Bug 708640 – Please warn when signatures are valid but untrusted

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 708640 - Please warn when signatures are valid but untrusted


Summary:	Please warn when signatures are valid but untrusted


Status:	RESOLVED FIXED

Product:	seahorse-plugins
Classification:	Applications
Component:	Nautilus
Version:	unspecified
Hardware:	Other Windows

Importance:	Normal normal
Target Milestone:	---
Assigned To:	seahorse-plugins-maint
QA Contact:	seahorse-plugins-maint

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2013-09-23 16:23 UTC by Jérémy Bobbio
Modified:	2016-08-02 15:17 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
Naive implementation (933 bytes, patch) 2013-09-23 16:23 UTC, Jérémy Bobbio	committed	Details \| Review

Description Jérémy Bobbio 2013-09-23 16:23:02 UTC

Created attachment 255584 [details] [review]
Naive implementation

When verifying a signature seahorse-tool currently behave just the same if the signing key is trusted or not. Given that the only the uid of the key is given in the notification, this opens the door to some attacks.

It would be better if the notification could be different. Ideally, when
the signing key is not trusted, its fingerprint should be displayed, just
like `gpg --verify` does.

The attached patch display two different messages depending on the validity
level of the signing key.