.gitignore

@@ -7,6 +7,7 @@
 *~
 .idea
 .vscode
+.vs
 
 # Test files
 godog.test
@@ -35,6 +36,8 @@ cmd/Import-Export/deploy
 proton-bridge
 cmd/Desktop-Bridge/*.exe
 cmd/launcher/*.exe
+bin/
+obj/
 
 # Jetbrains (CLion, Golang) cmake build dirs
 cmake-build-*/

.gitlab-ci.yml

@@ -16,270 +16,35 @@
 # along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
 
 ---
-image: gitlab.protontech.ch:4567/go/bridge-internal:test-go1.20
+default:
+  tags:
+    - shared-small
 
 variables:
   GOPRIVATE: gitlab.protontech.ch
   GOMAXPROCS: $(( ${CI_TAG_CPU} / 2 ))
 
 before_script:
-  - apt update && apt-get -y install libsecret-1-dev
-  - git config --global url.https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}.insteadOf https://${CI_SERVER_HOST}
+  - |
+    if [ "$CI_JOB_NAME" != "grype-scan-code-dependencies" ]; then
+      apt update && apt-get -y install libsecret-1-dev
+      git config --global url.https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}.insteadOf https://${CI_SERVER_HOST}
+    fi
 
 stages:
+  - analyse
   - test
+  - report
   - build
 
-.rules-branch-and-MR-manual:
-  rules:
-    - if: $CI_COMMIT_BRANCH ||  $CI_PIPELINE_SOURCE == "merge_request_event"
-      when: manual
-      allow_failure: true
-    - when: never
-
-.rules-branch-manual-MR-and-devel-always:
-  rules:
-    - if: $CI_COMMIT_BRANCH == "devel" || $CI_PIPELINE_SOURCE == "merge_request_event"
-      when: always
-      allow_failure: false
-    - if: $CI_COMMIT_BRANCH
-      when: manual
-      allow_failure: true
-    - when: never
-
-.rules-branch-manual-scheduled-and-test-branch-always:
-  rules:
-    - if: $CI_PIPELINE_SOURCE == "schedule"
-      when: always
-      allow_failure: false
-    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME=~ /^test/
-      when: always
-      allow_failure: false
-    - if: $CI_COMMIT_BRANCH
-      when: manual
-      allow_failure: true
-    - when: never
-
-# ENV
-.env-windows:
-  before_script:
-    - export BRIDGE_SYNC_FORCE_MINIMUM_SPEC=1
-    - export GOROOT=/c/Go1.20/
-    - export PATH=$GOROOT/bin:$PATH
-    - export GOARCH=amd64
-    - export GOPATH=~/go1.20
-    - export GO111MODULE=on
-    - export PATH="${GOPATH}/bin:${PATH}"
-    - export MSYSTEM=
-    - export QT6DIR=/c/grrrQt/6.3.2/msvc2019_64
-    - export PATH=$PATH:${QT6DIR}/bin
-    - export PATH="/c/Program Files/Microsoft Visual Studio/2022/Community/Common7/IDE/CommonExtensions/Microsoft/CMake/CMake/bin:$PATH"
-    - $(git config --global -l | grep -o 'url.*gitlab.protontech.ch.*insteadof' | xargs -L 1 git config --global --unset &> /dev/null) || echo "nothing to remove"
-    - git config --global url.https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}.insteadOf https://${CI_SERVER_HOST}
-    - git config --global safe.directory '*'
-    - git status --porcelain
-  cache: {}
-  tags:
-    - windows-bridge
-
-.env-darwin:
-  before_script:
-    - export BRIDGE_SYNC_FORCE_MINIMUM_SPEC=1
-    - export PATH=/usr/local/bin:$PATH
-    - export PATH=/usr/local/opt/git/bin:$PATH
-    - export PATH=/usr/local/opt/make/libexec/gnubin:$PATH
-    - export PATH=/usr/local/opt/gnu-sed/libexec/gnubin:$PATH
-    - export GOROOT=~/local/opt/go@1.20
-    - export PATH="${GOROOT}/bin:$PATH"
-    - export GOPATH=~/go1.20
-    - export PATH="${GOPATH}/bin:$PATH"
-    - export QT6DIR=/opt/Qt/6.3.2/macos
-    - export PATH="${QT6DIR}/bin:$PATH"
-    - uname -a
-  cache: {}
-  tags:
-    - macos-m1-bridge
-
-.env-linux-build:
-  image: gitlab.protontech.ch:4567/go/bridge-internal:build-go1.20-qt6.3.2
-  variables:
-    VCPKG_DEFAULT_BINARY_CACHE: ${CI_PROJECT_DIR}/.cache
-  cache:
-    key: linux-vcpkg
-    paths:
-      - .cache
-    when: 'always'
-  before_script:
-    - mkdir -p .cache/bin
-    - export BRIDGE_SYNC_FORCE_MINIMUM_SPEC=1
-    - export PATH=$(pwd)/.cache/bin:$PATH
-    - export GOPATH="$CI_PROJECT_DIR/.cache"
-    - export PATH=$PATH:$QT6DIR/bin
-    - $(git config --global -l | grep -o 'url.*gitlab.protontech.ch.*insteadof' | xargs -L 1 git config --global --unset &> /dev/null) || echo "nothing to remove"
-    - git config --global url.https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}.insteadOf https://${CI_SERVER_HOST}
-  tags:
-    - large
-
-# Stage: TEST
-
-lint:
-  stage: test
-  extends:
-    - .rules-branch-manual-MR-and-devel-always
-  script:
-    - make lint
-  tags:
-    - medium
-
-bug-report-preview:
-  stage: test
-  extends:
-    - .rules-branch-and-MR-manual
-  script:
-    - make lint-bug-report-preview
-  tags:
-    - medium
-
-.script-test:
-  stage: test
-  extends:
-    - .rules-branch-manual-MR-and-devel-always
-  script:
-    - make test
-  artifacts:
-    paths:
-      - coverage/**
-
-test-linux:
-  extends:
-    - .script-test
-  tags:
-    - large
-
-fuzz-linux:
-  stage: test
-  extends:
-    - .rules-branch-manual-MR-and-devel-always
-  script:
-    - make fuzz
-  tags:
-    - large
-
-test-linux-race:
-  extends:
-    - test-linux
-    - .rules-branch-and-MR-manual
-  script:
-    - make test-race
-
-test-integration:
-  extends:
-    - test-linux
-  script:
-    - make test-integration
-
-test-integration-race:
-  extends:
-    - test-integration
-    - .rules-branch-and-MR-manual
-  script:
-    - make test-integration-race
-
-test-integration-nightly:
-  extends:
-    - test-integration
-    - .rules-branch-manual-scheduled-and-test-branch-always
-  needs:
-    - test-integration
-  script:
-    - make test-integration-nightly
-
-test-windows:
-  extends:
-    - .env-windows
-    - .script-test
-
-test-darwin:
-  extends:
-    - .env-darwin
-    - .script-test
-
-test-coverage:
-  stage: test
-  extends:
-    - .rules-branch-manual-scheduled-and-test-branch-always
-  script:
-    - ./utils/coverage.sh
-  coverage: '/total:.*\(statements\).*\d+\.\d+%/'
-  needs:
-    - test-linux
-    - test-windows
-    - test-darwin
-    - test-integration
-    - test-integration-nightly
-  tags:
-    - small
-  artifacts:
-    paths:
-      - coverage*
-      - coverage/**
-    when: 'always'
-    reports:
-      coverage_report:
-        coverage_format: cobertura
-        path: coverage.xml
-
-# Stage: BUILD
-
-.script-build:
-  stage: build
-  needs: ["lint"]
-  extends:
-    - .rules-branch-and-MR-manual
-  script:
-    - make build
-    - git diff && git diff-index --quiet HEAD
-    - make vault-editor
-  artifacts:
-    expire_in: 1 day
-    when: always
-    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
-    paths:
-      - bridge_*.tgz
-      - vault-editor
-
-build-linux:
-  extends:
-    - .script-build
-    - .env-linux-build
-
-build-linux-qa:
-  extends:
-    - build-linux
-    - .rules-branch-manual-MR-and-devel-always
-  variables:
-    BUILD_TAGS: "build_qa"
-
-build-darwin:
-  extends:
-    - .script-build
-    - .env-darwin
-
-build-darwin-qa:
-  extends:
-    - build-darwin
-  variables:
-    BUILD_TAGS: "build_qa"
-
-build-windows:
-  extends:
-    - .script-build
-    - .env-windows
-
-build-windows-qa:
-  extends:
-    - build-windows
-  variables:
-    BUILD_TAGS: "build_qa"
+include:
+  - local: ci/setup.yml
+  - local: ci/rules.yml
+  - local: ci/env.yml
+  - local: ci/test.yml
+  - local: ci/report.yml
+  - local: ci/build.yml
+  - component: gitlab.protontech.ch/proton/devops/cicd-components/kits/devsecops/go@~latest
+    inputs:
+      stage: analyse
 
-# TODO: PUT BACK ALL THE JOBS! JUST DID THIS FOR NOW TO GET CI WORKING AGAIN...

.gitlab/CODEOWNERS

@@ -0,0 +1 @@
+* inbox-desktop-approvers

.golangci.yml

@@ -2,11 +2,12 @@
 run:
   timeout: 10m
   skip-dirs:
-    - pkg/mime
-    - extern
 
 issues:
   exclude-use-default: false
+  exclude-dirs:
+    - pkg/mime
+    - extern
   exclude:
     - Using the variable on range scope `tt` in function literal
     # For now we are missing a lot of comments.
@@ -86,7 +87,7 @@ linters:
     - asciicheck        # Simple linter to check that your code does not contain non-ASCII identifiers [fast: true, auto-fix: false]
     - durationcheck     # check for two durations multiplied together [fast: false, auto-fix: false]
     - exhaustive        # check exhaustiveness of enum switch statements [fast: false, auto-fix: false]
-    - exportloopref     # checks for pointers to enclosing loop variables [fast: false, auto-fix: false]
+    - copyloopvar       # detects places where loop variables are copied.
     - forcetypeassert   # finds forced type assertions [fast: true, auto-fix: false]
     - godot             # Check if comments end in a period [fast: true, auto-fix: true]
     - goheader          # Checks is file header matches to pattern [fast: true, auto-fix: false]

.grype.yaml

@@ -0,0 +1,2 @@
+# Check out for configuration details: https://github.com/anchore/grype?tab=readme-ov-file#configuration
+fail-on-severity: "medium"

BUILDS.md

@@ -3,14 +3,14 @@
 ## Prerequisites
 * 64-bit OS:
     - the go-rfc5322 module cannot currently be compiled for 32-bit OSes
-* Go 1.20
+* Go 1.24.0
 * Bash with basic build utils: make, gcc, sed, find, grep, ...
   - For Windows, it is recommended to use MinGW 64bit shell from [MSYS2](https://www.msys2.org/)
 * GCC (Linux), msvc (Windows) or Xcode (macOS)
 * Windres (Windows)
 * libglvnd and libsecret development files (Linux)
 * pkg-config (Linux)
-* cmake, ninja-build and Qt 6 are required to build the graphical user interface. On Linux, 
+* cmake, ninja-build and Qt 6.8.2 are required to build the graphical user interface. On Linux, 
 the Mesa OpenGL development files are also needed.
 
