Page MenuHome GnuPG
Create Task
Maniphest T6950

Kleopatra: Usability improvements for directory services configuration
Testing, NormalPublic
Actions

Description

  • Make a group out of OpenPGP keyserver.
  • As a first item in the Group add a label "Please note that there can only be one OpenPGP keyserver configured at at time"
  • Add a checkbox "do not use OpenPGP keyserver (which internally will set the value to none)" to finish up: T6761: Kleopatra: Handle special keyserver value "none" T6708: Allow to inhibit the use of a default PGP keyserver
  • Add a checkbox "Search missing signing keys when verifying a signature" to add "auto-key-retrieve" to the gpg.conf
  • Show an error when adding HKP servers as an S/MIME server.
  • (optional) Fix display / give an indication for misconfigured keyservers. Optional because I am not sure if we even get a useful result from gpgconf in that case.

The original report was:

I have recently upgraded to version 4.2 and discovered that Kleopatra has a problem related to keyservers configuration.
Settings -> Configure Kleopatra -> Directory services
I manually added several HKP keyservers (the same as I use in my Enigmail).
The next time I opened this configuration I saw an empty list.
Not totally empty, there were several entries, but without any text.


I can press "Edit" on such an entry, which opens an edit window with an empty serverl URL field.
The connection security radio box however seems to have the value I set when adding.

Note: tested on a Win7 VM.

As such I am uncertain what keyserver(s) Kleopatra would use when searching or uploading keys.
Apparently a key upload works though.

P.S.
why the keyserver suggestion is specifically from ubuntu?

Details

Version
gpg4win 4.2

Revisions and Commits

rLIBKLEO Libkleo
rLIBKLEO4fa0e44cd855 Try to prevent some invalid LDAP servers
rLIBKLEO6940c0b9608f Try to prevent some invalid LDAP servers
rLIBKLEOcad37df87718 Try to prevent some invalid LDAP servers
rKLEOPATRA Kleopatra
rKLEOPATRAf9558ff42b8b Add checkbox for enabling/disabling keyserver
rKLEOPATRAd119e96dc75f Add config for automatic key retrieval
rKLEOPATRA107d0af664de Add OpenPGP group and info label
rKLEOPATRA41537d827d39 Add checkbox for enabling/disabling keyserver
rKLEOPATRAeb2e8441702a Add config for automatic key retrieval
rKLEOPATRA4f2f29c89239 Add OpenPGP group and info label
rKLEOPATRA104b4d336261 Add config for automatic key retrieval
rKLEOPATRAb72ea1cf9edc Add checkbox for enabling/disabling keyserver
rKLEOPATRA7a4b5aa7da90 Add OpenPGP group and info label
rKLEOPATRA6ebfdb4058b9 Add config for automatic key retrieval
rKLEOPATRAb91e9059024e Add checkbox for enabling/disabling keyserver
rKLEOPATRA337ecd522482 Add OpenPGP group and info label
rKLEOPATRA6de451d9aedd Add config for automatic key retrieval
rKLEOPATRAd768287243fc Add checkbox for enabling/disabling keyserver
rKLEOPATRA97d3b64b792d Add OpenPGP group and info label

Related Objects

Event Timeline

andreisrr created this task.Jan 19 2024, 2:32 PM
ikloecker added a subscriber: ikloecker.Jan 19 2024, 8:35 PM

Under "X.509 Directory Services" you can add "key servers" for X.509 certificates (aka CMS certificates, vulgo S/MIME certificates). For OpenPGP only a single OpenPGP server can be entered. The suggestion is the Ubuntu key server because it is/was one of very few reliable key servers.

This is more a support request than a bug report. Please use the gpg4win forum in the future.

andreisrr added a comment.Jan 19 2024, 9:02 PM

Is the lack of display of entries in the listbox proper functionality?

Why the limitation to a single OpenPGP keyserver?
And if such a limitation exists, the UI certainly did not tell the user
when attempting to add a second hkp:// URL

I am asking these from the issue/bug angle.

Thank you

aheinecke triaged this task as Wishlist priority.Jan 19 2024, 9:13 PM
aheinecke added a subscriber: aheinecke.

This is not the first time I saw that users are confused by this. My wish would be to change the label of the Group at least to "S/MIME (X509) Directory Services"

@andreisrr do you have any suggestions

The Ticket for me is otherwise the following:

aheinecke raised the priority of this task from Wishlist to Normal.Jan 19 2024, 9:16 PM
aheinecke added a project: Restricted Project.

Oh These are good points

In T6950#181673, @andreisrr wrote:

Is the lack of display of entries in the listbox proper functionality?

No that is a bug, So i moved this from wishlist to normal prio.

Why the limitation to a single OpenPGP keyserver?

Because otherwise the UI will get confusing if you get the same key e.g. from multiple keyservers And it is AFAIK a limitation of GnuPG. We could use a keyserver with a DNS entry again which randomly selects a keyserver? To avoid always using the same one.

And if such a limitation exists, the UI certainly did not tell the user
when attempting to add a second hkp:// URL

I am asking these from the issue/bug angle.

Yes, that should be fixed, too.

