Page MenuHome GnuPG
Create Task
Maniphest T6879

Kleopatra: Add support for adding an ADSK
Testing, NormalPublic
Actions

Description

So we now have deployed the ADSK feature in 3.2 https://gnupg.org/blog/20230321-adsk.html so we can assume that for 3.3 a lot of clients will have support for that.

In Kleopatra the UI needs to be different from just adding a General subkey though, you basically need a certificate line edit to select a public certificate which should be used as ADSK and clearly indicate "Warning: Every client with support for this will additionally encrypt to this certificate. This means that every message you will receive can also be decrypted by "$Key".

Edit 2024-10-29: It was decided to drop the option to select the ADSK and instead take it from the gpg.conf configured ADSK for new keys. Plus error handling, see below.

Details

External Link
https://invent.kde.org/pim/kleopatra/-/merge_requests/88

Revisions and Commits

rKLEOPATRA Kleopatra
rKLEOPATRA9a520135ee6a Also allow setting an ADSK for gnupg versions >= 2.2.45 and < 2.3.0
rKLEOPATRAa2622ca36440 Also allow setting an ADSK for gnupg versions >= 2.2.45 and < 2.3.0
rKLEOPATRA14b7337b7ada Only show ADSK action when an ADSK is configured in gpg
rKLEOPATRA5b68849f60ad Show ADSK action for gpg > 2.4.5
rKLEOPATRA1066d4fa811b Show ADSK action for gpg > 2.4.5
rKLEOPATRA8cacef0344cd Only show ADSK action when an ADSK is configured in gpg
rKLEOPATRA5b1e1c9daffc Show ADSK action for gpg > 2.4.5
rKLEOPATRAc9c7e631a617 Show ADSK action for gpg > 2.4.5
rKLEOPATRAed5a68f51063 Only show ADSK action when an ADSK is configured in gpg
rKLEOPATRAf2fd3bfffb4e Implementing adding ADSKs

Related Objects
Search...

Event Timeline

aheinecke triaged this task as Normal priority.Dec 12 2023, 9:15 AM
aheinecke created this task.
aheinecke added a parent task: T6874: Kleopatra subkey management improvements.
aheinecke mentioned this in T6882: Make ADSK configurable for new keys.Dec 12 2023, 9:29 AM
TobiasFella moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Jan 3 2024, 2:29 PM
TobiasFella moved this task from Backlog to WiP on the vsd33 board.Feb 15 2024, 8:56 AM
werner moved this task from WiP to Backlog on the vsd33 board.Apr 30 2024, 2:47 PM
ikloecker set External Link to https://invent.kde.org/pim/kleopatra/-/merge_requests/88.May 8 2024, 10:12 AM
werner added a subscriber: werner.Jun 4 2024, 10:29 AM

Let us drop the option to select the ADSK and instead take them from the gpg.conf configured ADSK for new keys. Thus a simple dialog with a confirmation will be sufficient. We add some magic to gpgme to allow this with the adsk API. This solves the use-case to add ADSK to alread-existsing keys in the same way as they are added to new keys.

alexk added a subscriber: alexk.Jun 4 2024, 11:10 AM
alexk added a parent task: T6882: Make ADSK configurable for new keys.Jun 4 2024, 11:13 AM
ikloecker removed a parent task: T6882: Make ADSK configurable for new keys.Jun 4 2024, 1:40 PM
ikloecker added a subtask: T6882: Make ADSK configurable for new keys.
ikloecker added a subscriber: ikloecker.Jun 4 2024, 1:51 PM

Makes sense. Then default-new-key-adsk needs to be exported by gpgconf, so that gpgme/Kleopatra can use/show it.

ikloecker changed the status of subtask T6880: GPGME (++/qt): Add support for --quick-add-adsk from Open to Testing.Jun 7 2024, 2:47 PM
ikloecker mentioned this in T6880: GPGME (++/qt): Add support for --quick-add-adsk.
ebo added a subscriber: ebo.Jun 11 2024, 1:13 PM

Noticed when looking at the MR that there seems to be no error handling for the case that no ADSK is configured (or something is wrong with the configuration). At least I did not see any strings informing the user about an error.

Of course it would be much better to not display the "Add ADSK" action if there is no ADSK configured.
But Ingo said that Kleopatra does not know this, as gpgconf --list-options gpg does not provide this info.

Would it be possible to add this?
In that case we would only need to cover errors if the ADSK was not configured correctly (I assume gpg would return an appropriate error for this) or the configured certificate is not available. And we would not have to explain the action in more depth.

TobiasFella changed the task status from Open to Testing.Jun 24 2024, 9:50 AM
ikloecker changed the task status from Testing to Open.Jul 1 2024, 7:53 PM
ikloecker added a commit: rKLEOPATRAf2fd3bfffb4e: Implementing adding ADSKs.

