Maniphest T8304

Kleopatra: Don't use dirmngr if it has been disabled
Testing, NormalPublic
Actions

Assigned To
ikloecker
Authored By
ebo
Tue, Jun 23, 2:55 PM
Tags
Subscribers
ebo
ikloecker

Description

We have some customers who have an offline computer for sensitive data. There, dirmngr should not be started except to manually import crls retrieved via another machine. We advise such customers to set disable-dirmngr in gpg.conf and gpgsm.conf and set disable-crl-checks in the latter file, too.

There are some occasions where the dirmngr is started, for regular S/MIME CRL-checks (those arecovered by the above settings) for pubkey search or -update via WKD and (on current master) to connect to AD on Windows, when suggesting Name an Mail when generating a keypair or CSR.

At the very least Kleopatra should honor the disable-dirmngr settings in gpg.conf and gpgsm.conf in all cases. For 3.3.7 and 5.0.2 the dirmngr is startet for WKD searches despite the settings and for master later than 5.0.2 dirmngr is started generally after startup (for the AD search which then needs dirmngr because of T6094).

But I would like to have a Registry key for Kleopatra, e.g. "Offline", which would with one setting set all the sensible settings for that case at once without needing to go to the config files. This would be easier for customers to configure. The regkey should set disable-dirmngr for gpg and gpgsm and disable-crl-checks, too.

Details

Version
Gpg4win-5.0.2 and VSD 3.3.7

Revisions and Commits

rLIBKLEO Libkleo
rLIBKLEO5b83f59edd19 Don't launch dirmngr if it's disabled
rLIBKLEO77de76019123 Add helper to check if dirmngr is disabled
rLIBKLEO3c5d7b4915bd Don't launch dirmngr if it's disabled
rLIBKLEO04a1abe9e4ac Add helper to check if dirmngr is disabled
rKLEOPATRA Kleopatra
rKLEOPATRA7a2441bdbbdb Don't create progress dialog if no jobs are started
rKLEOPATRAada3423d8465 Handle disabled network access when updating certificates
rKLEOPATRA00f14685d84f Don't try server lookups if dirmngr is disabled
rKLEOPATRA5c0c45d047b9 Don't create progress dialog if no jobs are started
rKLEOPATRA5000152f14ba Handle disabled network access when updating certificates
rKLEOPATRAefd8d84b4b53 Don't try server lookups if dirmngr is disabled
rGPGMEQT Gpgme for Qt
rGPGMEQTd764c5c57973 Don't start dirmngr for WKD lookup if it is disabled for gpg
rGPGMEQT82ad47a35d0f Don't start dirmngr for AD query if it is disabled for gpg and gpgsm

Related Objects

Event Timeline

ebo created this task.Tue, Jun 23, 2:55 PM
ebo created this object with edit policy "Contributor (Project)".
ikloecker added a subscriber: ikloecker.Wed, Jun 24, 9:12 AM

If a general "offline" option is wanted then it has to be in GnuPG. Kleopatra shouldn't mess with the configuration of GnuPG by setting disable-dirmngr for gpg and gpgsm. In any case, in my opinion, such an option deserves a ticket of its own. For this ticket I will only ensure that the disable-dirmngr options are respected by Kleopatra.

ikloecker added a commit: rKLEOPATRAefd8d84b4b53: Don't try server lookups if dirmngr is disabled.Wed, Jun 24, 3:08 PM
ikloecker added a commit: rKLEOPATRA5000152f14ba: Handle disabled network access when updating certificates.
ikloecker added a commit: rKLEOPATRA5c0c45d047b9: Don't create progress dialog if no jobs are started.
ikloecker renamed this task from Draft: Kleopatra: Don't use dirmngr if it has been disabled to Kleopatra: Don't use dirmngr if it has been disabled.Wed, Jun 24, 3:15 PM
ikloecker triaged this task as Normal priority.
ikloecker added a commit: rGPGMEQT82ad47a35d0f: Don't start dirmngr for AD query if it is disabled for gpg and gpgsm.Wed, Jun 24, 3:16 PM
ikloecker added a commit: rGPGMEQTd764c5c57973: Don't start dirmngr for WKD lookup if it is disabled for gpg.
ikloecker changed the task status from Open to Testing.Wed, Jun 24, 3:27 PM
ikloecker claimed this task.
ikloecker moved this task from Backlog to WIP on the gpd5x board.

Fixed.

  • Kleopatra won't start dirmngr on start-up on Windows if dirmngr is disabled for gpg and gpgsm.
  • gpgmeqt's AD query job will fail with "no dirmngr" error if dirmngr is disabled for gpg and gpgsm. Kleopatra ignores this error (after logging it) and will try the next source for prefilling name and email of new certificates.
  • Lookup on server and updating of certificates will give appropriate error messages if dirmngr is disabled for gpg and/or gpgsm.

I haven't touched any other actions that might trigger network access because those use gpg or gpgsm which should fail with an appropriate error if dirmngr is disabled.

The update check uses gpg-agent-connect --dirmngr "loadswdb --force" /bye to check for updates which very likely doesn't check if dirmngr is disabled. Since the update check is disabled for VSD and GPD (?) I chose not to touch the update check.

ikloecker added a commit: rLIBKLEO04a1abe9e4ac: Add helper to check if dirmngr is disabled.Wed, Jun 24, 3:32 PM
ikloecker added a commit: rLIBKLEO3c5d7b4915bd: Don't launch dirmngr if it's disabled.
ikloecker added a commit: rLIBKLEO77de76019123: Add helper to check if dirmngr is disabled.Wed, Jun 24, 3:49 PM
ikloecker added a commit: rLIBKLEO5b83f59edd19: Don't launch dirmngr if it's disabled.
ikloecker added a commit: rKLEOPATRA00f14685d84f: Don't try server lookups if dirmngr is disabled.Wed, Jun 24, 4:30 PM
ikloecker added a commit: rKLEOPATRAada3423d8465: Handle disabled network access when updating certificates.
ikloecker added a commit: rKLEOPATRA7a2441bdbbdb: Don't create progress dialog if no jobs are started.