
Kleopatra: Handle special keyserver value "none"
Closed, Resolved, Public

Description

dirmngr supports the special value "none" for the key server to disable the fallback to the default key server (T6708). Kleopatra needs to handle this value in a few places to avoid confusing error messages.

Edit: WKD search related changes are tracked in T6868, including:

  • Search function: Using the "lookup on server" function with "none" set as keyserver causes a pop-up error window (but title is "Information") to appear which has to be recognized with OK before the results of the WKD search will be displayed. The message is "Suche auf Zertifikatsserver fehlgeschlagen. Die Fehlermeldung lautet: Kein Schlüsselserver verfügbar". (For wishes on improvements to the search dialog see T6493, too)

Cases to be fixed and tracked here:

  • Give error message in case:
    • Export OpenPGP key to key server
    • Search is used while keyserver is "none" and no S/MIME directory is configured
    • Refresh OpenPGP keys
  • Avoid changing value "none" to "hkps://none"

Details

Version
VS-Desktop-3.1.90.246-Beta

Event Timeline

ebo set Version to VS-Desktop-3.1.90.246-Beta.
aheinecke added a subscriber: aheinecke.

This issue might be a bit too general; some things like avoiding bad error messages are more important than a fully nice solution. A nice solution IMO would make all the "publish on keyserver" actions / checkboxes invisible in that case. If a restart is required when the setting changes, that is ok in my book because the way we use "none" is intended that our entry level packages have "none" defined in the global config. Of course if a user then manually enters a value when none is set we would also need to bring up a message box stating that a restart is required for the change to take effect.

Mh, let us concentrate in here on error messages. I was thinking "but what about disable-dirmngr in the settings" then all publish / refresh / receive actions should be disabled or invisible. So that is better something for a different task.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker changed the task status from Open to Testing. Dec 6 2023, 9:30 AM

The following operations were changed:

  • Export OpenPGP key to key server now shows an error if key server is set to "none".
  • Refresh OpenPGP keys now shows an error if key server is set to "none".
  • If key server is set to "none" and no S/MIME directory servers are configured then you'll get an error when you try Lookup on Server.
  • Kleopatra no longer stores the special value "none" as "hkps://none".

Cross-check that the above operations still work if you either set no key server (so that the internal default is used) or a working key server.

ebo changed the task status from Testing to Open. Dec 6 2023, 10:21 AM

This is not as intended. When doing a search, we wanted no error message and only WKD search should be executed.

Likewise, refresh should then only search for WKD.

In T6761#179919, @ebo wrote:

This is not as intended. When doing a search, we wanted no error message and only WKD search should be executed.

I haven't touched this code or the error message. All I did is make the function hasKeyserverConfigured() return false if the key server has been disabled explicitly with "none". This does now trigger the error message which wasn't triggered before because gpg always used the default key server if no key server was configured.

Likewise, refresh should then only search for WKD.

I was talking about "Refresh OpenPGP Keys". This functionality has always simply called gpg --refresh-keys which knows nothing about WKD.
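The three cases this thread distinguishes (no key server set, a real key server, and the special value "none"), as an added sketch that is not Kleopatra's or dirmngr's code. All function and type names are hypothetical, and two things are assumptions: that "none" is matched exactly in lowercase, and that "hkps://" is the scheme prepended to scheme-less host names.

```cpp
#include <string>

// Hypothetical names throughout; illustration only, not Kleopatra's code.
enum class KeyserverMode { UseDefault, Disabled, Configured };

// Strip leading/trailing ASCII whitespace from a config value.
static std::string trim(const std::string &s)
{
    const auto first = s.find_first_not_of(" \t\r\n");
    if (first == std::string::npos) return {};
    const auto last = s.find_last_not_of(" \t\r\n");
    return s.substr(first, last - first + 1);
}

// Classify the raw value. Assumption: the special value is the exact
// lowercase word "none", the spelling used in this ticket.
KeyserverMode classifyKeyserver(const std::string &raw)
{
    const std::string v = trim(raw);
    if (v.empty()) return KeyserverMode::UseDefault; // internal default server is used
    if (v == "none") return KeyserverMode::Disabled; // fallback explicitly turned off
    return KeyserverMode::Configured;
}

// Value to write back to the configuration. Only real host names get the
// default scheme (assumed "hkps://"); "none" and the empty value pass
// through unchanged, so "none" never becomes "hkps://none".
std::string keyserverValueToStore(const std::string &raw)
{
    const std::string v = trim(raw);
    if (classifyKeyserver(v) != KeyserverMode::Configured) return v;
    if (v.find("://") != std::string::npos) return v; // scheme already present
    return "hkps://" + v;
}

// Whether export / refresh / lookup may contact a key server at all.
// An unset value still counts as usable because the default server applies.
bool keyserverLookupPossible(const std::string &raw)
{
    return classifyKeyserver(raw) != KeyserverMode::Disabled;
}
```

Once "none" has been rewritten to "hkps://none" it classifies as an ordinary configured server, so the disabled state is lost and lookups would target a host literally named "none".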

ikloecker changed the task status from Open to Testing. Dec 7 2023, 8:42 AM

I had a quick look at "Lookup on Server" with regard to doing WKD even if no key servers (neither for OpenPGP nor for S/MIME) are configured. This requires more work because WKD lookup is only possible if an email address is entered while key server lookup also works for arbitrary search terms. The users have to be informed about this restriction which is out of scope of this ticket. I think this fits nicely into T6493.

Yes, it was not my intention that WKD should not work when searching for keys when keyserver is None. Although such a search could be handled by just entering the email address in the recipient dialog in the file encryption widget to trigger a locate key, or in the case of GpgOL by entering the recipient mail, I think that feature is very hidden / not really discoverable for users. And yes, an improvement for the search window in that case would be to then switch to "Enter Email" and use an email validator on the input field, for example. So let us handle this as part of T6493.

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Dec 7 2023, 10:27 AM

@aheinecke For Gpg4win I do not have a suitable test version yet.

In VSD 3.2.0/3.2.1 the fixes from this ticket are not included.

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Jan 23 2024, 12:47 PM

For VSD, at least no info message should be shown - which has to be clicked away - when keyserver is set to "None".

I have backported the relevant commits to gpg4win/23.10 for VSD 3.2. I left out the commit that adds a tooltip.

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Mar 8 2024, 4:36 PM

With version 3.2.2.231170+git~ (Gpg4win-4.3.1-beta12):

  • no error message any more with keyserver = none
  • correct error message when choosing "publish on server"

But in the case "Refresh OpenPGP keys" (in Kleopatra's certificate Details) there is no error message but instead ~"the key is unchanged".

In T6761#183780, @ebo wrote:

But in the case "Refresh OpenPGP keys" (in Kleopatra's certificate Details) there is no error message but instead ~"the key is unchanged".

It seems that gpgme doesn't report an error if no keyserver is defined. -> T7036: gpgme: gpgme_op_receive_keys does not return an error if keyserver lookup is disabled

And that Kleopatra attempts a keyserver lookup for keyserver none is handled by T7037: Kleopatra: Handle disabled keyserver when updating a certificate.

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

OK, then I set this ticket to resolved, as it now works in version VS-Desktop-3.1.92.39-Beta as far as in Gpg4win.
That is, only the "Refresh Keys" does not work yet, which we now track in the above-mentioned tickets T7036 and T7037.

ebo moved this task from WiP to vsd-3.2.0 on the vsd32 board.
ebo edited projects, added vsd32 (vsd-3.2.0); removed vsd32.

Note to self: The error message that nothing was found on the keyserver will still come up if one is configured. That will be fixed with T6493.