
Draft: Kleopatra: Improve verification results messages (especially in case of invalid signature)
Open, Wishlist, Public

Description

This is the validation result if you sign a file and after that change its content:

I think the wording could be improved. We should at least add some more information, as IMHO for a user the combination of "The signature is VS-NfD compliant" and "The signature is invalid: Invalid Signature" is contradictory. It is also linguistically ugly with the doubling of "invalid".

Edit (2024-06-18):

We decided to overhaul the message completely, not only for invalid signatures, but for the valid ones, too, and for combined decrypt/verify.
The details still have to be decided.

Event Timeline

ebo triaged this task as Wishlist priority. Dec 8 2023, 3:02 PM
ebo created this task.

The part after the colon in "The signature is invalid: Invalid Signature" is the error returned by gpg that's responsible for the invalid signature. It could potentially be some other reason. Of course, we can simply not show the error anymore. Obviously, this would remove some details, but maybe that's okay. People could still look at the audit protocol for further information.

I don't really think it's a good idea to speculate about the reason for the invalid signature. An invalid signature has to raise a red flag. Always. If people start to ignore invalid signatures then all hope is lost.

It is trivial to append a bogus signature and would thus inhibit checking the expected signature.

In reply to Ingo:
Ok, I can live with that but I still would like this message to be improved.
Looking at it some more I noticed some other details which bother me:

a) In contrast to a "Valid Signature" message (which seems to be always on a new line), there is no line break before "Invalid Signature"
b) The text continues in the new paragraph with "With certificate:". But there is no line "Signature created on $DATE" before that which makes the meaning unclear. Could we print that line here, too? And only prepend it with "Invalid" to not cause confusion? -> "Invalid signature created on $DATE"
c) Red text on a red tinted background is not really good for a11y …

A minimal fix would be:

  • Line break before the "Invalid Signature" (so it's the same formatting as with valid signatures)
  • Then after the space a line "Invalid Signature with the certificate:"
  • Delete the lines below the certificate.

But we decided to wait and completely rework those messages (invalid and valid) and make them better to grasp at a glance.
To be continued…

ebo renamed this task from Kleopatra: Improve information in case of invalid signature to Draft: Kleopatra: Improve verification results messages (especially in case of invalid signature). Jun 18 2024, 2:46 PM
ebo updated the task description.
ebo added a subscriber: alexk.