The option "default-new-key-adsk" of gpg can now be read with Kleo::getCryptoConfigEntry, so that we can check if an ADSK is actually configured to decide whether it makes sense to offer the "Add ADSK" action.

@TobiasFella Please add such a check.

TobiasFella added a commit: rKLEOPATRAed5a68f51063: Only show ADSK action when an ADSK is configured in gpg.Jul 2 2024, 10:30 AM
TobiasFella added a commit: rKLEOPATRAc9c7e631a617: Show ADSK action for gpg > 2.4.5.
TobiasFella added a commit: rKLEOPATRA5b1e1c9daffc: Show ADSK action for gpg > 2.4.5.Jul 2 2024, 10:34 AM
TobiasFella added a commit: rKLEOPATRA8cacef0344cd: Only show ADSK action when an ADSK is configured in gpg.Jul 2 2024, 10:38 AM
TobiasFella added a commit: rKLEOPATRA1066d4fa811b: Show ADSK action for gpg > 2.4.5.
TobiasFella changed the task status from Open to Testing.Jul 2 2024, 11:37 AM

Done: https://invent.kde.org/pim/kleopatra/-/merge_requests/236

ebo changed the status of subtask T6882: Make ADSK configurable for new keys from Open to Testing.Aug 2 2024, 10:37 AM
ikloecker added a commit: rKLEOPATRA5b68849f60ad: Show ADSK action for gpg > 2.4.5.Aug 7 2024, 5:37 PM
ikloecker added a commit: rKLEOPATRA14b7337b7ada: Only show ADSK action when an ADSK is configured in gpg.
ikloecker added a comment.Sep 26 2024, 4:15 PM

The version check can now be extended to 2.2.45 <= gpg < 2.3.0.

TobiasFella added a commit: rKLEOPATRAa2622ca36440: Also allow setting an ADSK for gnupg versions >= 2.2.45 and < 2.3.0.Sep 27 2024, 10:00 AM
TobiasFella added a comment.Sep 27 2024, 10:01 AM

done: https://invent.kde.org/pim/kleopatra/-/merge_requests/285

ikloecker added a commit: rKLEOPATRA9a520135ee6a: Also allow setting an ADSK for gnupg versions >= 2.2.45 and < 2.3.0.Oct 2 2024, 3:07 PM
ikloecker moved this task from Backlog to WiP on the vsd33 board.Oct 2 2024, 3:10 PM

Backported for VSD 3.3

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Oct 17 2024, 9:28 AM
ebo updated the task description. (Show Details)Tue, Oct 29, 12:07 PM
werner closed subtask T6882: Make ADSK configurable for new keys as Resolved.Tue, Oct 29, 12:55 PM
ebo added a comment.Mon, Nov 4, 3:22 PM

Tested with 4win-beta-64. In the subkey tab of the details of a secret key there is now an option "Add ADSK" in the burgher menu, iff the option default-new-key-adsk is set.

Choosing this action you get first a warning window, then
-> with a correctly set "default-new-key-adsk" -> works:


although it will take some time untill the new subkey shows up
-> with the wrongly set option -> error window with "unusable public key" as reported by gpg

But I then changed the config back again to the original correct setting and tried this with another key:
-> Error message…

Cli: gpg> addadsk
Geben Sie den Fingerprint des ADSK an: CC5274CB8072E9778DADD15BCD573B2B0736643A
gpg: Schlüssel "CC5274CB8072E9778DADD15BCD573B2B0736643A!" nicht gefunden: Unbrauchbarer öffentlicher Schlüssel
gpg: Haben Sie den Fingerprint des Unterschlüssels angegeben?
Geben Sie den Fingerprint des ADSK an:

--> this is caused by gpg and will be fixed in the next Testbuild after Beta-70

ebo added a comment.Mon, Nov 11, 3:09 PM

It works in Gpg4win-Beta-75 to add the ADSK to more than one Key.

But if you want to add the ADSK subkey to the key where it is a normal subkey or which has that ADSK already: you get a success message, but no subkey is added.

I would expect an error message instead, as adding the same key twice will not work (and makes no sense anyway).
Maybe "Failed to add ADSK, this subkey already exists."

ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Mon, Nov 11, 3:37 PM

On the Cli, gpg does not give an error but an info message informing that the subkey already exists so there is no error message for Kleopatra to act on.

As the incorrect success message "ADSK added successfully." given by Kleopatra is not seriously wrong, we decided to leave it for now.

ebo closed subtask T6880: GPGME (++/qt): Add support for --quick-add-adsk as Resolved.Mon, Nov 11, 3:42 PM
ikloecker mentioned this in T7395: Prepare Release Notes for Gpg4win 4.4.0 for Kleopatra.Wed, Nov 13, 5:04 PM