gpg --delete-secret-keys: excessive and unclear prompting, surprising outcomes
Open, LowPublic


If i do gpg --delete-secret-keys, i get four different confirmation prompts in total. This seems excessive.

i understand that two of them are from gpg itself, and two are from gpg-agentbut most users won't understand. Also, all four prompts are different, with very slightly different semantics.

  • (console): Delete this key from the keyring? (presumably "this is a deletion, deletions are scary" double-check)
  • (console): This is a secret key! - really delete? (shouldn't this be part of the original prompt? now it feels like nagging)
  • (gui): prompt looks like:
│ Do you really want to permanently delete the OpenPGP secret key:  │      
│ "xxx"                                                             │      
│ 3072-bit RSA key, ID BE726F321E39CA16,                            │      
│ created 2019-08-03.                                               │      
│ ?                                                                 │      
│                                                                   │      
│     <Delete key>                                     <No>         │      
  • (gui): second prompt looks like:
│ Do you really want to permanently delete the OpenPGP secret subkey key:  │  
│ "xxx"                                                                    │  
│ 3072-bit RSA key, ID BD8362436A594803,                                   │  
│ created 2019-08-03 (main key ID BE726F321E39CA16).                       │  
│ ?                                                                        │  
│                                                                          │  
│       <Delete key>                                        <No>           │  

Note that most users will have a hard time differentiating between the two GUI prompts, and they won't understand why those prompts are distinct (we don't want most users to have to think about those details).

Furthermore, if i say "no" to any of the first three prompts, then i am left without any changes being made. But if i say "yes" to the first three, but "no" to the fourth, i end up in a state where the secret primary key is deleted but the secret subkey is *not* deleted. This is perhaps something that some people want to do sometimes, but it's a very idiosyncratic way of arriving at the end result. That is, the "no" to the final prompt means something very different than "no" to any of the first three prompts, despite them being largely indistinguishable from one another for normal users.

If prompting is required at all for this operation, there should be a single prompt to the user that describes the full outcome of the operation, and allows them to accept or decline it in one piece.


dkg created this task.Aug 3 2019, 7:05 PM
dkg added a comment.Aug 3 2019, 7:10 PM

I also observe that the text in the GUI prompts is remarkably unclear on its own. setting aside the grammar, punctuation, and wording, the prompts don't expose the usage flags set for the secret keys, which is possibly the only detail that a user with a single OpenPGP certificate would care about: "am i deleting my signing-capable subkey or my decryption-capable subkey?"

I should also be clear: I understand why the architecture of GnuPG has resulted in this state of affairs; but from a usability perspective, it's just not acceptable.

werner triaged this task as Low priority.Aug 5 2019, 7:53 PM
werner edited projects, added gnupg (gpg23); removed gnupg (gpg22).