Page MenuHome GnuPG
Create Task
Maniphest T6722

Kleopatra: Forbid adding non-encryption keys to groups
Testing, NormalPublic
Actions

Description

Kleopatra should forbid adding sign-only keys to groups. And it should be made clear that groups are meant to be used for encryption by changing the wording from "groups" to "encryption groups" where appropriate. If a group with sign-only keys is imported, then the user shall be informed. Groups with sign-only keys shall be marked in the group dialog as invalid and it should not be possible to export such groups.

Rationale: Kleopatra's certificate groups are meant to be used for simplifying encrypting to a group of certificates. Currently, it's possible to add sign-only certificates to groups. This renders those groups unusable for encryption which is a usability problem. The users won't know why some group doesn't work as intended.

A secondary use case for groups is defining aliases for single keys. Forbidding sign-only keys in groups will prevent defining an alias for a sign-only key. We think this is acceptable because people can configure such an alias in their gpg.conf using gpg's group option.

Edit 2024-02-15: Changed "sign-only keys" to "non-encryption keys" in title because this applies to any keys that cannot be used for encryption.

Revisions and Commits

rLIBKLEO Libkleo
rLIBKLEO861195066436 Warn about groups containing sign-only keys in the groups dialog
rLIBKLEO398862f83203 Warn about groups containing sign-only keys in the groups dialog
rKLEOPATRA Kleopatra
rKLEOPATRAe831a50721ef Prevent sign-only keys from being added to a key group
rKLEOPATRAd4d64b718a76 Prevent sign-only keys from being added to a key group
rKLEOPATRAde420ea0a5e3 Show a warning when the user imports a group containing sign-only keys
rKLEOPATRA43b17287e7f8 Show a warning when the user imports a group containing sign-only keys
rKLEOPATRAe74b771c728d Prevent sign-only keys from being added to a key group

Related Objects
Search...

Event Timeline

ikloecker created this task.Sep 19 2023, 12:15 PM
ikloecker mentioned this in Unknown Object (Maniphest Task).
aheinecke triaged this task as Normal priority.Sep 19 2023, 12:19 PM
aheinecke added projects: Restricted Project, kleopatra.
aheinecke added a subscriber: aheinecke.

Yes I think this makes sense and a little safeguard from weird situtations where users won't know how to resolve a problem. I think we should also check for that when ever a group is opened that it does not contain such keys. In case someone "revoked" there encryption key or more commonly the encryption subkey expired. In that case a message box might make sense telling the user which key / keys are not suitable for decryption.

ikloecker mentioned this in T6744: Kleopatra and key resolver: Use the blue symbol for non-compliant keys.Nov 10 2023, 6:55 PM
ebo added a parent task: T6916: Kleopatra group related improvements.Jan 3 2024, 12:05 PM
ebo mentioned this in T6966: Kleopatra: Show which certificates in a group are not usable for encryption.Jan 30 2024, 4:11 PM
TobiasFella added a commit: rKLEOPATRAe74b771c728d: Prevent sign-only keys from being added to a key group.Feb 14 2024, 4:09 PM
TobiasFella added a commit: rKLEOPATRA43b17287e7f8: Show a warning when the user imports a group containing sign-only keys.Feb 14 2024, 4:59 PM
TobiasFella moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Feb 15 2024, 9:01 AM
ikloecker renamed this task from Kleopatra: Forbid adding sign-only keys to groups to Kleopatra: Forbid adding non-encryption keys to groups.Feb 15 2024, 9:55 AM
ikloecker updated the task description. (Show Details)
TobiasFella added a commit: rKLEOPATRAde420ea0a5e3: Show a warning when the user imports a group containing sign-only keys.Feb 16 2024, 11:14 AM
TobiasFella added a commit: rLIBKLEO398862f83203: Warn about groups containing sign-only keys in the groups dialog.Feb 16 2024, 12:10 PM
TobiasFella added a commit: rLIBKLEO861195066436: Warn about groups containing sign-only keys in the groups dialog.Feb 19 2024, 11:11 AM
TobiasFella added a commit: rKLEOPATRAd4d64b718a76: Prevent sign-only keys from being added to a key group.Feb 20 2024, 11:28 AM
TobiasFella added a commit: rKLEOPATRAe831a50721ef: Prevent sign-only keys from being added to a key group.Feb 20 2024, 1:27 PM
TobiasFella changed the task status from Open to Testing.Feb 21 2024, 2:17 PM
TobiasFella claimed this task.