 To enable the sending of crash reports using Sentry please set the
@@ -19,7 +19,7 @@ Otherwise, the sending of crash reports will be disabled.
 
 ## Build
 In order to build Bridge app with Qt interface we are using
-[Qt 6.3](https://doc.qt.io/qt-6/gettingstarted.html).
+[Qt 6.8.2](https://doc.qt.io/qt-6/gettingstarted.html).
 
 Please note that qmake path must be in your `PATH` to ensure Qt to be found.
 Also, before you start build **on Windows**, please unset the `MSYSTEM` variable

CONTRIBUTING.md

@@ -1,10 +1,78 @@
-# Contribution Policy
+# Contributing guidelines
+
+The following document describes how to contribute to the project. In this context, contribution does not only mean code contribution but also reporting issues, requesting new features, or just asking for help.
+
+## Reporting issues
+
+In case you experience issues while using the application, our request is to contact Proton customer support directly.
+
+The benefits of using Proton customer support are
+
+- Available 24/7/365.
+- Provides priority support based on subscription type.
+- Will escalate the issue to the developers every time it becomes too technical or they do not know the answer to a question.
+- Easier to detect systematic issues by connecting similar reports.
+- Possible to quickly derive frequency of an issue.
+- Can assist you to transfer sensitive information safely to us.
+
+To speed up the communication with customer support, consider the following:
+
+- Whenever is possible, use the in-app bug report feature. It provides an application specific guide compared to using the generic report form on web.
+- Whenever is possible, proactively attach logs to your report. Reporting an issue from the application can help you in that.
+- Check whether your system is officially supported by Proton, including the source of the installer. We cannot provide help when the application is packaged by a third party or when the application is used on systems that we do not prepare to support.
+- If your report is a feature request, see the Feature request section. In case it is an issue related to application security, see the Security vulnerabilities section.
+
+In the past, we used GitHub issue tracker for more technical issues in parallel to Proton customer support, but we run into limitations with this approach:
+
+- Monitoring GitHub issue tracker took development time as it was managed by the development team.
+- It made issue frequency tracking challenging because we did not have a single point of entry for issues.
+- Users were confused what technical issue means, and used the GitHub issue tracker for feature requests, or non-technical discussions.
+- Users sometimes shared sensitive data through the GitHub issue tracker.
+
+For the above reasons, we do not use GitHub issue tracker anymore but ask you to contact our customer support in case you run into a problem.
+
+### Security vulnerabilities
+
+Proton runs a bug bounty program for security vulnerabilities. They differ from normal bug reports in the following ways:
+
+- These reports go directly to our security team.
+- They expect deeper explanation of the issue.
+- Depending on the finding, they may be financially rewarded.
+
+More information about the program can be found [here](https://proton.me/security/bug-bounty).
+
+## Feature requests
+
+What someone considers as a bug is sometimes a feature, and sometimes, a missing feature is considered as a bug. Instead of reporting feature requests as bugs, we setup a UserVoice page to allow our users to share their preferences. UserVoice also makes it possible to vote on other feature requests, making the community preference public.
+
+Our product team frequently monitors UserVoice, and the features listed there are taken into account in our planning.
+
+Examples for UserVoice requests:
+
+- Extending the officially supported environments (e.g., operating systems, clients, or computer architectures).
+- Requesting new features.
+- Integration with non-Proton services.
+
+UserVoice is available [here](https://protonmail.uservoice.com/).
+
+## Asking for help
+
+The best ways to get answer for generic questions or to get help with setting up the system is to interact with our active community on [Reddit](https://reddit.com/r/ProtonMail/) or to contact customer support.
+
+## Code contribution
+
+We are grateful if you can contribute directly with code. In that case there is nothing else to do than to open a pull request.
+
+The following is worthwhile noting
+
+- The project is primarily developed on an internal repository, and the one on GitHub is only a mirror of it. For that reason, the merge request will not be merged on GitHub but added to the project internally. We are keeping the original author in the change set to respect the contribution.
+- The application is used on numerous platforms and by many third party clients. To have higher chance your change to be accepted, consider all supported dependencies.
+- Give detailed description of the issue, preferably with test steps to reproduce the original issue, and to verify the fix. It is even better if you also extend the automated tests.
+
+### Contribution policy
 
 By making a contribution to this project:
 
-1.  I assign any and all copyright related to the contribution to Proton AG;
-2.  I certify that the contribution was created in whole by me;
-3.  I understand and agree that this project and the contribution are public
-    and that a record of the contribution (including all personal information I
-    submit with it) is maintained indefinitely and may be redistributed with
-    this project or the open source license(s) involved.
+1. You assign any and all copyright related to the contribution to Proton AG;
+2. You certify that the contribution was created in whole by you;
+3. You understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information you submit with it) is maintained indefinitely and may be redistributed with this project or the open source license(s) involved.

COPYING_NOTES.md

@@ -40,6 +40,7 @@ Proton Mail Bridge includes the following 3rd party software:
 * [go-message](https://github.com/emersion/go-message) available under [license](https://github.com/emersion/go-message/blob/master/LICENSE) 
 * [go-sasl](https://github.com/emersion/go-sasl) available under [license](https://github.com/emersion/go-sasl/blob/master/LICENSE) 
 * [go-smtp](https://github.com/emersion/go-smtp) available under [license](https://github.com/emersion/go-smtp/blob/master/LICENSE) 
+* [go-vcard](https://github.com/emersion/go-vcard) available under [license](https://github.com/emersion/go-vcard/blob/master/LICENSE) 
 * [color](https://github.com/fatih/color) available under [license](https://github.com/fatih/color/blob/master/LICENSE) 
 * [sentry-go](https://github.com/getsentry/sentry-go) available under [license](https://github.com/getsentry/sentry-go/blob/master/LICENSE) 
 * [resty](https://github.com/go-resty/resty/v2) available under [license](https://github.com/go-resty/resty/v2/blob/master/LICENSE) 
@@ -49,6 +50,7 @@ Proton Mail Bridge includes the following 3rd party software:
 * [uuid](https://github.com/google/uuid) available under [license](https://github.com/google/uuid/blob/master/LICENSE) 
 * [go-multierror](https://github.com/hashicorp/go-multierror) available under [license](https://github.com/hashicorp/go-multierror/blob/master/LICENSE) 
 * [html2text](https://github.com/jaytaylor/html2text) available under [license](https://github.com/jaytaylor/html2text/blob/master/LICENSE) 
+* [go-locale](https://github.com/jeandeaual/go-locale) available under [license](https://github.com/jeandeaual/go-locale/blob/master/LICENSE) 
 * [go-keychain](https://github.com/keybase/go-keychain) available under [license](https://github.com/keybase/go-keychain/blob/master/LICENSE) 
 * [dns](https://github.com/miekg/dns) available under [license](https://github.com/miekg/dns/blob/master/LICENSE) 
 * [memory](https://github.com/pbnjay/memory) available under [license](https://github.com/pbnjay/memory/blob/master/LICENSE) 
@@ -61,11 +63,15 @@ Proton Mail Bridge includes the following 3rd party software:
 * [goleak](https://go.uber.org/goleak) available under [license](https://pkg.go.dev/go.uber.org/goleak?tab=licenses) 
 * [exp](https://golang.org/x/exp) available under [license](https://cs.opensource.google/go/x/exp/+/master:LICENSE) 
 * [net](https://golang.org/x/net) available under [license](https://cs.opensource.google/go/x/net/+/master:LICENSE) 
+* [oauth2](https://golang.org/x/oauth2) available under [license](https://cs.opensource.google/go/x/oauth2/+/master:LICENSE) 
 * [sys](https://golang.org/x/sys) available under [license](https://cs.opensource.google/go/x/sys/+/master:LICENSE) 
 * [text](https://golang.org/x/text) available under [license](https://cs.opensource.google/go/x/text/+/master:LICENSE) 
+* [api](https://google.golang.org/api) available under [license](https://pkg.go.dev/google.golang.org/api?tab=licenses) 
 * [grpc](https://google.golang.org/grpc) available under [license](https://github.com/grpc/grpc-go/blob/master/LICENSE) 
 * [protobuf](https://google.golang.org/protobuf) available under [license](https://github.com/protocolbuffers/protobuf/blob/main/LICENSE) 
 * [plist](https://howett.net/plist) available under [license](https://github.com/DHowett/go-plist/blob/main/LICENSE) 
+* [compute](https://cloud.google.com/go/compute) available under [license](https://pkg.go.dev/cloud.google.com/go/compute?tab=licenses) 
+* [metadata](https://cloud.google.com/go/compute/metadata) available under [license](https://pkg.go.dev/cloud.google.com/go/compute/metadata?tab=licenses) 
 * [bcrypt](https://github.com/ProtonMail/bcrypt) available under [license](https://github.com/ProtonMail/bcrypt/blob/master/LICENSE) 
 * [go-crypto](https://github.com/ProtonMail/go-crypto) available under [license](https://github.com/ProtonMail/go-crypto/blob/master/LICENSE) 
 * [go-mime](https://github.com/ProtonMail/go-mime) available under [license](https://github.com/ProtonMail/go-mime/blob/master/LICENSE) 
@@ -83,7 +89,6 @@ Proton Mail Bridge includes the following 3rd party software:
 * [go-spew](https://github.com/davecgh/go-spew) available under [license](https://github.com/davecgh/go-spew/blob/master/LICENSE) 
 * [go-windows](https://github.com/elastic/go-windows) available under [license](https://github.com/elastic/go-windows/blob/master/LICENSE) 
 * [go-textwrapper](https://github.com/emersion/go-textwrapper) available under [license](https://github.com/emersion/go-textwrapper/blob/master/LICENSE) 
-* [go-vcard](https://github.com/emersion/go-vcard) available under [license](https://github.com/emersion/go-vcard/blob/master/LICENSE) 
 * [fgprof](https://github.com/felixge/fgprof) available under [license](https://github.com/felixge/fgprof/blob/master/LICENSE) 
 * [go-shlex](https://github.com/flynn-archive/go-shlex) available under [license](https://github.com/flynn-archive/go-shlex/blob/master/LICENSE) 
 * [mimetype](https://github.com/gabriel-vasile/mimetype) available under [license](https://github.com/gabriel-vasile/mimetype/blob/master/LICENSE) 
@@ -94,8 +99,11 @@ Proton Mail Bridge includes the following 3rd party software:
 * [validator](https://github.com/go-playground/validator/v10) available under [license](https://github.com/go-playground/validator/v10/blob/master/LICENSE) 
 * [go-json](https://github.com/goccy/go-json) available under [license](https://github.com/goccy/go-json/blob/master/LICENSE) 
 * [uuid](https://github.com/gofrs/uuid) available under [license](https://github.com/gofrs/uuid/blob/master/LICENSE) 
+* [groupcache](https://github.com/golang/groupcache) available under [license](https://github.com/golang/groupcache/blob/master/LICENSE) 
 * [protobuf](https://github.com/golang/protobuf) available under [license](https://github.com/golang/protobuf/blob/master/LICENSE) 
 * [pprof](https://github.com/google/pprof) available under [license](https://github.com/google/pprof/blob/master/LICENSE) 
+* [enterprise-certificate-proxy](https://github.com/googleapis/enterprise-certificate-proxy) available under [license](https://github.com/googleapis/enterprise-certificate-proxy/blob/master/LICENSE) 
+* [gax-go](https://github.com/googleapis/gax-go/v2) available under [license](https://github.com/googleapis/gax-go/v2/blob/master/LICENSE) 
 * [errwrap](https://github.com/hashicorp/errwrap) available under [license](https://github.com/hashicorp/errwrap/blob/master/LICENSE) 
 * [go-immutable-radix](https://github.com/hashicorp/go-immutable-radix) available under [license](https://github.com/hashicorp/go-immutable-radix/blob/master/LICENSE) 
 * [go-memdb](https://github.com/hashicorp/go-memdb) available under [license](https://github.com/hashicorp/go-memdb/blob/master/LICENSE) 
@@ -119,18 +127,24 @@ Proton Mail Bridge includes the following 3rd party software:
 * [blackfriday](https://github.com/russross/blackfriday/v2) available under [license](https://github.com/russross/blackfriday/v2/blob/master/LICENSE) 
 * [pflag](https://github.com/spf13/pflag) available under [license](https://github.com/spf13/pflag/blob/master/LICENSE) 
 * [bom](https://github.com/ssor/bom) available under [license](https://github.com/ssor/bom/blob/master/LICENSE) 
+* [objx](https://github.com/stretchr/objx) available under [license](https://github.com/stretchr/objx/blob/master/LICENSE) 
 * [golang-asm](https://github.com/twitchyliquid64/golang-asm) available under [license](https://github.com/twitchyliquid64/golang-asm/blob/master/LICENSE) 
 * [codec](https://github.com/ugorji/go/codec) available under [license](https://github.com/ugorji/go/codec/blob/master/LICENSE) 
 * [tagparser](https://github.com/vmihailenco/tagparser/v2) available under [license](https://github.com/vmihailenco/tagparser/v2/blob/master/LICENSE) 
 * [smetrics](https://github.com/xrash/smetrics) available under [license](https://github.com/xrash/smetrics/blob/master/LICENSE) 
+* [go-ordered-json](https://gitlab.com/c0b/go-ordered-json) available under [license](https://gitlab.com/c0b/go-ordered-json/blob/master/LICENSE) 
+* [go.opencensus.io](https://pkg.go.dev/go.opencensus.io?tab=licenses) available under [license](https://pkg.go.dev/go.opencensus.io?tab=licenses) 
 * [arch](https://golang.org/x/arch) available under [license](https://cs.opensource.google/go/x/arch/+/master:LICENSE) 
 * [crypto](https://golang.org/x/crypto) available under [license](https://cs.opensource.google/go/x/crypto/+/master:LICENSE) 
 * [mod](https://golang.org/x/mod) available under [license](https://cs.opensource.google/go/x/mod/+/master:LICENSE) 
 * [sync](https://golang.org/x/sync) available under [license](https://cs.opensource.google/go/x/sync/+/master:LICENSE) 
 * [tools](https://golang.org/x/tools) available under [license](https://cs.opensource.google/go/x/tools/+/master:LICENSE) 
+* [appengine](https://google.golang.org/appengine) available under [license](https://pkg.go.dev/google.golang.org/appengine?tab=licenses) 
 * [genproto](https://google.golang.org/genproto) available under [license](https://pkg.go.dev/google.golang.org/genproto?tab=licenses) 
-* [yaml](https://gopkg.in/yaml.v3) available under [license](https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE) 
-* [docker-credential-helpers](https://github.com/ProtonMail/docker-credential-helpers) available under [license](https://github.com/ProtonMail/docker-credential-helpers/blob/master/LICENSE) 
+* [yaml](https://gopkg.in/yaml.v3) available under [license](https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE)  available under [license](https://github.com/go-yaml/yaml/blob/v3.0.1/LICENSE) 
+* [go-autostart](https://github.com/ElectroNafta/go-autostart) available under [license](https://github.com/ElectroNafta/go-autostart/blob/master/LICENSE) 
 * [go-message](https://github.com/ProtonMail/go-message) available under [license](https://github.com/ProtonMail/go-message/blob/master/LICENSE) 
+* [go-smtp](https://github.com/ProtonMail/go-smtp) available under [license](https://github.com/ProtonMail/go-smtp/blob/master/LICENSE) 
+* [resty](https://github.com/LBeernaertProton/resty/v2) available under [license](https://github.com/LBeernaertProton/resty/v2/blob/master/LICENSE) 
 * [go-keychain](https://github.com/cuthix/go-keychain) available under [license](https://github.com/cuthix/go-keychain/blob/master/LICENSE) 
 <!-- END AUTOGEN -->

