Page MenuHome GnuPG
Create Task
Maniphest T6559

GPGSM: "always trust like override" or "force" option
Closed, ResolvedPublic
Actions

Description

A wish from a customer, they sometimes do not have a trusted root CA or an incomplete certificate chain or CRL problems but would still like to encrypt even though it might be less secure.
This usually results in them sending out information they would like to have encrypted, unencrypted as it is not possible in the GnuPG UIs to show a warning (like we do for untrusted OpenPGP certs) and encrypt anyway. This creates a bad user experience so I tend to agree with this customer wish.

Perfect solution would be some "Trust on first use / direct trust" style "I want to trust this leaf certificate and nothing else" which might also be a solution for the current "User Trustlist" which is not denied by default in GnuPG VSD.

Revisions and Commits

rG GnuPG
rG776876ce1c4c gpgsm: Add --always-trust feature.
rGcdd6747e1ec5 gpgsm: Add --always-trust feature.
rM GPGME
rMd75b2a915173 Support GPGME_ENCRYPT_ALWAYS_TRUST also for S/MIME.

Related Objects
Search...

Event Timeline

aheinecke triaged this task as Wishlist priority.Jun 26 2023, 8:37 AM
aheinecke created this task.
aheinecke raised the priority of this task from Wishlist to Normal.Jul 18 2023, 1:12 PM

I am raising this up from the wishlist. Error messages from CRL errors can be so obscure, like we just had in a support call.

For me it is a User Experience "bug/issue" because the user experience is horrible. And that does not reflect bad on S/MIME but on our software. In fact if we had a dialog we could write something like: "Forced online validation of certificates often leads to problems with S/MIME. Do you wish to encrypt anyway?" <encrypt without strict VS-NfD compliance> <no>

My customer right now just had "Unknown error" but often times we see something like "No Name" or other such error messages that the user cannot put into context.

werner added a project: Feature Request.Aug 25 2023, 4:00 PM
werner claimed this task.Aug 30 2023, 6:13 PM
werner added a project: gnupg24.
werner added a commit: rGcdd6747e1ec5: gpgsm: Add --always-trust feature..Aug 31 2023, 11:18 AM
werner added a commit: rMd75b2a915173: Support GPGME_ENCRYPT_ALWAYS_TRUST also for S/MIME..Aug 31 2023, 12:06 PM
werner removed werner as the assignee of this task.Aug 31 2023, 12:07 PM
werner moved this task from Backlog to QA on the gnupg22 board.
werner added a subscriber: werner.
werner added a commit: rG776876ce1c4c: gpgsm: Add --always-trust feature..Aug 31 2023, 12:31 PM
werner moved this task from Backlog to QA on the gnupg24 board.Aug 31 2023, 12:36 PM
aheinecke added a parent task: T6701: GpgOL: Use GPGME_ENCRYPT_ALWAYS_TRUST.Sep 4 2023, 8:45 AM
aheinecke added a parent task: T6702: Kleopatra: Use GPGME_ENCRYPT_ALWAYS_TRUST.Sep 4 2023, 8:49 AM
ebo changed the task status from Open to Testing.Sep 7 2023, 10:51 AM
werner added a project: gpgme.Sep 8 2023, 3:45 PM
werner moved this task from Backlog to QA for next release on the gpgme board.
ebo added a subscriber: ebo.Sep 18 2023, 3:31 PM

Tested on the command line with

  • a previously valid certificate after setting its root certificate to untrusted
  • a expired certificate without the root certificate in the certificate list

after adding "--always-trust" encryption for both test certificates succeeded:

gpgsm: Benutztes Gültigkeitsmodell: bypass
gpgsm: encrypted data created
ebo closed this task as Resolved.Sep 18 2023, 3:39 PM
ebo claimed this task.
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Sep 18 2023, 3:42 PM
ebo moved this task from QA to gnupg-2.2.42 on the gnupg22 board.Sep 18 2023, 4:15 PM
ebo edited projects, added gnupg22 (gnupg-2.2.42); removed gnupg22.
aheinecke mentioned this in Unknown Object (Maniphest Task).Sep 25 2023, 6:59 PM
ebo mentioned this in T6743: Libkleo Keyresolver: check for existing encryption subkey instead valid one, as first step.Oct 2 2023, 1:46 PM
werner moved this task from QA for next release to gpgme 1.23.x on the gpgme board.Oct 25 2023, 10:39 AM
werner edited projects, added gpgme (gpgme 1.23.x); removed gpgme.
werner mentioned this in T6774: Release GPGME 1.23.0.Oct 25 2023, 11:14 AM
werner moved this task from QA to gnupg-2.4.4 on the gnupg24 board.Jan 24 2024, 11:37 AM
werner edited projects, added gnupg24 (gnupg-2.4.4); removed gnupg24.
werner mentioned this in T6578: Release GnuPG 2.4.4.Jan 25 2024, 11:37 AM
werner mentioned this in T7189: Release GnuPG 2.5.0.Jul 5 2024, 2:42 PM