
Unify signing procedure
Reported by steve | November 2nd, 2014 @ 12:03 PM | in 1.4.3 (closed)
We offer three ways to sign a key:
- right click "Sign..."
- top menu > Key > Sign...
- Double click key > Key Inspector > UserIDs > Cogwheel > Sign...
Currently: the way signatures are done differs, which leads to user confusion and makes understanding signatures very difficult.
When taking route 3, users sign single User IDs, while routes 1 and 2 sign the entire key.
Expected: Route 3 is fine. Route 1 and 2 should also offer the option to only sign a single User ID (which should be the default). If users verify something, the level they check is often very shallow and thus the signature should only verify a single User ID. That way we increase the level of certainty that the verifying person indeed can verify the User ID in question.
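The difference between the routes shows up in a key listing, because each certification is attached to one User ID. The following is an added example, not part of the ticket or of GPG Keychain's code: it reads the colon-delimited listing that `gpg --with-colons --check-sigs` produces and reports which User IDs carry a good third-party certification. The sample listing, key IDs and names are constructed, and the parser assumes a listing of a single key.

```python
import re

# Constructed sample of `gpg --with-colons --check-sigs` output for one key.
# All key IDs, hashes and names are made up for this example.
SAMPLE = """\
pub:f:4096:1:1111111111111111:1500000000:::-:::scESC:
uid:f::::1500000000::AAAA::Alice Example <alice@example.org>:
sig:!::1:1111111111111111:1500000000::::Alice Example <alice@example.org>:13x:::::8:
sig:!::1:2222222222222222:1510000000::::Bob Signer <bob@example.org>:10x:::::8:
uid:f::::1500000000::BBBB::Alice Example <alice@work.example>:
sig:!::1:1111111111111111:1500000000::::Alice Example <alice@work.example>:13x:::::8:
sig:-::1:4444444444444444:1520000000::::Carol Example <carol@example.net>:10x:::::8:
sub:f:4096:1:3333333333333333:1500000000::::::e:
sig:!::1:1111111111111111:1500000000::::Alice Example <alice@example.org>:18x:::::8:
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP User ID certification types 0x10-0x13


def unescape(field):
    """Undo gpg's C-style escaping (for example \\x3a for ':') in a colon-listing field."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)


def third_party_certs(listing):
    """Map each User ID to the key IDs, other than the key itself, with a good certification on it."""
    certs, primary, uid = {}, None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary, uid = f[4], None
        elif f[0] == "uid":
            uid = unescape(f[9])
            certs[uid] = set()
        elif f[0] in ("sub", "uat"):
            uid = None  # signatures that follow belong to a subkey or photo ID
        elif f[0] == "sig" and uid is not None and len(f) > 10:
            good = f[1] == "!"  # --check-sigs marks a verified signature with '!'
            if good and f[10][:2] in CERT_CLASSES and f[4] != primary:
                certs[uid].add(f[4])
    return certs


def uids_not_certified_by(listing, signer_keyid):
    """User IDs of the listed key that signer_keyid has not certified."""
    return [u for u, signers in third_party_certs(listing).items() if signer_keyid not in signers]


if __name__ == "__main__":
    for uid, signers in third_party_certs(SAMPLE).items():
        print(uid, sorted(signers))
```

In the constructed listing, key 2222222222222222 has certified only the first User ID; self-signatures, the subkey binding signature and the signature that failed verification are not counted.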
Comments and changes to this ticket
-
steve June 21st, 2017 @ 02:33 PM
- State changed from new to started
- Assigned user set to Mento
- Milestone set to 1.4
-
steve December 14th, 2017 @ 07:32 PM
- Milestone changed from 1.4.1 to 1.4.2
-
steve December 22nd, 2017 @ 10:04 PM
- Milestone cleared.
-
Support January 9th, 2018 @ 12:17 PM
- State changed from started to fixed
- Milestone set to 1.4.3
(from [b354238854cd74580de6592e3ade02ef5c7597ce]) Unify signing procedure
[#282 state:fixed milestone:1.4.3] https://github.com/GPGTools/GPGKeychainAccess/commit/b354238854cd74...
-
Helmut K. C. Tessarek February 2nd, 2018 @ 01:19 AM
If somebody wants to sign a key, the entire key should be signed by default. That is what key signing is - in reality it is certification, since you need the "certify" capability and not the "sign" capability.
The other "signing" purpose is signing a user id. Those are 2 different things. If you select a key to sign, the action should be to sign a key.
If you select a userid to sign, the action should be to sign the user id. Why would you ever want to change this?
Over the years this GUI has become more and more a tool for absolute beginners. This also led to the problem that intuitive and logical features were removed or changed to a point where it actually makes no sense anymore.
It makes no sense to dumb down this tool to the point where it is unusable for people who actually know how gpg works. I cannot even create a key where the master/main key only has the "certify" capability. When adding an image to the key, the GUI scales down the image to a pretty bad quality and it does this without my approval. Why? I mean, if I want to add an image in a certain quality and size, the GUI shouldn't do stuff that I didn't ask it to do.
I could point out a few more things which are wrong with the GUI. (e.g. inconsistent and wrong capability classification, no indication of stripped keys, ...) I'm more than happy to discuss these issues in a new ticket.
-
steve February 26th, 2018 @ 10:54 AM
You can always tick all User IDs if you want to sign them all. Most users do not thoroughly check all User IDs when signing a key, so we decided to change the behavior in favor of raising incentives to properly check the key before blindly signing an entire key.
This ticket is not a good place to discuss design decisions concerning completely other parts of the software. You know you can always open a discussion on our support platform for that and you are welcome to do so: https://gpgtools.tenderapp.com/
-
steve March 5th, 2018 @ 03:30 PM
- State changed from fixed to verified
macOS 10.13.3
GPG Suite 2103n
verified