Page MenuHome GnuPG

Draft: Kleopatra: Improve verification results messages (especially in case of invalid signature)
Open, WishlistPublic


This is the validation result if you sign a file and after that change its content:

I think the wording could be improved. We should at least add some more information, as IMHO for a user the combination of "The signature is VS-NfD compliant" and "The signature is invalid: Invalid Signature" is contradictory. As well as linguistically ugly with the doubling of "invalid".

Edit (2024-06-18):

We decided to overhaul the message completely, not only for invalid signatures, but for the valid ones, too and combined decrypt/verify.
The details have still to be decided.

Event Timeline

ebo triaged this task as Wishlist priority.Dec 8 2023, 3:02 PM
ebo created this task.

The part after the colon in "The signature is invalid: Invalid Signature" is the error returned by gpg that's responsible for the invalid signature. It could potentially be some other reason. Of course, we can simply not show the error anymore. Obviously, this would remove some details, but maybe that's okay. People could still look at the audit protocol for further information.

I don't really think it's a good idea to speculate about the reason for the invalid signature. An invalid signature has to raise a red flag. Always. If people start to ignore invalid signatures then all hope is lost.

It is trivial append a bogus signature and would thuns inhibit to check the expected signature.

In reply to Ingo:
Ok, I can live with that but I still would like this message to be improved.
Looking at it some more I noticed some other details which bother me:

a) In contrast to in a "Valid Signature" message (which seems to be always on a new line), there is no line break before "Invalid Signature"
b) The text continues in the new paragraph with "With certificate:". But there is no line "Signature created on $DATE" before that which makes the meaning unclear. Could we print that line here, too? And only prepend it with "Invalid" to not cause confusion? -> "Invalid signature created on $DATE"
c) Red text on a red tinted background is not really good for a11y …

A minimal fix would be:

  • Line break before the "Invalid Signature" (so it's the same formatting as with valid signatures)
  • Then after the space a line "Invalid Signature with the certificate:"
  • Delete the lines below the certificate.

But we decided to wait and completely rework those messages (invalid and valid) and make them better to grasp at a glance.
To be continued…

ebo renamed this task from Kleopatra: Improve information in case of invalid signature to Draft: Kleopatra: Improve verification results messages (especially in case of invalid signature).Jun 18 2024, 2:46 PM
ebo updated the task description. (Show Details)
ebo added a subscriber: alexk.