Kleopatra: Make prefilled name and email address for new certificates configurable
Open, Normal, Public

Assigned To: none
Authored By: aheinecke, Jul 20 2022, 11:47 AM

Description

Some customers have the problem that the NameUserPrincipal we query over GetUserNameEx does not match the real email address of the user. The display name does not always give the desired result for the name, either.

Optionally, Kleopatra should query AD for the full name (or first name and surname) and the email address. dirmngr can be used to query AD.

Event Timeline

aheinecke created this task.

Thinking about this, the best way to avoid AD code in Kleopatra would probably be to just create a QProcess that executes PowerShell or WMIC to query the AD.

Here are more examples:
https://stackoverflow.com/questions/10184052/get-a-users-email-address-from-the-username-via-powershell-and-wmi

ebo renamed this task from Kleopatra: Take windows user email Address from Active Directory if available to Draft: Kleopatra: Make prefilled name and email address for new certificates configurable. (Sep 16 2025, 2:33 PM)
ebo removed aheinecke as the assignee of this task.
ebo raised the priority of this task from Wishlist to Normal.
ebo updated the task description.
ebo changed the edit policy from "All Users" to "Contributor (Project)".
ebo edited projects, added gpd5x; removed Restricted Project.
ebo added a subscriber: ikloecker.

To query the AD I used the GPGME function gpgme_op_assuan_transact_ext with a query string like this:

ad_query --subst --attr=dn,userAccountControl (&(objectcategory=person)(objectclass=user) (|(userPrincipalName={{email}}) (mail={{email}})))

Of course, {{email}} must be replaced with the mail address queried; this might also be the UserPrincipalName.

Note: QGpgMEWKDLookupJob uses an Assuan transaction with dirmngr.
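As an added example (not code from Kleopatra, GnuPG, or any author in this task), here is how the client-side replacement of {{email}} in the filter above could be done without opening an LDAP filter injection: the value is escaped per RFC 4515 before substitution, so a user principal name containing '(' ')' '*' or '\' cannot widen or restructure the query, and the finished string is the single Assuan line one would pass to gpgme_op_assuan_transact_ext(). The helper names, the 1000-byte line bound derived from libassuan's ASSUAN_LINELENGTH, and the attribute list (dn and userAccountControl from the command above plus displayName, sn and mail, the attributes discussed for Name and Email in this task) are assumptions of the example, not anything the thread specifies.

```cpp
// Added example (not Kleopatra/GnuPG code): build the dirmngr ad_query
// command from the filter template quoted above, escaping the value that
// replaces {{email}} per RFC 4515 so that a user principal name containing
// '(' ')' '*' '\' or NUL cannot change the structure of the LDAP filter.
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>

// Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
// Bytes >= 0x80 (UTF-8) are passed through unchanged, as the RFC allows.
std::string ldapFilterEscape(const std::string &value)
{
    std::string out;
    out.reserve(value.size());
    for (unsigned char c : value) {
        switch (c) {
        case '*':  out += "\\2a"; break;
        case '(':  out += "\\28"; break;
        case ')':  out += "\\29"; break;
        case '\\': out += "\\5c"; break;
        case '\0': out += "\\00"; break;
        default:   out += static_cast<char>(c); break;
        }
    }
    return out;
}

// Replace every {{email}} placeholder in the template with the escaped value.
std::string substituteEmail(const std::string &tmpl, const std::string &email)
{
    const std::string placeholder = "{{email}}";
    const std::string escaped = ldapFilterEscape(email);
    std::string out = tmpl;
    std::string::size_type pos = 0;
    while ((pos = out.find(placeholder, pos)) != std::string::npos) {
        out.replace(pos, placeholder.size(), escaped);
        pos += escaped.size();
    }
    return out;
}

// The filter from the comment above, written without whitespace between the
// filter items (the RFC 4515 grammar has none there).
const std::string kFilterTemplate =
    "(&(objectcategory=person)(objectclass=user)"
    "(|(userPrincipalName={{email}})(mail={{email}})))";

// An Assuan command is a single line; libassuan's ASSUAN_LINELENGTH is 1002
// bytes including the trailing CRLF, so 1000 payload bytes is the assumed
// usable bound here.
constexpr std::size_t kMaxAssuanLine = 1000;

bool fitsAssuanLine(const std::string &line)
{
    return line.find_first_of("\r\n") == std::string::npos
        && line.size() <= kMaxAssuanLine;
}

// Assemble the command line one would hand to gpgme_op_assuan_transact_ext().
// The command name is spelled as in the comment above; the attribute list adds
// displayName, sn and mail (assumed here) to the two from the original command.
std::string buildAdQuery(const std::string &email)
{
    const std::string cmd =
        "ad_query --subst --attr=dn,userAccountControl,displayName,sn,mail "
        + substituteEmail(kFilterTemplate, email);
    if (!fitsAssuanLine(cmd))
        throw std::invalid_argument("query does not fit on one Assuan line");
    return cmd;
}

int main()
{
    // Constructed inputs: a plain UPN and one that tries to widen the filter.
    std::printf("%s\n", buildAdQuery("alice@example.test").c_str());
    std::printf("%s\n", buildAdQuery("eve)(objectclass=*").c_str());
    return 0;
}
```

The second constructed input shows the point of the escaping: without it, "eve)(objectclass=*" would close the userPrincipalName clause and add an objectclass=* term, matching far more than the one user. Two things the example deliberately leaves open: --subst is kept exactly as in the original command, so whether dirmngr's own {{...}} substitution would act on braces inside the supplied value is not something this thread establishes and should be checked separately, and the example does not send the command, since doing so needs a dirmngr to talk to.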

ikloecker renamed this task from Draft: Kleopatra: Make prefilled name and email address for new certificates configurable to Kleopatra: Make prefilled name and email address for new certificates configurable. (Oct 15 2025, 4:18 PM)
ikloecker mentioned this in Unknown Object (Maniphest Task). (Mon, May 18, 9:14 AM)

I finished a first implementation.


Questions:

  1. Which attributes shall we query for the Name and the Email of a new certificate? (I started with displayName and sn (aka surname) for Name and mail for Email.)
  2. More importantly, what shall we use as email in the query mentioned by @alexk in T6094#205422 to look up the user in the AD? (For now I'm using NameUserPrincipal retrieved via GetUserNameExW.)

It turns out that checking for a running dirmngr and then starting it takes a lot of time.

gpgme logs of the check for a running dirmngr, done with gpgme_op_assuan_transact("GETINFO version", ...):

2026-05-27 09:02:48 gpgme[5376.10d4] assuan_socket_connect (ctx=0x000001b1ccae0e90): call: name=C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.dirmngr, flags=0x0\n
2026-05-27 09:02:48 gpgme[5376.10d4] _assuan_socket (ctx=0x000001b1ccae0e90): enter: namespace=2,style=1,protocol=0\n
2026-05-27 09:02:48 gpgme[5376.10d4]   _gpgme_io_socket: enter: domain=0x0000000000000002 type=1, protp=0
2026-05-27 09:02:48 gpgme[5376.10d4]   _gpgme_io_socket: leave: hdd=0x000001b1cc862810, fd=0, sock=0x0000000000000c44
2026-05-27 09:02:48 gpgme[5376.10d4] _assuan_socket (ctx=0x000001b1ccae0e90): leave: result=0\n
2026-05-27 09:02:48 gpgme[5376.10d4] _assuan_connect (ctx=0x000001b1ccae0e90): enter: socket=0,addr=0x00000041227fb560,length=16\n
2026-05-27 09:02:48 gpgme[5376.10d4]   _gpgme_io_connect: enter: fd=0x0000000000000000 addr=0x00000041227fb560, addrlen=16
2026-05-27 09:02:50 gpgme[5376.10d4]   _gpgme_io_connect:2162: error: Input/output error (5)\n
2026-05-27 09:02:50 gpgme[5376.10d4] _assuan_connect (ctx=0x000001b1ccae0e90): error: Input/output error\n
2026-05-27 09:02:50 gpgme[5376.10d4] assuan_socket_connect (ctx=0x000001b1ccae0e90): call: can't connect to `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.dirmngr': Input/output error\n\n

Corresponding process monitor logs (ignore the different timestamps; no idea why they are different):

9:03:03.0745248 AM	kleopatra.exe	5376	CreateFile	C:\Users\g10code\AppData\Local\gnupg\S.dirmngr	SUCCESS	Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened	c:\Program Files\Gpg4win\bin\kleopatra.exe
9:03:03.0755726 AM	kleopatra.exe	5376	QueryEAFile	C:\Users\g10code\AppData\Local\gnupg\S.dirmngr	SUCCESS		c:\Program Files\Gpg4win\bin\kleopatra.exe
9:03:03.0897074 AM	kleopatra.exe	5376	ReadFile	C:\Users\g10code\AppData\Local\gnupg\S.dirmngr	SUCCESS	Offset: 0, Length: 22, Priority: Normal	c:\Program Files\Gpg4win\bin\kleopatra.exe
9:03:03.0898639 AM	kleopatra.exe	5376	ReadFile	C:\Users\g10code\AppData\Local\gnupg\S.dirmngr	END OF FILE	Offset: 22, Length: 8,192	c:\Program Files\Gpg4win\bin\kleopatra.exe
9:03:03.0899011 AM	kleopatra.exe	5376	CloseFile	C:\Users\g10code\AppData\Local\gnupg\S.dirmngr	SUCCESS		c:\Program Files\Gpg4win\bin\kleopatra.exe
9:03:03.5996913 AM	kleopatra.exe	5376	TCP Reconnect	g10-win11:57293 -> g10-win11:59188	SUCCESS	Length: 0, seqnum: 0, connid: 0	c:\Program Files\Gpg4win\bin\kleopatra.exe
9:03:04.1148715 AM	kleopatra.exe	5376	TCP Reconnect	g10-win11:57293 -> g10-win11:59188	SUCCESS	Length: 0, seqnum: 0, connid: 0	c:\Program Files\Gpg4win\bin\kleopatra.exe
9:03:04.6246102 AM	kleopatra.exe	5376	TCP Reconnect	g10-win11:57293 -> g10-win11:59188	SUCCESS	Length: 0, seqnum: 0, connid: 0	c:\Program Files\Gpg4win\bin\kleopatra.exe
9:03:05.1375932 AM	kleopatra.exe	5376	TCP Reconnect	g10-win11:57293 -> g10-win11:59188	SUCCESS	Length: 0, seqnum: 0, connid: 0	c:\Program Files\Gpg4win\bin\kleopatra.exe
9:03:05.1376972 AM	kleopatra.exe	5376	TCP Disconnect	g10-win11:57293 -> g10-win11:59188	SUCCESS	Length: 0, seqnum: 0, connid: 0	c:\Program Files\Gpg4win\bin\kleopatra.exe

It seems to be the connect system call that's trying to connect for 2 seconds. No idea whether there's something we can do.

Possible solution: Kleopatra starts a dirmngr in the background after the initial keylisting.