
Allow "refresh key/signatures" from key's context menu (from key list)
Open, Normal, Public

Description

As suggested in a comment on https://dev.gnupg.org/T5903, I wish to have an RMB (right mouse button) context menu for the list of certificates to refresh just the current one. There exists a menu entry to refresh all keys, but there may be reasons not to want that.
The feature cited basically implements the same, but at a "higher UI level" (i.e.: one level deeper in the structure).
I think the advantage of my proposal is that one might even multi-select keys and then use the context menu to refresh just those keys.

For the German UI the context menu looks like this (in 4.2.0):

Details

Version
gpg4win 4.2.0

Event Timeline

aheinecke triaged this task as Wishlist priority. Sep 28 2023, 3:53 PM
aheinecke added projects: kleopatra, Restricted Project.
aheinecke added a subscriber: aheinecke.

Multi select makes this nontrivial. But I think only with multi select this would really be useful. But yes it is a nice item for the backlog. E.g. if you know that a company switched their mail domain you might want to refresh all the keys from that company and you could do that with filter + multi select and refresh.

Mmh or even select all expired keys and then refresh them.

I guess I asked for it, because much older "PGP Desktop" had it already (via menu entry):

Aha, so you know how to provoke us into action, good man ;-) Alright, I'll give it high priority. No, seriously, it makes sense to have; we'll see when we can fit it in. Needs an extension in our internal API, so probably not in the next release but sooner rather than later.

ebo raised the priority of this task from Wishlist to Normal. Feb 15 2024, 9:15 AM
alexk moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Apr 30 2024, 4:59 PM
TobiasFella changed the task status from Open to Testing. May 2 2024, 1:47 PM
ikloecker moved this task from Backlog to WiP on the vsd33 board.

Tested with Gpg4win-4.3.2-beta25:

Good news: There is a "Update Certificates" action in the context menu and it does search.
Bad news: If Origin is "Unknown", it only searches on keyserver, even if the UID is a mail address (verified via dirmngr logging).
If the (original) Origin is WKD, WKD as well as keyserver are checked:

As the certificate in this case was imported for the first time from WKD only 30 seconds before the refresh, I'm sure the "The certificate has been updated." is wrong. It should be "The certificate has not changed."

Why did I insert "original" above: If you first import a certificate from a file and after that do a "lookup" and import that result, the Origin column switches to "WKD". But "Update certificate" still does not query WKD! (not even after restarting Kleopatra.)

When multiple certificates are selected for updating, it seems there are multiple keyserver queries, but there is only feedback in the singular: "The certificate has been updated", in spite of 3 times "HTTP Status 404".
I won't do any more thorough checks at this time.

I can confirm that Kleopatra reports "The certificate was updated." when updating the certificate werner.koch@gnupg.com although gpgme reports "unchanged: 1" as ImportResult. Kleopatra even reports "The certificate was updated." under WKD for a locally generated test key that's not available via WKD. This should be fixed.

Using gpg 2.4.6-betaX I could not reproduce that the origin of a certificate initially imported from a file changes to WKD after doing an update or another lookup followed by an import. Update: I can reproduce this when the WKD contains new data (e.g. new signatures) for the key compared to the key imported from file. In this case the origin of the key changes to WKD, but the origin of the user ID stays "unknown". And Kleopatra only considers the origin of the user IDs when checking which user ID to look up via WKD (if the setting to look up all user IDs via WKD is not enabled).

And "But "Update certificate" does still not query WKD! (not even after restarting Kleopatra.)" seems to happen because the setting "Query certificate directories of providers for all user IDs" wasn't enabled.

ikloecker changed the task status from Testing to Open. Jun 13 2024, 3:40 PM
ikloecker moved this task from QA to Backlog on the vsd33 board.

And "But "Update certificate" does still not query WKD (not even after restarting Kleopatra.)" seems to happen because the setting "Query certificate directories of providers for all user IDs" wasn't enabled.

Yes, correct. I think we should turn on this option in the settings by default. This is what one usually wants (and probably expects, like me).

And what should we do about the refresh with multiple certificates? Maybe we should enable this action for the upcoming release only for one certificate at a time and make a new ticket for the next release where we include the possibility to do this for several certificates at once?

Querying WKDs for keys not retrieved via WKD leaks information, i.e. a (fake) WKD could track who is looking for keys. KDE's privacy-by-default policy doesn't allow such a setting to be enabled by default. (In VSD you can enable it for certain customers who don't have a problem with this.)

What's the problem with refreshing multiple certificates except for a misleading "Certificates have been updated." message?
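The privacy point above rests on what a single WKD lookup discloses to the queried domain. As an added illustration (not Kleopatra or GnuPG code), this derives the URL a client fetches for an address according to the WKD draft; the example.org/example.com addresses are constructed, and the Joe.Doe value is the vector given in the specification.

```python
"""Added example (not Kleopatra/GnuPG code): what a WKD lookup discloses.

WKD derives the lookup URL from the e-mail address: the lower-cased
local-part is SHA-1 hashed, z-base-32 encoded, and the plain local-part is
appended as ?l=... The domains/addresses here are constructed; the Joe.Doe
vector is the one given in the WKD draft.
"""
import hashlib

ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes with z-base-32 (MSB first, 5 bits per character)."""
    buf, nbits, out = 0, 0, []
    for byte in data:
        buf = (buf << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(buf >> nbits) & 0x1F])
    if nbits:  # trailing partial group (never hit for a 20-byte SHA-1 digest)
        out.append(ZBASE32_ALPHABET[(buf << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """WKD hash: z-base-32(SHA-1(lower-cased local-part)), always 32 chars."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode()).digest())


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' method URLs a client would fetch."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    base = "/.well-known/openpgpkey"
    return {
        "advanced": f"https://openpgpkey.{domain}{base}/{domain}/hu/{h}?l={local_part}",
        "direct": f"https://{domain}{base}/hu/{h}?l={local_part}",
    }


def wkd_server_learns(address: str) -> dict:
    """Per lookup the queried host sees the hashed AND plain local-part (via
    ?l=), plus the client IP and time from its access log: this is why an
    unsolicited lookup against a (possibly fake) WKD is a tracking risk."""
    local_part, _ = address.rsplit("@", 1)
    return {"hashed_local_part": wkd_hash(local_part), "plain_local_part": local_part}
```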

Looking only at the text used, you get exactly the same messages used for single certificate updates, "The certificate has been updated" or "The certificate was not found.", both in the singular.

And looking at the logic from the user side it looks like the results from the multiple updates are mashed up somehow. If I combine the update of one certificate with origin WKD and one with keyserver I get "The certificate has been updated" for both categories:

But if I do separate searches for the same certificates I get:

WKD:

Ergebnis der OpenPGP-Zertifikat Aktualisierung via Schlüsselserver, LDAP oder Active Directory
Das Zertifikat wurde nicht gefunden.
Ergebnis der Aktualisierung via Schlüsselverzeichnis (WKD)
Das Zertifikat wurde aktualisiert.

Keyserver:

Ergebnis der OpenPGP-Zertifikat Aktualisierung via Schlüsselserver, LDAP oder Active Directory
Das Zertifikat hat sich nicht geändert.
Ergebnis der Aktualisierung via Schlüsselverzeichnis (WKD)
Das Zertifikat wurde aktualisiert.

From my viewpoint the resulting combined answer seems to be without a connection to reality, it's obviously not only the result for the first or last update.

I think if we want to include multiple key updates we would have to restructure the feedback, so it does not get too complicated. Maybe like the message we use for key imports, only listing "number of certificates updated", "number of certificates unchanged" and additionally "number of certificates not found".

I updated the certificates of Werner, Andre and you and got as result "The certificates were updated.", i.e. plural, for both, keyserver and WKD. Singular could mean that only updates for one certificate were found.

We have to check if we get enough information for a bit more detailed result as proposed by you. I agree that this would be nicer.

Note that the origin stored for the key is for example required if a key is updated by fingerprint. In that case we don't know from which user ID to take the origin.

Turns out

  • the singular instead of plural in the German version is a translation thing and should now be fixed (but is not in the test version beta35)
  • there is another issue muddying the waters regarding search in WKD, for which I will create another ticket

It seems only the notifications for multi-key searches remain, which are not necessarily true or at the very least misleading.

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Wed, Jul 17, 3:09 PM

OK, works with Version 3.2.2.2405000+git~ (Gpg4win-4.3.2-beta41).

For the better feedback part see T7206.