Page MenuHome GnuPG
Create Task
Maniphest T6683

GpgOL: Configurable error if sign is selected and prefer_smime
Closed, ResolvedPublic
Actions

Description

This should really be part of our VSD new release for strategic reasons. But I needed to update GpgOL in there anyway compared to Gpg4win. GpgOL currently shows a kind of incomprehensible error when there is no S/MIME secret key available for singing and sign is selected. Since a very important customer still does always_sign in their default config this is usually the first contact that they have with our Software. They cannot send mails until they disable the signing.

We want to just put a configurable registry key in there so that customers can link users to their internal procedures on how to obtain an S/MIME certificate. Bonus points if the dialog actually checks for alwaysSign and either offers to not to prefer S/MIME in that case (because OpenPGP keys can be selfgenerated on the fly) or allows to disable alwaysSign.

Revisions and Commits

rO GpgOL
rO0457e59223f6 Improve handling of S/MIME sign without cert
rOdd7533111e41 Fix encoding for no singning certificate warning
rO976e9822a5ca Improve handling of sign selected without certs

Related Objects

Event Timeline

aheinecke triaged this task as High priority.Aug 25 2023, 9:17 AM
aheinecke created this task.
aheinecke added a comment.Sep 19 2023, 3:46 PM

So the default error is now:

When selecting OK:

You can also configure this with the hidden option "smimeNoCertSigErr" for something specific to your organization:

When you switch to openpgp you have the option to generate a key. If you stick with S/MIME it will send out an unsigned mail.

The error message is only shown once per start of outlook so as to not be too annoying.

aheinecke added a commit: rO976e9822a5ca: Improve handling of sign selected without certs.Sep 19 2023, 6:18 PM
aheinecke added a comment.Sep 19 2023, 6:19 PM

The most difficult thing here was to actually support the case where the user then sees the keyresolver dialog and selects "yes i do not wish to sign" this never worked.

My solution for this was to implement something that goes a bit against the architectural design of async encryption but I doubt that we will ever see async encryption in GpgOL COM.

aheinecke changed the task status from Open to Testing.Sep 19 2023, 6:19 PM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Sep 29 2023, 2:50 PM
ebo changed the task status from Testing to Open.Oct 4 2023, 9:09 AM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ebo added a subscriber: ebo.

I do not see the default error message, not even with a new, totally empty keyring.
I immediately get:

VS-Desktop-3.2.0.0-beta229/231

ebo added a comment.EditedOct 4 2023, 9:26 AM

I realized that I still had "always show confirmation dialog" on... When I turn that off I get the default error message, but with encoding errors:


(I'll take care of the line break, btw)

But, as I had switched to a keyring with a valid S/MIME certificate for the sender, this is unexpected.

Clicking OK then results in a switch to OpenPGP without any question or explanation:

Edit: In that keyring I had for the recipient an expired S/MIME and a valid OpenPGP one, though that one was not VS-NfD compliant because not certified. So I would expect the confirmation dialog to come up (with OpenPGP selected) instead of pinentry.

ikloecker added a subscriber: ikloecker.Oct 4 2023, 9:49 AM
In T6683#176424, @ebo wrote:

Does anybody understand this? I had to check the source code to understand what "Identität und Integrität nicht bestätigen" ("Don't confirm identity and integrity") means. The tool tip reads "The E-Mail will not be cryptographically signed." which explains it, but I think we should improve the text in the drop down. Is "confirm" actually the correct word? Isn't "confirm identity and integrity" something that the receiver does by verifying the signature? Even if "confirm" fits, I think for me "certify" would make it clearer. Although my confusion comes mostly from the missing subject of confirmation, i.e. "the email".

So, maybe we should change it to "Don't confirm identity and integrity of the email". From the screenshot there's plenty of space for a longer text. (Even more correct would be "Don't confirm identity of the sender and integrity of the email", but that's probably getting too long.)

Thinking more about this, I'm wondering whether this dialog is actually the correct place to disable signing if signing was enabled in Outlook. There should at least be a big fat warning directly above the "OK" button that the email will be sent unsigned. (Or maybe there is another confirmation dialog shown before actually sending the email which I don't know about.)

aheinecke added a comment.Oct 4 2023, 10:03 AM

Yes, the wording for this line should be improved, I agree.
In the current release and the releases up to now this action did not work at all when it was not used in combination with encrypt. That usually happens only if an administrator activates the "always_sign" option, prefers S/MIME and then does not issue users with S/MIME certificates. For OpenPGP we have the "Generate" option preselected in that case.

The reason to disable this here is that in Outlook you have a prominent "Secure" Button that enables sign + encrypt. And while encrypting without having a key for your own is an important use case this dialog made the most sense for me to say "don't sign, don't encrypt for myself."

The use case is that your communication partner only offers S/MIME certificates but you internally use only OpenPGP, you can then still send this recpient an S/MIME mail that you can't decrypt or sign but which at least the recipient will be able to read.

ebo added a comment.Oct 4 2023, 11:51 AM

If I repeat this with a totally empty keyring, I get the new message regarding the missing signing certificate.

"OK" then opens the confirmation dialog, as you planned:

So it seems it works for the intended case but has unexpected side effects in other ones.

Although I suspect now that the "no 509 certificate" message box coming up in spite of a valid S/MIME for the sender was a side effect from restarting Outlook at the wrong time. I can not reproduce it at the moment, anyway.

ebo added a comment.Oct 4 2023, 2:18 PM

The new "no 509 certificate" message box comes up always when restarting Outlook and then immediately composing and sending a message, even when the user has a certificate.
-> add a check if the cache is already loaded in GpgOL

alexreynolds added a subscriber: alexreynolds.Oct 23 2023, 8:19 AM
This comment was removed by ebo.
ebo removed a subscriber: alexreynolds.Oct 23 2023, 8:39 AM
aheinecke changed the task status from Open to Testing.Nov 6 2023, 1:16 PM

Yeah there were some logic errors with this but I think I caught them all.

aheinecke added a commit: rOdd7533111e41: Fix encoding for no singning certificate warning.Nov 6 2023, 3:19 PM
aheinecke added a commit: rO0457e59223f6: Improve handling of S/MIME sign without cert.
aheinecke reassigned this task from aheinecke to ebo.Nov 7 2023, 4:00 PM
aheinecke moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ebo mentioned this in T6805: GpgOL: RSA 2048 Key generated in VSD.Nov 9 2023, 1:58 PM
ebo closed this task as Resolved.Nov 9 2023, 3:46 PM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ebo added a project: vsd32 (vsd-3.2.0).

In GnuPG-VS-Desktop-3.1.90.267-Beta-Standard it works, aside from T6805:
You do not get the new "no x509" message wrongly any more even when quickly sending a mail after restart of Outlook.
But it correctly appeares if no X509 is available.
And the message is configurable via the registry setting HKLM/HKCU \Software\GNU\GpgOL\smimeNoCertSigErr (although I do not know how to add line breaks there, but that is not important).

ebo added a comment.Nov 9 2023, 3:53 PM

But I wonder if we should not address https://dev.gnupg.org/T6683#176429, the text there is not changes in this Beta version.

ebo mentioned this in T6808: Libkleo Keyresolver: misleading display/wording in confirmation dialog.Nov 10 2023, 12:30 PM
aheinecke mentioned this in T4484: GpgOL: Improve handling for always sign, when no S/MIME sec key is available.Jul 31 2024, 1:10 PM