
Kleopatra: Good signatures are reported as invalid signatures if key is expired or revoked
Testing, Normal, Public

Description

While looking into T7790 (Kleopatra: "no trusted certification" should have precedence over "expired" in signature verification), I noticed that Kleopatra reports good signatures as "invalid" if the signing key is expired or revoked. I don't think that this is done intentionally. gpg reports such signatures as good signatures. See T7790#210769 (for output of gpg) and T7790#211521 (for screenshots of Kleopatra).

Event Timeline

ikloecker created this task.
ikloecker changed the task status from Open to Testing. Jan 15 2026, 4:45 PM
ikloecker moved this task from Backlog to WIP on the gpd5x board.

Fixed. Some examples for the improved texts which are based on the texts that gpg prints.

  • good signature with expired key

  • good signature with revoked key

  • good signature with uncertified key

  • expired signature with certified key

  • expired signature with uncertified key

Hint: Create expired signatures with gpg --default-sig-expire seconds=5 --detach-sign ...

This ticket is mostly about fixing the problem that good signatures were reported as invalid. Unless there are actual errors in the new texts, there's T7786 (Draft: Kleopatra: improvements of signature verification result messages) for improving the messages.

ikloecker mentioned this in Unknown Object (Maniphest Task). Jan 19 2026, 9:04 AM

For "expired signature with certified key" I believe green with check mark is too positive. Should be a warning, too.

ikloecker changed the task status from Testing to Open. Feb 4 2026, 9:11 PM

Now an expired signature with certified key is reported like this:

ikloecker changed the task status from Open to Testing. Feb 5 2026, 11:33 AM
ikloecker mentioned this in Unknown Object (Maniphest Task). Feb 9 2026, 8:58 AM

At least for an expired data signature I would suggest to have an info button to further explain this. Maybe to a FAQ or KB article. The case is too rare that we should not discuss endlessly the pros and cons of expiring signatures. I hope that Kleo does not provide an option to create such a signature.

timegrid added a subscriber: timegrid.

Looks good to me on gpg4win-5.0.2-beta2 @ win11.

  • good signature with expired key
  • good signature with revoked key
  • good signature with uncertified key
  • expired signature with certified key
  • expired signature with uncertified key
timegrid edited projects, added gpd5x (gpd-5.0.2); removed gpd5x.
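
The distinction this ticket is about, shown as an added example that is not Kleopatra's or gpg's code: the sketch reads the status keywords gpg emits with `--status-fd` and keeps the cryptographic result separate from the expired, revoked and certification conditions, so an expired or revoked key never turns a good signature into an invalid one. The names `classify`, `label` and `Verdict`, the sample lines, and the rule that only full or ultimate validity counts as certified are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional
# gpg --status-fd keywords -> (cryptographic result, separate sig/key condition)
SIG_STATUS = {
    "GOODSIG": (True, None),
    "EXPSIG": (True, "signature expired"),
    "EXPKEYSIG": (True, "key expired"),
    "REVKEYSIG": (True, "key revoked"),
    "BADSIG": (False, None),
    "ERRSIG": (None, "signature could not be checked"),
}
# Assumption of this example: only full or ultimate validity counts as certified.
TRUST = {"TRUST_UNDEFINED": False, "TRUST_NEVER": False, "TRUST_MARGINAL": False,
         "TRUST_FULLY": True, "TRUST_ULTIMATE": True}

@dataclass
class Verdict:
    good: Optional[bool]              # None: the check could not be performed
    condition: Optional[str]          # reported next to, not instead of, `good`
    certified: Optional[bool] = None  # None: no TRUST_* line followed

def classify(status_output: str) -> List[Verdict]:
    verdicts: List[Verdict] = []
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in SIG_STATUS:
            verdicts.append(Verdict(*SIG_STATUS[parts[1]]))
        elif parts[1] in TRUST and verdicts:
            verdicts[-1].certified = TRUST[parts[1]]
    return verdicts

def label(v: Verdict) -> str:
    if v.good is None:
        return v.condition
    notes = [v.condition, "key not certified" if v.certified is False else None]
    base = "good signature" if v.good else "bad signature"
    return ", ".join([base] + [n for n in notes if n])
# Constructed status lines; key IDs and user IDs are placeholders.
SAMPLE = """\
[GNUPG:] EXPKEYSIG 0000000000000001 Alice <alice@example.org>
[GNUPG:] REVKEYSIG 0000000000000002 Bob <bob@example.org>
[GNUPG:] GOODSIG 0000000000000003 Carol <carol@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp
[GNUPG:] EXPSIG 0000000000000004 Dave <dave@example.org>
[GNUPG:] TRUST_FULLY 0 pgp
[GNUPG:] BADSIG 0000000000000005 Eve <eve@example.org>
"""
```

Running `[label(v) for v in classify(SAMPLE)]` gives one label per signature; only the `BADSIG` line yields "bad signature".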