
Kleopatra: Show which certificates in a group are not usable for encryption
Closed, Resolved · Public

Description

If encryption to a group fails (or even when creating a group) we need to make it easy for the users to check why they cannot encrypt to a group. They need to see which key is to blame.

The "Edit Group" window would be a good place for that. Problems would become visible immediately on creation of the group. If a key in the group expires later and encryption to the group does not work any more, the user could then check the group menu.

Let's add a column "encryption possible" (name could be shorter, I admit) "usable" (tooltip "usable for encryption") on the left side with the icons "checkmark" (green, VSD compliant encryption possible), "!" (blue, possible but not compliant) and "X" (red, no encryption possible).
For non-VSD versions only the green icon should be used for "encryption possible" and not the blue one.

We could then still allow to put all kinds of keys in the group, even revoked or sign-only keys. And T6722 would no longer be needed IMHO. To clarify that groups can only be used for encryption if no key has an X in the first column, we should add a short sentence near the top of the "edit group" window ~"If the group is to be used for encryption, no certificate with the icon X in the first column can be included." I'd like that info in fat print, to be more noticeable.

Revisions and Commits

rLIBKLEO Libkleo
rKLEOPATRA Kleopatra

Event Timeline

aheinecke added a subscriber: aheinecke.

I don't think that we need to show which keys are compliant or not because that is already shown by the VS-NfD compliance status. And then we only have left the case where the keys are expired / revoked so a user could sort by validity to find out which ones are those.

Alternatively I would rather grey out the "save" button and say somewhere in the widget:
The following certificates cannot be used for encryption:
....
....
Please refresh them or remove them from the groups.

I don't think another column makes much sense since the validity column already contains the required information. I tend to give this low prio because at least in my opinion everything is already there to quickly find the offending certificates.

ebo raised the priority of this task from Low to Normal. Feb 15 2024, 9:49 AM

The validity column does not contain that information in case only the encryption subkey has expired.
As is the case if people extended an expired keypair via Kleopatra with VSD up to 3.1.26.

Additionally the expiry date does not jump out at you, a column with icons does.
As column title we would like "usable" with tooltip text "usable for encryption".

TobiasFella changed the task status from Open to Testing. Feb 21 2024, 2:17 PM
TobiasFella claimed this task.

This is how the upper part of the "New Group" window looks with Version 3.2.2.2405000+git~ (Gpg4win-4.3.2-beta41):

It seems that, deviating from the task description, something else was implemented. And it's not even what Andre suggested in the comments but seemingly something inspired by it.
I do not like it.
I think that the color coding of suitable certificates is a no go for a11y. And it clashes with our color marking in VSD. Which in that case is a convenience only, that info is also available in a column. Instead of a tooltip in this case.

Additionally, revoked and expired certificates are not marked as not suitable for encryption, although you can not encrypt to them.

After quite some time I noticed that it is possible to get certificates without encryption subkey selected into the group if you mark all certificates and select them for the group:

So the UI here is different from the upper pane of the window. I believe that is not acceptable.
The warning icons used in the lower pane are much better to parse, visually. But without an additional column I believe this does not work for a11y.

I think this task should go back to the drawing board. It should not go into the next release.

ebo changed the task status from Testing to Open. Jul 29 2024, 1:35 PM

This task only dealt with the lower pane. It added the warning icon and the tool tip "This certificate cannot be used for encryption." For the upper pane see T6722.

Your concern about a11y is likely valid. Depending on the configuration of the screen reader the tool tip may not be read to the user automatically.

I think it makes sense to use the existing Status column (formerly known as "User IDs" column) instead of adding a second status column. We could show the warning icon there and use the text "unusable" or, maybe, "unusable (REASON)", e.g. "unusable (expired)", "unusable (sign-only)", etc. The tool tip could provide more details. For usable certificates we'd show the usual status text.

In T6966#189067, @ebo wrote:

> This is how the upper part of the "New Group" window looks with Version 3.2.2.2405000+git~ (Gpg4win-4.3.2-beta41):
>
> It seems that, deviating from the task description, something else was implemented. And it's not even what Andre suggested in the comments but seemingly something inspired by it.
> I do not like it.
> I think that the color coding of suitable certificates is a no go for a11y. And it clashes with our color marking in VSD. Which in that case is a convenience only, that info is also available in a column. Instead of a tooltip in this case.

Right, using colors for this was not a good idea.

> Additionally, revoked and expired certificates are not marked as not suitable for encryption, although you can not encrypt to them.

Right, that must be fixed.

> After quite some time I noticed that it is possible to get certificates without encryption subkey selected into the group if you mark all certificates and select them for the group:

That's working as intended in Qt6, but apparently behaves differently in Qt5. If we end up keeping this feature for the next release, I'll come up with a fix.

> So the UI here is different from the upper pane of the window. I believe that is not acceptable.
> The warning icons used in the lower pane are much better to parse, visually.

You're right, we should use the icons in the top pane as well, instead of the colors.

> But without an additional column I believe this does not work for a11y.

I like Andre's suggestion for a warning banner "The group contains the following [...]" better. I think it signals better to the user that there's a problem that needs to be resolved.

> I think this task should go back to the drawing board. It should not go into the next release.

We decided how it should be implemented.

  • To be changed for this lower pane of the window, which shows the certificates already in the group:
    • The column status for the certificates not usable should be set to "unusable"
      • Note: revoked and expired keys are unusable, too. Although expired ones might be only temporarily unusable
    • The warning icon should be removed
    • instead, add the red X icon to the Status column
  • For the upper part displaying certificates to choose from:
    • Regarding the column: same as in the lower part
    • Add the same drop down filter box as in the main certificate list
    • Set a default filter which displays only certificates with valid encryption keys
    • The filter can be changed by the user to any other filter from the drop down (same filters as main cert list)
    • If the filter is changed, the choice is not saved for this window, default is always "show only keys usable for encryption"
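
The usability rule discussed in this task (revoked or expired certificates, sign-only certificates, and certificates whose only encryption subkey has expired are all unusable), as an added example that is not Kleopatra's or libkleo's code. It classifies constructed records in the style of `gpg --with-colons --list-keys`; the function names, status strings and sample keys are assumptions.

```python
# Added example. SAMPLE is constructed, not output from a real keyring.
SAMPLE = """\
pub:u:255:22:A000000000000001:1700000000:::u:::scESC:
uid:u::::1700000000::::Alice <alice@example.org>:
sub:u:255:18:A0000000000000E1:1700000000::::::e:
pub:e:255:22:B000000000000001:1600000000:1650000000::u:::sc:
uid:e::::1600000000::::Bob <bob@example.org>:
sub:e:255:18:B0000000000000E1:1600000000:1650000000:::::e:
pub:r:255:22:C000000000000001:1600000000:::u:::sc:
uid:r::::1600000000::::Carol <carol@example.org>:
sub:r:255:18:C0000000000000E1:1600000000::::::e:
pub:u:255:22:D000000000000001:1700000000:::u:::scSC:
uid:u::::1700000000::::Dave <dave@example.org>:
pub:u:255:22:E000000000000001:1600000000:::u:::scSC:
uid:u::::1600000000::::Erin <erin@example.org>:
sub:e:255:18:E0000000000000E1:1600000000:1650000000:::::e:
"""

# Validity letters (field 2) that rule a key or subkey out.
BAD = {"r": "revoked", "e": "expired", "d": "disabled", "i": "invalid"}

def parse_keys(listing):
    """Group colon records per certificate; collect validity of each encryption key."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        f += [""] * (12 - len(f))           # pad short records
        if f[0] == "pub":
            keys.append({"uid": None, "validity": f[1], "enc": []})
        if not keys:
            continue
        # Field 12: a lowercase 'e' means this (sub)key itself can encrypt.
        if f[0] in ("pub", "sub") and "e" in f[11]:
            keys[-1]["enc"].append(f[1])
        elif f[0] == "uid" and keys[-1]["uid"] is None:
            keys[-1]["uid"] = f[9]
    return keys

def encryption_status(key):
    if key["validity"] in BAD:              # whole certificate revoked/expired
        return f"unusable ({BAD[key['validity']]})"
    if not key["enc"]:                      # no encryption-capable (sub)key at all
        return "unusable (sign-only)"
    if all(v in BAD for v in key["enc"]):   # primary fine, encryption subkeys are not
        reasons = "/".join(sorted({BAD[v] for v in key["enc"]}))
        return f"unusable (encryption subkey {reasons})"
    return "usable"

def group_report(listing):
    return {k["uid"]: encryption_status(k) for k in parse_keys(listing)}
```

The Erin entry is the case raised in the comments: the certificate itself is still valid, so only the per-subkey check reveals that encryption will fail.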

TobiasFella moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Aug 6 2024, 11:23 AM
TobiasFella set External Link to https://invent.kde.org/pim/kleopatra/-/merge_requests/266.
TobiasFella changed the task status from Open to Testing. Aug 12 2024, 1:52 PM

Backported for VSD 3.3


Tested with VS-Desktop-3.2.93.33-Beta:

Works as described in https://dev.gnupg.org/T6966#189344

ebo edited projects, added vsd33 (vsd-3.3.0); removed vsd33.