
Kleopatra: X509 import needs to be offline
Open, Normal, Public

Description

With keyboxd now more ready for prime time we want users to try it out. The way to try it out will be to export all their certificates using Kleopatra and then reimporting them after switching to keyboxd.

For X509 this does not work well on reasonably dirty keyrings because it will both try to fetch missing issuer certificates and CRLs and run into a ton of dirmngr timeouts. On my Linux system the difference is 48 minutes to import my 800 S/MIME certificates, while it takes 1.6 seconds with --disable-dirmngr.

While it might be nice to have the CRL check / issuer certificate check done when importing only a single certificate, I think it should be offline at first. This is anyway more in line with what Kleopatra would show when the keyring was already imported, because the initial keylisting would be offline.

Optionally, if we then see in the import results that only, say, less than 5 certificates were imported, then we could maybe do a keylist with validation / CRL checks on them right after import?

Event Timeline

aheinecke created this task.

There is already an additional handleExternalCMSImports which does

// For external CMS Imports we have to manually do a keylist
// with validation to get the intermediate and root ca imported
// automatically if trusted-certs and extra-certs are used.

But that step is part of the import and thus it won't make the import faster if we do this also for local imports. If we add a special case, then I'd add it just for a single leaf-certificate.

Note: The gpgsm engine of GpgME supports the offline flag (which maps to --disable-dirmngr) only for keylist operations. gpgsm_import doesn't even have an engine_flags argument.

Yes, this is no longer required since we use a script now.

aheinecke lowered the priority of this task from High to Wishlist.

Well, better to wishlist this, as a user might still import a bulk of S/MIME certificates.

aheinecke raised the priority of this task from Wishlist to Normal. Aug 14 2023, 10:18 AM
ikloecker added a subscriber: ikloecker.