Page MenuHome GnuPG

Kleopatra: Usability improvements for directory services configuration
Testing, NormalPublic

Description

  • Make a group out of OpenPGP keyserver.
  • As a first item in the Group add a label "Please note that there can only be one OpenPGP keyserver configured at at time"
  • Add a checkbox "do not use OpenPGP keyserver (which internally will set the value to none)" to finish up: T6761: Kleopatra: Handle special keyserver value "none" T6708: Allow to inhibit the use of a default PGP keyserver
  • Add a checkbox "Search missing signing keys when verifying a signature" to add "auto-key-retrieve" to the gpg.conf
  • Show an error when adding HKP servers as an S/MIME server.
  • (optional) Fix display / give an indication for misconfigured keyservers. Optional because I am not sure if we even get a useful result from gpgconf in that case.

The original report was:

I have recently upgraded to version 4.2 and discovered that Kleopatra has a problem related to keyservers configuration.
Settings -> Configure Kleopatra -> Directory services
I manually added several HKP keyservers (the same as I use in my Enigmail).
The next time I opened this configuration I saw an empty list.
Not totally empty, there were several entries, but without any text.


I can press "Edit" on such an entry, which opens an edit window with an empty serverl URL field.
The connection security radio box however seems to have the value I set when adding.

Note: tested on a Win7 VM.

As such I am uncertain what keyserver(s) Kleopatra would use when searching or uploading keys.
Apparently a key upload works though.

P.S.
why the keyserver suggestion is specifically from ubuntu?

Details

Version
gpg4win 4.2

Event Timeline

Under "X.509 Directory Services" you can add "key servers" for X.509 certificates (aka CMS certificates, vulgo S/MIME certificates). For OpenPGP only a single OpenPGP server can be entered. The suggestion is the Ubuntu key server because it is/was one of very few reliable key servers.

This is more a support request than a bug report. Please use the gpg4win forum in the future.

Is the lack of display of entries in the listbox proper functionality?

Why the limitation to a single OpenPGP keyserver?
And if such a limitation exists, the UI certainly did not tell the user
when attempting to add a second hkp:// URL

I am asking these from the issue/bug angle.

Thank you

aheinecke triaged this task as Wishlist priority.Jan 19 2024, 9:13 PM
aheinecke added a subscriber: aheinecke.

This is not the first time I saw that users are confused by this. My wish would be to change the label of the Group at least to "S/MIME (X509) Directory Services"

@andreisrr do you have any suggestions

The Ticket for me is otherwise the following:

aheinecke raised the priority of this task from Wishlist to Normal.Jan 19 2024, 9:16 PM
aheinecke added a project: Restricted Project.

Oh These are good points

Is the lack of display of entries in the listbox proper functionality?

No that is a bug, So i moved this from wishlist to normal prio.

Why the limitation to a single OpenPGP keyserver?

Because otherwise the UI will get confusing if you get the same key e.g. from multiple keyservers And it is AFAIK a limitation of GnuPG. We could use a keyserver with a DNS entry again which randomly selects a keyserver? To avoid always using the same one.

And if such a limitation exists, the UI certainly did not tell the user
when attempting to add a second hkp:// URL

I am asking these from the issue/bug angle.

Yes, that should be fixed, too.

Thanks.

aheinecke renamed this task from Kleopatra directory services - erroneous items to Kleopatra: Usability improvements for directory services configuration.Jan 19 2024, 9:17 PM

I renamed the task accoringly.

My suggestion would be the following:

To avoid any confusions, I would create separate tabs for X.509 and for
OpenPGP. (like under Appearance or GnuPG)
Even a grouping for the OpenPGP keyserver part of settings is still
quite a subtle distinction.

A checkbox "do not user keyserver" with the described intent is ok, and
in the configuration page, the rest of the fields should be disabled
when unchecked.

On the other hand, the use of multiple OpenPGP keyservers should be
possible, but I guess this should go to a feature request.

Why the limitation to a single OpenPGP keyserver?

Because otherwise the UI will get confusing if you get the same key
e.g. from multiple keyservers And it is AFAIK a limitation of GnuPG.
We could use a keyserver with a DNS entry again which randomly selects
a keyserver? To avoid always using the same one.

Actually, when having multiple keyservers, the following would work:

  • have multiple keyservers configured
  • when uploading a key, have a dropdown list to select to which server

you want to upload

  • when searching, have a dropdown list to select which server is queried.

(other scenarios of querying multiple keyservers would complicate things
significantly)

Rather then a user choice at action time, all these can be acomplished
at this time by manually changing the configuration between actions by
reconfiguring the single keyserver. But this is a much more cumbersome
way of doing it.

And if such a limitation exists, the UI certainly did not tell the
user
when attempting to add a second hkp:// URL

I am asking these from the issue/bug angle.

Yes, that should be fixed, too.

Thanks.

*TASK DETAIL*
https://dev.gnupg.org/T6950

*EMAIL PREFERENCES*
https://dev.gnupg.org/settings/panel/emailpreferences/

*To: *aheinecke
*Cc: *aheinecke, ikloecker, andreisrr, nourman1, Neurone, Rafixmod,

ccharabaruk, gp_ast

This is an automated email from the GnuPG development hub. If you have
registered in the past at https://bugs.gnupg.org/ your account was
migrated automatically. You can visit https://dev.gnupg.org/ to set a
new password and update your email preferences.

TobiasFella moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
TobiasFella changed the task status from Open to Testing.Aug 8 2024, 10:53 AM
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Oct 1 2024, 3:55 PM