
Kleopatra or GnuPG: Auto retrieve signers key
Closed, Resolved (Public)

Description

There is a flaw in our Trusted Introducer workflow with intermediate CAs.

  • Company A sets Company B Key as trusted introducer for Company B, uploads the signed certificate.
  • A user in Company A imports a key from Company B.
  • Key is shown as untrusted until the Company B signing key is imported.

This is not intuitive and a user will not know to search for this key.

The problem is that I think we need a new keylist mode for this. auto-key-retrieve is semantically the right option, but I don't want the keyserver to be bombarded with requests for all signing keys when you start Kleopatra. Kleo should decide, for example after import or when certificate details are opened, to use this search.

That is why this might be a Kleo only issue as Kleo could do this with the current API.

Event Timeline

aheinecke triaged this task as Normal priority. Jan 28 2022, 9:27 AM
aheinecke created this task.
aheinecke raised the priority of this task from Normal to High.
aheinecke added a subscriber: werner.

As this hinders the trusted-introducer setup in Keyserver centric deployments we should treat this with high priority.

It would make sense to have it in GnuPG that after a key import through --locate-key it would retrieve the signers key if keyserver is part of the auto-key-locate options. But this would not work for a search import, a file import or as an explicit action in Kleopatra. Because I think that in Kleopatra it would be useful for all users to have this option in the certifications dialog.

So my proposal would be a new QGpgME job that does a --recv-key for all certifications of all userids. And in Kleo we could trigger this through a button in certifications. And automatically after an importjob in case "auto-key-retrieve" contains keyserver.

Similarly we could do this in GpgOL after a locate-key if auto-key-retrieve contains keyserver.

This will result in a lot more keyserver queries, but it should be manageable.

Assigned to ingo for now, we can talk about this in the meeting today.
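The description's trusted-introducer scenario and the proposal above both come down to the same step: after a key is imported, find the certifications whose signing keys are not in the keyring and fetch only those from the keyserver, instead of fetching signers for every key at startup. The following is an added illustration, not code from GnuPG, QGpgME or Kleopatra. It parses the `--with-colons` records that `gpg --check-sigs` emits (where a `sig` record with validity `?` means the certifying key is not available locally), skips self-signatures, and builds the `--recv-keys` invocation for the missing certifiers. It also checks the `auto-key-locate` line of a `gpg.conf` for the `keyserver` mechanism, which is the gating condition the proposal mentions. The colon output, key IDs and keyserver URL are constructed sample data.

```python
"""Find the certification keys a freshly imported OpenPGP key refers to that are
missing from the local keyring, and build the retrieval command for them.

Added example; not part of GnuPG, QGpgME or Kleopatra.
"""
import shlex

# Constructed sample of `gpg --check-sigs --with-colons <fingerprint>` output.
# Key IDs are placeholders. Field 2 of a `sig` record is the validity:
#   '!' good, '-' bad, '?' no public key available to verify, '%' other error.
# Field 5 is the (long) key ID of the signing key; field 10 is the user ID.
SAMPLE_CHECK_SIGS = """\
tru::1:1644400000:0:3:1:5
pub:f:255:22:AAAA000000000001:1640995200:::-:::scESC:::::ed25519:::0:
fpr:::::::::000000000000000000000000AAAA000000000001:
uid:f::::1640995200::HASH1::Alice <alice@companyb.example>::::::::::0:
sig:!::22:AAAA000000000001:1640995200::::Alice <alice@companyb.example>:13x:::::2:
sig:?::22:BBBB000000000002:1641081600::::[User ID not found]:10l:::::2:
sig:?::22:CCCC000000000003:1641168000::::[User ID not found]:13x:::::2:
uid:f::::1640995200::HASH2::Alice <alice@other.example>::::::::::0:
sig:!::22:AAAA000000000001:1640995200::::Alice <alice@other.example>:13x:::::2:
sig:?::22:BBBB000000000002:1641081600::::[User ID not found]:10l:::::2:
sub:f:255:18:DDDD000000000004:1640995200::::::e::::::cv25519:::0:
"""


def parse_colon_records(text):
    """Yield each non-empty line of --with-colons output as a list of fields."""
    for line in text.splitlines():
        if line.strip():
            yield line.split(":")


def missing_certifier_keyids(colon_output):
    """Return the key IDs of certifiers whose public key is not in the keyring.

    Self-signatures (signing key == the listed primary key) are ignored, and each
    missing certifier is reported once even if it certified several user IDs.
    """
    primary_keyid = None
    missing = []
    for fields in parse_colon_records(colon_output):
        if fields[0] == "pub":
            primary_keyid = fields[4]
        elif fields[0] == "sig" and len(fields) > 4:
            validity, signer = fields[1], fields[4]
            if signer == primary_keyid:
                continue  # self-signature, nothing to fetch
            if validity == "?" and signer not in missing:
                missing.append(signer)
    return missing


def keyserver_in_auto_key_locate(gpg_conf_text):
    """True if the last `auto-key-locate` line in gpg.conf lists `keyserver`.

    Mechanisms may be separated by commas or whitespace; a later line wins.
    """
    mechanisms = []
    for line in gpg_conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0] == "auto-key-locate":
            mechanisms = parts[1].replace(",", " ").split()
    return "keyserver" in mechanisms


def recv_keys_command(keyids, keyserver=None):
    """Build the `gpg --recv-keys` command line for the missing certifiers.

    Returns None when there is nothing to fetch, so callers make no keyserver
    request at all in the common case where every certifier is already known.
    """
    if not keyids:
        return None
    argv = ["gpg"]
    if keyserver:
        argv += ["--keyserver", keyserver]
    argv += ["--recv-keys", *keyids]
    return shlex.join(argv)


if __name__ == "__main__":
    conf = "keyserver-options auto-key-retrieve\nauto-key-locate local,wkd,keyserver\n"
    ids = missing_certifier_keyids(SAMPLE_CHECK_SIGS)
    if keyserver_in_auto_key_locate(conf):
        print(recv_keys_command(ids, keyserver="hkps://keys.example"))
    else:
        print("keyserver not in auto-key-locate; skipping automatic retrieval")
```

Run against the sample, the two unknown certifiers are collected once each (the one that certified both user IDs is not duplicated) and the self-signature is skipped, so the resulting command fetches exactly the keys needed to turn the "untrusted" display into a trust-path evaluation. Querying only on import or on opening the certifications dialog, rather than for every key at startup, is what keeps the keyserver load bounded.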

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Jan 31 2022, 11:58 AM

Manual retrieval of missing certification keys is now possible from the Certifications dialog.

The key 1FDF723CF462B6B1 is a good test key for this because retrieval of one of the certification keys takes ages while retrieval of the others is fast.

ikloecker changed the task status from Open to Testing. Feb 9 2022, 12:19 PM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a subscriber: ikloecker.

Optional automatic retrieval after import of new OpenPGP keys is now also possible.

aheinecke claimed this task.

I have tested it. When I try it with a public keyserver it of course has problematic results when vandalized keys like Werner's are hit, but it's great that even if I abort at that point I nicely see the results of the other imports.

The import view also allows me to easily remove the added keys in case I do not want to have them in my keyring.