Makefile

@@ -1,26 +1,27 @@
 export GO111MODULE=on
+export CGO_ENABLED=1
 
 # By default, the target OS is the same as the host OS,
 # but this can be overridden by setting TARGET_OS to "windows"/"darwin"/"linux".
 GOOS:=$(shell go env GOOS)
 TARGET_CMD?=Desktop-Bridge
 TARGET_OS?=${GOOS}
-ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+ROOT_DIR:=$(realpath .)
 
 ## Build
 .PHONY: build build-gui build-nogui build-launcher versioner hasher
 
 # Keep version hardcoded so app build works also without Git repository.
-BRIDGE_APP_VERSION?=3.5.2+git
+BRIDGE_APP_VERSION?=3.21.2+git
 APP_VERSION:=${BRIDGE_APP_VERSION}
 APP_FULL_NAME:=Proton Mail Bridge
 APP_VENDOR:=Proton AG
 SRC_ICO:=bridge.ico
 SRC_ICNS:=Bridge.icns
 SRC_SVG:=bridge.svg
 EXE_NAME:=proton-bridge
-REVISION:=$(shell ./utils/get_revision.sh)
-TAG:=$(shell ./utils/get_revision.sh tag)
+REVISION:=$(shell "${ROOT_DIR}/utils/get_revision.sh" rev)
+TAG:=$(shell "${ROOT_DIR}/utils/get_revision.sh" tag)
 BUILD_TIME:=$(shell date +%FT%T%z)
 MACOS_MIN_VERSION_ARM64=11.0
 MACOS_MIN_VERSION_AMD64=10.15
@@ -101,9 +102,9 @@ endif
 
 ifeq "${GOOS}" "windows"
 	go-build-finalize= \
-		$(if $(4),powershell Copy-Item ${ROOT_DIR}/${RESOURCE_FILE} ${4}  &&,) \
+		$(if $(4),cp "${ROOT_DIR}/${RESOURCE_FILE}" ${4}  &&,) \
 		$(call go-build,$(1),$(2),$(3)) \
-		$(if $(4), && powershell Remove-Item ${4} -Force,)
+		$(if $(4), && rm -f ${4},)
 endif
 
 ${EXE_NAME}: gofiles  ${RESOURCE_FILE}
@@ -117,7 +118,10 @@ versioner:
 	go build ${BUILD_FLAGS} -o versioner utils/versioner/main.go
 
 vault-editor:
-	$(call go-build-finalize,"-tags=debug","vault-editor","./utils/vault-editor/main.go")
+	$(call go-build-finalize,-tags=debug,"vault-editor","./utils/vault-editor/main.go")
+
+bridge-rollout:
+	$(call go-build-finalize,, "bridge-rollout","./utils/bridge-rollout/bridge-rollout.go")
 
 hasher:
 	go build -o hasher utils/hasher/main.go
@@ -164,7 +168,7 @@ ${EXE_TARGET}: check-build-essentials ${EXE_NAME}
  		BRIDGE_BUILD_TIME=${BUILD_TIME} \
 		BRIDGE_GUI_BUILD_CONFIG=Release \
 		BRIDGE_BUILD_ENV=${BUILD_ENV} \
-		BRIDGE_INSTALL_PATH=${ROOT_DIR}/${DEPLOY_DIR}/${GOOS} \
+		BRIDGE_INSTALL_PATH="${ROOT_DIR}/${DEPLOY_DIR}/${GOOS}" \
 		./build.sh install
 	mv "${ROOT_DIR}/${BRIDGE_EXE}" "$(ROOT_DIR)/${EXE_TARGET}"
 
@@ -185,7 +189,7 @@ ${RESOURCE_FILE}: ./dist/info.rc ./dist/${SRC_ICO} .FORCE
 
 ## Dev dependencies
 .PHONY: install-devel-tools install-linter install-go-mod-outdated install-git-hooks
-LINTVER:="v1.52.2"
+LINTVER:="v1.64.6"
 LINTSRC:="https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh"
 
 install-dev-dependencies: install-devel-tools install-linter install-go-mod-outdated
@@ -260,7 +264,8 @@ test-integration-race: gofiles
 
 test-integration-nightly: gofiles
 	mkdir -p coverage/integration
-	go test \
+	gotestsum \
+		--junitfile tests/result/feature-tests.xml -- \
 		-v -timeout=90m -p=1 -count=1 -tags=test_integration \
 		${GOCOVERAGE} \
 		github.com/ProtonMail/proton-bridge/v3/tests \
@@ -328,13 +333,6 @@ lint-bug-report:
 lint-bug-report-preview:
 	python3 utils/validate_bug_report_file.py --file "internal/frontend/bridge-gui/bridge-gui/qml/Resources/bug_report_flow.json" --preview
 
-gobinsec: gobinsec-cache.yml build
-	gobinsec -wait -cache -config utils/gobinsec_conf.yml ${EXE_TARGET} ${DEPLOY_DIR}/${TARGET_OS}/${LAUNCHER_EXE}
-
-gobinsec-cache.yml:
-	./utils/gobinsec_update.sh
-	cp ./utils/gobinsec_update/gobinsec-cache-valid.yml ./gobinsec-cache.yml
-
 updates: install-go-mod-outdated
 	# Uncomment the "-ci" to fail the job if something can be updated.
 	go list -u -m -json all | go-mod-outdated -update -direct #-ci

README.md

@@ -1,7 +1,7 @@
-# Proton Mail Bridge and Import Export app
-Copyright (c) 2023 Proton AG
+# Proton Mail Bridge
+Copyright (c) 2025 Proton AG
 
-This repository holds the Proton Mail Bridge and the Proton Mail Import-Export applications.
+This repository holds the Proton Mail Bridge application.
 For a detailed build information see [BUILDS](./BUILDS.md).
 The license can be found in [LICENSE](./LICENSE) file, for more licensing information see [COPYING_NOTES](./COPYING_NOTES.md).
 For contribution policy see [CONTRIBUTING](./CONTRIBUTING.md).
@@ -13,7 +13,7 @@ Proton Mail Bridge for e-mail clients.
 When launched, Bridge will initialize local IMAP/SMTP servers and render 
 its GUI.
 
-To configure an e-mail client, firstly log in using your Proton Mail credentials. 
+To configure an e-mail client, first log in using your Proton Mail credentials. 
 Open your e-mail client and add a new account using the settings which are 
 located in the Bridge GUI. The client will only be able to sync with 
 your Proton Mail account when the Bridge is running, thus the option 
@@ -24,10 +24,10 @@ background.
 
 More details [on the public website](https://proton.me/mail/bridge).
 
-## Launchers
-Launchers are binaries used to run the Proton Mail Bridge or Import-Export apps.
+## Launcher
+The launcher is a binary used to run the Proton Mail Bridge.
 
-Official distributions of the Proton Mail Bridge and Import-Export apps contain
+The Official distribution of the Proton Mail Bridge application contains
 both a launcher and the app itself. The launcher is installed in a protected
 area of the system (i.e. an area accessible only with admin privileges) and is
 used to run the app. The launcher ensures that nobody tampered with the app's
@@ -37,7 +37,7 @@ feature enables the app to securely update itself automatically without asking
 the user for a password.
 
