Page MenuHome GnuPG
Create Task
Maniphest T5903

Kleopatra: Add refresh button in certificatedetails
Closed, ResolvedPublic
Actions

Description

When certificate details are open we do an online check for S/MIME to validate the certificate. Semantically we should in that case also do a refresh-key for the OpenPGP certificate.

At least we should have a refresh button in the certificatedetails to refresh it from the server. But I would like to have this also behind a configuration setting for automatic refresh in which case the button should be invisible. I think an auto refresh would be the best solution from a usability standpoint but from a privacy standpoint an explicit action is better. That way we keep kleoptra never doing network connections if the user does not explicitly trigger them.

I think this issue should have some priority so I classified is as normal and not wishlist because an OpenPGP key refresh is important from a security standpoint.

Details

Version
master

Revisions and Commits

rKLEOPATRA Kleopatra
rKLEOPATRAf45c652e755b Skip check if key is eligible for WKD refresh if WKD query is forced
rKLEOPATRA9645f08153cc Optionally, query WKDs for all user IDs when updating an OpenPGP key
rKLEOPATRA5f3c408b2cae Update keys with origin WKD also via WKD
rKLEOPATRA8dba6425e44f Add missing define for WKD refresh
rKLEOPATRA8105a7e3c840 Update keys with origin WKD also via WKD
rKLEOPATRA34cacfa2a6da Add missing define for WKD refresh
rKLEOPATRAa3684049dd4f Use ReceiveKeysJob for refreshing OpenPGP keys
rKLEOPATRA87d8b00d4b22 Use ReceiveKeysJob for refreshing OpenPGP keys
rKLEOPATRAdf53ad6c7847 Use RefreshOpenPGPKeysJob for OpenPGP and show detailed result
rKLEOPATRA876a5306b822 Reword UI texts for refresh command
rKLEOPATRA9e2dc6246e20 Add possibility to refresh an individual certificate

Related Objects
Search...

Event Timeline

aheinecke triaged this task as Normal priority.Mar 28 2022, 11:55 AM
aheinecke created this task.
aheinecke added a comment.Mar 28 2022, 11:58 AM

I wonder if we even should change gpgme to do a key refresh when you call it in VALIDATE mode and online? Semantically this makes sense to me as this is where CRL checks for S/MIME are done. But from a conserviative standpoint this could be considered an API change if the API then does something differently and that even does a network connection. So while I consider it I don't think this is a very good idea.

ikloecker claimed this task.Apr 27 2022, 1:59 PM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a commit: rKLEOPATRA9e2dc6246e20: Add possibility to refresh an individual certificate.May 2 2022, 6:08 PM
ikloecker added a commit: rKLEOPATRA876a5306b822: Reword UI texts for refresh command.May 5 2022, 11:24 AM
ikloecker added a commit: rKLEOPATRAdf53ad6c7847: Use RefreshOpenPGPKeysJob for OpenPGP and show detailed result.
ikloecker changed the task status from Open to Testing.May 5 2022, 3:22 PM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a project: Restricted Project.
ikloecker added a subscriber: ikloecker.

The Certificate Details window now has an Update button.

I don't think that it makes much sense to do an auto refresh (only) when the details are opened. If the automatic refresh is really important, then it needs to be performed in the background for all keys all of the time. If people want to encrypt a file, then they won't look at the certificate details for all recipients to make sure that all keys have been refreshed. They will expect that all keys are up-to-date without them having to care about this.

Please add a separate task for an automatic refresh.

ikloecker closed subtask T5951: gpgme: Add support for refreshing OpenPGP keys as Resolved.May 5 2022, 3:23 PM
aheinecke reopened subtask T5951: gpgme: Add support for refreshing OpenPGP keys as Open.Aug 3 2022, 2:41 PM
ikloecker added a commit: rKLEOPATRA87d8b00d4b22: Use ReceiveKeysJob for refreshing OpenPGP keys.Aug 4 2022, 12:32 PM
ikloecker added a comment.Aug 4 2022, 1:36 PM

For an OpenPGP key, Update now performs a simple "retrieve key" operation for the existing key, i.e. it refreshes the key with the public key found on the configured key server.

ikloecker changed the status of subtask T5951: gpgme: Add support for refreshing OpenPGP keys from Open to Testing.Aug 4 2022, 1:40 PM
ikloecker mentioned this in T5951: gpgme: Add support for refreshing OpenPGP keys.
ikloecker added a commit: rKLEOPATRAa3684049dd4f: Use ReceiveKeysJob for refreshing OpenPGP keys.Aug 19 2022, 1:44 PM
werner removed a project: Restricted Project.Sep 22 2022, 11:04 AM
ebo renamed this task from Kleopatra: Add refresh button in certificatedetails and an auto refresh to Kleopatra: Add refresh button in certificatedetails .Dec 5 2022, 1:07 PM
ebo mentioned this in T6299: Kleopatra: Updating key does results in "not changed" instead of "not found".Dec 5 2022, 3:09 PM
ebo mentioned this in T6301: Kleopatra: Update Button does only check on keyserver.Dec 6 2022, 9:10 AM
aheinecke changed the status of subtask T5951: gpgme: Add support for refreshing OpenPGP keys from Testing to Open.Dec 7 2022, 11:34 AM
ikloecker changed the task status from Testing to Open.Dec 7 2022, 11:42 AM
ikloecker merged a task: T6301: Kleopatra: Update Button does only check on keyserver.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a subscriber: ebo.
ikloecker added a comment.Dec 7 2022, 11:45 AM
In T5951#165848, @aheinecke wrote:

