phrase "UNTRUSTED good signature" is dangerously misleading

Ximin Luo infinity0 at gmx.com
Sun Jul 14 13:04:39 CEST 2013


On 14/07/13 11:14, Ximin Luo wrote:
> On 14/07/13 08:40, Werner Koch wrote:
>> On Sun, 14 Jul 2013 06:01, rjh at sixdemonbag.org said:
>>
>>> If you want this to happen, the proper way to go forward is to convince
>>> the GnuPG developers to change the way GnuPG talks about ownertrust,
>>> good signatures versus verified signatures, and so on.  If GnuPG makes
>>
>> We already did this many years ago.  Actually I can't find the phrase
>> the OP complained about.  Here is an example checking a signature using
>> a different account.  The key has been freshly imported:
>>
>>   gpg: Signature made Thu Dec 20 20:48:35 2012 CET using RSA key ID 4F25E3B6
>>   gpg: Good signature from "Werner Koch (dist sig)"
>>   gpg: WARNING: This key is not certified with a trusted signature!
>>   gpg:          There is no indication that the signature belongs to the owner.
>>   Primary key fingerprint: D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
>>
> 
> I can also confirm this; it does indeed appear the bad phrase originates from
> Enigmail and not GnuPG, or perhaps something that sits in between the two.
> 

I've filed a bug to Enigmail:
https://sourceforge.net/p/enigmail/bugs/158/

> For the GnuPG warning, I think the "This key is not certified with a trusted
> signature!" is succinct and technically accurate. However the follow-up
> explanation (and there ought to be a follow-up) could still be confusing to
> non-techies, and does not suggest a course of action.
> 
> Perhaps something like:
> 
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          It may not actually belong to e.g. <first UID>.
> gpg:          See keysigning(7) for guidance on how to fix this.
> 

Actually, probably better to point to the gnupg-doc instead of writing a new
man page.

/usr/share/doc/gnupg-doc/mini-HOWTO/GPGMiniHowto-3.html#ss3.6

is quite nice and short but still quite jargon-heavy IMO. Also this is
completely wrong:

"Ownertrust is a value that the owner of a key uses to determine the level of
trust for a certain key."

Ownertrust is the level of trust[1] that the local GnuPG instance has in a key.
A *trust signature* is what the owner of that signature/key uses to comment on
their level of trust[1] for a certain other key.

[1] specifically certification-trust as termed by Hauke Laging in a previous post

I will send in a patch when I get some time.

> so that it actually communicates to the user it's a problem to be fixed, rather
> than an un-actionable warning. It's analogous to certificate warnings in
> browsers; I imagine you guys can take some inspiration from those. I would even
> go so far as to not exit 0 in this situation, but that might break existing
> programs.


-- 
GPG: 4096R/5FBBDBCE
https://github.com/infinity0
https://bitbucket.org/infinity0
https://launchpad.net/~infinity0
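As an added example that is not part of this thread and not GnuPG's or Enigmail's own code: a script that consumes gpg's machine-readable `--status-fd` lines instead of the human-readable "Good signature" text discussed above, and treats "crypto check passed" and "key is valid according to the local trust database" as two separate questions. The sample transcripts are constructed from the key ID and fingerprint in Werner's quoted output; the `0 pgp` suffix on the TRUST_* line is the gpg 2.1 form, and the parser only looks at the keyword so older forms classify the same way. The `verify_with_gpg` wrapper, the `classify` function and its `minimum` parameter are this example's own names, not a GnuPG API.

```python
"""Classify a gpg --status-fd transcript: good signature vs. trusted key.

Added example. The [GNUPG:] keywords below (GOODSIG, BADSIG, VALIDSIG,
TRUST_*) are gpg's documented status-fd output; everything else is this
script's own naming.
"""
import subprocess
from typing import Iterable, Optional

STATUS_PREFIX = "[GNUPG:] "

# Key-validity keywords gpg emits after a signature check, weakest first.
TRUST_RANK = {
    "TRUST_UNDEFINED": 0,
    "TRUST_NEVER": 0,       # rejected unconditionally below
    "TRUST_MARGINAL": 1,
    "TRUST_FULLY": 2,
    "TRUST_ULTIMATE": 3,
}

# Status words that mean the signature itself must not be accepted.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def classify(status_lines: Iterable[str], minimum: str = "TRUST_FULLY") -> dict:
    """Reduce a --status-fd transcript to one verdict.

    'good' is the cryptographic check; 'trust' is the TRUST_* keyword gpg
    derived from ownertrust and certifications; 'accepted' requires both,
    with the key's validity at least `minimum` and never TRUST_NEVER.
    """
    good = False
    fatal = False
    trust: Optional[str] = None
    fingerprint: Optional[str] = None
    for raw in status_lines:
        line = raw.rstrip("\r\n")
        if not line.startswith(STATUS_PREFIX):
            continue                      # human-readable chatter: never parse it
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "GOODSIG":
            good = True
        elif keyword in FATAL:
            fatal = True
        elif keyword == "VALIDSIG" and len(fields) > 1:
            fingerprint = fields[1]       # full fingerprint, not the short key ID
        elif keyword in TRUST_RANK:
            trust = keyword
    good = good and not fatal
    accepted = (good and trust is not None and trust != "TRUST_NEVER"
                and TRUST_RANK[trust] >= TRUST_RANK[minimum])
    if not good:
        reason = "signature did not verify"
    elif trust is None:
        reason = "no TRUST_* line: signature verified but key validity unknown"
    elif not accepted:
        reason = f"key validity {trust} is below required {minimum}"
    else:
        reason = "good signature from a key the local trust db considers valid"
    return {"good": good, "trust": trust, "fingerprint": fingerprint,
            "accepted": accepted, "reason": reason}


def verify_with_gpg(signature_path: str, data_path: str,
                    minimum: str = "TRUST_FULLY") -> dict:
    """Run gpg with status on stdout (human text stays on stderr) and classify.

    Needs a gpg binary; the constructed samples below do not call this.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False)
    return classify(proc.stdout.splitlines(), minimum)


# Constructed transcript of the situation in the quoted example: the key was
# just imported, so the crypto check passes but the trust database says nothing
# (stderr shown merged in, to demonstrate that it is ignored).
SAMPLE_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)
[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2012-12-20 1356032915 0 4 0 1 2 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
[GNUPG:] TRUST_UNDEFINED 0 pgp
gpg: WARNING: This key is not certified with a trusted signature!
""".splitlines()

# Same key after the local user has certified it / set ownertrust (constructed).
SAMPLE_TRUSTED = [l.replace("TRUST_UNDEFINED", "TRUST_FULLY") for l in SAMPLE_UNTRUSTED]

# Tampered data (constructed): the crypto check itself fails.
SAMPLE_BAD = ["[GNUPG:] BADSIG 249B39D24F25E3B6 Werner Koch (dist sig)"]


if __name__ == "__main__":
    import sys
    verdict = classify(sys.stdin)          # e.g. gpg --status-fd 1 --verify ... | python3 this.py
    print(verdict["reason"])
    sys.exit(0 if verdict["accepted"] else 1)   # non-zero for untrusted, as the post suggests
```

Feeding it `gpg --batch --status-fd 1 --verify file.sig file` gives an exit status that distinguishes the "good but uncertified" case from a genuinely trusted signature, which is the behaviour the post argues gpg itself cannot adopt without breaking callers.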