 ## Keychain
-You need to have a keychain in order to run the Proton Mail Bridge. On Mac or
+You need to have a keychain in order to run Proton Mail Bridge. On Mac or
 Windows, Bridge uses native credential managers. On Linux, use `secret-service` freedesktop.org API
 (e.g. [Gnome keyring](https://wiki.gnome.org/Projects/GnomeKeyring/))
 or

ci/build.yml

@@ -0,0 +1,72 @@
+---
+
+.script-build:
+  stage: build
+  needs: ["lint"]
+  extends:
+    - .rules-branch-and-MR-manual
+  script:
+    - which go && go version
+    - which gcc && gcc --version
+    - which qmake && qmake --version
+    - git rev-parse --short=10 HEAD
+    - make build
+    - git diff && git diff-index --quiet HEAD
+    - make vault-editor
+    - make bridge-rollout
+  artifacts:
+    expire_in: 1 day
+    when: always
+    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
+    paths:
+      - bridge_*.tgz
+      - vault-editor
+      - bridge-rollout
+build-linux:
+  extends:
+    - .script-build
+    - .env-linux-build
+
+build-linux-qa:
+  extends:
+    - build-linux
+    - .rules-branch-manual-MR-and-devel-always
+  variables:
+    BUILD_TAGS: "build_qa"
+
+build-darwin:
+  extends:
+    - .script-build
+    - .env-darwin
+
+build-darwin-qa:
+  extends:
+    - build-darwin
+  variables:
+    BUILD_TAGS: "build_qa"
+
+build-windows:
+  extends:
+    - .script-build
+    - .env-windows
+
+build-windows-qa:
+  extends:
+    - build-windows
+  variables:
+    BUILD_TAGS: "build_qa"
+
+trigger-qa-installer:
+  stage: build
+  needs: ["lint"]
+  extends:
+    - .rules-br-tag-always-branch-and-MR-manual
+  variables:
+    APP: bridge
+    WORKFLOW: build-all
+    SRC_TAG: $CI_COMMIT_BRANCH
+    TAG: $CI_COMMIT_TAG
+    SRC_HASH: $CI_COMMIT_SHA
+  trigger:
+    project: "jcuth/bridge-release"
+    branch: master

ci/env.yml

@@ -0,0 +1,59 @@
+
+---
+
+.env-windows:
+  extends:
+    - .image-windows-virt-build
+  before_script:
+    - !reference [.before-script-windows-virt-build, before_script]
+    - !reference [.before-script-git-config, before_script]
+    - mkdir -p .cache/bin
+    - export PATH=$(pwd)/.cache/bin:$PATH
+    - export GOPATH="$CI_PROJECT_DIR/.cache"
+  variables:
+    GOARCH: amd64
+    BRIDGE_SYNC_FORCE_MINIMUM_SPEC: 1
+    VCPKG_DEFAULT_BINARY_CACHE: ${CI_PROJECT_DIR}/.cache
+  cache:
+    key: windows-vcpkg-go-0
+    paths:
+      - .cache
+    when: 'always'
+
+.env-darwin:
+  extends:
+    - .image-darwin-build
+  before_script:
+    - !reference [.before-script-darwin-tart-build, before_script]
+    - !reference [.before-script-git-config, before_script]
+    - mkdir -p .cache/bin
+    - export PATH=$(pwd)/.cache/bin:$PATH
+    - export GOPATH="$CI_PROJECT_DIR/.cache"
+  variables:
+    BRIDGE_SYNC_FORCE_MINIMUM_SPEC: 1
+    VCPKG_DEFAULT_BINARY_CACHE: ${CI_PROJECT_DIR}/.cache
+  cache:
+    key: darwin-go-and-vcpkg
+    paths:
+      - .cache
+    when: 'always'
+
+.env-linux-build:
+  extends:
+    - .image-linux-build
+  variables:
+    VCPKG_DEFAULT_BINARY_CACHE: ${CI_PROJECT_DIR}/.cache
+  cache:
+    key: linux-vcpkg
+    paths:
+      - .cache
+    when: 'always'
+  before_script:
+    - export BRIDGE_SYNC_FORCE_MINIMUM_SPEC=1
+    - !reference [.before-script-git-config, before_script]
+    - mkdir -p .cache/bin
+    - export PATH=$(pwd)/.cache/bin:$PATH
+    - export GOPATH="$CI_PROJECT_DIR/.cache"
+  tags:
+    - shared-large
+

ci/report.yml

@@ -0,0 +1,25 @@
+
+---
+
+include:
+  - project: 'tpe/testmo-reporter'
+    ref: master
+    file: '/scenarios/testmo-script.yml'
+
+testmo-upload:
+    stage: report
+    extends:
+      - .testmo-upload
+      - .rules-branch-manual-scheduled-and-test-branch-always
+    needs:
+      - test-integration-nightly
+    before_script: []
+    variables:
+      TESTMO_TOKEN: "$TESTMO_TOKEN"
+      TESTMO_URL: "https://proton.testmo.net"
+      PROJECT_ID: "9"
+      NAME: "Nightly integration tests"
+      MILESTONE: "Nightly integration tests"
+      SOURCE: "test-integration-nightly"
+      TAGS: "$CI_COMMIT_REF_SLUG"
+      RESULT_FOLDER: "tests/result/*.xml"

ci/rules.yml

@@ -0,0 +1,58 @@
+
+---
+
+.rules-branch-and-MR-manual:
+  rules:
+    - if: $CI_COMMIT_BRANCH ||  $CI_PIPELINE_SOURCE == "merge_request_event"
+      when: manual
+      allow_failure: true
+    - when: never
+
+.rules-branch-manual-MR-and-devel-always:
+  rules:
+    - if: $CI_COMMIT_BRANCH == "devel" || $CI_PIPELINE_SOURCE == "merge_request_event"
+      when: always
+      allow_failure: false
+    - if: $CI_COMMIT_BRANCH
+      when: manual
+      allow_failure: true
+    - when: never
+
+.rules-branch-manual-br-tag-and-MR-and-devel-always:
+  rules:
+    - if: $CI_COMMIT_BRANCH == "devel" || $CI_PIPELINE_SOURCE == "merge_request_event"
+      when: always
+      allow_failure: false
+    - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_TAG =~ /^br-\d+/
+      when: always
+      allow_failure: false
+    - if: $CI_COMMIT_BRANCH
+      when: manual
+      allow_failure: true
+    - when: never
+
+.rules-branch-manual-scheduled-and-test-branch-always:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+      when: always
+      allow_failure: false
+    - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME=~ /^test/
+      when: always
+      allow_failure: false
+    - if: $CI_COMMIT_BRANCH
+      when: manual
+      allow_failure: true
+    - when: never
+
+.rules-br-tag-always-branch-and-MR-manual:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH
+      when: manual
+      allow_failure: true
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      when: manual
+      allow_failure: true
+    - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_TAG =~ /^br-\d+/
+      when: always
+    - when: never
+

ci/setup.yml

@@ -0,0 +1,7 @@
+---
+
+include:
+  - project: 'go/bridge-internal'
+    ref: 'master'
+    file: 'ci/runners-setup.yml'
+

ci/test.yml

@@ -0,0 +1,153 @@
+
+---
+
+lint:
+  stage: test
+  extends:
+    - .image-linux-test
+    - .rules-branch-manual-br-tag-and-MR-and-devel-always
+  script:
+    - make lint
+  tags:
+    - shared-medium
+
+lint-bug-report-preview:
+  stage: test
+  extends:
+    - .image-linux-test
+    - .rules-branch-and-MR-manual
+  script:
+    - make lint-bug-report-preview
+  tags:
+    - shared-medium
+
+.script-test:
+  stage: test
+  extends:
+    - .rules-branch-manual-MR-and-devel-always
+  script:
+    - which go && go version
+    - which gcc && gcc --version
+    - make test
+  artifacts:
+    paths:
+      - coverage/**
+
+
+
+test-linux:
+  extends:
+    - .image-linux-test
+    - .script-test
+  tags:
+    - shared-large
+
+test-windows:
+  extends:
+    - .env-windows
+    - .script-test
+
+test-darwin:
+  extends:
+    - .env-darwin
+    - .script-test
+
+fuzz-linux:
+  stage: test
+  extends:
+    - .image-linux-test
+    - .rules-branch-manual-MR-and-devel-always
+  script:
+    - make fuzz
+  tags:
+    - shared-large
+
+test-linux-race:
+  extends:
+    - test-linux
+    - .rules-branch-and-MR-manual
+  script:
+    - make test-race
+
+test-integration:
+  extends:
+    - test-linux
+  script:
+    - make test-integration | tee -a integration-job.log
+  after_script:
+    - |
+      grep "Error: " integration-job.log
+  artifacts:
+    when: always
+    paths:
+      - integration-job.log
+
+test-integration-race:
+  extends:
+    - test-integration
+    - .rules-branch-and-MR-manual
+  script:
+    - make test-integration-race | tee -a integration-race-job.log
+  artifacts:
+    when: always
+    paths:
+      - integration-race-job.log
+
+
+test-integration-nightly:
+  extends:
+    - test-integration
+    - .rules-branch-manual-scheduled-and-test-branch-always
+  needs:
+    - test-integration
+  script:
+    - make test-integration-nightly | tee -a nightly-job.log
+  after_script:
+    - |
+      grep "Error: " nightly-job.log
+  artifacts:
+    when: always
+    paths:
+      - tests/result/feature-tests.xml
+      - nightly-job.log
+
+test-coverage:
+  stage: test
+  extends:
+    - .image-linux-test
+    - .rules-branch-manual-scheduled-and-test-branch-always
+  script:
+    - ./utils/coverage.sh
+  coverage: '/total:.*\(statements\).*\d+\.\d+%/'
+  needs:
+    - test-linux
+    - test-windows
+    - test-darwin
+    - test-integration
+    - test-integration-nightly
+  tags:
+    - shared-small
+  artifacts:
+    paths:
+      - coverage*
+      - coverage/**
+    when: 'always'
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage.xml
+
+go-vuln-check:
+  extends:
+    - .image-linux-test
+    - .rules-branch-manual-MR-and-devel-always
+  stage: test
+  tags:
+    - shared-medium
+  script:
+    - ./utils/govulncheck.sh
+  artifacts:
+    when: always
+    paths:
+      - vulns*
+

cmd/Desktop-Bridge/main.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@@ -19,11 +19,17 @@ package main
 
 import (
 	"os"
+	"runtime"
 	"strings"
 
+	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
+	"github.com/ProtonMail/proton-bridge/v3/internal/locations"
+	"github.com/ProtonMail/proton-bridge/v3/internal/logging"
+	"github.com/ProtonMail/proton-bridge/v3/internal/sentry"
+	"github.com/sirupsen/logrus"
+
 	"github.com/ProtonMail/proton-bridge/v3/internal/app"
 	"github.com/bradenaw/juniper/xslices"
-	"github.com/sirupsen/logrus"
 )
 
