.
+* Submission time, submission number, and submitter IP address are all added automatically.
+
+## Threat Model
+
+* Lockbox's encryption is intended to protect against attackers that gain read-only access to the webserver where the form is hosted. Attackers that get access to encrypted data cannot decrypt it.
+* Lockbox does not and cannot protect against attackers that can modify the web app. The app can be modified so that submissions received *after* the compromise are intercepted before they are encrypted. (Submissions received *before* such a compromise would remain safely encrypted.)