Re: [Tails-dev] [review'n'merge:1.1] feature/6608-OpenPGP-si…

Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] [review'n'merge:1.1] feature/6608-OpenPGP-signature-verification-in-Nautilus
Hi,

tl;dr: none of the use cases that fail with the proposed branch work in
Tails 1.0 either, so I think this branch can be merged as-is — it only
brings the expected improvements, and nothing more.

anonym wrote (25 Apr 2014 14:04:44 GMT) :
> I tested it, and with the new shared-mime-info nautilus can verify .sig
> files generated with `--detach-sign` without issue. Public key and
> symmetrically encrypted files (both .gpg) also decrypt successfully.


> However, it gets confused with gpg's default file extensions for other
> types of signatures:


> * `--clearsign` creates a .asc file which nautilus associates with
> "Import Key" which fails with "Import Failed: Keys were found but not
> imported".


That's expected: Seahorse does not know how to check inline
signatures, and this was not covered by Lunar's work.

Clearsign .asc:

  - Tails 1.0: "Verify signature" in the Nautilus menu => "Couldn't
    verify file: bla.txt.asc", "No valid signatures found".


  - feature/6608-OpenPGP-signature-verification-in-Nautilus +
    shared-mime-info 1.2: I confirm it wrongly says "Import key", and
    (rightfully) fails.


  - feature/6608-OpenPGP-signature-verification-in-Nautilus +
    shared-mime-info 1.3: not recognized as a signature (default
    application = gedit). That's thanks to Lunar fixing
    https://bugs.freedesktop.org/show_bug.cgi?id=70539 in s-m-i 1.3.


Renamed to .sig:

  - Tails 1.0: "Verify signature" in the Nautilus menu => "Couldn't
    verify file: bla.txt.asc", "No valid signatures found".


  - feature/6608-OpenPGP-signature-verification-in-Nautilus +
    shared-mime-info 1.2: I confirm it pretends it's not
    a valid signature.


  - feature/6608-OpenPGP-signature-verification-in-Nautilus +
    shared-mime-info 1.3: it pretends it's not a valid signature.


> * `--sign` creates a .gpg file which nautilus associates with "Decrypt
> File" which fails with "Couldn't decrypt file: <file>: No data".


That's expected too: Seahorse does not know how to check inline
signatures, and this was not covered by Lunar's work.

Binary signature .gpg:

  - Tails 1.0: "Decrypt file" in the Nautilus menu => "No data".

  - feature/6608-OpenPGP-signature-verification-in-Nautilus +
    shared-mime-info 1.2: "Decrypt file" in the Nautilus menu (wrong)
    => (rightfully) fails.


  - feature/6608-OpenPGP-signature-verification-in-Nautilus +
    shared-mime-info 1.3: "Decrypt file" in the Nautilus menu (wrong)
    => (rightfully) fails.


Renamed to .sig:

  - Tails 1.0: "Verify signature" in the Nautilus menu => "Couldn't
    verify file: bla.txt.sig", "No valid signatures found".


  - feature/6608-OpenPGP-signature-verification-in-Nautilus +
    shared-mime-info 1.2: I confirm it pretends it's not
    a valid signature.


  - feature/6608-OpenPGP-signature-verification-in-Nautilus +
    shared-mime-info 1.3: it still pretends it's not
    a valid signature.


> Renaming them to .sig throws the error "Couldn't verify file: <file>: No
> valid signatures found".


See test results above.

> Lastly, it cannot import keys exported without `--armor`; a dialog
> titled "Importing" is shown, with a progress bar that never advances. At
> least it can be closed with the "Cancel" button.


I get:

  - Tails 1.0: no Seahorse entry in the right-click menu, that is it
    is not recognized as a key. Trying to import with Seahorse
    directly => "Invalid file format".


  - feature/6608-OpenPGP-signature-verification-in-Nautilus +
    shared-mime-info 1.2: I get "The file is of an unknown type"
    instead of what anonym reported.


  - feature/6608-OpenPGP-signature-verification-in-Nautilus +
    shared-mime-info 1.3: Nautilus offers to open this file
    with... Archive manager :]


So, no regressions AFAICT, but rather a bunch of missing features.
I don't think we care enough about these features to report wishlist
tickets upstream, that I don't expect to be acted upon unless we
provide patches. Thoughts?

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
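
The file kinds tested in this thread can be told apart by content rather than by extension. The following is an added example, not part of the original message and not code from Tails, Seahorse or shared-mime-info: it reads the ASCII-armor header line or the first binary packet tag as defined in RFC 4880. The function names, kind labels and sample bytes are constructed for illustration.

```python
# Added example (not Tails/Seahorse/shared-mime-info code): classify OpenPGP
# data by its content, per RFC 4880, instead of by file extension.

ARMOR = {  # ASCII-armor header line -> kind
    b"-----BEGIN PGP SIGNED MESSAGE-----": "inline-signed",      # --clearsign
    b"-----BEGIN PGP SIGNATURE-----": "detached-signature",
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----": "public-key",
    b"-----BEGIN PGP MESSAGE-----": "message",  # armor hides encrypted vs signed
}

TAGS = {  # tag of the first binary packet -> kind
    1: "encrypted",           # public-key encrypted session key
    2: "detached-signature",  # --detach-sign
    3: "encrypted",           # symmetric-key encrypted session key
    4: "inline-signed",       # one-pass signature: --sign without compression
    6: "public-key",          # --export without --armor
    8: "compressed",          # --sign compresses by default; payload not visible
}

def first_packet_tag(data):
    """Return the packet tag encoded in the first header octet, or None."""
    if not data or not data[0] & 0x80:   # bit 7 is set in every packet header
        return None
    if data[0] & 0x40:                   # new-format header: tag in bits 5-0
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F         # old-format header: tag in bits 5-2

def classify(data):
    head = data.lstrip()
    for marker, kind in ARMOR.items():
        if head.startswith(marker):
            return kind
    return TAGS.get(first_packet_tag(data), "unknown")

# Constructed samples: only the leading bytes of each kind of file.
SAMPLES = {
    "bla.txt.asc (--clearsign)": b"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n",
    "bla.txt.sig (--detach-sign)": b"\x89\x01\x1c\x04\x00",
    "bla.txt.gpg (--sign)": b"\xa3\x01\x5b",
    "bla.txt.gpg (--symmetric)": b"\x8c\x0d\x04",
    "key.gpg (--export)": b"\x99\x01\x0d\x04",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:30} -> {classify(data)}")
```

The two .gpg samples get different answers although they share an extension. A compressed first packet does not show whether the data inside is signed, so a content sniffer that does not inflate it cannot tell.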