 /*
@@ -44,7 +50,72 @@ import (
 */
 
 func main() {
-	if err := app.New().Run(xslices.Filter(os.Args, func(arg string) bool { return !strings.Contains(arg, "-psn_") })); err != nil {
-		logrus.Fatal(err)
+	appErr := app.New().Run(xslices.Filter(os.Args, func(arg string) bool { return !strings.Contains(arg, "-psn_") }))
+	if appErr != nil {
+		_ = app.WithLocations(func(l *locations.Locations) error {
+			logsPath, err := l.ProvideLogsPath()
+			if err != nil {
+				return err
+			}
+
+			// Get the session ID if its specified
+			var sessionID logging.SessionID
+			if flagVal, found := getFlagValue(os.Args, app.FlagSessionID); found {
+				sessionID = logging.SessionID(flagVal)
+			} else {
+				sessionID = logging.NewSessionID()
+			}
+
+			closer, err := logging.Init(
+				logsPath,
+				sessionID,
+				logging.BridgeShortAppName,
+				logging.DefaultMaxLogFileSize,
+				logging.DefaultPruningSize,
+				"",
+			)
+			if err != nil {
+				return err
+			}
+
+			defer func() {
+				_ = logging.Close(closer)
+			}()
+
+			logrus.
+				WithField("appName", constants.FullAppName).
+				WithField("version", constants.Version).
+				WithField("revision", constants.Revision).
+				WithField("tag", constants.Tag).
+				WithField("build", constants.BuildTime).
+				WithField("runtime", runtime.GOOS).
+				WithField("args", os.Args).
+				WithField("SentryID", sentry.GetProtectedHostname()).WithError(appErr).Error("Failed to initialize bridge")
+			return nil
+		})
+	}
+}
+
+// getFlagValue - obtains the value of a specified tag
+// The flag can be of the following form `-flag value`, `--flag value`, `-flag=value` or `--flags=value`.
+func getFlagValue(argList []string, flag string) (string, bool) {
+	eqPrefix1 := "-" + flag + "="
+	eqPrefix2 := "--" + flag + "="
+
+	for i := 0; i < len(argList); i++ {
+		arg := argList[i]
+		if strings.HasPrefix(arg, eqPrefix1) {
+			val := strings.TrimPrefix(arg, eqPrefix1)
+			return val, len(val) > 0
+		}
+		if strings.HasPrefix(arg, eqPrefix2) {
+			val := strings.TrimPrefix(arg, eqPrefix2)
+			return val, len(val) > 0
+		}
+		if (arg == "-"+flag || arg == "--"+flag) && i+1 < len(argList) {
+			return argList[i+1], true
+		}
 	}
+
+	return "", false
 }

cmd/Desktop-Bridge/main_test.go

@@ -0,0 +1,47 @@
+// Copyright (c) 2025 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
+
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetFlagValue(t *testing.T) {
+	tests := []struct {
+		args     []string
+		flag     string
+		expected string
+	}{
+		{[]string{"session-id", ""}, "session-id", ""},
+		{[]string{"-session-id", ""}, "session-id", ""},
+		{[]string{"--session-id", ""}, "session-id", ""},
+		{[]string{"session-id", "test"}, "session-id", ""},
+		{[]string{"-session-id", "test"}, "session-id", "test"},
+		{[]string{"--session-id", "test"}, "session-id", "test"},
+		{[]string{"session-id=test"}, "session-id", ""},
+		{[]string{"-session-id=test"}, "session-id", "test"},
+		{[]string{"--session-id=test"}, "session-id", "test"},
+	}
+
+	for _, tt := range tests {
+		val, _ := getFlagValue(tt.args, tt.flag)
+		require.Equal(t, val, tt.expected)
+	}
+}

cmd/launcher/main.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@@ -40,6 +40,7 @@ import (
 	"github.com/elastic/go-sysinfo/types"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 	"golang.org/x/sys/execabs"
 )
 
@@ -53,9 +54,12 @@ const (
 	FlagCLIShort            = "c"
 	FlagNonInteractive      = "noninteractive"
 	FlagNonInteractiveShort = "n"
-	FlagLauncher            = "--launcher"
-	FlagWait                = "--wait"
-	FlagSessionID           = "--session-id"
+	FlagLauncher            = "launcher"
+	FlagWait                = "wait"
+	FlagSessionID           = "session-id"
+	HyphenatedFlagLauncher  = "--" + FlagLauncher
+	HyphenatedFlagWait      = "--" + FlagWait
+	HyphenatedFlagSessionID = "--" + FlagSessionID
 )
 
 func main() { //nolint:funlen
@@ -151,7 +155,7 @@ func main() { //nolint:funlen
 		}
 	}
 
-	cmd := execabs.Command(exe, appendLauncherPath(launcher, append(args, FlagSessionID, string(sessionID)))...) //nolint:gosec
+	cmd := execabs.Command(exe, appendLauncherPath(launcher, appendOrModifySessionID(args, string(sessionID)))...) //nolint:gosec
 
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
@@ -173,27 +177,27 @@ func main() { //nolint:funlen
 
 // appendLauncherPath add launcher path if missing.
 func appendLauncherPath(path string, args []string) []string {
-	if !sliceContains(args, FlagLauncher) {
+	if !slices.Contains(args, HyphenatedFlagLauncher) {
 		res := append([]string{}, args...)
-		res = append(res, FlagLauncher, path)
+		res = append(res, HyphenatedFlagLauncher, path)
 		return res
 	}
 	return args
 }
 
-// sliceContains checks if a value is present in a list.
-func sliceContains[T comparable](list []T, s T) bool {
-	return xslices.Any(list, func(arg T) bool { return arg == s })
-}
-
 // inCLIMode detect if CLI mode is asked.
 func inCLIMode(args []string) bool {
 	return hasFlag(args, FlagCLI) || hasFlag(args, FlagCLIShort) || hasFlag(args, FlagNonInteractive) || hasFlag(args, FlagNonInteractiveShort)
 }
 
 // hasFlag checks if a flag is present in a list.
 func hasFlag(args []string, flag string) bool {
-	return xslices.Any(args, func(arg string) bool { return (arg == "-"+flag) || (arg == "--"+flag) })
+	return flagIndex(args, flag) >= 0
+}
+
+// flagIndex returns the position of the first occurrence of a flag int args, or -1 if the flag is not present.
+func flagIndex(args []string, flag string) int {
+	return slices.IndexFunc(args, func(arg string) bool { return (arg == "-"+flag) || (arg == "--"+flag) })
 }
 
 // findAndStrip check if a value is present in s list and remove all occurrences of the value from this list.
@@ -211,7 +215,7 @@ func findAndStripWait(args []string) ([]string, bool, []string) {
 	hasFlag := false
 	values := make([]string, 0)
 	for k, v := range res {
-		if v != FlagWait {
+		if v != HyphenatedFlagWait {
 			continue
 		}
 		if k+1 >= len(res) {
@@ -222,14 +226,31 @@ func findAndStripWait(args []string) ([]string, bool, []string) {
 	}
 
 	if hasFlag {
-		res, _ = findAndStrip(res, FlagWait)
+		res, _ = findAndStrip(res, HyphenatedFlagWait)
 		for _, v := range values {
 			res, _ = findAndStrip(res, v)
 		}
 	}
 	return res, hasFlag, values
 }
 
+// return args with the sessionID flag and value added or modified. The original slice is not modified.
+func appendOrModifySessionID(args []string, sessionID string) []string {
+	index := flagIndex(args, FlagSessionID)
+	if index < 0 {
+		return append(args, HyphenatedFlagSessionID, sessionID)
+	}
+
+	if index == len(args)-1 {
+		return append(args, sessionID)
+	}
+
+	res := slices.Clone(args)
+	res[index+1] = sessionID
+
+	return res
+}
+
 func getPathToUpdatedExecutable(
 	name string,
 	ver *versioner.Versioner,

cmd/launcher/main_test.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@@ -20,61 +20,62 @@ package main
 import (
 	"testing"
 
-	"github.com/bradenaw/juniper/xslices"
+	"github.com/ProtonMail/proton-bridge/v3/internal/logging"
 	"github.com/stretchr/testify/assert"
 )
 
-func TestSliceContains(t *testing.T) {
-	assert.True(t, sliceContains([]string{"a", "b", "c"}, "a"))
-	assert.True(t, sliceContains([]int{1, 2, 3}, 2))
-	assert.False(t, sliceContains([]string{"a", "b", "c"}, "A"))
-	assert.False(t, sliceContains([]int{1, 2, 3}, 4))
-	assert.False(t, sliceContains([]string{}, "a"))
-	assert.True(t, sliceContains([]string{"a", "a"}, "a"))
-}
-
 func TestFindAndStrip(t *testing.T) {
 	list := []string{"a", "b", "c", "c", "b", "c"}
 
 	result, found := findAndStrip(list, "a")
 	assert.True(t, found)
-	assert.True(t, xslices.Equal(result, []string{"b", "c", "c", "b", "c"}))
+	assert.Equal(t, result, []string{"b", "c", "c", "b", "c"})
 
 	result, found = findAndStrip(list, "c")
 	assert.True(t, found)
-	assert.True(t, xslices.Equal(result, []string{"a", "b", "b"}))
+	assert.Equal(t, result, []string{"a", "b", "b"})
 
 	result, found = findAndStrip([]string{"c", "c", "c"}, "c")
 	assert.True(t, found)
-	assert.True(t, xslices.Equal(result, []string{}))
+	assert.Equal(t, result, []string{})
 
 	result, found = findAndStrip(list, "A")
 	assert.False(t, found)
-	assert.True(t, xslices.Equal(result, list))
+	assert.Equal(t, result, list)
 
 	result, found = findAndStrip([]string{}, "a")
 	assert.False(t, found)
-	assert.True(t, xslices.Equal(result, []string{}))
+	assert.Equal(t, result, []string{})
 }
 
 func TestFindAndStripWait(t *testing.T) {
 	result, found, values := findAndStripWait([]string{"a", "b", "c"})
 	assert.False(t, found)
-	assert.True(t, xslices.Equal(result, []string{"a", "b", "c"}))
-	assert.True(t, xslices.Equal(values, []string{}))
+	assert.Equal(t, result, []string{"a", "b", "c"})
+	assert.Equal(t, values, []string{})
 
 	result, found, values = findAndStripWait([]string{"a", "--wait", "b"})
 	assert.True(t, found)
-	assert.True(t, xslices.Equal(result, []string{"a"}))
-	assert.True(t, xslices.Equal(values, []string{"b"}))
+	assert.Equal(t, result, []string{"a"})
+	assert.Equal(t, values, []string{"b"})
 
 	result, found, values = findAndStripWait([]string{"a", "--wait", "b", "--wait", "c"})
 	assert.True(t, found)
-	assert.True(t, xslices.Equal(result, []string{"a"}))
-	assert.True(t, xslices.Equal(values, []string{"b", "c"}))
+	assert.Equal(t, result, []string{"a"})
+	assert.Equal(t, values, []string{"b", "c"})
 
 	result, found, values = findAndStripWait([]string{"a", "--wait", "b", "--wait", "c", "--wait", "d"})
 	assert.True(t, found)
-	assert.True(t, xslices.Equal(result, []string{"a"}))
-	assert.True(t, xslices.Equal(values, []string{"b", "c", "d"}))
+	assert.Equal(t, result, []string{"a"})
+	assert.Equal(t, values, []string{"b", "c", "d"})
+}
+
+func TestAppendOrModifySessionID(t *testing.T) {
+	sessionID := string(logging.NewSessionID())
+	assert.Equal(t, appendOrModifySessionID(nil, sessionID), []string{"--session-id", sessionID})
+	assert.Equal(t, appendOrModifySessionID([]string{}, sessionID), []string{"--session-id", sessionID})
+	assert.Equal(t, appendOrModifySessionID([]string{"--cli"}, sessionID), []string{"--cli", "--session-id", sessionID})
+	assert.Equal(t, appendOrModifySessionID([]string{"--cli", "--session-id"}, sessionID), []string{"--cli", "--session-id", sessionID})
+	assert.Equal(t, appendOrModifySessionID([]string{"--cli", "--session-id"}, sessionID), []string{"--cli", "--session-id", sessionID})
+	assert.Equal(t, appendOrModifySessionID([]string{"--session-id", "<oldID>", "--cli"}, sessionID), []string{"--session-id", sessionID, "--cli"})
 }

