Bug 322664

Summary: Result of file signature verification is misleading/confusing
Product: [Applications] kleopatra Reporter: maddinster
Component: generalAssignee: kdepim bugs <kdepim-bugs>
Status: REPORTED ---    
Severity: wishlist CC: foundations, kolAflash, mutz
Priority: NOR    
Version: 2.1.1   
Target Milestone: ---   
Platform: Microsoft Windows   
OS: Microsoft Windows   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description maddinster 2013-07-21 21:23:09 UTC 
When you check a file that was signed with a key that has a low trust level (like not signed by yourself) you get the following output:
"Not enough information to check signature validity,"
That is not very helpful. It would be nice to know, that the signature test was in fact successful but the used key is maybe not trustworthy and what can be done to change this.

If you check a file that was changed after signing the certificate becomes suddenly unknown.
"Invalid signature.
Signed with unknown certificate 0x... The signature is bad"
It would be better understandable with a clear statement, the file was not signed with the certificate 0x... of XY.

The german text is even stranger:
"Signatur ungültig.
Signiert mit unbekanntem Zertifikat 0x... Die Signatur ist unbrauchbar."
Unbrauchbar? Why state that the signature is useless? The signature is plain wrong!

It may make sense from a cryptographers point of view but this is one of the little hassles that people think about when they say that cryptography is too complicated.

Reproducible: Always

Steps to Reproduce:
1. check file signed with valid but untrusted key
2. look at result
3. edit file and check again
4. look at result again
Comment 1 Tails 2014-09-21 15:00:58 UTC 
I'm part of the people developing Tails, a live system for privacy and online anonymity:

https://tails.boum.org/

We recommend Kleopatra for our users to verify our ISO images:

https://tails.boum.org/doc/get/verify_the_iso_image_using_other_operating_systems/

But this message has proven to be very confusion to our users. To the point that we added it to our documentation explaining that things are actually all-right when you get that message.

I agree with maddinster@gmail.com in the sense that this message shouldn't question the signature validity: when it happens the signature is indeed valid. But mention that this is a valid signature by a key which hasn't been verified.

I think that the way to fix this is to get closer to the original GnuPG message, which is more accurate in this case. This could be something link this:

Good signature from "John Doe <john@doe.com>"
Signature made Mon 02 May 2014 00:12:54 CEST
WARNING: This key is not certified with a trusted signature!
                   There is no indication that the signature belongs to the owner.