Kleopatra: revoked UIDs should not be offered for signing and they should be labeled consistently
Testing, High, Public

Description

Revoked User IDs are offered for signing/encrypt to self, which is confusing to users. This is not always the case; it seems to depend on whether they have been used in the past.
Additionally, the icons used for revoked UIDs in the sign/encrypt dialog may be a green check mark, while the background color is red. The background and the icon should always agree.

How to reproduce:
Encrypt something selecting one of the UIDs of a certificate with at least 2 of them. Then revoke that UID.
Start to encrypt a message or go to the recipients tab of the notepad. Check which UIDs are offered:

In case it is relevant, this is the window which opens if you choose the icon on the right of the drop down menu in the same case:

Here all user-IDs are offered, be they valid or not, even if the UID was never selected for encryption.

If I remember correctly, we planned to show revoked UIDs only in the extended filter dialog window? (So that users missing an ID they encrypted to before can find it there if they look.)

This looked at first as if it was a regression, as the revoked certificates were not offered in VSD 3.3.0, see T7183: Kleopatra: Reduce certificates offered in Sign/Encrypt dialog. But if you have used the revoked UID before, it is offered even in 3.3.0. And you can encrypt to it, too, although with a red encrypt button.

Edit 2025-06-11: the following part was wrong, I'd deleted the secret key in between which of course explains it… I'll delete that part to make the ticket more readable.

But it seems the issue goes away if you delete the secret key and then reimport it.
Edit2 2025-06-11:
Only for the first encryption after reimport was only the valid UID offered. After encrypting to the key once using that valid UID, on the next encryption operation both UIDs are offered again, with the invalid UID preselected and "not VS-NfD compliant" next to the sign/encrypt button. This results in the user having to correct the chosen UID every time.

Details

External Link
https://rt.gnupg.com/Ticket/Display.html?id=35609
Version
VSD 3.3.2

Event Timeline

ebo renamed this task from "Kleopatra: revoked UIDs should not be offered for encryption and they should be labeled consistently" to "Kleopatra: revoked UIDs should not be offered for signing and they should be labeled consistently". Wed, Jun 11, 11:12 AM
ebo updated the task description.

And mind that the wording "This certificate is revoked" is wrong in any case; only the user ID is revoked, not the public key.

ebo edited projects, added vsd33; removed gpd5x.
ikloecker changed the task status from Open to Testing. Wed, Jun 11, 2:47 PM
ikloecker moved this task from Backlog to WiP on the vsd33 board.

Parts of the changes made for T7183: Kleopatra: Reduce certificates offered in Sign/Encrypt dialog have been reverted. The drop downs for selecting the signing key and the "encrypt to self" key now offer the primary user IDs of usable keys again (instead of all user IDs of usable keys) and there's no button to open a certificate selection dialog anymore.