go.mod

@@ -1,74 +1,81 @@
 module github.com/ProtonMail/proton-bridge/v3
 
-go 1.20
+go 1.24
+
+toolchain go1.24.2
 
 require (
 	github.com/0xAX/notificator v0.0.0-20220220101646-ee9b8921e557
 	github.com/Masterminds/semver/v3 v3.2.0
-	github.com/ProtonMail/gluon v0.17.1-0.20231009084701-3af0474b0b3c
+	github.com/ProtonMail/gluon v0.17.1-0.20250611120816-05167d499f8d
 	github.com/ProtonMail/go-autostart v0.0.0-20210130080809-00ed301c8e9a
-	github.com/ProtonMail/go-proton-api v0.4.1-0.20230831064234-0e3a549b3f36
-	github.com/ProtonMail/gopenpgp/v2 v2.7.1-proton
+	github.com/ProtonMail/go-proton-api v0.4.1-0.20250417134000-e624a080f7ba
+	github.com/ProtonMail/gopenpgp/v2 v2.8.2-proton
 	github.com/PuerkitoBio/goquery v1.8.1
 	github.com/abiosoft/ishell v2.0.0+incompatible
 	github.com/allan-simon/go-singleinstance v0.0.0-20210120080615-d0997106ab37
 	github.com/bradenaw/juniper v0.12.0
 	github.com/cucumber/godog v0.12.5
 	github.com/cucumber/messages-go/v16 v16.0.1
-	github.com/docker/docker-credential-helpers v0.6.3
-	github.com/elastic/go-sysinfo v1.8.1
+	github.com/docker/docker-credential-helpers v0.8.1
+	github.com/elastic/go-sysinfo v1.11.2-0.20231129083954-35e55cd2a542
 	github.com/emersion/go-imap v1.2.1
 	github.com/emersion/go-imap-id v0.0.0-20190926060100-f94a56b9ecde
 	github.com/emersion/go-message v0.16.0
 	github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead
 	github.com/emersion/go-smtp v0.15.1-0.20221021114529-49b17434419d
+	github.com/emersion/go-vcard v0.0.0-20230331202150-f3d26859ccd3
 	github.com/fatih/color v1.13.0
 	github.com/getsentry/sentry-go v0.15.0
 	github.com/go-resty/resty/v2 v2.7.0
 	github.com/godbus/dbus v4.1.0+incompatible
 	github.com/golang/mock v1.6.0
-	github.com/google/go-cmp v0.5.9
+	github.com/google/go-cmp v0.6.0
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/jaytaylor/html2text v0.0.0-20211105163654-bc68cce691ba
+	github.com/jeandeaual/go-locale v0.0.0-20220711133428-7de61946b173
 	github.com/keybase/go-keychain v0.0.0
 	github.com/miekg/dns v1.1.50
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/profile v1.7.0
 	github.com/sirupsen/logrus v1.9.2
-	github.com/stretchr/testify v1.8.3
+	github.com/stretchr/testify v1.8.4
 	github.com/urfave/cli/v2 v2.24.4
 	github.com/vmihailenco/msgpack/v5 v5.3.5
 	go.uber.org/goleak v1.2.1
 	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
-	golang.org/x/net v0.10.0
-	golang.org/x/sys v0.8.0
-	golang.org/x/text v0.9.0
-	google.golang.org/grpc v1.53.0
-	google.golang.org/protobuf v1.30.0
+	golang.org/x/net v0.38.0
+	golang.org/x/oauth2 v0.7.0
+	golang.org/x/sys v0.31.0
+	golang.org/x/text v0.23.0
+	google.golang.org/api v0.114.0
+	google.golang.org/grpc v1.56.3
+	google.golang.org/protobuf v1.33.0
 	howett.net/plist v1.0.0
 )
 
 require (
+	cloud.google.com/go/compute v1.19.1 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	github.com/ProtonMail/bcrypt v0.0.0-20211005172633-e235017c1baf // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 // indirect
+	github.com/ProtonMail/go-crypto v1.1.4-proton // indirect
 	github.com/ProtonMail/go-mime v0.0.0-20230322103455-7d82a3887f2f // indirect
 	github.com/ProtonMail/go-srp v0.0.7 // indirect
 	github.com/abiosoft/readline v0.0.0-20180607040430-155bce2042db // indirect
 	github.com/andybalholm/cascadia v1.3.2 // indirect
 	github.com/bytedance/sonic v1.9.1 // indirect
 	github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
 	github.com/chzyer/test v1.0.0 // indirect
-	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/cloudflare/circl v1.5.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/cronokirby/saferith v0.33.0 // indirect
 	github.com/cucumber/gherkin-go/v19 v19.0.3 // indirect
-	github.com/danieljoos/wincred v1.1.2 // indirect
+	github.com/danieljoos/wincred v1.2.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elastic/go-windows v1.0.1 // indirect
 	github.com/emersion/go-textwrapper v0.0.0-20200911093747-65d896831594 // indirect
-	github.com/emersion/go-vcard v0.0.0-20230331202150-f3d26859ccd3 // indirect
 	github.com/felixge/fgprof v0.9.3 // indirect
 	github.com/flynn-archive/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
@@ -79,8 +86,11 @@ require (
 	github.com/go-playground/validator/v10 v10.14.0 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/gofrs/uuid v4.3.0+incompatible // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/pprof v0.0.0-20211214055906-6f57359322fd // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
+	github.com/googleapis/gax-go/v2 v2.7.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-memdb v1.3.3 // indirect
@@ -92,33 +102,39 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
-	github.com/mattn/go-sqlite3 v1.14.17 // indirect
+	github.com/mattn/go-sqlite3 v1.14.22 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
 	github.com/pierrec/lz4/v4 v4.1.17 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/rivo/uniseg v0.4.2 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
+	github.com/stretchr/objx v0.5.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.11 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	gitlab.com/c0b/go-ordered-json v0.0.0-20201030195603-febf46534d5a // indirect
+	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/arch v0.3.0 // indirect
-	golang.org/x/crypto v0.9.0 // indirect
-	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
-	google.golang.org/genproto v0.0.0-20230221151758-ace64dc21148 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 replace (
-	github.com/docker/docker-credential-helpers => github.com/ProtonMail/docker-credential-helpers v1.1.0
-	github.com/emersion/go-message => github.com/ProtonMail/go-message v0.13.1-0.20230526094639-b62c999c85b7
-	github.com/keybase/go-keychain => github.com/cuthix/go-keychain v0.0.0-20230517073537-fc1740a83768
+	github.com/ProtonMail/go-autostart => github.com/ElectroNafta/go-autostart v0.0.0-20250402094843-326608c16033
+	github.com/emersion/go-message => github.com/ProtonMail/go-message v0.13.1-0.20240919135104-3bc88e6a9423
+	github.com/emersion/go-smtp => github.com/ProtonMail/go-smtp v0.0.0-20231109081432-2b3d50599865
+	github.com/go-resty/resty/v2 => github.com/LBeernaertProton/resty/v2 v2.0.0-20231129100320-dddf8030d93a
+	github.com/keybase/go-keychain => github.com/cuthix/go-keychain v0.0.0-20240103134243-0b6a41580b77
 )

internal/app/app.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@@ -26,6 +26,7 @@ import (
 	"os"
 	"path/filepath"
 	"runtime"
+	"time"
 
 	"github.com/Masterminds/semver/v3"
 	"github.com/ProtonMail/gluon/async"
@@ -41,7 +42,9 @@ import (
 	"github.com/ProtonMail/proton-bridge/v3/internal/sentry"
 	"github.com/ProtonMail/proton-bridge/v3/internal/useragent"
 	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
+	"github.com/ProtonMail/proton-bridge/v3/pkg/keychain"
 	"github.com/ProtonMail/proton-bridge/v3/pkg/restarter"
+	"github.com/elastic/go-sysinfo"
 	"github.com/pkg/profile"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
@@ -72,22 +75,45 @@ const (
 
 	flagLogIMAP = "log-imap"
 	flagLogSMTP = "log-smtp"
+
+	flagEnableKeychainTest  = "enable-keychain-test"
+	flagDisableKeychainTest = "disable-keychain-test"
+
+	flagSoftwareRenderer    = "software-renderer"
+	flagSetSoftwareRenderer = "set-software-renderer"
+	flagSetHardwareRenderer = "set-hardware-renderer"
 )
 
 // Hidden flags.
 const (
-	flagLauncher         = "launcher"
-	flagNoWindow         = "no-window"
-	flagParentPID        = "parent-pid"
-	flagSoftwareRenderer = "software-renderer"
-	flagSessionID        = "session-id"
+	flagLauncher  = "launcher"
+	flagNoWindow  = "no-window"
+	flagParentPID = "parent-pid"
+	FlagSessionID = "session-id"
 )
 
 const (
 	appUsage     = "Proton Mail IMAP and SMTP Bridge"
 	appShortName = "bridge"
 )
 
+// the two flags below have been deprecated by BRIDGE-281. We however keep them so that bridge does not error if they are passed on startup.
+var cliFlagEnableKeychainTest = &cli.BoolFlag{ //nolint:gochecknoglobals
+	Name:               flagEnableKeychainTest,
+	Usage:              "This flag is deprecated and does nothing",
+	Value:              false,
+	DisableDefaultText: true,
+	Hidden:             true,
+}
+
+var cliFlagDisableKeychainTest = &cli.BoolFlag{ //nolint:gochecknoglobals
+	Name:               flagDisableKeychainTest,
+	Usage:              "This flag is deprecated and does nothing",
+	Value:              false,
+	DisableDefaultText: true,
+	Hidden:             true,
+}
+
 func New() *cli.App {
 	app := cli.NewApp()
 
@@ -137,6 +163,24 @@ func New() *cli.App {
 			Name:  flagLogSMTP,
 			Usage: "Enable logging of SMTP communications (may contain decrypted data!)",
 		},
+		&cli.BoolFlag{
+			Name:               flagSoftwareRenderer, // This flag is ignored by bridge, but should be passed to launcher in case of restart, so it need to be accepted by the CLI parser.
+			Usage:              "Use software rendering of the GUI for the current execution of the application",
+			Value:              false,
+			DisableDefaultText: true,
+		},
+		&cli.BoolFlag{
+			Name:               flagSetSoftwareRenderer, // This flag is ignored by bridge, we just want it to be shown in the help (BRIDGE-217).
+			Usage:              "Toggle software rendering of the GUI for the current and future executions of the application",
+			Value:              false,
+			DisableDefaultText: true,
+		},
+		&cli.BoolFlag{
+			Name:               flagSetHardwareRenderer, // This flag is ignored by bridge, we just want it to be shown in the help (BRIDGE-217).
+			Usage:              "Toggle hardware rendering of the GUI for the current and future executions of the application",
+			Value:              false,
+			DisableDefaultText: true,
+		},
 