Ok. So after further discussion. It is good that you kept a WKDRefreshJob copy :)

I would suggest the following, if it is somehow possible. I think we have the API for this now that we can search for WKD keys without importing them. We should additionally check WKD, if the key from WKD has the same fingerprint, we update, if it has not, we show the user something like a search result. Give indication that a different key was found for these UserIDs and then let the user decide to import them?

ikloecker claimed this task.Dec 12 2022, 9:37 AM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
werner moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Dec 12 2022, 11:47 AM
ikloecker mentioned this in rKLEOPATRA1e133ad7d8c8: T5903.Dec 19 2022, 8:03 AM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.May 16 2023, 12:11 PM
ebo changed the task status from Open to Testing.Aug 10 2023, 3:47 PM
In T5903#157763, @ikloecker wrote:

Please add a separate task for an automatic refresh.

There already is one: T1235

ebo changed the task status from Testing to Open.Aug 11 2023, 8:28 AM
ikloecker closed subtask T5951: gpgme: Add support for refreshing OpenPGP keys as Resolved.Aug 11 2023, 9:21 AM
ebo raised the priority of this task from Normal to High.Aug 18 2023, 12:34 PM
ebo added a project: backport.

Backport to VSD, as leaving out WKD is a bug.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Aug 21 2023, 10:41 AM
ikloecker closed subtask T6672: gpgme: Add support for refreshing OpenPGP keys via WKD as Resolved.Aug 21 2023, 6:23 PM
ikloecker mentioned this in T6672: gpgme: Add support for refreshing OpenPGP keys via WKD.
ikloecker added a commit: rKLEOPATRA34cacfa2a6da: Add missing define for WKD refresh.Aug 21 2023, 6:31 PM
ikloecker added a commit: rKLEOPATRA8105a7e3c840: Update keys with origin WKD also via WKD.Aug 21 2023, 6:34 PM
ikloecker added a commit: rKLEOPATRA8dba6425e44f: Add missing define for WKD refresh.
ikloecker added a commit: rKLEOPATRA5f3c408b2cae: Update keys with origin WKD also via WKD.Aug 21 2023, 6:35 PM
ikloecker added a comment.Aug 21 2023, 6:45 PM

OpenPGP keys are now also updated via WKD, but only for user IDs which were originally retrieved via WKD (i.e. which have origin WKD).

Unfortunately, the origin is currently not displayed by Kleopatra (T5959: Kleopatra: Show key source in details widget if it is not unkown).

ikloecker changed the task status from Open to Testing.Aug 21 2023, 6:47 PM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

The changes have been backported to VSD. Note that they require today's changes in gpgme (just after the release of gpgme 1.22.0).

aheinecke changed the task status from Testing to Open.EditedAug 21 2023, 10:18 PM
aheinecke moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
In T5903#174528, @ikloecker wrote:

OpenPGP keys are now also updated via WKD, but only for user IDs which were originally retrieved via WKD (i.e. which have origin WKD).

I do not think that this is a good solution. I don't know how you came to the conclusion that only user IDs which wre originally retrieved via WKD should be considered.

It is quite common to distribute keys which are in WKD also by other means nearly no keys in my keyring have origin WKD since they were retrieved through other means like auto-key-retrieve auto-key-import, manual import etc. With very few of our customers currently implementing WKD but considering this in the future. For my personal keyring and the keyrings of our current customers this change has little use.

My takeaway from our discussion on thursday was that:

In T5903#165865, @ikloecker wrote:
In T5951#165848, @aheinecke wrote:

Ok. So after further discussion. It is good that you kept a WKDRefreshJob copy :)

I would suggest the following, if it is somehow possible. I think we have the API for this now that we can search for WKD keys without importing them. We should additionally check WKD, if the key from WKD has the same fingerprint, we update, if it has not, we show the user something like a search result. Give indication that a different key was found for these UserIDs and then let the user decide to import them?

