Bug 708640 - Please warn when signatures are valid but untrusted
Status: RESOLVED FIXED
Product: seahorse-plugins
Classification: Applications
Component: Nautilus
unspecified
Other Windows
: Normal normal
: ---
Assigned To: seahorse-plugins-maint
seahorse-plugins-maint
Depends on:
Blocks:
 
 
Reported: 2013-09-23 16:23 UTC by Jérémy Bobbio
Modified: 2016-08-02 15:17 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Naive implementation (933 bytes, patch)
2013-09-23 16:23 UTC, Jérémy Bobbio
committed

Description Jérémy Bobbio 2013-09-23 16:23:02 UTC
Created attachment 255584
Naive implementation

When verifying a signature, seahorse-tool currently behaves just the same whether the signing key is trusted or not. Given that only the uid of the key is given in the notification, this opens the door to some attacks.

It would be better if the notification could be different. Ideally, when
the signing key is not trusted, its fingerprint should be displayed, just
like `gpg --verify` does.

The attached patch displays two different messages depending on the validity
level of the signing key.
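
An added example (not the attached patch and not seahorse-plugins code) of the distinction requested above: it parses GnuPG `--status-fd` lines and puts the key fingerprint in the message when the signature is valid but the key is not fully trusted. The sample status text, the `classify_status` name, and the policy of treating only `TRUST_FULLY` and `TRUST_ULTIMATE` as trusted are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

enum sig_result { SIG_NONE, SIG_BAD, SIG_GOOD_UNTRUSTED, SIG_GOOD_TRUSTED };

/* Constructed sample status output (key id, uid and fingerprint are made up). */
#define FPR "0123456789ABCDEF0123456789ABCDEF01234567"
static const char SAMPLE_UNTRUSTED[] =
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Example <alice@example.org>\n"
    "[GNUPG:] VALIDSIG " FPR " 2013-09-23 1379953382 0 4 0 1 2 00 " FPR "\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n";
static const char SAMPLE_TRUSTED[] =
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Example <alice@example.org>\n"
    "[GNUPG:] VALIDSIG " FPR " 2013-09-23 1379953382 0 4 0 1 2 00 " FPR "\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n";

/* Classify the status lines of one signature and build the notification text.
 * Assumed policy: only TRUST_FULLY / TRUST_ULTIMATE count as trusted, and a
 * missing TRUST_* line is treated as untrusted (fail closed). */
enum sig_result classify_status(const char *status, char *msg, size_t len)
{
    char line[512], uid[256] = "", fpr[64] = "";
    int good = 0, bad = 0, trusted = 0;

    for (const char *p = status; *p; ) {
        size_t n = strcspn(p, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, p);
        p += n + (p[n] == '\n');
        /* Only machine-readable status lines are considered. */
        if (strncmp(line, "[GNUPG:] ", 9) != 0) continue;
        const char *s = line + 9;
        if (sscanf(s, "GOODSIG %*s %255[^\n]", uid) == 1) good = 1;
        else if (strncmp(s, "BADSIG ", 7) == 0) bad = 1;
        else if (strncmp(s, "VALIDSIG ", 9) == 0) sscanf(s + 9, "%63s", fpr);
        else if (!strncmp(s, "TRUST_FULLY", 11) || !strncmp(s, "TRUST_ULTIMATE", 14))
            trusted = 1;
    }
    if (bad) { snprintf(msg, len, "Bad signature"); return SIG_BAD; }
    if (!good || !fpr[0]) { snprintf(msg, len, "No valid signature"); return SIG_NONE; }
    if (trusted) { snprintf(msg, len, "Good signature from %s", uid); return SIG_GOOD_TRUSTED; }
    /* Valid but untrusted: show the fingerprint so the user can check the key. */
    snprintf(msg, len, "Valid but untrusted signature from %s\nKey fingerprint: %s", uid, fpr);
    return SIG_GOOD_UNTRUSTED;
}

int main(void)
{
    char msg[512];
    classify_status(SAMPLE_UNTRUSTED, msg, sizeof msg);
    puts(msg);
    return 0;
}
```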