
Draft: Kleopatra: Add information for verification results
Open, NormalPublic

Description

Follow up of discussion from T7651.

Valid (= technically correct) signatures where the signing certificate is
a) expired
b) revoked or
c) has no trusted certification
need more information beyond the warning icon.

Current state:
a: The signature is invalid: Signing certificate is expired
b: The signature is invalid: Signing certificate was revoked
c: The used key is not certified by you or any trusted person.
Additional task regarding c: Change the string to "The signing certificate is not certified by a trusted person."

We want some kind of accessible information button/link for a "tooltip". (I assume that a regular tooltip is not possible here.)
It should open a new window with some explanation on how to assess if this signature is ok in this case or not.

For the current state of discussions on the tooltip texts, see https://dev.gnupg.org/T7701#203507

The ticket for the regular texts is T7786: Draft: Kleopatra: improvements of signature verification result messages. A new result type is introduced there, too:
d) not trusted and expired

Event Timeline

ebo triaged this task as Normal priority. Jun 25 2025, 4:58 PM
ebo created this task.

a: expired certificate

Dialog text:
The signature is invalid: The signing certificate has expired.

Tooltip:
If the certificate was still valid when the file was signed, the signature may still be trustworthy. Check the signature date to decide.

b: revoked certificate

Dialog text:
The signature is invalid: The signing certificate was revoked.

Tooltip:
A revoked certificate could mean it was compromised. Only trust this signature if you're sure why the certificate was revoked.

c: untrusted certificate

Dialog text:
The signing certificate is not certified by a trusted person.

Tooltip:
This means Kleopatra can't confirm who signed the file. You can choose to trust the certificate or import a trusted certification.

After further discussion, I propose the following. All tool tips and the last dialog text were changed:

a: expired certificate
Dialog text:
The signature is invalid: The signing certificate has expired.

Tooltip:
Either obtain an updated certificate or check if the signature was made before the keys expiration and decide if you can trust it in this case.

b: revoked certificate
Dialog text:
The signature is invalid: The signing certificate was revoked.

Tooltip:
A revoked certificate could mean it was compromised. Only if the revocation reason was another one (e.g. replacement) then signatures made before the revocation may still be trustworthy.

c: untrusted certificate
Dialog text:
The signing certificate is not certified by yourself or a trusted entity.

Tooltip:
This means you can't be sure who signed the file. For that you need to establish trust in the certificate.

a: expired certificate
Dialog text:
The signature is invalid: The signing certificate has expired.

OK :)

Tooltip:
Either obtain an updated certificate or check if the signature was made before the keys expiration and decide if you can trust it in this case.

Correct English would be:
Either obtain an updated certificate or check whether the signature was made before the certificate’s expiration, and decide if you can trust it.

That sounds rather clunky, though. Counterproposal:
You can check if the signature was made before the certificate expired. If so, it may still be valid. Alternatively, ask the sender for an updated certificate.

b: revoked certificate
Dialog text:
The signature is invalid: The signing certificate was revoked.

OK :)

Tooltip:
A revoked certificate could mean it was compromised. Only if the revocation reason was another one (e.g. replacement) then signatures made before the revocation may still be trustworthy.

Suggestion (reads more smoothly): A revoked certificate may indicate it was compromised. If it was revoked for another reason (like replacement), signatures made before that may still be OK.
Or considerably shorter: Revoked certificates are often unsafe. If it was replaced, earlier signatures may still be valid.

c: untrusted certificate
Dialog text:
The signing certificate is not certified by yourself or a trusted entity.

Better: The signing certificate is not certified by you or a trusted person.

Tooltip:
This means you can't be sure who signed the file. For that you need to establish trust in the certificate.

Better: The signer’s identity can’t be verified. You can trust the certificate manually or import a trusted certification.
Or shorter: Without trust, the signer’s identity can’t be confirmed.

Better: The signing certificate is not certified by you or a trusted person.

A trusted key or a Root CA is not a trusted person.

next version:

a: expired certificate
Dialog text:
The signature may be invalid: The signing certificate has expired.
Tooltip:
Ask the sender for an updated certificate. If you can assure that the signature was made before the expiration date, you may trust it.

b: revoked certificate
Dialog text:
The signature may be invalid: The signing certificate was revoked.
Tooltip:
A revoked certificate may indicate it was compromised. If it was revoked for another reason (like replacement), signatures made before the revocation date may still be OK.

c: untrusted certificate
Dialog text:
The signing certificate is not certified by you or a trusted third party.
Tooltip:
Without established trust, the signer’s identity can’t be confirmed.

The last needs a bit more info imho…

ebo renamed this task from Draft: Kleopatra: Add information for verification results to Kleopatra: Add information for verification results. Jul 29 2025, 3:05 PM
ebo renamed this task from Kleopatra: Add information for verification results to Draft: Kleopatra: Add information for verification results. Aug 4 2025, 2:52 PM

tooltip suggestion for d, not trusted and expired:
Ask the sender for an updated certificate and when you receive it, follow the procedure to establish trust and certify it.
or:
Ask the sender for an updated certificate. When you receive it, you need to establish trust and certify it.
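
The assessment that the proposed tooltips for cases a to d ask the user to make, written out as an added example that is not part of this task or of Kleopatra's code. `SigResult`, `classify` and the sample timestamps are hypothetical, the revoked-before-expired precedence is an assumption, and the reason codes are those of RFC 4880. The signature creation time is set by the signer, so a `True` result is a hint to investigate further, not proof.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 4880, section 5.2.3.23 "Reason for Revocation" codes (0 = no reason given).
KEY_SUPERSEDED, KEY_COMPROMISED, KEY_RETIRED = 1, 2, 3


@dataclass
class SigResult:
    """Hypothetical record a caller fills from its verification backend."""
    sig_created: int                   # signature creation time, Unix seconds, signer-supplied
    key_expires: Optional[int] = None  # certificate expiry, None = never expires
    revoked_at: Optional[int] = None   # revocation time, None = not revoked
    revocation_reason: int = 0         # reason code from the revocation signature
    certified: bool = False            # certified by the user or a trusted third party


def classify(r: SigResult, now: int) -> Tuple[str, bool]:
    """Classify a cryptographically correct signature.

    Returns (case, may_still_be_ok). case is "ok" or one of the task's
    letters a-d. may_still_be_ok is True only when the claimed creation time
    lies before the expiry, or before a revocation that was not a compromise.
    """
    expired = r.key_expires is not None and r.key_expires <= now
    if r.revoked_at is not None:
        # Assumption of this example: revocation is reported before expiry.
        # "Compromised" or "no reason" never qualifies, because whoever holds
        # the key can backdate the creation time.
        benign = r.revocation_reason in (KEY_SUPERSEDED, KEY_RETIRED)
        return "b", benign and r.sig_created < r.revoked_at
    if expired and not r.certified:
        return "d", False   # identity unconfirmed, so the date check does not help
    if expired:
        return "a", r.sig_created < r.key_expires
    if not r.certified:
        return "c", False
    return "ok", True


NOW = 1_750_000_000  # constructed "current time" for the samples below

if __name__ == "__main__":
    samples = {  # constructed inputs, one per result type
        "expired, signed earlier": SigResult(1_700_000_000, key_expires=1_740_000_000, certified=True),
        "revoked, superseded": SigResult(1_700_000_000, revoked_at=1_720_000_000,
                                         revocation_reason=KEY_SUPERSEDED, certified=True),
        "untrusted and expired": SigResult(1_700_000_000, key_expires=1_740_000_000),
    }
    for name, sample in samples.items():
        print(name, classify(sample, NOW))
```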