
Kleopatra: Handle --require-compliance by preventing non compliant actions
Closed, Wontfix (Public)

Description

GnuPG / GPGSM have the --require-compliance command line switch, which leads to errors when non-compliant actions / decryptions are requested. But Kleopatra still allows starting them. It would be nicer if Kleopatra would grey out the OK / Start buttons in that case.

If it is also done in Libkleo's keyresolver dialog for GpgOL, this will work for the Outlook plugin, too, because it does not resolve internally for non-compliant keys in compliance mode.

Event Timeline

aheinecke triaged this task as Wishlist priority. Aug 30 2022, 10:31 AM
aheinecke created this task.
aheinecke claimed this task.

After internal discussion this will be moved to Wontfix.

The reasoning is that require-compliance is meant as a command line switch to ease scripting, not as a global option. Other software on the system, like Git, might use GnuPG for non-VS-NfD-compliant actions. This could lead to strange errors. It is also in our interest, and the result of several discussions with the BSI, that Kleopatra should also be able to decrypt / encrypt to non-VS-NfD-compliant users. Restricting us to always-compliant actions would hinder users that want to use our software for more than just VS-NfD encryption.

Another reason is that by offering a require-compliance option in the UI we would make a false promise. We cannot technically ensure that VS-NfD compliance is given. E.g. someone created a key with the random generator of Gpg4win but used compliant algorithms. We cannot detect something like that and having a require-compliance option might be misleading. The users or administrators or SIEBes have to ensure VS-NfD compliance by only signing such keys if they want to require compliance and users should use only such keys. But we cannot technically ensure that. It is an organisational question.