
Okular: Highlight / preselect "nonRepudiation" certificates for qualified signatures
Testing, NormalPublic

Description

So for signing digital documents there is a special signature usage in certificates which is called "nonRepudiation". So I have a smartcard with three S/MIME certificates on it. All look pretty much alike and have the same chain etc.

The three certificates have:

keyUsage: digitalSignature
keyUsage: nonRepudiation
keyUsage: keyEncipherment dataEncipherment

But I have seen other cases where keyUsage was both "digitalSignature" and "nonRepudiation".

Now Okular currently shows them in a list; it only shows two of those certificates because only two can sign. But ideally it would highlight the one with usage "nonRepudiation", and if we change the certificate selection interface to something like a combobox it should also preselect that one. Currently I have no way of seeing the difference in the UI.

The catch is, though, that GPGME currently shows both of them with the same capabilities, so from the GPGME API they are indistinguishable. So a subtask will be opened for that.
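
The distinction described above, as an added example (not code from GPGME, poppler or Okular): decoding the keyUsage BIT STRING as defined in RFC 5280 keeps digitalSignature and nonRepudiation apart, so a selection UI can preselect the nonRepudiation certificate. All names (`parseKeyUsage`, `canSign`, `preselect`, `sampleCard`, the labels) and the DER bytes are constructed for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// KeyUsage named bits, RFC 5280 section 4.2.1.3 (named bit 0 is the MSB of byte 0).
enum KeyUsage : uint16_t { DigitalSignature = 1, NonRepudiation = 2,
                           KeyEncipherment = 4, DataEncipherment = 8 };

// Decode a DER BIT STRING (tag 0x03, short-form length, unused-bit count, data)
// into a mask of named bits. Returns false on malformed input.
bool parseKeyUsage(const std::vector<uint8_t> &der, uint16_t &mask) {
    mask = 0;
    if (der.size() < 4 || der[0] != 0x03 || der[1] >= 0x80) return false;
    if (size_t(der[1]) != der.size() - 2 || der[2] > 7) return false;
    const size_t nbits = (der.size() - 3) * 8 - der[2];
    for (size_t bit = 0; bit < nbits && bit < 16; ++bit)
        if (der[3 + bit / 8] & (0x80u >> (bit % 8))) mask |= uint16_t(1u << bit);
    return true;
}

struct Cert { std::string label; uint16_t usage; };

// A single "can sign" capability: both usages collapse into one boolean.
bool canSign(const Cert &c) { return (c.usage & (DigitalSignature | NonRepudiation)) != 0; }

// Index to preselect: first nonRepudiation cert, else first that can sign, else -1.
int preselect(const std::vector<Cert> &certs) {
    int fallback = -1;
    for (size_t i = 0; i < certs.size(); ++i) {
        if (certs[i].usage & NonRepudiation) return int(i);
        if (fallback < 0 && canSign(certs[i])) fallback = int(i);
    }
    return fallback;
}

// Constructed sample: the three keyUsage values listed in the description.
std::vector<Cert> sampleCard() {
    const std::vector<std::pair<std::string, std::vector<uint8_t>>> raw = {
        {"auth", {0x03, 0x02, 0x07, 0x80}},  // digitalSignature
        {"sign", {0x03, 0x02, 0x06, 0x40}},  // nonRepudiation
        {"encr", {0x03, 0x02, 0x04, 0x30}}}; // keyEncipherment, dataEncipherment
    std::vector<Cert> out;
    uint16_t m;
    for (const auto &r : raw) if (parseKeyUsage(r.second, m)) out.push_back(Cert{r.first, m});
    return out;
}
int main() { const auto c = sampleCard(); std::cout << c[preselect(c)].label << "\n"; }
```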

Event Timeline

aheinecke created this task.

gpgme puts digitalSignature and nonRepudiation into canSign. We need them separated at the sources (maybe exposing keyUsage directly in gpgme). That would also make the code in poppler better and more accurate. I'm trying to reconstruct the keyUsages from the canSign&friends functions.

Use the is_qualified flag to figure out QES certificates. This is more than just a capability flag.

ebo edited projects, added gpd5x; removed Restricted Project. Dec 12 2025, 3:47 PM

We now have a filter for qualified signatures if there is any in the list.

svuorela changed the task status from Open to Testing. Tue, Jan 13, 2:38 PM

I created a bunch of smime certs (via OpenSSL) and imported them in gpg4win-5.0.0 @ win11:

  • For each keyusage
    • keyEncipherment, dataEncipherment
    • digitalSignature
    • nonRepudiation
    • digitalSignature, nonRepudiation
  • Alice's certs with different names, Bob's certs with same name for each key

For "nonRepudiation" certs I still can't see any highlight (as stated in the description) or any other hint:

What do you mean by filter?

None of these certificates are for qualified signatures.

I see. I added the root cert to C:\ProgramData\GNU\etc\gnupg\qualified.txt and the usage of the signing certs does include a qualified signature in Kleopatra now. Still I don't see any highlight/filter in Okular:

I also tested adding the qual flag to the root cert in the global trusted.txt, as using qualified.txt is considered legacy, but still the same behavior.