Page MenuHome GnuPG

Kleopatra: Encryption to group with expired key fails with unexpected message
Closed, ResolvedPublic


Take a Kleopatra group of OpenPGP Keys from which one is expired and try to encrypt for it:

Selection works with an appropriate feedback, but then the user get an unexpected error message:

If something fails, it should be the encryption, not the Signature....
GpgME seems to "know" the real problem, though:

[7420] org.kde.pim.kleopatra: Kleo::Crypto::SignEncryptTask(0x8f4e648) slotResult job: QGpgME::QGpgMESignEncryptJob(0x62624e0) signing result: "GpgME::SigningResult(\n error:              GpgME::Error(117440565 (Unbrauchbarer öffentlicher Schlüssel))\n createdSignatures:\n invalidSigningKeys:\nGpgME::InvalidSigningKey(\n fingerprint: 1B7724C95351B75394303415C2577F23F8E93418\n reason:      GpgME::Error(117440513 (Allgemeiner Fehler))\n)\n)" encryption result: "GpgME::EncryptionResult(\n error:        GpgME::Error(117440565 (Unbrauchbarer öffentlicher Schlüssel))\n invalid recipients:\nGpgME::InvalidRecipient(\n fingerprint: 1B7724C95351B75394303415C2577F23F8E93418\n reason:      GpgME::Error(117440729 (Alle Unterschlüssel sind abgelaufen oder widerrufen))\n)\n)"



Event Timeline

This is in contrast to the behavior for "single" keys. An expired key is not listed as available for encryption at all.

I think that if we know that GnuPG is not encrypting to expired keys we need to use the X icon for that key and disable the sign/encrypt button until this key is removed.

aheinecke triaged this task as Normal priority.Oct 5 2023, 9:45 AM

We decided what aheinecke wrote before: The key group name should be displayed with a red X and the encryption button should be disabled as long as encryption is not possible.

Additionally the details of the group should not (only) be displayed if you click on the symbol (which is very difficult to find) we should add a new, separate info button. Which is also good for a11y.

And the filter for the key selection has to be checked. Also compare T6743

ikloecker mentioned this in Unknown Object (Event).Oct 9 2023, 9:44 AM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker changed the task status from Open to Testing.Nov 2 2023, 2:09 PM
ikloecker removed ikloecker as the assignee of this task.
ikloecker added a subscriber: ikloecker.

Fixed for Sign/Encrypt Files/Folders and Sign/Encrypt notepad.

  • Invalid encryption certificates and groups with invalid encryption certificates are now marked with the red error icon.
  • The Sign/Encrypt button is disabled if invalid encryption certificates/groups have been selected.
  • Works for both: The encrypt to self certificate and the encrypt to others certificates/groups.
  • Works for groups containing invalid encryption certificates and for valid certificates with invalid encryption subkeys.

Note: Similar issues with invalid signing certificates have been fixed for T6788: Kleopatra: Signing with expired signing subkey shouldn't be possible.

ikloecker mentioned this in Unknown Object (Event).Nov 6 2023, 9:33 AM

Discussed this with ebo. This is a bugfix that should be in the release even though it is multiple changes I will cherry pick them over to the release branches.

Works for the reported and important cases, Tested with VS-Desktop-

For the case from the description, a group with one expired key it looks now like this:

Debugview only says the same:
[7124] org.kde.pim.kleopatra: Setting KeyGroup. "OpenPGP (2 Schlüssel, nicht alle beglaubigt)"

I do not really like the text "not all certified" as it is misleading. "Not all valid would" be better. What do you say? For me it looks like a no-brainer but I don't now where else the same code is used where the phrasing maybe doesn't fit.

But I like very much that clicking on the red X brings up the group details where I can see that one key is expired. Now that I know this feature exists.
What about the second part of Should I make a separate a11y ticket for that with low prio?

For a valid, but not VS-NfD compliant key it looks like this and encryption is possible:

If a valid key has only an expired encryption subkey it looks like this:

Here we could discuss, too, if we want a new ticket with a low prio for this or we want to leave it.

What about the second part of Should I make a separate a11y ticket for that with low prio?


ebo claimed this task.
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

ok, opened T6819 for the separate button.
The rest is ok, I think. As long as we display keypairs in a single entry, it can not be helped that they may appear valid in the certificate list but are invalid for signing or encryption subkeys.
We display that here correct for the respective contexts.
Therefore closing,

ebo edited projects, added vsd32 (vsd-3.2.0); removed vsd32.