
Kleopatra: Review usage of Key::canEncrypt and replace with hasEncrypt where appropriate
Testing, Normal, Public

Description

If we are looking for a certificate which can be used for encryption (regardless of expiration, revocation, etc.), then we need to use the new Key::hasEncrypt (added with T6748) because Key::canEncrypt returns false for an expired OpenPGP certificate with encryption subkey and non-encryption primary key.

Similar problems could occur when looking for signing certificates or authentication certificates.

This task tracks the changes that are not directly related to T6743: Libkleo Keyresolver: check for existing encryption subkey instead valid one, as first step.
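The distinction described above, as an added example that is not code from Kleopatra, libkleo or GpgME++: a simplified model that separates "has an encryption-capable (sub)key" from "may be used for encryption right now". All type and function names here are hypothetical, and the behaviour of `canEncryptModel` is an assumption inferred from the one case the description states.

```cpp
#include <algorithm>
#include <vector>

// Simplified model for illustration; these are not GpgME++ or libkleo types.
struct SubkeyModel {
    bool encryptFlag;  // "encrypt" key-usage flag is set
    bool expired;
    bool revoked;
    bool usable() const { return !expired && !revoked; }
};

struct KeyModel {
    std::vector<SubkeyModel> subkeys;  // subkeys[0] models the primary key

    // Capability only, ignoring expiration and revocation: the question the
    // task wants Key::hasEncrypt to answer.
    bool hasEncryptModel() const {
        return std::any_of(subkeys.begin(), subkeys.end(),
                           [](const SubkeyModel &s) { return s.encryptFlag; });
    }
    // Assumed stand-in for Key::canEncrypt: the primary key's flag counts on
    // its own, a subkey counts only while it is usable.
    bool canEncryptModel() const {
        if (subkeys.empty()) return false;
        if (subkeys.front().encryptFlag) return true;
        return std::any_of(subkeys.begin() + 1, subkeys.end(),
                           [](const SubkeyModel &s) { return s.encryptFlag && s.usable(); });
    }
    // Validity gate a caller still needs before actually encrypting.
    bool hasUsableEncryptSubkey() const {
        return std::any_of(subkeys.begin(), subkeys.end(),
                           [](const SubkeyModel &s) { return s.encryptFlag && s.usable(); });
    }
};

enum class EncryptUse { NotAnEncryptionKey, ListedButUnusable, Usable };

// Select by capability first, then report validity separately, so an expired
// encryption certificate is recognised as such instead of silently vanishing.
EncryptUse classify(const KeyModel &k) {
    if (!k.hasEncryptModel()) return EncryptUse::NotAnEncryptionKey;
    return k.hasUsableEncryptSubkey() ? EncryptUse::Usable : EncryptUse::ListedButUnusable;
}

// Constructed sample keys: sign-only primary key plus optional encryption subkey.
KeyModel validKey()    { return KeyModel{{SubkeyModel{false, false, false}, SubkeyModel{true, false, false}}}; }
KeyModel expiredKey()  { return KeyModel{{SubkeyModel{false, true, false}, SubkeyModel{true, true, false}}}; }
KeyModel signOnlyKey() { return KeyModel{{SubkeyModel{false, false, false}}}; }
```
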

Event Timeline

ikloecker triaged this task as Normal priority.
ikloecker created this task.

The changes are best reviewed by a developer to check that I didn't make a mistake when I replaced usage of the canSign, canEncrypt, etc. methods with the new hasSign, hasEncrypt, etc. methods or the corresponding compatibility helpers keyHasSign, etc.

ikloecker mentioned this in Unknown Object (Event). Oct 16 2023, 10:17 AM
ikloecker changed the task status from Open to Testing. Oct 31 2023, 9:26 AM
ikloecker removed ikloecker as the assignee of this task.

The changes affect:

  • State of "Clipboard -> OpenPGP Sign" action in tray icon context menu
  • Selection of signing key in "OpenPGP Sign Clipboard" dialog
  • Selection of encryption key in "Sign/Encrypt" via dialog
  • Selection of recipients in "Encrypt Clipboard" dialog
  • Usage information in tool tips for certificates in main certificate list

In the above cases, expired keys with sign/encrypt subkeys but without sign/encrypt primary key may now be selectable as sign/encrypt keys. And the usage info in the tool tips should show the capabilities even for expired keys.

Nothing should have changed compared to before here:

  • Selection of certification key in Certify dialogs
  • State of "Revoke User ID" button/context menu entry in Certificate Details dialog
  • Write certificate to PIV card
  • Key selection when writing key to PIV card