
Kleopatra: Usability improvements for directory services configuration
Open, NormalPublic

Description

  • Make a group out of OpenPGP keyserver.
  • As a first item in the Group add a label "Please note that there can only be one OpenPGP keyserver configured at a time"
  • Add a checkbox "do not use OpenPGP keyserver (which internally will set the value to none)" to finish up: T6761: Kleopatra: Handle special keyserver value "none" T6708: Allow to inhibit the use of a default PGP keyserver
  • Add a checkbox "Search missing signing keys when verifying a signature" to add "auto-key-retrieve" to the gpg.conf
  • Show an error when adding HKP servers as an S/MIME server.
  • (optional) Fix display / give an indication for misconfigured keyservers. Optional because I am not sure if we even get a useful result from gpgconf in that case.

The original report was:

I have recently upgraded to version 4.2 and discovered that Kleopatra has a problem related to keyservers configuration.
Settings -> Configure Kleopatra -> Directory services
I manually added several HKP keyservers (the same as I use in my Enigmail).
The next time I opened this configuration I saw an empty list.
Not totally empty, there were several entries, but without any text.


I can press "Edit" on such an entry, which opens an edit window with an empty server URL field.
The connection security radio box however seems to have the value I set when adding.

Note: tested on a Win7 VM.

As such I am uncertain what keyserver(s) Kleopatra would use when searching or uploading keys.
Apparently a key upload works though.

P.S.
why the keyserver suggestion is specifically from ubuntu?
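The checks the task list above asks Kleopatra to enforce (one OpenPGP keyserver or the special value "none", no HKP servers in the S/MIME list, no blank rows like the ones in the original report), written out as a small offline validator that also renders the resulting gpg.conf and dirmngr.conf lines. This is an added example and not code from Kleopatra or GnuPG; the `DirectoryServices` structure, the scheme lists, the messages and the sample URLs (constructed, using the servers named in this task) are this example's own assumptions.

```python
"""Offline checks for a Kleopatra-style directory-services configuration.

Rules encoded here, as requested in the task description:
  * at most one OpenPGP keyserver, or the special value "none"
  * an S/MIME (X.509) directory service must be LDAP, never an HKP keyserver
  * entries with no URL (the blank rows from the original report) are errors
Scheme sets, messages and the data structure are this example's own choices,
not Kleopatra's or GnuPG's.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlsplit

OPENPGP_SCHEMES = {"hkp", "hkps"}   # keyservers dirmngr talks to for OpenPGP
X509_SCHEMES = {"ldap", "ldaps"}    # directory services for S/MIME certificates
NO_KEYSERVER = "none"               # special value from T6761 / T6708


@dataclass
class DirectoryServices:
    openpgp_keyservers: list[str] = field(default_factory=list)
    x509_servers: list[str] = field(default_factory=list)
    auto_key_retrieve: bool = False


def _scheme(url: str) -> str:
    return urlsplit(url).scheme.lower()


def validate(cfg: DirectoryServices) -> list[str]:
    """Return human-readable problems; an empty list means the config is sane."""
    problems: list[str] = []

    pgp = [u.strip() for u in cfg.openpgp_keyservers]
    if any(not u for u in pgp):
        problems.append("OpenPGP: an entry has no URL (blank row)")
    pgp = [u for u in pgp if u]
    if len(pgp) > 1:
        problems.append(
            f"OpenPGP: only one keyserver can be configured at a time, got {len(pgp)}")
    for u in pgp:
        if u == NO_KEYSERVER:
            continue  # explicit opt-out, nothing further to check
        if _scheme(u) not in OPENPGP_SCHEMES or not urlsplit(u).hostname:
            problems.append(f"OpenPGP: {u!r} is not an hkp(s):// keyserver URL")

    for raw in cfg.x509_servers:
        u = raw.strip()
        if not u:
            problems.append("S/MIME: an entry has no URL (blank row)")
            continue
        s = _scheme(u)
        if s in OPENPGP_SCHEMES:
            problems.append(
                f"S/MIME: {u!r} is an HKP keyserver; X.509 directory services must be LDAP")
        elif s not in X509_SCHEMES or not urlsplit(u).hostname:
            problems.append(f"S/MIME: {u!r} is not an ldap(s):// URL")
    return problems


def render(cfg: DirectoryServices) -> dict[str, str]:
    """Config fragments for a validated configuration.

    The OpenPGP keyserver is a dirmngr option; auto-key-retrieve is a gpg option.
    LDAP servers are only validated: they go into dirmngr's ldapserver option,
    whose syntax this example does not reproduce.
    """
    pgp = [u.strip() for u in cfg.openpgp_keyservers if u.strip()]
    dirmngr = f"keyserver {pgp[0]}\n" if pgp else ""
    gpg = "auto-key-retrieve\n" if cfg.auto_key_retrieve else ""
    return {"dirmngr.conf": dirmngr, "gpg.conf": gpg}


if __name__ == "__main__":
    # Constructed sample mirroring the original report: HKP servers added as
    # if they were X.509 directory services, a blank row, two OpenPGP servers.
    bad = DirectoryServices(
        openpgp_keyservers=["hkps://keys.openpgp.org", "hkp://keyserver.ubuntu.com"],
        x509_servers=["hkp://keyserver.ubuntu.com", "ldaps://ldap.example.org", ""],
    )
    for p in validate(bad):
        print("error:", p)

    good = DirectoryServices(["none"], ["ldaps://ldap.example.org"], auto_key_retrieve=True)
    assert not validate(good)
    for name, body in render(good).items():
        print(f"--- {name}\n{body}", end="")
```

The live value dirmngr is actually using can be read with `gpgconf --list-options dirmngr` and compared against what the Kleopatra dialog shows; in a situation like the original report, where the list rows are blank, that is the only way to know which server uploads and searches really go to.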

Details

Version
gpg4win 4.2

Event Timeline

Under "X.509 Directory Services" you can add "key servers" for X.509 certificates (aka CMS certificates, vulgo S/MIME certificates). For OpenPGP only a single OpenPGP server can be entered. The suggestion is the Ubuntu key server because it is/was one of very few reliable key servers.

This is more a support request than a bug report. Please use the gpg4win forum in the future.

Is the lack of display of entries in the listbox proper functionality?

Why the limitation to a single OpenPGP keyserver?
And if such a limitation exists, the UI certainly did not tell the user
when attempting to add a second hkp:// URL

I am asking these from the issue/bug angle.

Thank you

aheinecke triaged this task as Wishlist priority. Jan 19 2024, 9:13 PM
aheinecke added a subscriber: aheinecke.

This is not the first time I have seen users confused by this. My wish would be to change the label of the Group at least to "S/MIME (X509) Directory Services".

@andreisrr do you have any suggestions

The Ticket for me is otherwise the following:

aheinecke raised the priority of this task from Wishlist to Normal. Jan 19 2024, 9:16 PM
aheinecke added a project: Restricted Project.

Oh, these are good points.

Is the lack of display of entries in the listbox proper functionality?

No, that is a bug, so I moved this from wishlist to normal prio.

Why the limitation to a single OpenPGP keyserver?

Because otherwise the UI will get confusing if you get the same key e.g. from multiple keyservers. And it is AFAIK a limitation of GnuPG. We could use a keyserver with a DNS entry again which randomly selects a keyserver? To avoid always using the same one.

And if such a limitation exists, the UI certainly did not tell the user
when attempting to add a second hkp:// URL

I am asking these from the issue/bug angle.

Yes, that should be fixed, too.

Thanks.

aheinecke renamed this task from Kleopatra directory services - erroneous items to Kleopatra: Usability improvements for directory services configuration. Jan 19 2024, 9:17 PM

I renamed the task accordingly.

My suggestion would be the following:

To avoid any confusions, I would create separate tabs for X.509 and for OpenPGP (like under Appearance or GnuPG). Even a grouping for the OpenPGP keyserver part of settings is still quite a subtle distinction.

A checkbox "do not use keyserver" with the described intent is ok, and in the configuration page, the rest of the fields should be disabled when unchecked.

On the other hand, the use of multiple OpenPGP keyservers should be possible, but I guess this should go to a feature request.

Why the limitation to a single OpenPGP keyserver?

Because otherwise the UI will get confusing if you get the same key e.g. from multiple keyservers. And it is AFAIK a limitation of GnuPG. We could use a keyserver with a DNS entry again which randomly selects a keyserver? To avoid always using the same one.

Actually, when having multiple keyservers, the following would work:

  • have multiple keyservers configured
  • when uploading a key, have a dropdown list to select to which server you want to upload
  • when searching, have a dropdown list to select which server is queried.

(other scenarios of querying multiple keyservers would complicate things significantly)

Rather than a user choice at action time, all these can be accomplished at this time by manually changing the configuration between actions by reconfiguring the single keyserver. But this is a much more cumbersome way of doing it.

And if such a limitation exists, the UI certainly did not tell the user when attempting to add a second hkp:// URL

I am asking these from the issue/bug angle.

Yes, that should be fixed, too.

Thanks.

*TASK DETAIL*
https://dev.gnupg.org/T6950

TobiasFella moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.