phrase "UNTRUSTED good signature" is dangerously misleading

Ximin Luo infinity0 at gmx.com
Sun Jul 14 12:14:16 CEST 2013


On 14/07/13 08:40, Werner Koch wrote:
> On Sun, 14 Jul 2013 06:01, rjh at sixdemonbag.org said:
> 
>> If you want this to happen, the proper way to go forward is to convince
>> the GnuPG developers to change the way GnuPG talks about ownertrust,
>> good signatures versus verified signatures, and so on.  If GnuPG makes
> 
> We already did this many years ago.  Actually I can't find the phrase
> the OP complained about.  Here is an example checking a signature using
> a different account.  The key has been freshly imported:
> 
>   gpg: Signature made Thu Dec 20 20:48:35 2012 CET using RSA key ID 4F25E3B6
>   gpg: Good signature from "Werner Koch (dist sig)"
>   gpg: WARNING: This key is not certified with a trusted signature!
>   gpg:          There is no indication that the signature belongs to the owner.
>   Primary key fingerprint: D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
> 

I can also confirm this; it does indeed appear the bad phrase originates from
Enigmail and not GnuPG, or perhaps something that sits in between the two.

For the GnuPG warning, I think the "This key is not certified with a trusted
signature!" is succinct and technically accurate. However, the follow-up
explanation (and there ought to be a follow-up) could still be confusing to
non-techies, and does not suggest a course of action.

Perhaps something like:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          It may not actually belong to e.g. <first UID>.
gpg:          See keysigning(7) for guidance on how to fix this.

so that it actually communicates to the user it's a problem to be fixed, rather
than an un-actionable warning. It's analogous to certificate warnings in
browsers; I imagine you guys can take some inspiration from those. I would even
go so far as to not exit 0 in this situation, but that might break existing
programs.

X

> It seems that Enigmail creates the string.  Looking at the output of GPA
> gives:
> 
>   |4F25E386|Key NOT valid|Werner Koch (dist sig)|Uncertain signature ...|
>            [orange]
> 
> If the key is valid (trusted), it would be
> 
>   |4F25E386|valid|Werner Koch (dist sig)|Good signature ...|
>            [green]
> 
> GPA uses the GPGME library which provides the needed information.  Thus
> the code is pretty simple:
> 

-- 
GPG: 4096R/5FBBDBCE
https://github.com/infinity0
https://bitbucket.org/infinity0
https://launchpad.net/~infinity0
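The distinction the thread turns on (a "good" signature is only a cryptographic check against some key; whether that key is trusted to belong to the named person is a separate question) is exactly what a front end like Enigmail or GPA has to get right when it turns GnuPG's output into one green/orange label. The following is an added example, not code from GnuPG, GPGME, GPA or Enigmail: it parses the machine-readable `--status-fd` lines GnuPG emits during `--verify` (the `GOODSIG`, `VALIDSIG`, `BADSIG`/`ERRSIG` and `TRUST_*` keywords documented in GnuPG's DETAILS file) and refuses to report "verified" unless the trust line says `TRUST_FULLY` or `TRUST_ULTIMATE`. The sample status lines are constructed to mirror the quoted output above (the long key ID is taken from the fingerprint shown there); treating `TRUST_MARGINAL` as not verified, and the non-zero exit codes for the "good but untrusted" case that the post suggests, are policy choices assumed here, not GnuPG behaviour.

```python
"""Classify GnuPG signature verification from --status-fd output.

Added example for this thread, not GnuPG/GPGME/Enigmail code.  The
point: GOODSIG means the signature is cryptographically valid for *some*
key in the keyring.  Whether that key is trusted to belong to the named
person arrives separately in a TRUST_* line.  A caller that stops at
GOODSIG produces the misleading "good signature" the OP complained about.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy: only full or ultimate ownertrust counts as "verified".
TRUST_OK = {"TRUST_FULLY", "TRUST_ULTIMATE"}
TRUST_LEVELS = TRUST_OK | {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}
# Status keywords that mean the signature itself cannot be accepted.
SIG_PROBLEMS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    good: bool = False                  # GOODSIG seen
    trust: Optional[str] = None         # TRUST_* keyword, if any
    keyid: Optional[str] = None
    uid: Optional[str] = None
    fingerprint: Optional[str] = None   # from VALIDSIG
    problems: List[str] = field(default_factory=list)

    @property
    def verified(self) -> bool:
        """True only when the signature is good AND the key is trusted."""
        return self.good and not self.problems and self.trust in TRUST_OK


def parse_status(lines) -> Verdict:
    """Parse '[GNUPG:] KEYWORD args...' lines; other output is ignored."""
    v = Verdict()
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue                      # human-readable stderr text
        fields = line.split(" ", 3)       # [GNUPG:], keyword, arg1, rest
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword == "GOODSIG":
            v.good = True
            v.keyid = fields[2] if len(fields) > 2 else None
            v.uid = fields[3] if len(fields) > 3 else None
        elif keyword == "VALIDSIG":
            v.fingerprint = fields[2] if len(fields) > 2 else None
        elif keyword in SIG_PROBLEMS:
            v.problems.append(keyword)
        elif keyword in TRUST_LEVELS:
            v.trust = keyword
    return v


def describe(v: Verdict) -> str:
    """Wording in the spirit of the follow-up message proposed above."""
    if v.problems:
        return "BAD: signature not acceptable (%s)" % ", ".join(v.problems)
    if not v.good:
        return "BAD: no good signature found"
    if v.verified:
        return "VERIFIED: good signature from %s" % v.uid
    return ("UNVERIFIED: good signature, but the key is not certified with a "
            "trusted signature; it may not actually belong to %s" % v.uid)


def exit_status(v: Verdict) -> int:
    """Assumed convention: 0 verified, 1 bad, 2 good-but-untrusted."""
    if v.problems or not v.good:
        return 1
    return 0 if v.verified else 2


def run_gpg_verify(sig_path: str, data_path: Optional[str] = None) -> Verdict:
    """Run a real verification; --status-fd 1 puts status lines on stdout."""
    cmd = ["gpg", "--status-fd", "1", "--verify", sig_path]
    if data_path:
        cmd.append(data_path)
    out = subprocess.run(cmd, capture_output=True, text=True)
    return parse_status(out.stdout.splitlines())


# Constructed samples modelled on the quoted gpg output (not real captures).
UNTRUSTED_SAMPLE = [
    "[GNUPG:] SIG_ID constructed/sample/id 2012-12-20 1356032915",
    "[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)",
    "[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2012-12-20 "
    "1356032915 0 4 0 1 10 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
TRUSTED_SAMPLE = [l.replace("TRUST_UNDEFINED", "TRUST_FULLY")
                  for l in UNTRUSTED_SAMPLE]
BADSIG_SAMPLE = ["[GNUPG:] BADSIG 249B39D24F25E3B6 Werner Koch (dist sig)"]

if __name__ == "__main__":
    for sample in (UNTRUSTED_SAMPLE, TRUSTED_SAMPLE, BADSIG_SAMPLE):
        verdict = parse_status(sample)
        print(exit_status(verdict), describe(verdict))
```

The sample runs offline; `run_gpg_verify` is only there to show the real invocation and is not exercised. Note that the orange/green split GPA makes in the quoted table corresponds to `verified` being false or true here, and that a front end which keys its label off `GOODSIG` alone will paint an untrusted key green.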
