
Draft: Kleopatra: Add information for verification results
Open, Normal, Public

Description

Follow-up to the discussion in T7651.

Valid (= technically correct) signatures where the signing certificate
a) is expired,
b) is revoked, or
c) has no trusted certification
need more information beyond the warning icon.

Current state:
a: The signature is invalid: Signing certificate is expired
b: The signature is invalid: Signing certificate was revoked
c: The used key is not certified by you or any trusted person.
Additional task regarding c: Change the string to "The signing certificate is not certified by a trusted person."

We want some kind of accessible information button/link for a "tooltip". (I assume that a regular tooltip is not possible here.)
It should open a new window with some explanation of how to assess whether this signature is OK in this case or not.

For the texts, see https://dev.gnupg.org/T7701#203507

Event Timeline

ebo triaged this task as Normal priority. Jun 25 2025, 4:58 PM
ebo created this task.

a: expired certificate

Dialog text:
The signature is invalid: The signing certificate has expired.

Tooltip:
If the certificate was still valid when the file was signed, the signature may still be trustworthy. Check the signature date to decide.

b: revoked certificate

Dialog text:
The signature is invalid: The signing certificate was revoked.

Tooltip:
A revoked certificate could mean it was compromised. Only trust this signature if you're sure why the certificate was revoked.

c: untrusted certificate

Dialog text:
The signing certificate is not certified by a trusted person.

Tooltip:
This means Kleopatra can't confirm who signed the file. You can choose to trust the certificate or import a trusted certification.

After further discussion, I propose the following. All tooltips and the last dialog text were changed:

a: expired certificate
Dialog text:
The signature is invalid: The signing certificate has expired.

Tooltip:
Either obtain an updated certificate or check if the signature was made before the key's expiration and decide if you can trust it in this case.

b: revoked certificate
Dialog text:
The signature is invalid: The signing certificate was revoked.

Tooltip:
A revoked certificate could mean it was compromised. Only if the revocation reason was another one (e.g. replacement) may signatures made before the revocation still be trustworthy.

c: untrusted certificate
Dialog text:
The signing certificate is not certified by yourself or a trusted entity.

Tooltip:
This means you can't be sure who signed the file. For that you need to establish trust in the certificate.

a: expired certificate
Dialog text:
The signature is invalid: The signing certificate has expired.

OK :)

Tooltip:
Either obtain an updated certificate or check if the signature was made before the key's expiration and decide if you can trust it in this case.

Correct English would be:
Either obtain an updated certificate or check whether the signature was made before the certificate’s expiration, and decide if you can trust it.

That sounds rather clunky, though. Counter-proposal:
You can check if the signature was made before the certificate expired. If so, it may still be valid. Alternatively, ask the sender for an updated certificate.

b: revoked certificate
Dialog text:
The signature is invalid: The signing certificate was revoked.

OK :)

Tooltip:
A revoked certificate could mean it was compromised. Only if the revocation reason was another one (e.g. replacement) may signatures made before the revocation still be trustworthy.

Suggestion (reads more smoothly): A revoked certificate may indicate it was compromised. If it was revoked for another reason (like replacement), signatures made before that may still be OK.
Or much shorter: Revoked certificates are often unsafe. If it was replaced, earlier signatures may still be valid.

c: untrusted certificate
Dialog text:
The signing certificate is not certified by yourself or a trusted entity.

Better: The signing certificate is not certified by you or a trusted person.

Tooltip:
This means you can't be sure who signed the file. For that you need to establish trust in the certificate.

Better: The signer’s identity can’t be verified. You can trust the certificate manually or import a trusted certification.
Or shorter: Without trust, the signer’s identity can’t be confirmed.

Better: The signing certificate is not certified by you or a trusted person.

A trusted key or a Root CA is not a trusted person.

Hopefully the final version:

a: expired certificate
Dialog text:
The signature is invalid: The signing certificate has expired.
Tooltip:
Ask the sender for an updated certificate. Alternatively, check if the signature was made before the certificate expired. If so, you can decide to trust it.

b: revoked certificate
Dialog text:
The signature is invalid: The signing certificate was revoked.
Tooltip:
A revoked certificate may indicate it was compromised. If it was revoked for another reason (like replacement), signatures made before the revocation date may still be OK.

c: untrusted certificate
Dialog text:
The signing certificate is not certified by you or a trusted third party.
Tooltip:
Without established trust, the signer’s identity can’t be confirmed.
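As an added illustration, not code from this task or from Kleopatra (which works from GpgME verification results rather than parsing status lines), the following Python sketch classifies gpg's machine-readable `--status-fd` output for one signature into the three cases above (a: expired, b: revoked, c: uncertified) and applies the check the case a tooltip asks the user to make: was the signature made before the certificate expired? The status keywords and field positions follow gnupg's doc/DETAILS; the fingerprint, user id, timestamps and sample output are constructed.

```python
"""Classify gpg status output for one verified signature into the cases
this task distinguishes, and apply the case a) "signed before expiry" check.
Status-line formats follow gnupg's doc/DETAILS; all sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    case: str                       # "good" | "expired" | "revoked" | "uncertified" | "bad"
    signer: str                     # key id or fingerprint from the *SIG line
    sig_time: Optional[datetime]    # signature creation time (VALIDSIG field 3)
    key_expiry: Optional[datetime]  # key expiration time (KEYEXPIRED), if emitted
    trust: Optional[str]            # the TRUST_* keyword, if emitted

    @property
    def signed_before_expiry(self) -> Optional[bool]:
        """The check from the case a) tooltip; None if a timestamp is missing.
        Caveat: the creation time is written by the signer, so whoever holds a
        leaked key can backdate a signature. This check is necessary, not
        sufficient, before deciding to trust an expired-key signature."""
        if self.sig_time is None or self.key_expiry is None:
            return None
        return self.sig_time < self.key_expiry


def _epoch(seconds: str) -> datetime:
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)


def classify_status(status_output: str) -> Verdict:
    """Parse '[GNUPG:] ...' lines, e.g. from `gpg --status-fd 1 --verify`."""
    sig_line = None
    sig_time = key_expiry = trust = None
    for raw in status_output.splitlines():
        if not raw.startswith(STATUS_PREFIX):
            continue  # ignore anything that is not a status line
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        kw, args = fields[0], fields[1:]
        if kw in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG"):
            sig_line = (kw, args[0])
        elif kw == "VALIDSIG":
            # <fpr> <sig_creation_date> <sig-timestamp> <expire-timestamp> ...
            sig_time = _epoch(args[2])
        elif kw == "KEYEXPIRED":
            # DETAILS warns this is also emitted for expired *unused* subkeys,
            # so real code should confirm the expiry against the key listing.
            key_expiry = _epoch(args[0])
        elif kw.startswith("TRUST_"):
            trust = kw
    if sig_line is None:
        raise ValueError("no GOODSIG/EXPKEYSIG/REVKEYSIG/BADSIG line found")
    kw, signer = sig_line
    if kw == "BADSIG":
        case = "bad"            # technically invalid; outside this task's scope
    elif kw == "REVKEYSIG":
        case = "revoked"        # case b
    elif kw == "EXPKEYSIG":
        case = "expired"        # case a
    elif trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        case = "good"
    else:
        case = "uncertified"    # case c; MARGINAL/UNDEFINED/NEVER treated alike here
    return Verdict(case, signer, sig_time, key_expiry, trust)


# Constructed sample status output (not a real key). Signature made
# 2024-01-15 10:00 UTC; key expired 2024-06-01 00:00 UTC.
_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_VALIDSIG = f"[GNUPG:] VALIDSIG {_FPR} 2024-01-15 1705312800 0 4 0 22 10 00 {_FPR}"
SAMPLE_EXPIRED = "\n".join([
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] EXPKEYSIG {_FPR[-16:]} Alice Example <alice@example.org>",
    _VALIDSIG,
    "[GNUPG:] KEYEXPIRED 1717200000",
    "[GNUPG:] TRUST_FULLY 0 pgp",
])
SAMPLE_REVOKED = "\n".join([
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] REVKEYSIG {_FPR[-16:]} Alice Example <alice@example.org>",
    _VALIDSIG,
    "[GNUPG:] KEYREVOKED",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
SAMPLE_UNCERTIFIED = "\n".join([
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {_FPR[-16:]} Alice Example <alice@example.org>",
    _VALIDSIG,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])

if __name__ == "__main__":
    for name, sample in (("a", SAMPLE_EXPIRED), ("b", SAMPLE_REVOKED), ("c", SAMPLE_UNCERTIFIED)):
        v = classify_status(sample)
        print(name, v.case, v.signer, "signed_before_expiry =", v.signed_before_expiry)
```

Two points the tooltips leave implicit: the signature creation time compared here is chosen by the signer, so a backdated signature from a leaked key passes the "made before expiry" test, and the revocation reason needed for case b is not in the status output at all (it lives in the revocation signature, visible in the key listing). Both are why the final texts say "you can decide to trust it" rather than "it is valid".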

ebo renamed this task from Draft: Kleopatra: Add information for verification results to Kleopatra: Add information for verification results. Tue, Jul 29, 3:05 PM
ebo renamed this task from Kleopatra: Add information for verification results to Draft: Kleopatra: Add information for verification results. Mon, Aug 4, 2:52 PM