gpg: unhelpful messages?

Neal H. Walfield neal at walfield.org
Mon Aug 29 13:22:52 CEST 2016


Hi,

While doing some unrelated development / testing, it occurred to me
that the following message is rather misleading:

  # gpg --verify FILE
  gpg: Signature made Wed 24 Aug 2016 01:49:53 PM CEST
  gpg:                using RSA key 7223B56678E02528
  gpg: Good signature from "Neal H. Walfield <neal at walfield.org>" [unknown]
  gpg:                 aka "Neal H. Walfield <neal at gnupg.org>" [unknown]
  gpg:                 aka "Neal H. Walfield <neal at g10code.com>" [unknown]
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 8F17 7771 18A3 3DDA 9BA4  8E62 AACB 3243 6300 52D9
       Subkey fingerprint: C03F A641 1B03 AE12 5764  6118 7223 B566 78E0 2528

I think there are two problems with the above message.


First, gpg says: "Good signature from USERID".  The good signature is
from the key, not the user id.  Anyone can create a key and specify
any user id that she wants.  Only if the USERID / KEY binding has been
somehow verified should we say Good signature.  Otherwise, we should
say something along the lines of:

  Good signature from KEY allegedly controlled by USERID [unknown]

or the slightly shorter:

  Good signature from KEY with the moniker USERID [unknown]

These are more accurate and only slightly more verbose than the status
quo.

Now, it is true that there is a warning, which contradicts the previous
text, but understanding it requires understanding what a "trusted
signature" is.  I think anyone who understands what a trusted
signature is also understands what "good signature ... [unknown]"
means and hence the warning is completely useless.


Second, the warning says: "There is no indication that the signature
belongs to the owner."  Whereas my previous critique is based on the
reliance on jargon, this phrase is just technically false.  If the
signature is valid, then it definitely belongs to the owner.  The
question is whether the owner is actually who the user thinks she is.


I mentioned these issues to Werner on gnupg-devel and he said:

  1. People complain about the TOFU messages being too verbose.

  2. No one has complained about the above messages in the past 25
     years.

  3. gpg is just for geeks and as such the interface can use lots of
     jargon and users can be expected to look up these terms.

I agree with #1 and would like to find a UX person to help communicate
the problem more succinctly, but disagree with #2 and #3.

I'm curious to what degree others agree or disagree with the above.  I
personally think it is worth investing some time to improve gpg's
command line UI even if it is only for geeks, particularly because it
is the geeks who implement the other UIs and take cues from gpg's UI.

:) Neal
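
The distinction drawn in the message above (a valid signature comes from a key, while the user ID is only a claim until the binding is verified), shown as an added example that is not part of the original mail or of GnuPG. It reads the machine-readable lines that `gpg --status-fd` emits; the sample lines are constructed from the values in the output quoted above, the function names are hypothetical, and a single signature per input is assumed.

```python
# Added example: keep "the signature is cryptographically valid" separate
# from "the user ID is verified to belong to the key".
VERIFIED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
LABEL = {"TRUST_UNDEFINED": "unknown", "TRUST_NEVER": "never",
         "TRUST_MARGINAL": "marginal", "TRUST_FULLY": "full",
         "TRUST_ULTIMATE": "ultimate"}

# Constructed status lines modelled on the verification quoted in the mail.
SAMPLE = (
    "[GNUPG:] GOODSIG 7223B56678E02528 Neal H. Walfield <neal at walfield.org>\n"
    "[GNUPG:] VALIDSIG C03FA6411B03AE12576461187223B56678E02528 2016-08-24 "
    "1472039393 0 4 0 1 8 00 8F17777118A33DDA9BA48E62AACB3243630052D9\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)

def parse_status(text):
    """Collect key facts (from VALIDSIG) and the claimed user ID (GOODSIG)."""
    r = {"valid": False, "bad": False, "signing_fpr": None,
         "primary_fpr": None, "claimed_uid": None, "trust": None}
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        kw, args = fields[1], fields[2:]
        if kw == "GOODSIG" and len(args) >= 2:
            # Everything after the key ID is the self-asserted user ID.
            r["claimed_uid"] = line.split(" ", 3)[3]
        elif kw == "VALIDSIG" and len(args) >= 10:
            r["valid"] = True
            r["signing_fpr"], r["primary_fpr"] = args[0], args[9]
        elif kw in ("BADSIG", "ERRSIG"):
            r["bad"] = True
        elif kw in LABEL:
            r["trust"] = kw
    r["valid"] = r["valid"] and not r["bad"]
    return r

def binding_verified(r):
    """True only when gpg reports the user ID / key binding as valid."""
    return r["valid"] and r["trust"] in VERIFIED

def describe(r):
    """Render the result using the wording proposed in the mail."""
    if not r["valid"]:
        return "No valid signature"
    if binding_verified(r):
        return f'Good signature from "{r["claimed_uid"]}"'
    label = LABEL.get(r["trust"], "unknown")
    return (f'Good signature from key {r["primary_fpr"]} '
            f'allegedly controlled by "{r["claimed_uid"]}" [{label}]')
```

A script that acts on verification results should branch on `binding_verified()` (or compare `primary_fpr` with a fingerprint obtained out of band) rather than on the presence of the text "Good signature".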