But that instead of giving the user a choice we would inform the user that additional keys were retrieved. So basically what you originally did but just with an added explanation to avoid the confusing behavior which still exists with this change that when you hit update on a key, that key is not updated but a completely different key is imported.

ikloecker added a comment.Aug 22 2023, 9:49 AM

We decided to keep the current behavior as default (privacy by default), but to add an option to enable WKD lookups for all user IDs.

ikloecker claimed this task.Aug 24 2023, 10:14 AM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a commit: rKLEOPATRA9645f08153cc: Optionally, query WKDs for all user IDs when updating an OpenPGP key.Aug 24 2023, 11:14 AM
ikloecker changed the task status from Open to Testing.Aug 24 2023, 11:55 AM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

Optionally, (configurable on the Directory Services page) Kleopatra now queries WKDs for all user IDs when updating an OpenPGP certificate.

ebo assigned this task to ikloecker.Sep 7 2023, 2:15 PM

Tested at first with GnuPG-VS-Desktop-3.2.0.0-beta178 from 2023-08-29

Debug output shows, that -- for a WKD retrieved key -- keyserver etc as well as WKD is queried.

Information for user looks like this:

I'll have to update the translation. What I don't like in the message is, that It says for keyserver that the key was unchanged although no key could be retrieved via AD. But we have T6299 for that.

With keys from unknown origin you get:

The config option is not included in the GnuPG-VS-Desktop-3.2.0.0-beta178 build, but it is in Gpg4win-4.2.1-beta31 from 2023-09-06.
But there it seems to have no effect. No WKD lookup occurs for keys of unknown origin.

Opening the configuration page show in debugview:

[5328] org.kde.pim.kleo_ui: Configuration groups order is not defined for  "keyboxd"
[5328] org.kde.pim.kleopatra: open_or_raise showing window
[5328] org.kde.pim.kleopatra: Module changed:  true  mod  DirectoryServicesConfigurationPage(0x535e900)
[5328] org.kde.pim.kleopatra: Client changed:   mod  DirectoryServicesConfigurationPage(0x535e900)
[5328] org.kde.pim.kleopatra: Using config entry dirmngr / keyserver
[5328] org.kde.pim.kleopatra: Module changed:  true  mod  DirectoryServicesConfigurationPage(0x535e900)
[5328] org.kde.pim.kleopatra: Module changed:  false  mod  DirectoryServicesConfigurationPage(0x535e900)
[5328] org.kde.pim.kleopatra: Client changed:   mod  DirectoryServicesConfigurationPage(0x535e900)

And when you then toggle the option "Query certificate directories of providers for all user IDs" plus hit "Apply":

[5328] org.kde.pim.kleopatra: Module changed:  true  mod  DirectoryServicesConfigurationPage(0x535e900)
[5328] org.kde.pim.kleopatra: Client changed:   mod  DirectoryServicesConfigurationPage(0x535e900)
[3920] Invalid parameter passed to C runtime function.
ikloecker reassigned this task from ikloecker to ebo.Sep 11 2023, 9:48 AM

Why do you think that no WKD lookup occurs for keys of unknown origin? gpg and therefore Kleopatra doesn't report any import results for certificates that are not published via WKD when doing --locate-external-keys --auto-key-locate clear,wkd.

Please re-run with gpg.qgpgme.debug=True in your qtlogging.ini to see for which email addresses WKD is queried.

ikloecker added a commit: rKLEOPATRAf45c652e755b: Skip check if key is eligible for WKD refresh if WKD query is forced.Sep 11 2023, 4:19 PM
ebo mentioned this in T6708: Allow to inhibit the use of a default PGP keyserver.Sep 25 2023, 1:18 PM
uwi added a subscriber: uwi.Sep 27 2023, 11:49 AM

I'm late on the train, but (talking about Kleopatra) there is a menu entry to refresh all keys, but I miss a RMB (right mouse button) context menu for the list of certificates to refresh just the current one (much similar like the feature requested, but "one UI level higher").

For the German UI the context menu looks like this (in 4.2.0):

ikloecker added a comment.Sep 27 2023, 11:53 AM
In T5903#176175, @uwi wrote:

I'm late on the train, but (talking about Kleopatra) there is a menu entry to refresh all keys, but I miss a RMB (right mouse button) context menu for the list of certificates to refresh just the current one (much similar like the feature requested, but "one UI level higher").

Please submit a separate feature request for this.

uwi added a comment.EditedSep 27 2023, 12:20 PM
In T5903#176176, @ikloecker wrote:

Please submit a separate feature request for this.

I thought it would be rather trivial to add once a routine to refresh a single key is available, but will do. The feature request is https://dev.gnupg.org/T6739

uwi mentioned this in T6739: Allow "refresh key/signatures" from key's context menu (from key list).Sep 27 2023, 12:30 PM
ebo closed this task as Resolved.Sep 29 2023, 2:20 PM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

Yes, works now ( VS-Desktop-3.2.0.0-beta from today):

Now the only thing missing here would be to replace the text "The key is unchanged" with "No key matching the search criteria was found." if the key was not found, as is the case with my testkey. But see T6493, Improvements on search window, for that.