Draft: Kleopatra: improvements of signature verification result messages
Open, High, Public

Assigned To
Authored By
ebo
Aug 20 2025, 12:34 PM

Description

We want to restructure the verification result messages to put the most important information at the beginning and also make a few text improvements.

Tasks for all messages: Move text from the 2nd row to the top (the most important info is given there, e.g. "The signature is invalid:")
Caveat: in some places, only a single word like "The" was added; check the texts carefully when implementing (and testing) this.

New texts:

  • for invalid signature: The signature is invalid: Bad signature\nThe signature was created with certificate: %1

Question:

  • Can we be sure that the signature in question is by that certificate? (The common case is that the file which was signed was changed after the (at that time valid) signature was made)
  • Better word here for "Bad"?
  • for valid and trusted signature: (maybe leave out the part in []? {} indicates that there are other variants, too)
    • GPD: The signature is valid and the certificate['s validity] is {fully} trusted.\nThe signature was created on %1 with the certificate: %2
    • VSD 1: The signature is VS-NfD compliant.\nThe signature was created on %1 with the certificate: %2
    • VSD 2: The signature is Not VS-NfD compliant. The certificate['s validity] is {fully} trusted.\nThe signature was created on %1 with the certificate: %2

To discuss: Leave out the part in [ ]?

  • for valid but unknown: The signature can't be checked, the certificate is missing. You can search for it [on the configured server] or import it from a file.\nThe signature was created on %1 using an unknown certificate with fingerprint %2

To discuss:
a) it is not necessarily a keyserver, it may be ldap
b) we search on the configured server after a click on the fingerprint link. How to make that clear?

  • for technically correct but revoked signature: The signature is invalid: The signing certificate was revoked\nThe signature claims to be created on %1 with the certificate: %2
  • or better: The signature may be invalid […]

To discuss: "claims to be" OK?

  • for valid but not trusted: The signature can't be verified. The signing certificate is not certified by you or a trusted [third] party.\nThe signature was created on %1 with the certificate: %2

To discuss: the part after "certified by"

  • for valid but not trusted and expired: The signature can't be verified. The signing certificate is expired and not certified by you or a trusted [third] party.\nThe signature was created on %1 with the certificate: %2

Note: as "not trusted" should have precedence over expired, we want to only mention the "expired" as an addition.

  • for valid and trusted but expired: The signature may be invalid: The signing certificate has expired.\nThe signature was created on %1 with the certificate: %2
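
An added example, not Kleopatra's code: one way to pick among the message variants in the description and emit the headline first. The `SigState` fields, the `Verdict` names and the overall check order are hypothetical; the only precedence taken from the task is that "not trusted" comes before "expired".

```cpp
#include <string>
// Hypothetical verification state (not Kleopatra's or GPGME's types).
struct SigState {
    bool certMissing, badSignature, certRevoked, certExpired, certTrusted;
    std::string created, certificate; // values for the %1 / %2 placeholders
};
enum class Verdict { MissingCert, Invalid, Revoked, NotTrusted,
                     NotTrustedExpired, TrustedExpired, ValidTrusted };

// Only "not trusted before expired" is from the task; the rest is assumed.
Verdict classify(const SigState &s) {
    if (s.certMissing)  return Verdict::MissingCert;
    if (s.badSignature) return Verdict::Invalid;
    if (s.certRevoked)  return Verdict::Revoked;
    if (!s.certTrusted) return s.certExpired ? Verdict::NotTrustedExpired
                                             : Verdict::NotTrusted;
    if (s.certExpired)  return Verdict::TrustedExpired;
    return Verdict::ValidTrusted;
}

// Headline first, details second; optional bracketed parts are omitted.
std::string message(const SigState &s) {
    const std::string made = "The signature was created on " + s.created +
                             " with the certificate: " + s.certificate;
    switch (classify(s)) {
    case Verdict::MissingCert:
        return "The signature can't be checked, the certificate is missing. "
               "You can search for it or import it from a file.\n"
               "The signature was created on " + s.created +
               " using an unknown certificate with fingerprint " + s.certificate;
    case Verdict::Invalid:
        return "The signature is invalid: Bad signature\n"
               "The signature was created with certificate: " + s.certificate;
    case Verdict::Revoked:
        return "The signature is invalid: The signing certificate was revoked\n"
               "The signature claims to be created on " + s.created +
               " with the certificate: " + s.certificate;
    case Verdict::NotTrusted:
        return "The signature can't be verified. The signing certificate is "
               "not certified by you or a trusted party.\n" + made;
    case Verdict::NotTrustedExpired:
        return "The signature can't be verified. The signing certificate is "
               "expired and not certified by you or a trusted party.\n" + made;
    case Verdict::TrustedExpired:
        return "The signature may be invalid: The signing certificate has expired.\n" + made;
    default:
        return "The signature is valid and the certificate is trusted.\n" + made;
    }
}
```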

Event Timeline

ebo triaged this task as Normal priority. Aug 20 2025, 12:34 PM
ebo created this task.
ebo created this object with edit policy "Contributor (Project)".
ebo raised the priority of this task from Normal to High.

A new suggestion for the wording without prior reading of the above texts to get a fresh view.
But in German ...

The structure of the items below is as follows:

  • First item: a direct answer that even a person without technical expertise understands.
    • The following items are for a tooltip. First, a further explanatory text.
    • After that, hints on how to deal with the problem. (The text "What can be done" can also be dropped.)

Signature verification

Result variants:

Certificate for the signature is not available

  • The signature cannot be verified because the corresponding certificate is not available. The data cannot be trusted.
    • The sender's certificate, which is needed to verify the data, is not present in your certificate list.
    • What can be done: You can ask the sender to send you the certificate; compare the certificate's fingerprint with the sender and certify the certificate. Then verify the data+signature again.

Certificate is available, but ...

the signature does not match

  • Data and signature do not match. The data cannot be trusted.
    • The data or the signature has been altered. This can happen accidentally (e.g. due to a transmission error), unintentionally (e.g. due to a subsequent change to the data, possibly also by a mail client), or intentionally (deliberate manipulation).
    • What can be done: Have the data sent to you again.

the signing certificate is not trusted

  • It cannot be ensured that the data really originates from the sender, because the certificate with which the data was signed is not trusted.
    • Since the signer's certificate is not trusted, the data cannot be trusted either. Technically, however, signature and data match.
    • What can be done: Compare the fingerprint with the sender and certify the certificate. Then verify the data+signature again.

the signature is not VS compliant

  • The signature was not created in a VS-compliant manner. It must not be used to sign classified information, but it is fine for non-VS-compliant use.
    • What can be done: For VS-compliant communication, ask the sender to create a VS-compliant certificate and send it to you.

the signing certificate has been revoked

  • It cannot be ensured that the data really originates from the sender, because the certificate has been revoked.
    • The certificate may have been revoked because it was compromised and a third party is now using it. The data therefore cannot be trusted. Technically, however, signature and data match.
    • What can be done: It is possible that you received the data at a time when the certificate was still valid. If that is ensured, the data may be fine. If in doubt, contact the sender to clarify the situation and, if necessary, have the data sent to you again, signed with a current certificate.

the signing certificate has expired

  • The data cannot be trusted because the certificate's validity has expired.
    • A third party may have control over the certificate and be sending forged data.
    • What can be done: It is possible that you received the data at a time when the certificate was still OK. If that is ensured, the data may be fine. Contact the sender and ask them for a current, extended certificate; with it you can verify the data again. If the sender has a new certificate, ask them to send you the data again signed with it. Compare the fingerprint of the new certificate with the sender and certify the certificate. Now you can verify the data again.

The certificate is fine and the signature verification was successful

  • Signature verification was successful.
    • Data and signature match and have been successfully verified.
    • What can be done: Check regularly whether the sender's certificate is still current in order to maintain a high level of security.

TobiasFella mentioned this in Unknown Object (Maniphest Task). Nov 17 2025, 9:49 AM

Ok, new try on the basis of Alexander's suggestion:

Note that here we no longer use the gpg/gpgsm error messages in the texts, but we still link to the audit log which contains them.

The parts shown as list items are from the info/help which should be accessible via a button.
The button should be after the first sentence / part.

V-SUMMARY (!= summary now) it is meant to be: User-ID + creation date (with link to cert details)

Caveat: I did not include expiration of the signature (as opposed to expiration of the signature key), compare T8035.

Certificate for the signature is not available

The signature cannot be verified because the corresponding certificate is not available. The data cannot be trusted. [The signing certificate’s fingerprint is %1. | The signing certificate’s issuer is %1, the S/N is %2.]

  • The signing certificate is not present in your certificate list, but it is needed to verify the data.
  • What can be done: Ask the sender for the certificate or import it from a file or a keyserver. After import, verify the certificate’s fingerprint and then [certify it | trust its root certificate]. Then verify the data again.

Certificate is available, but ...

The signature does not match (“Bad signature”)

Data and signature do not match. The data cannot be trusted.
Signed by V-SUMMARY on %date+time.

  • The data or the signature has been altered. This can happen accidentally (e.g. due to a transmission error), unintentionally (e.g. due to a subsequent change to the data, possibly by an email client), or intentionally (deliberate manipulation).
  • What can be done: Ask the sender to resend the data.

The signature certificate has been revoked

It cannot be verified whether the data truly originates from the sender, as the signing certificate has been revoked.
Signed by V-SUMMARY on %date+time.

  • The certificate may have been revoked because it was compromised and is now being used by a third party. The data can therefore not be trusted. Technically, signature and data match.
    1. case trusted:
  • What can be done: It is possible that you received the data at a time when the certificate was still valid. If this is the case, the data may be valid. If in doubt, contact the signer to clarify the situation and, if necessary, ask them to resend the data with a current certificate.
    1. case not trusted:
  • What can be done: Ask the sender to resend the data signed with a current certificate.

The signature certificate has expired

The data cannot be trusted because the signing certificate has expired.
Signed by V-SUMMARY on %date+time.

  • It is possible that a third party has gained control of the certificate and is sending forged data.
  • What can be done: If you received the data at a time when the certificate was still valid, the data may be ok. Contact the sender and ask them to provide the current, renewed certificate; then verify the data again. If the sender has a new certificate, ask them to send it and the data signed with this new certificate.

Note: I am not yet happy with the part with "Contact the sender".

The signing certificate is not trusted

It cannot be verified whether the data originates from the stated source, as the signing certificate is not trusted.
Signed by V-SUMMARY on %date+time.

  • Since the signing certificate is not marked as verified, the data cannot be trusted to originate from the right source, either. Technically, signature and data match.
  • What can be done: Verify the certificate’s [fingerprint and certify it | Root-CA fingerprint and trust it]. Then verify the data again.

The certificate is valid and the signature verification was successful

Signature verification was successful.
Signed by V-SUMMARY on %date+time.

  • Data and signature match and have been verified.

Addition to all variants (with exception “no certificate”)

"The signature is %1" can expand to:
The signature is not VS-NfD compliant / NATO restricted compliant

The signature was not created in a VS-NfD compliant manner. It must not be used to sign classified information, but it is acceptable for non-classified use.
What can be done: For classified communication, ask the signer for a VS-NfD compliant certificate and that they use it for signing in the future.

The signature is VS-NfD compliant - Would need another tooltip…

As %1 can contain “not”, different tooltips are difficult…
Maybe instead always the same text:

If the signature is not shown as VS-NfD compliant, it must not be used to sign classified information, but it is acceptable for non-classified use.
What can be done: For classified communication, ask the signer for a VS-NfD compliant certificate and that they use it for signing.

Some minor language suggestions for the texts in the comment above:

In T7786#218200, @ebo wrote:
  • What can be done: Ask the sender for the certificate or import it from a file or a keyserver. After import, verify the certificate’s fingerprint and then [certify it | trust it’s root certificate]. Then verify the data again.

Typo: "it's" -> "its"


What can be done: Have the data sent to you again.

Suggestion: "Ask the sender to resend the data."


It cannot be verified if the data truly originates from the sender, as the signing certificate has been revoked.

"if" -> "whether" (more natural in indirect questions; same applies below)


It cannot be verified if the data originates from the apparent source, as the signing certificate is not trusted.

"if" -> "whether"


Contact the sender and ask them to provide the current, extended certificate; then verify the data again.

"extended" -> "renewed" (certificates are reissued, not extended); or: "a new, valid certificate"


For classified communication, ask the signer for a VS-NfD compliant certificate and data signed with it.

Suggestion: "For classified communication, ask the signer to resend the data signed with a VS-NfD compliant certificate." (applies to both occurrences)


Data and signature match and have been successfully verified.

"successfully verified" is redundant. Suggestion: "Data and signature match and have been verified."


Feel free to ignore any of the comments, these are just small things I noticed while reading through.

Thank you, I have adopted your suggestions in most places and edited my comment above accordingly.

In reaction to a comment by @timegrid I also changed one occurrence of "It is possible that" to avoid repetitive wording.

He had some more comments which I paste here, as I can't incorporate them right now / they may need discussion:

Don't we have the reason on hand for revoked certificates? Wouldn't it be helpful to display that?

I think showing the reason was only recently implemented on the gpg side and only in gnupg26: T7083: Show revocation reasons also with a standard -k listing

Why is there no “signed by” info for bad signatures?

I'd like to discuss how we can word it there, simply writing "Signed by" is not really correct, as we can not be sure in this case afaiu.

Expired: Would it be helpful to display the expiration date? It makes a difference whether it expired yesterday or years ago

I'm not sure if this is easily possible. @ikloecker?

not trusted: originates from the apparent source,

  • “apparent” has a rather critical connotation for me—“seemingly/allegedly”
  • I would find something like “from the stated/specified/provided source” more neutral

I do not agree on that, but "apparent" might not be ideal for a non-native speaker audience.

ebo mentioned this in Unknown Object (Maniphest Task). Mon, Jun 1, 9:01 AM

[...]

not trusted: originates from the apparent source,

  • “apparent” has a rather critical connotation for me—“seemingly/allegedly”
  • I would find something like “from the stated/specified/provided source” more neutral

I do not agree on that, but "apparent" might not be ideal for a non-native speaker audience.

I agree "apparent" is not ideal. It can read as skeptical or accusatory, especially for non-native speakers. "Stated source" would be more neutral and unambiguous.

ok, changed to "stated source" above.