 		// Hidden flags
 		&cli.BoolFlag{
@@ -155,18 +199,26 @@ func New() *cli.App {
 			Hidden: true,
 			Value:  -1,
 		},
-		&cli.BoolFlag{
-			Name:   flagSoftwareRenderer, // This flag is ignored by bridge, but should be passed to launcher in case of restart, so it need to be accepted by the CLI parser.
-			Usage:  "GUI is using software renderer",
-			Hidden: true,
-			Value:  false,
-		},
 		&cli.StringFlag{
-			Name:   flagSessionID,
+			Name:   FlagSessionID,
 			Hidden: true,
 		},
 	}
 
+	// We override the default help value because we want "Show" to be capitalized
+	cli.HelpFlag = &cli.BoolFlag{
+		Name:               "help",
+		Aliases:            []string{"h"},
+		Usage:              "Show help",
+		DisableDefaultText: true,
+	}
+
+	if onMacOS() {
+		// The two flags below were introduced for BRIDGE-116, and are available only on macOS.
+		// They have been later removed fro BRIDGE-281.
+		app.Flags = append(app.Flags, cliFlagEnableKeychainTest, cliFlagDisableKeychainTest)
+	}
+
 	app.Action = run
 
 	return app
@@ -204,7 +256,7 @@ func run(c *cli.Context) error {
 	}()
 
 	// Restart the app if requested.
-	return withRestarter(exe, func(restarter *restarter.Restarter) error {
+	err = withRestarter(exe, func(restarter *restarter.Restarter) error {
 		// Handle crashes with various actions.
 		return withCrashHandler(restarter, reporter, func(crashHandler *crash.Handler, quitCh <-chan struct{}) error {
 			migrationErr := migrateOldVersions()
@@ -234,53 +286,56 @@ func run(c *cli.Context) error {
 						}
 
 						return withSingleInstance(settings, locations.GetLockFile(), version, func() error {
-							// Unlock the encrypted vault.
-							return WithVault(locations, crashHandler, func(v *vault.Vault, insecure, corrupt bool) error {
-								if !v.Migrated() {
-									// Migrate old settings into the vault.
-									if err := migrateOldSettings(v); err != nil {
-										logrus.WithError(err).Error("Failed to migrate old settings")
-									}
-
-									// Migrate old accounts into the vault.
-									if err := migrateOldAccounts(locations, v); err != nil {
-										logrus.WithError(err).Error("Failed to migrate old accounts")
-									}
-
-									// The vault has been migrated.
-									if err := v.SetMigrated(); err != nil {
-										logrus.WithError(err).Error("Failed to mark vault as migrated")
-									}
-								}
-
-								logrus.WithFields(logrus.Fields{
-									"lastVersion": v.GetLastVersion().String(),
-									"showAllMail": v.GetShowAllMail(),
-									"updateCh":    v.GetUpdateChannel(),
-									"autoUpdate":  v.GetAutoUpdate(),
-									"rollout":     v.GetUpdateRollout(),
-									"DoH":         v.GetProxyAllowed(),
-								}).Info("Vault loaded")
-
-								// Load the cookies from the vault.
-								return withCookieJar(v, func(cookieJar http.CookieJar) error {
-									// Create a new bridge instance.
-									return withBridge(c, exe, locations, version, identifier, crashHandler, reporter, v, cookieJar, func(b *bridge.Bridge, eventCh <-chan events.Event) error {
-										if insecure {
-											logrus.Warn("The vault key could not be retrieved; the vault will not be encrypted")
-											b.PushError(bridge.ErrVaultInsecure)
+							// Look for available keychains
+							return WithKeychainList(crashHandler, func(keychains *keychain.List) error {
+								// Unlock the encrypted vault.
+								return WithVault(reporter, locations, keychains, crashHandler, func(v *vault.Vault, insecure, corrupt bool) error {
+									if !v.Migrated() {
+										// Migrate old settings into the vault.
+										if err := migrateOldSettings(v); err != nil {
+											logrus.WithError(err).Error("Failed to migrate old settings")
 										}
 
-										if corrupt {
-											logrus.Warn("The vault is corrupt and has been wiped")
-											b.PushError(bridge.ErrVaultCorrupt)
+										// Migrate old accounts into the vault.
+										if err := migrateOldAccounts(locations, keychains, v); err != nil {
+											logrus.WithError(err).Error("Failed to migrate old accounts")
 										}
 
-										// Start telemetry heartbeat process
-										b.StartHeartbeat(b)
+										// The vault has been migrated.
+										if err := v.SetMigrated(); err != nil {
+											logrus.WithError(err).Error("Failed to mark vault as migrated")
+										}
+									}
 
-										// Run the frontend.
-										return runFrontend(c, crashHandler, restarter, locations, b, eventCh, quitCh, c.Int(flagParentPID))
+									logrus.WithFields(logrus.Fields{
+										"lastVersion": v.GetLastVersion().String(),
+										"showAllMail": v.GetShowAllMail(),
+										"updateCh":    v.GetUpdateChannel(),
+										"autoUpdate":  v.GetAutoUpdate(),
+										"rollout":     v.GetUpdateRollout(),
+										"DoH":         v.GetProxyAllowed(),
+									}).Info("Vault loaded")
+
+									// Load the cookies from the vault.
+									return withCookieJar(v, func(cookieJar http.CookieJar) error {
+										// Create a new bridge instance.
+										return withBridge(c, exe, locations, version, identifier, crashHandler, reporter, v, cookieJar, keychains, func(b *bridge.Bridge, eventCh <-chan events.Event) error {
+											if insecure {
+												logrus.Warn("The vault key could not be retrieved; the vault will not be encrypted")
+												b.PushError(bridge.ErrVaultInsecure)
+											}
+
+											if corrupt {
+												logrus.Warn("The vault is corrupt and has been wiped")
+												b.PushError(bridge.ErrVaultCorrupt)
+											}
+
+											// Remove old updates files
+											b.RemoveOldUpdates()
+
+											// Run the frontend.
+											return runFrontend(c, crashHandler, restarter, locations, b, eventCh, quitCh, c.Int(flagParentPID))
+										})
 									})
 								})
 							})
@@ -290,6 +345,13 @@ func run(c *cli.Context) error {
 			})
 		})
 	})
+
+	// if an error occurs, it must be logged now because we're about to close the log file.
+	if err != nil {
+		logrus.Fatal(err)
+	}
+
+	return err
 }
 
 // If there's another instance already running, try to raise it and exit.
@@ -333,7 +395,7 @@ func withLogging(c *cli.Context, crashHandler *crash.Handler, locations *locatio
 	logrus.WithField("path", logsPath).Debug("Received logs path")
 
 	// Initialize logging.
-	sessionID := logging.NewSessionIDFromString(c.String(flagSessionID))
+	sessionID := logging.NewSessionIDFromString(c.String(FlagSessionID))
 	var closer io.Closer
 	if closer, err = logging.Init(
 		logsPath,
@@ -360,6 +422,24 @@ func withLogging(c *cli.Context, crashHandler *crash.Handler, locations *locatio
 		WithField("SentryID", sentry.GetProtectedHostname()).
 		Info("Run app")
 
+	now := time.Now()
+	logrus.
+		WithField("timeZone", now.Format("MST")).
+		WithField("offset", now.Format("-07:00:00")).
+		Info("Time zone info")
+
+	host, err := sysinfo.Host()
+	if err != nil {
+		logrus.WithError(err).Error("Could not retrieve operating system info")
+	} else {
+		osInfo := host.Info().OS
+		logrus.
+			WithField("name", osInfo.Name).
+			WithField("version", osInfo.Version).
+			WithField("build", osInfo.Build).
+			Info("Operating system info")
+	}
+
 	return fn(closer)
 }
 
@@ -470,6 +550,14 @@ func withCookieJar(vault *vault.Vault, fn func(http.CookieJar) error) error {
 	return fn(persister)
 }
 
+// WithKeychainList init the list of usable keychains.
+func WithKeychainList(panicHandler async.PanicHandler, fn func(*keychain.List) error) error {
+	logrus.Debug("Creating keychain list")
+	defer logrus.Debug("Keychain list stop")
+	defer async.HandlePanic(panicHandler)
+	return fn(keychain.NewList())
+}
+
 func setDeviceCookies(jar *cookies.Jar) error {
 	url, err := url.Parse(constants.APIHost)
 	if err != nil {
@@ -487,3 +575,7 @@ func setDeviceCookies(jar *cookies.Jar) error {
 
 	return nil
 }
+
+func onMacOS() bool {
+	return runtime.GOOS == "darwin"
+}

internal/app/bridge.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@@ -37,6 +37,7 @@ import (
 	"github.com/ProtonMail/proton-bridge/v3/internal/useragent"
 	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
 	"github.com/ProtonMail/proton-bridge/v3/internal/versioner"
+	"github.com/ProtonMail/proton-bridge/v3/pkg/keychain"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
 )
@@ -55,6 +56,7 @@ func withBridge(
 	reporter *sentry.Reporter,
 	vault *vault.Vault,
 	cookieJar http.CookieJar,
+	keychains *keychain.List,
 	fn func(*bridge.Bridge, <-chan events.Event) error,
 ) error {
 	logrus.Debug("Creating bridge")
@@ -97,6 +99,7 @@ func withBridge(
 		autostarter,
 		updater,
 		version,
+		keychains,
 
 		// The API stuff.
 		constants.APIHost,
@@ -110,6 +113,7 @@ func withBridge(
 		crashHandler,
 		reporter,
 		imap.DefaultEpochUIDValidityGenerator(),
+		nil,
 
 		// The logging stuff.
 		c.String(flagLogIMAP) == "client" || c.String(flagLogIMAP) == "all",
@@ -155,7 +159,7 @@ func newUpdater(locations *locations.Locations) (*updater.Updater, error) {
 	}
 
 	return updater.NewUpdater(
-		updater.NewInstaller(versioner.New(updatesDir)),
+		versioner.New(updatesDir),
 		verifier,
 		constants.UpdateName,
 		runtime.GOOS,

internal/app/frontend.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //

internal/app/migration.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@@ -43,7 +43,7 @@ import (
 
 // nolint:gosec
 func migrateKeychainHelper(locations *locations.Locations) error {
-	logrus.Info("Migrating keychain helper")
+	logrus.Trace("Checking if keychain helper needs to be migrated")
 
 	settings, err := locations.ProvideSettingsPath()
 	if err != nil {
@@ -75,7 +75,11 @@ func migrateKeychainHelper(locations *locations.Locations) error {
 		return fmt.Errorf("failed to unmarshal old prefs file: %w", err)
 	}
 
-	return vault.SetHelper(settings, prefs.Helper)
+	err = vault.SetHelper(settings, prefs.Helper)
+	if err == nil {
+		logrus.Info("Keychain helper has been migrated")
+	}
+	return err
 }
 
 // nolint:gosec
@@ -122,7 +126,7 @@ func migrateOldSettingsWithDir(configDir string, v *vault.Vault) error {
 	return v.SetBridgeTLSCertKey(certPEM, keyPEM)
 }
 
