Qt gpgme's sign_key function should not set a remark with an empty string
Closed, Resolved
Public

Description

I don't understand the use case for setting a remark on a key signature with the empty string. It seems more likely that any empty strings passed into remark are just being populated from (for example) the default value of a graphical input field that the user left idle.

Applying the following patch (against master) should reduce the size of certifications made via the Qt bindings (untested, sorry!):

--- a/lang/qt/src/qgpgmesignkeyjob.cpp
+++ b/lang/qt/src/qgpgmesignkeyjob.cpp
@@ -83,7 +83,7 @@ static QGpgMESignKeyJob::result_type sign_key(Context *ctx, const Key &key, cons
         skei->setDupeOk(true);
     }
 
-    if (!remark.isNull()) {
+    if (!remark.isNull() && !remark.isEmpty()) {
         ctx->addSignatureNotation("rem@gnupg.org", remark.toUtf8().constData());
     }
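
Review bot: The new condition on the "+" line tests more than it needs to: QString::isEmpty() already returns true for a null QString, so "if (!remark.isEmpty()) {" alone skips both the null and the empty case, and the isNull() test can be dropped. Since the description says the change is untested, it would also help to add a test confirming that a sign_key() call with an empty remark produces a certification without the rem@gnupg.org notation.
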
dkg created this task. Nov 18 2020, 9:38 AM
werner assigned this task to ikloecker. Nov 18 2020, 10:34 AM
werner triaged this task as Normal priority.
werner added a subscriber: werner.

Ingo, can you please check? I guess we are not affected because Kleo already checks for an empty string. But dkg's suggestion sounds good to me.

I think Kleopatra is affected. It calls setRemark() on the job unconditionally with the text from the widget, and I'm pretty sure that this text is empty but not a null QString, if the user doesn't enter a remark.

ikloecker closed this task as Resolved. Nov 18 2020, 1:55 PM

Fixed. Workaround for gpgme 1.15 (and earlier) implemented in Kleopatra: Do not call setRemark() with an empty QString.