Bug 322664 - Result of file signature verification is misleading/confusing
Summary: Result of file signature verification is misleading/confusing
Status: REPORTED
Alias: None
Product: kleopatra
Classification: Applications
Component: general
Version: 2.1.1
Platform: Microsoft Windows
: NOR wishlist
Target Milestone: ---
Assignee: kdepim bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-21 21:23 UTC by maddinster
Modified: 2016-09-04 18:42 UTC (History)
3 users

See Also:
Latest Commit:
Version Fixed In:


Attachments

Description maddinster 2013-07-21 21:23:09 UTC
When you check a file that was signed with a key that has a low trust level (like not signed by yourself) you get the following output:
"Not enough information to check signature validity,"
That is not very helpful. It would be nice to know that the signature test was in fact successful but the used key is maybe not trustworthy, and what can be done to change this.

If you check a file that was changed after signing, the certificate suddenly becomes unknown.
"Invalid signature.
Signed with unknown certificate 0x... The signature is bad"
It would be more understandable with a clear statement that the file was not signed with the certificate 0x... of XY.

The German text is even stranger:
"Signatur ungültig.
Signiert mit unbekanntem Zertifikat 0x... Die Signatur ist unbrauchbar."
Unbrauchbar? Why state that the signature is useless? The signature is plain wrong!

It may make sense from a cryptographer's point of view, but this is one of the little hassles that people think about when they say that cryptography is too complicated.

Reproducible: Always

Steps to Reproduce:
1. check file signed with valid but untrusted key
2. look at result
3. edit file and check again
4. look at result again
Comment 1 Tails 2014-09-21 15:00:58 UTC
I'm part of the people developing Tails, a live system for privacy and online anonymity:

https://tails.boum.org/

We recommend Kleopatra for our users to verify our ISO images:

https://tails.boum.org/doc/get/verify_the_iso_image_using_other_operating_systems/

But this message has proven to be very confusing to our users, to the point that we added it to our documentation, explaining that things are actually all right when you get that message.

I agree with maddinster@gmail.com in the sense that this message shouldn't question the signature validity: when it happens the signature is indeed valid. But mention that this is a valid signature by a key which hasn't been verified.

I think that the way to fix this is to get closer to the original GnuPG message, which is more accurate in this case. This could be something like this:

Good signature from "John Doe <john@doe.com>"
Signature made Mon 02 May 2014 00:12:54 CEST
WARNING: This key is not certified with a trusted signature!
                   There is no indication that the signature belongs to the owner.
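Both the report and the Tails comment make the same point: a signature that verifies cryptographically but comes from an uncertified key is a different outcome from a signature that does not verify at all, and the user-facing text should say so. The following is an added example that is not Kleopatra's or GnuPG's own code. It reads the machine-readable status lines GnuPG emits with `--status-fd` (keywords `GOODSIG`, `BADSIG`, `ERRSIG`, `NO_PUBKEY`, `TRUST_*` as documented in GnuPG's doc/DETAILS) and keeps "is the signature good?" and "is the key certified?" as separate facts before rendering a message. The sample status lines, the key ID and the message wording are constructed for the example.

```python
# Added example: interpret GnuPG --status-fd lines into a verdict that keeps
# signature validity (GOODSIG/BADSIG) apart from key certification (TRUST_*).
# Not Kleopatra's or GnuPG's code. Status keywords follow GnuPG's doc/DETAILS;
# the sample streams, key ID and message wording below are constructed.
from dataclasses import dataclass
from typing import Iterable, Optional

STATUS_PREFIX = "[GNUPG:] "

# Validity keywords GnuPG emits after a GOODSIG. Only FULLY/ULTIMATE mean the
# web of trust vouches that the key really belongs to the named user ID.
CERTIFIED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
UNCERTIFIED = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}


@dataclass
class Verdict:
    outcome: str                # "good", "bad", "no-pubkey" or "error"
    certified: Optional[bool]   # key validity; only meaningful when outcome == "good"
    keyid: Optional[str]
    signer: Optional[str]


def parse_status(lines: Iterable[str]) -> Verdict:
    """Fold one --status-fd stream into a Verdict.

    Cryptographic validity and key certification are separate questions;
    the bug report's complaint is that the displayed text blurs them, so
    they are stored in separate fields here.
    """
    outcome: Optional[str] = None
    certified: Optional[bool] = None
    keyid = signer = None
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue                              # ordinary gpg output, not a status line
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        kw = fields[0]
        if kw in ("GOODSIG", "BADSIG"):           # GOODSIG <keyid> <user id>
            outcome = "good" if kw == "GOODSIG" else "bad"
            keyid = fields[1]
            signer = fields[2] if len(fields) > 2 else None
        elif kw == "NO_PUBKEY":                   # NO_PUBKEY <keyid>
            outcome = "no-pubkey"
            keyid = fields[1]
        elif kw == "ERRSIG" and outcome is None:  # ERRSIG <keyid> <pkalgo> <hashalgo> ...
            outcome = "error"
            keyid = fields[1]
        elif kw in CERTIFIED:
            certified = True
        elif kw in UNCERTIFIED:
            certified = False
    return Verdict(outcome or "error", certified, keyid, signer)


def describe(v: Verdict) -> str:
    """Render the verdict the way the bug asks for: state plainly whether the
    signature is good or bad, and report an uncertified key as a separate,
    explained condition rather than as doubt about the signature itself."""
    who = f"{v.signer} ({v.keyid})" if v.signer else f"key {v.keyid}"
    if v.outcome == "bad":
        return (f"BAD signature: the file was NOT signed by {who} in its current "
                f"form. Either it was modified after signing or this signature "
                f"belongs to a different file.")
    if v.outcome == "no-pubkey":
        return (f"Cannot verify: the public key {v.keyid} is not in your keyring, "
                f"so neither the signature nor the signer can be checked.")
    if v.outcome == "good" and v.certified:
        return f"Good signature from {who}. The file is intact and the key is certified."
    if v.outcome == "good":
        return (f"Good signature from {who}: the file is intact and was signed "
                f"with this key. However, the key is not certified, so nothing "
                f"proves it belongs to {v.signer or 'its claimed owner'}. Compare its "
                f"fingerprint with one published out of band, then certify it.")
    return "Verification failed for a reason unrelated to the signature (see gpg output)."


# Constructed status streams for the two situations in the bug report.
UNTRUSTED_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF John Doe <john@doe.com>",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
TAMPERED_FILE = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0123456789ABCDEF John Doe <john@doe.com>",
]

if __name__ == "__main__":
    for stream in (UNTRUSTED_KEY, TAMPERED_FILE):
        print(describe(parse_status(stream)))
```

With the untrusted-key stream the result reads "Good signature ... the key is not certified", and with the tampered-file stream it reads "BAD signature", which is the distinction the original GnuPG output above already makes and the one both posts want surfaced.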