
Kleopatra: Add refresh button in certificatedetails
Closed, Resolved, Public

Description

When certificate details are open we do an online check for S/MIME to validate the certificate. Semantically we should in that case also do a refresh-key for the OpenPGP certificate.

At least we should have a refresh button in the certificate details to refresh it from the server. But I would like to have this also behind a configuration setting for automatic refresh in which case the button should be invisible. I think an auto refresh would be the best solution from a usability standpoint but from a privacy standpoint an explicit action is better. That way we keep Kleopatra never doing network connections if the user does not explicitly trigger them.

I think this issue should have some priority so I classified it as normal and not wishlist because an OpenPGP key refresh is important from a security standpoint.

Details

Version
master

Event Timeline

aheinecke created this task.

I wonder if we even should change gpgme to do a key refresh when you call it in VALIDATE mode and online? Semantically this makes sense to me as this is where CRL checks for S/MIME are done. But from a conservative standpoint this could be considered an API change if the API then does something differently and that even does a network connection. So while I consider it I don't think this is a very good idea.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker changed the task status from Open to Testing. May 5 2022, 3:22 PM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a project: Restricted Project.
ikloecker added a subscriber: ikloecker.

The Certificate Details window now has an Update button.

I don't think that it makes much sense to do an auto refresh (only) when the details are opened. If the automatic refresh is really important, then it needs to be performed in the background for all keys all of the time. If people want to encrypt a file, then they won't look at the certificate details for all recipients to make sure that all keys have been refreshed. They will expect that all keys are up-to-date without them having to care about this.

Please add a separate task for an automatic refresh.

For an OpenPGP key, Update now performs a simple "retrieve key" operation for the existing key, i.e. it refreshes the key with the public key found on the configured key server.

werner removed a project: Restricted Project. Sep 22 2022, 11:04 AM
ebo renamed this task from "Kleopatra: Add refresh button in certificatedetails and an auto refresh" to "Kleopatra: Add refresh button in certificatedetails". Dec 5 2022, 1:07 PM
ikloecker changed the task status from Testing to Open. Dec 7 2022, 11:42 AM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a subscriber: ebo.

Ok. So after further discussion. It is good that you kept a WKDRefreshJob copy :)

I would suggest the following, if it is somehow possible. I think we have the API for this now that we can search for WKD keys without importing them. We should additionally check WKD, if the key from WKD has the same fingerprint, we update, if it has not, we show the user something like a search result. Give indication that a different key was found for these UserIDs and then let the user decide to import them?

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
werner moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Dec 12 2022, 11:47 AM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. May 16 2023, 12:11 PM
ebo changed the task status from Open to Testing. Aug 10 2023, 3:47 PM

> Please add a separate task for an automatic refresh.

There already is one: T1235

ebo changed the task status from Testing to Open. Aug 11 2023, 8:28 AM
ebo raised the priority of this task from Normal to High. Aug 18 2023, 12:34 PM
ebo added a project: backport.

Backport to VSD, as leaving out WKD is a bug.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Aug 21 2023, 10:41 AM

OpenPGP keys are now also updated via WKD, but only for user IDs which were originally retrieved via WKD (i.e. which have origin WKD).

Unfortunately, the origin is currently not displayed by Kleopatra (T5959: Kleopatra: Show key source in details widget if it is not unknown).

ikloecker changed the task status from Open to Testing. Aug 21 2023, 6:47 PM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

The changes have been backported to VSD. Note that they require today's changes in gpgme (just after the release of gpgme 1.22.0).

aheinecke changed the task status from Testing to Open. (Edited) Aug 21 2023, 10:18 PM
aheinecke moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

> OpenPGP keys are now also updated via WKD, but only for user IDs which were originally retrieved via WKD (i.e. which have origin WKD).

I do not think that this is a good solution. I don't know how you came to the conclusion that only user IDs which were originally retrieved via WKD should be considered.

It is quite common to distribute keys which are in WKD also by other means; nearly no keys in my keyring have origin WKD since they were retrieved through other means like auto-key-retrieve, auto-key-import, manual import etc., with very few of our customers currently implementing WKD but considering this in the future. For my personal keyring and the keyrings of our current customers this change has little use.

My takeaway from our discussion on Thursday was that:

> Ok. So after further discussion. It is good that you kept a WKDRefreshJob copy :)
>
> I would suggest the following, if it is somehow possible. I think we have the API for this now that we can search for WKD keys without importing them. We should additionally check WKD, if the key from WKD has the same fingerprint, we update, if it has not, we show the user something like a search result. Give indication that a different key was found for these UserIDs and then let the user decide to import them?

But that instead of giving the user a choice we would inform the user that additional keys were retrieved. So basically what you originally did but just with an added explanation to avoid the confusing behavior which still exists with this change that when you hit update on a key, that key is not updated but a completely different key is imported.

We decided to keep the current behavior as default (privacy by default), but to add an option to enable WKD lookups for all user IDs.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker changed the task status from Open to Testing. Aug 24 2023, 11:55 AM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

Optionally, (configurable on the Directory Services page) Kleopatra now queries WKDs for all user IDs when updating an OpenPGP certificate.

Tested at first with GnuPG-VS-Desktop-3.2.0.0-beta178 from 2023-08-29

Debug output shows that, for a WKD-retrieved key, the keyserver etc. as well as WKD are queried.

Information for the user looks like this:

I'll have to update the translation. What I don't like in the message is that it says for the keyserver that the key was unchanged although no key could be retrieved via AD. But we have T6299 for that.

With keys from unknown origin you get:

The config option is not included in the GnuPG-VS-Desktop-3.2.0.0-beta178 build, but it is in Gpg4win-4.2.1-beta31 from 2023-09-06.
But there it seems to have no effect. No WKD lookup occurs for keys of unknown origin.

Opening the configuration page shows in debugview:

[5328] org.kde.pim.kleo_ui: Configuration groups order is not defined for  "keyboxd"
[5328] org.kde.pim.kleopatra: open_or_raise showing window
[5328] org.kde.pim.kleopatra: Module changed:  true  mod  DirectoryServicesConfigurationPage(0x535e900)
[5328] org.kde.pim.kleopatra: Client changed:   mod  DirectoryServicesConfigurationPage(0x535e900)
[5328] org.kde.pim.kleopatra: Using config entry dirmngr / keyserver
[5328] org.kde.pim.kleopatra: Module changed:  true  mod  DirectoryServicesConfigurationPage(0x535e900)
[5328] org.kde.pim.kleopatra: Module changed:  false  mod  DirectoryServicesConfigurationPage(0x535e900)
[5328] org.kde.pim.kleopatra: Client changed:   mod  DirectoryServicesConfigurationPage(0x535e900)

And when you then toggle the option "Query certificate directories of providers for all user IDs" plus hit "Apply":

[5328] org.kde.pim.kleopatra: Module changed:  true  mod  DirectoryServicesConfigurationPage(0x535e900)
[5328] org.kde.pim.kleopatra: Client changed:   mod  DirectoryServicesConfigurationPage(0x535e900)
[3920] Invalid parameter passed to C runtime function.

Why do you think that no WKD lookup occurs for keys of unknown origin? gpg and therefore Kleopatra doesn't report any import results for certificates that are not published via WKD when doing --locate-external-keys --auto-key-locate clear,wkd.

Please re-run with gpg.qgpgme.debug=True in your qtlogging.ini to see for which email addresses WKD is queried.
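The WKD lookup that lies behind both the fingerprint comparison proposed earlier in this thread and the `--auto-key-locate clear,wkd` query above, as an added example that is not Kleopatra's or GnuPG's own code: it derives the Web Key Directory URLs for a user ID's e-mail address and applies the suggested rule that only a result with the same fingerprint refreshes the existing key. The function names, the helper `classify_wkd_results` and the sample fingerprints are assumptions for illustration.

```python
import hashlib
import string
from urllib.parse import quote

# z-base-32 alphabet used by the Web Key Directory draft for the hashed local part
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes with z-base-32 (no padding characters)."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32[(bits >> nbits) & 31])
    if nbits:  # left-over bits are padded with zeros on the right
        out.append(ZB32[(bits << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """Map the local part as WKD does: ASCII-lowercase, SHA-1, z-base-32."""
    lowered = local_part.translate(str.maketrans(string.ascii_uppercase, string.ascii_lowercase))
    return zbase32_encode(hashlib.sha1(lowered.encode("utf-8")).digest())


def wkd_urls(email: str) -> dict:
    """Return the advanced and direct WKD lookup URLs for an e-mail address."""
    local_part, _, domain = email.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(local_part)
    l = quote(local_part, safe="")  # l= carries the local part as written, percent-encoded
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


def classify_wkd_results(local_fpr: str, wkd_fprs: list) -> dict:
    """Hypothetical helper for the rule proposed in the thread: a WKD result with
    the same fingerprint refreshes the existing key; a different fingerprint is
    only reported to the user, never imported silently."""
    norm = lambda f: f.replace(" ", "").upper()
    same = [f for f in wkd_fprs if norm(f) == norm(local_fpr)]
    other = [f for f in wkd_fprs if norm(f) != norm(local_fpr)]
    return {"refresh": bool(same), "other_keys": other}
```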

I'm late on the train, but (talking about Kleopatra) there is a menu entry to refresh all keys, but I miss a RMB (right mouse button) context menu for the list of certificates to refresh just the current one (much like the feature requested, but "one UI level higher").

For the German UI the context menu looks like this (in 4.2.0):

In T5903#176175, @uwi wrote:

> I'm late on the train, but (talking about Kleopatra) there is a menu entry to refresh all keys, but I miss a RMB (right mouse button) context menu for the list of certificates to refresh just the current one (much like the feature requested, but "one UI level higher").

Please submit a separate feature request for this.

> Please submit a separate feature request for this.

I thought it would be rather trivial to add once a routine to refresh a single key is available, but will do. The feature request is https://dev.gnupg.org/T6739

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

Yes, works now (VS-Desktop-3.2.0.0-beta from today):

Now the only thing missing here would be to replace the text "The key is unchanged" with "No key matching the search criteria was found." if the key was not found, as is the case with my testkey. But see T6493, Improvements on search window, for that.