Thanks.

aheinecke renamed this task from Kleopatra directory services - erroneous items to Kleopatra: Usability improvements for directory services configuration.Jan 19 2024, 9:17 PM

I renamed the task accoringly.

aheinecke updated the task description. (Show Details)Jan 19 2024, 9:20 PM
andreisrr added a comment.Jan 19 2024, 9:39 PM

My suggestion would be the following:

To avoid any confusions, I would create separate tabs for X.509 and for
OpenPGP. (like under Appearance or GnuPG)
Even a grouping for the OpenPGP keyserver part of settings is still
quite a subtle distinction.

A checkbox "do not user keyserver" with the described intent is ok, and
in the configuration page, the rest of the fields should be disabled
when unchecked.

On the other hand, the use of multiple OpenPGP keyservers should be
possible, but I guess this should go to a feature request.

aheinecke mentioned this in T6708: Allow to inhibit the use of a default PGP keyserver.Jan 19 2024, 9:39 PM
andreisrr added a comment.Jan 19 2024, 9:49 PM
Why the limitation to a single OpenPGP keyserver?

Because otherwise the UI will get confusing if you get the same key
e.g. from multiple keyservers And it is AFAIK a limitation of GnuPG.
We could use a keyserver with a DNS entry again which randomly selects
a keyserver? To avoid always using the same one.

Actually, when having multiple keyservers, the following would work:

  • have multiple keyservers configured
  • when uploading a key, have a dropdown list to select to which server

you want to upload

  • when searching, have a dropdown list to select which server is queried.

(other scenarios of querying multiple keyservers would complicate things
significantly)

Rather then a user choice at action time, all these can be acomplished
at this time by manually changing the configuration between actions by
reconfiguring the single keyserver. But this is a much more cumbersome
way of doing it.

And if such a limitation exists, the UI certainly did not tell the
user
when attempting to add a second hkp:// URL

I am asking these from the issue/bug angle.

Yes, that should be fixed, too.

Thanks.

*TASK DETAIL*
https://dev.gnupg.org/T6950

*EMAIL PREFERENCES*
https://dev.gnupg.org/settings/panel/emailpreferences/

*To: *aheinecke
*Cc: *aheinecke, ikloecker, andreisrr, nourman1, Neurone, Rafixmod,

ccharabaruk, gp_ast

This is an automated email from the GnuPG development hub. If you have
registered in the past at https://bugs.gnupg.org/ your account was
migrated automatically. You can visit https://dev.gnupg.org/ to set a
new password and update your email preferences.

TobiasFella added a commit: rKLEOPATRA97d3b64b792d: Add OpenPGP group and info label.Apr 4 2024, 9:46 AM
TobiasFella added a commit: rKLEOPATRAd768287243fc: Add checkbox for enabling/disabling keyserver.
TobiasFella added a commit: rKLEOPATRA6de451d9aedd: Add config for automatic key retrieval.
TobiasFella added a commit: rKLEOPATRA337ecd522482: Add OpenPGP group and info label.Apr 4 2024, 10:17 AM
TobiasFella added a commit: rKLEOPATRAb91e9059024e: Add checkbox for enabling/disabling keyserver.
TobiasFella added a commit: rKLEOPATRA6ebfdb4058b9: Add config for automatic key retrieval.
TobiasFella added a commit: rKLEOPATRA7a4b5aa7da90: Add OpenPGP group and info label.Apr 4 2024, 2:44 PM
TobiasFella added a commit: rKLEOPATRAb72ea1cf9edc: Add checkbox for enabling/disabling keyserver.
TobiasFella added a commit: rKLEOPATRA104b4d336261: Add config for automatic key retrieval.
TobiasFella added a commit: rLIBKLEOcad37df87718: Try to prevent some invalid LDAP servers.Apr 4 2024, 4:36 PM
TobiasFella added a commit: rKLEOPATRA4f2f29c89239: Add OpenPGP group and info label.Apr 4 2024, 4:42 PM
TobiasFella added a commit: rKLEOPATRA41537d827d39: Add checkbox for enabling/disabling keyserver.
TobiasFella added a commit: rKLEOPATRAeb2e8441702a: Add config for automatic key retrieval.
TobiasFella claimed this task.Apr 5 2024, 10:34 AM
TobiasFella moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
TobiasFella added a commit: rLIBKLEO6940c0b9608f: Try to prevent some invalid LDAP servers.Apr 8 2024, 1:47 PM
ikloecker added a commit: rLIBKLEO4fa0e44cd855: Try to prevent some invalid LDAP servers.May 2 2024, 3:30 PM
ikloecker added a commit: rKLEOPATRA107d0af664de: Add OpenPGP group and info label.May 6 2024, 5:07 PM
ikloecker added a commit: rKLEOPATRAf9558ff42b8b: Add checkbox for enabling/disabling keyserver.
ikloecker added a commit: rKLEOPATRAd119e96dc75f: Add config for automatic key retrieval.
ikloecker added a project: vsd33.May 7 2024, 9:41 AM
ikloecker moved this task from Backlog to WiP on the vsd33 board.
TobiasFella changed the task status from Open to Testing.Aug 8 2024, 10:53 AM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Oct 1 2024, 3:55 PM
ikloecker mentioned this in T7395: Prepare Release Notes for Gpg4win 4.4.0 for Kleopatra.Wed, Nov 13, 5:04 PM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Thu, Nov 21, 12:20 PM
ebo added a subscriber: ebo.

tested with Gpg4win-Beta-75++

Looks like this now:

All done except giving a hint for a misconfigured ldapserver. But I did not encounter display of an empty line for an entry.
Should somebody encounter that issue, please open a new ticket with a description on how to reproduce this.