-func migrateOldAccounts(locations *locations.Locations, v *vault.Vault) error {
+func migrateOldAccounts(locations *locations.Locations, keychains *keychain.List, v *vault.Vault) error {
 	logrus.Info("Migrating accounts")
 
 	settings, err := locations.ProvideSettingsPath()
@@ -134,8 +138,7 @@ func migrateOldAccounts(locations *locations.Locations, v *vault.Vault) error {
 	if err != nil {
 		return fmt.Errorf("failed to get helper: %w", err)
 	}
-
-	keychain, err := keychain.NewKeychain(helper, "bridge")
+	keychain, _, err := keychain.NewKeychain(helper, "bridge", keychains.GetHelpers(), keychains.GetDefaultHelper())
 	if err != nil {
 		return fmt.Errorf("failed to create keychain: %w", err)
 	}

internal/app/migration_test.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@@ -35,15 +35,14 @@ import (
 	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
 	"github.com/ProtonMail/proton-bridge/v3/pkg/algo"
 	"github.com/ProtonMail/proton-bridge/v3/pkg/keychain"
-	dockerCredentials "github.com/docker/docker-credential-helpers/credentials"
 	"github.com/stretchr/testify/require"
 )
 
 func TestMigratePrefsToVaultWithKeys(t *testing.T) {
 	// Create a new vault.
 	vault, corrupt, err := vault.New(t.TempDir(), t.TempDir(), []byte("my secret key"), async.NoopPanicHandler{})
 	require.NoError(t, err)
-	require.False(t, corrupt)
+	require.NoError(t, corrupt)
 
 	// load the old prefs file.
 	configDir := filepath.Join("testdata", "with_keys")
@@ -64,7 +63,7 @@ func TestMigratePrefsToVaultWithoutKeys(t *testing.T) {
 	// Create a new vault.
 	vault, corrupt, err := vault.New(t.TempDir(), t.TempDir(), []byte("my secret key"), async.NoopPanicHandler{})
 	require.NoError(t, err)
-	require.False(t, corrupt)
+	require.NoError(t, corrupt)
 
 	// load the old prefs file.
 	configDir := filepath.Join("testdata", "without_keys")
@@ -133,11 +132,9 @@ func TestKeychainMigration(t *testing.T) {
 }
 
 func TestUserMigration(t *testing.T) {
-	keychainHelper := keychain.NewTestHelper()
+	kcl := keychain.NewTestKeychainsList()
 
-	keychain.Helpers["mock"] = func(string) (dockerCredentials.Helper, error) { return keychainHelper, nil }
-
-	kc, err := keychain.NewKeychain("mock", "bridge")
+	kc, _, err := keychain.NewKeychain("mock", "bridge", kcl.GetHelpers(), kcl.GetDefaultHelper())
 	require.NoError(t, err)
 
 	require.NoError(t, kc.Put("brokenID", "broken"))
@@ -176,9 +173,9 @@ func TestUserMigration(t *testing.T) {
 
 	v, corrupt, err := vault.New(settingsFolder, settingsFolder, token, async.NoopPanicHandler{})
 	require.NoError(t, err)
-	require.False(t, corrupt)
+	require.NoError(t, corrupt)
 
-	require.NoError(t, migrateOldAccounts(locations, v))
+	require.NoError(t, migrateOldAccounts(locations, kcl, v))
 	require.Equal(t, []string{wantCredentials.UserID}, v.GetUserIDs())
 
 	require.NoError(t, v.GetUser(wantCredentials.UserID, func(u *vault.User) {

internal/app/singleinstance.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //

internal/app/vault.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@@ -18,110 +18,130 @@
 package app
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
 	"path"
 
 	"github.com/ProtonMail/gluon/async"
 	"github.com/ProtonMail/proton-bridge/v3/internal/certs"
 	"github.com/ProtonMail/proton-bridge/v3/internal/constants"
 	"github.com/ProtonMail/proton-bridge/v3/internal/locations"
+	"github.com/ProtonMail/proton-bridge/v3/internal/sentry"
 	"github.com/ProtonMail/proton-bridge/v3/internal/vault"
 	"github.com/ProtonMail/proton-bridge/v3/pkg/keychain"
 	"github.com/sirupsen/logrus"
 )
 
-func WithVault(locations *locations.Locations, panicHandler async.PanicHandler, fn func(*vault.Vault, bool, bool) error) error {
+func WithVault(reporter *sentry.Reporter, locations *locations.Locations, keychains *keychain.List, panicHandler async.PanicHandler, fn func(*vault.Vault, bool, bool) error) error {
 	logrus.Debug("Creating vault")
 	defer logrus.Debug("Vault stopped")
 
 	// Create the encVault.
-	encVault, insecure, corrupt, err := newVault(locations, panicHandler)
+	encVault, insecure, corrupt, err := newVault(reporter, locations, keychains, panicHandler)
 	if err != nil {
 		return fmt.Errorf("could not create vault: %w", err)
 	}
 
 	logrus.WithFields(logrus.Fields{
 		"insecure": insecure,
-		"corrupt":  corrupt,
+		"corrupt":  corrupt != nil,
 	}).Debug("Vault created")
 
-	// Install the certificates if needed.
-	if installed := encVault.GetCertsInstalled(); !installed {
-		logrus.Debug("Installing certificates")
-
-		certPEM, _ := encVault.GetBridgeTLSCert()
-
-		if err := certs.NewInstaller().InstallCert(certPEM); err != nil {
-			return fmt.Errorf("failed to install certs: %w", err)
-		}
-
-		if err := encVault.SetCertsInstalled(true); err != nil {
-			return fmt.Errorf("failed to set certs installed: %w", err)
-		}
-
-		logrus.Debug("Certificates successfully installed")
+	if corrupt != nil {
+		logrus.WithError(corrupt).Warn("Failed to load existing vault, vault has been reset")
 	}
 
+	cert, _ := encVault.GetBridgeTLSCert()
+	certs.NewInstaller().LogCertInstallStatus(cert)
+
 	// GODT-1950: Add teardown actions (e.g. to close the vault).
 
-	return fn(encVault, insecure, corrupt)
+	return fn(encVault, insecure, corrupt != nil)
 }
 
-func newVault(locations *locations.Locations, panicHandler async.PanicHandler) (*vault.Vault, bool, bool, error) {
+func newVault(reporter *sentry.Reporter, locations *locations.Locations, keychains *keychain.List, panicHandler async.PanicHandler) (*vault.Vault, bool, error, error) {
 	vaultDir, err := locations.ProvideSettingsPath()
 	if err != nil {
-		return nil, false, false, fmt.Errorf("could not get vault dir: %w", err)
+		return nil, false, nil, fmt.Errorf("could not get vault dir: %w", err)
 	}
 
 	logrus.WithField("vaultDir", vaultDir).Debug("Loading vault from directory")
 
 	var (
-		vaultKey []byte
-		insecure bool
+		vaultKey       []byte
+		insecure       bool
+		lastUsedHelper string
 	)
 
-	if key, err := loadVaultKey(vaultDir); err != nil {
+	if key, helper, err := loadVaultKey(vaultDir, keychains); err != nil {
+		if reporter != nil {
+			if rerr := reporter.ReportMessageWithContext("Could not load/create vault key", map[string]any{
+				"keychainDefaultHelper":       keychains.GetDefaultHelper(),
+				"keychainUsableHelpersLength": len(keychains.GetHelpers()),
+				"error":                       err.Error(),
+			}); rerr != nil {
+				logrus.WithError(err).Info("Failed to report keychain issue to Sentry")
+			}
+		}
+
 		logrus.WithError(err).Error("Could not load/create vault key")
 		insecure = true
 
 		// We store the insecure vault in a separate directory
 		vaultDir = path.Join(vaultDir, "insecure")
 	} else {
 		vaultKey = key
+		lastUsedHelper = helper
+		logHashedVaultKey(vaultKey) // Log a hash of the vault key.
 	}
 
 	gluonCacheDir, err := locations.ProvideGluonCachePath()
 	if err != nil {
-		return nil, false, false, fmt.Errorf("could not provide gluon path: %w", err)
+		return nil, false, nil, fmt.Errorf("could not provide gluon path: %w", err)
 	}
 
-	vault, corrupt, err := vault.New(vaultDir, gluonCacheDir, vaultKey, panicHandler)
+	userVault, corrupt, err := vault.New(vaultDir, gluonCacheDir, vaultKey, panicHandler)
 	if err != nil {
-		return nil, false, false, fmt.Errorf("could not create vault: %w", err)
+		return nil, false, corrupt, fmt.Errorf("could not create vault: %w", err)
+	}
+
+	// Remember the last successfully used keychain and store that as the user preference.
+	if err := vault.SetHelper(vaultDir, lastUsedHelper); err != nil {
+		logrus.WithError(err).Error("Could not store last used keychain helper")
 	}
 
-	return vault, insecure, corrupt, nil
+	return userVault, insecure, corrupt, nil
 }
 
-func loadVaultKey(vaultDir string) ([]byte, error) {
-	helper, err := vault.GetHelper(vaultDir)
+// loadVaultKey - loads the key used to encrypt the vault alongside the keychain helper used to access it.
+func loadVaultKey(vaultDir string, keychains *keychain.List) (key []byte, keychainHelper string, err error) {
+	keychainHelper, err = vault.GetHelper(vaultDir)
 	if err != nil {
-		return nil, fmt.Errorf("could not get keychain helper: %w", err)
+		return nil, keychainHelper, fmt.Errorf("could not get keychain helper: %w", err)
 	}
 
-	kc, err := keychain.NewKeychain(helper, constants.KeyChainName)
+	kc, keychainHelper, err := keychain.NewKeychain(keychainHelper, constants.KeyChainName, keychains.GetHelpers(), keychains.GetDefaultHelper())
 	if err != nil {
-		return nil, fmt.Errorf("could not create keychain: %w", err)
+		return nil, keychainHelper, fmt.Errorf("could not create keychain: %w", err)
 	}
 
-	has, err := vault.HasVaultKey(kc)
+	key, err = vault.GetVaultKey(kc)
 	if err != nil {
-		return nil, fmt.Errorf("could not check for vault key: %w", err)
-	}
+		if keychain.IsErrKeychainNoItem(err) {
+			logrus.WithError(err).Warn("no vault key found, generating new")
+			key, err := vault.NewVaultKey(kc)
+			return key, keychainHelper, err
+		}
 
-	if has {
-		return vault.GetVaultKey(kc)
+		return nil, keychainHelper, fmt.Errorf("could not check for vault key: %w", err)
 	}
 
-	return vault.NewVaultKey(kc)
+	return key, keychainHelper, nil
+}
+
+// logHashedVaultKey - computes a sha256 hash and encodes it to base 64. The resulting string is logged.
+func logHashedVaultKey(vaultKey []byte) {
+	hashedKey := sha256.Sum256(vaultKey)
+	logrus.WithField("hashedKey", hex.EncodeToString(hashedKey[:])).Info("Found vault key")
 }

internal/bridge/api.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //
@@ -40,7 +40,7 @@ func defaultAPIOptions(
 		proton.WithAppVersion(constants.AppVersion(version.Original())),
 		proton.WithCookieJar(cookieJar),
 		proton.WithTransport(transport),
-		proton.WithLogger(logrus.StandardLogger()),
+		proton.WithLogger(logrus.WithField("pkg", "gpa/client")),
 		proton.WithPanicHandler(panicHandler),
 	}
 }

internal/bridge/api_default.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //

internal/bridge/api_qa.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2023 Proton AG
+// Copyright (c) 2025 Proton AG
 //
 // This file is part of Proton Mail Bridge.
 //