Page MenuHome GnuPG
Create Task
Maniphest T5805

Kleopatra or GnuPG: Auto retrieve signers key
Closed, ResolvedPublic
Actions

Description

There is a flaw in our Trusted Introducer workflow with intermediate CAs.

  • Company A sets Company B Key as trusted introducer for Company B, uploads the signed certificate.
  • A user in Company A imports a key from Company B.
  • Key is shown as untrusted until the Company B singing key is imported.

This is not intuitive and a user will not know to search for this key.

The problem is that I think we need a new keylist mode for this. auto-key-retrieve is semantically the right option but I don't want that when you start Kleopatra the keyserver is bombarded with requests for all signing keys. Kleo should decide for example after import or when certificate details are opened to use this search.

That is why this might be a Kleo only issue as Kleo could do this with the current API.

Revisions and Commits

rLIBKLEO Libkleo
rLIBKLEOd310a7daaa3f Add helpers for collecting key ids of missing signer keys
rKLEOPATRA Kleopatra
rKLEOPATRA5de89b2c97e0 Skip import of missing signer keys if QGpgME is too old
rKLEOPATRAadc3a6067ae0 Add new "RetrieveSignerKeysAfterImport" setting to config dialog
rKLEOPATRA30fe9e0119cb Use the helpers that were moved to libkleo
rKLEOPATRA24b40d8ac7b1 Optionally, fetch missing signer keys after importing keys
rKLEOPATRA702f05d21dbf Try to make older and newer compilers happy
rKLEOPATRA6f32ff81de5a Allow canceling all longer running imports
rKLEOPATRAd38ca4818e07 Fix canceling of import command
rKLEOPATRA476e1af1687d Disable the "Fetch Missing Keys" button instead of the whole dialog
rKLEOPATRA1bae2b0bbeaa Fix canceling of import command
rKLEOPATRA283f75cec22e Allow canceling of long running retrieval of missing keys
rKLEOPATRA9d66f48df306 Fix check for missing certification keys
rKLEOPATRA1a17bc62f025 Allow retrieving missing signer keys from Certifications dialog
rKLEOPATRA954c8a206190 Add command for importing keys given by key ids from keyservers

Related Objects
Search...

Event Timeline

aheinecke triaged this task as Normal priority.Jan 28 2022, 9:27 AM
aheinecke created this task.
aheinecke reassigned this task from werner to ikloecker.Jan 31 2022, 10:05 AM
aheinecke raised the priority of this task from Normal to High.
aheinecke added a subscriber: werner.

As this hinders the trusted-introducer setup in Keyserver centric deployments we should treat this with high priority.

It would make sense to have it in GnuPG that after a key import through --locate-key it would retrieve the signers key if keyserver is part of the auto-key-locate options. But this would not work for a search import, a file import or as an explicit action in Kleopatra. Because I think that in Kleopatra it would be useful for all users to have this option in the certifications dialog.

So my proposal would be a new QGpgME job that does a --recv-key for all certifications of all userids. And in Kleo we could trigger this through a button in certifications. And automatically after an importjob in case "auto-key-retrieve" contains keyserver.

Similarly we could do this in GpgOL after a locate-key if auto-key-retrieve contains keyserver.

This will result in a lot more keyserver queries but it should be manageble.

Assigned to ingo for now, we can talk about this in the meeting today.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Jan 31 2022, 11:58 AM
ikloecker added a commit: rKLEOPATRA954c8a206190: Add command for importing keys given by key ids from keyservers.Feb 3 2022, 3:59 PM
ikloecker added a commit: rKLEOPATRA1a17bc62f025: Allow retrieving missing signer keys from Certifications dialog.
ikloecker added a commit: rKLEOPATRA9d66f48df306: Fix check for missing certification keys.Feb 4 2022, 3:46 PM
ikloecker added a commit: rKLEOPATRA1bae2b0bbeaa: Fix canceling of import command.
ikloecker added a commit: rKLEOPATRA283f75cec22e: Allow canceling of long running retrieval of missing keys.
ikloecker added a commit: rKLEOPATRA476e1af1687d: Disable the "Fetch Missing Keys" button instead of the whole dialog.
ikloecker added a comment.Feb 4 2022, 3:50 PM

Manual retrieval of missing certification keys is now possible from the Certifications dialog.

The key 1FDF723CF462B6B1 is a good test key for this because retrieval of one of the certification keys takes ages while retrieval of the others is fast.

ikloecker closed subtask T5808: gpgme: Add support for importing keys given by key id from a keyserver as Resolved.Feb 7 2022, 9:44 AM
ikloecker added a commit: rKLEOPATRAd38ca4818e07: Fix canceling of import command.Feb 9 2022, 9:25 AM
ikloecker added a commit: rKLEOPATRA6f32ff81de5a: Allow canceling all longer running imports.
ikloecker added a commit: rKLEOPATRA702f05d21dbf: Try to make older and newer compilers happy.
ikloecker added a commit: rKLEOPATRA24b40d8ac7b1: Optionally, fetch missing signer keys after importing keys.
ikloecker added a commit: rLIBKLEOd310a7daaa3f: Add helpers for collecting key ids of missing signer keys.Feb 9 2022, 10:14 AM
ikloecker added a commit: rKLEOPATRA30fe9e0119cb: Use the helpers that were moved to libkleo.Feb 9 2022, 12:15 PM
ikloecker added a commit: rKLEOPATRA5de89b2c97e0: Skip import of missing signer keys if QGpgME is too old.
ikloecker added a commit: rKLEOPATRAadc3a6067ae0: Add new "RetrieveSignerKeysAfterImport" setting to config dialog.
ikloecker changed the task status from Open to Testing.Feb 9 2022, 12:19 PM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a subscriber: ikloecker.

Optional automatic retrieval after import of new OpenPGP keys is now also possible.

aheinecke closed this task as Resolved.Feb 17 2022, 10:26 AM
aheinecke claimed this task.

I have tested it. When I try it with public keyserver it has of course problematic results when vandalized keys like werners are hit but its great that even if I abort at that point I nicely see the results of the other imports.

The import view also allows me to easily remove the added keys in case I do not want to have them in my keyring.

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Apr 5 2023, 1:54 PM