Kleopatra: add info texts to verification results
Open, NormalPublic

Assigned To
None
Authored By
ebo
Wed, Jul 8, 3:01 PM
Subscribers

Description

Split off from ticket T7786: Kleopatra: improvements of signature verification result messages. This ticket only covers the info/help texts which should be accessible via a button behind the verification result texts. We want the texts accessible for all users.

The text in the info window should be structured into paragraphs, these are below marked by bullet points (for better visibility only).

Case certificate for the signature is not available
  • The signing certificate is not present in your certificate list, but it is needed to verify the data.
  • What can be done: Ask the sender for the certificate or import it from a file or a keyserver. Then verify the data again.
The signature does not match (“Bad signature”)
  • The data or the signature has been altered. This can happen accidentally (e.g. due to a transmission error), unintentionally (e.g. due to a subsequent change to the data, possibly by an email client), or intentionally (deliberate manipulation).
  • What can be done: Ask the sender to resend the data.
The signature certificate has been revoked
  • The certificate may have been revoked because it was compromised and it might now be used by a third party. The data can therefore not be trusted. Technically, signature and data match.
  • It is possible that you received the data at a time when the certificate was still valid and trusted. If this is the case, the data may be valid.
  • What can be done: If in doubt, contact the signer to clarify the situation and, if necessary, ask them to resend the data signed with a current certificate.
The signature certificate has expired
  • For an expired certificate, it cannot be evaluated whether the certificate can be trusted. Therefore the data cannot be trusted. Technically, signature and data match.
  • If the certificate was valid and trusted when you received the data, the data is likely valid.
  • What can be done:

SMIME: If in doubt, contact the signer to clarify the situation and, if necessary, ask them to resend the data with a current certificate.
OPENPGP: You can look for an updated certificate on a keyserver, or ask the sender for it, then verify the data again after importing the certificate.

The signing certificate is not trusted
  • Technically, signature and data match, but the signing certificate is not marked as trusted. Therefore the data cannot be trusted to originate from the stated source.
  • What can be done: Verify the certificate’s [fingerprint and certify it | Root-CA fingerprint and trust it]. Then verify the data again.
The signature is not VS-NfD compliant / NATO restricted compliant

The signature was not created with a VS-NfD compliant certificate. It must not be used for classified information, but it is acceptable for non-classified use.

The signature is VS-NfD compliant / NATO restricted compliant

The algorithm of the certificate used for the signature is VS-NfD compliant.