- Rust 84.7%
- Gleam 5.5%
- Just 4.8%
- Python 1.6%
- Nix 1.2%
- Other 2.2%
Reach
Reach is an end-to-end encrypted communication platform designed for collaborative groups who wish to let anonymous individuals reach out to them with information and/or requests. It is engineered for the unique challenges posed by the needs of organisations and collectives that want to protect themselves as much as the people who contact them.
As a project, it aims to expand usefulness of patterns commonly associated with whistleblowing systems, to which it is closely related. It's origins lie in SecureDrop's end-to-end encryption research (in which it also participated by contributing key insights), however its target audience is broader than that of GlobaLeaks but has a harder threat model than accommodated by Hush Line.
Warning
Reach is pre-alpha! Code in this repository is far from ready for deployment, and neither its underlying protocol nor its code have been independently reviewed. Documentation is currently aimed at developers. To keep an eye on the project, you can follow @reach@floss.social and read about its progress.
What's what?
Reach's architecture tries to anticipate a variety of usage scenarios, so even at an early stage it consists of many parts.
-
attestant/: Reach Attestant, a command line tool that helps with some administrative tasks including preparing deployment and onboard/offboard reachable peers. -
common/aliases/: Type aliases (and wrapper types) used by all other components. -
common/core/gleam/: Types and functions used by multiple Gleam based frontends. -
common/core/rust/: Shared data structures and functionality, used by most other crates. -
common/derive/: Derive macros, which generate code for data structures fundamental to Reach. -
common/ecdh-omr/: ECDH based Oblivious Message Retrieval implementation, a key component to the protocol used by Reach. A generic package reusable by other projects. -
common/encryption/: Encryption related functionality, used by Reach Attestant, Reaching Link, Reachable Server Node, and Reachable Secrets. -
common/harness/: Test harness used by multiple components' tests. -
common/passphrase/: Word lists from which passphrases are generated, which in turn are used for deterministic key generation. -
common/signatures/: Signing and verifying related generic trait implementations. -
common/ui/: Shared Lustre UI components used by the Reachable and Reaching Apps. -
common/visual-key-identity/: Instead of asking users to compare alpha-numeric hashes for manual verification, Reach uses an emoji mapping to make visual comparisons more user friendly. -
node/: Reachable Nodes are the central communication hub. Hosts code for Server Nodes which are exposed by Tor Onion Services and Peer Nodes which are only accessible to other onboarded reachable peers via authenticated Onion Services. -
reachable-app/: The Reachable Application is a Tauri and Lustre based desktop app for reachable peers to check and respond to messages. -
reaching-app/: A browser based single-page application powered by Gleam and Lustre and Wasm (aka. Reaching Link) which allows anonymous individuals to contact the reachable peers. -
secrets/: Reachable Secrets is a service that handles all key generation, encryption key signing, as well as encryption and decryption of envelopes/message vaults for reachable peers. -
tests/: Integration tests for the Rust portion of the project.
Development
This project uses a Nix flakes based development shell to help developers share a predictable environment with all the prerequisite tooling installed to get right to work. To use it, we recommend to install the (delicious) Lix implementation of the Nix package manager. Lix provides install and upgrade instructions for your respective configuration.
To enable flakes, add the following line to your nix.conf (found in /etc/nix/ or
~/.config/nix/):
experimental-features = nix-command flakes
The Nix flake will set up all the tools Reach relies on (in no particular order): Rust, Gleam,
just, wasm-pack, REUSE, protoc, etc.
Note
For Nix sceptics and the impatient, we also provide a container based setup (compatible with Podman and Docker) that can be used by installing
justand running$ just containerized help.
Getting Started
Once you installed Nix, you can enter the development shell by running the following command in the root directory of the repository:
$ nix develop .
It's strongly encouraged for you to run just repo-config as a next step to set up and configure
Git hooks that are also managed by the repository itself.
If you already installed just through your regular package manager, you can also run just develop from anywhere in the repository, which will trigger the repo-config recipe before
dropping you into the development shell.
Running just help will give you an overview of which recipes exist and what they do:
$ just help
Welcome to Reach's development justfile 👋
Don’t forget to read CONTRIBUTING.md before you start ✨
Available recipes:
Available recipes:
audit # 🧐 Check if any of this project's dependencies have advisories on rustsec.org
build # 🚀 Build everything
build-attestant # 🖋️ Build reach-attestant and reach-core with the attestant feature enabled
[...]
Contributing
If you would like to contribute to Reach (❤️) please refer to the CONTRIBUTING.md document to
get familiar with the conventions that are expected by the project. Thank you for taking the time!
Credits
Reach was originally derived from and contributed to research into the Next Generation End-to-End Encrypted Design of SecureDrop by Giulio B. of Freedom of the Press Foundation, @smaury and Davide @TheZero of Shielder as well as the SecureDrop Team. Additional credits go to Olivia M. for pointing out and insisting on the the inevitability of Asymmetric Forward/Backward Secrecy, and @redshiftzero for prior art, as well as countless of people who provided us with feedback. This list will expand.
Early contributors (❤️) to Reach include:
Reach was initiated by @eaon