#231 Deficient behaviour of 'Details' button

fixed
nobody
None
1.6.0
Minor
24.2.0
gpg4win 2.2.0
Windows
1.8.0
2015-01-31
2013-12-23
Philj34
No

Some unhelpful comments provided by enigmail when using the 'Details' button for further information. Some options not working in certain cases outlined in attached note -"enigmail bug.txt"

1 Attachments

Related

Bugs: #231

Discussion

  • Hi Phil,

    first of all, thank you very much for your testing and the very detailed bug report!

    I'll comment here inline partly for documentation/debugging and partly for your information.

    The ‘Details’ button, its behaviour and poor information provision.

    This bug is described in successive steps which I hope you will find
    logical. Otherwise it could be split into several smaller bugs.
    (Observed in enigmail 1.6.0 and confirmed in 1.7a1pre)

    When a message is received with part of it signed but the sender’s
    public key is not available in the receiver’s keyring, Thunderbird
    displays a yellow header band with a message generated by Enigmail “Part
    of the message signed; click on ‘Details’ button for more information”.

    Step 1 :

    Clicking on the ‘Details’ button reveals 3 usable options (plus 4 others
    greyed out)(my numbering) : 1. Import Public Key 2. OpenPGP Security
    Info 3. Copy OpenPGP Security Info

    Option 3. does nothing (because nothing to copy ?) Option 2. just shows
    dialog box with ‘unverified signature’. This adds insufficient info for
    the inexperienced user to know how to proceed.

    Suggested remedy :

    • grey out option 3 and just leave the first two options - modify the
      message given by option 2 ‘OpenPGP Security Info’ to say “Unverified
      signature. You need the sender’s public key to verify the signature.”

    I think, we should leave Option 3 and copy your proposed text to the clipboard.

    Step 2 :

    After selecting option 1 and importing the the sender’s public key, the
    import procedure completes with display of an OpenPGP Alert dialog box
    showing details of the imported key. After clicking OK to close this
    box, Thunderbird header changes to blue, enigmail header message changes
    and adds : Key ID: 0xXYXYXYXY / Signed on: 20/12/2013 15.52.

    ‘Details’ button shows 6 usable options : 1. OpenPGP Security Info 2.
    Copy OpenPGP Security Info 3. View Key properties 4. View OpenPGP
    PhotoID 5. Sign Sender’s Key 6. Set Owner trust of sender’s key

    all options work except 3. ‘View Key Properties’ . When this is
    selected, nothing happens not even an error message.

    This is a real programming bug; in the JS error console I get:

    Timestamp: <date-time>
    Error: TypeError: keyListObj.keyList[keyId] is undefined
    Source File: resource://enigmail/commonFuncs.jsm
    Line: 390

    This is because the newly imported key is not available in the enigmail
    key manager until the key cache is reloaded. (key manager/File/reload
    key cache)

    The reload key cache probably cures the results of the above bug.

    Suggested remedy :

    • force a key cache reload after import - alternatively (but a poor
      solution) provide a warning to user to reload key cache after import.

    Automatic is better.

    to provide improved clarity that the signature is message related and
    not key related, modify the second line of enigmail’s header to read :
    “Key ID: 0xXYXYXYXY / message signed on : date-time”

    If you click on the little [+] Box in the top left corner the displayed
    text changes to two lines:

    Part of the message signed; click on 'Details' button for more information
    Key ID: 0xXYXYXYXY / Signed on: <Date-time>
    ^
    Insert "Message"-----+

    Is that what you are suggesting?

    STEP 2A :

    In some cases, when during or after import signature verification fails
    (for some unknown reason), the header bar turns pink/purple and the
    enigmail header message becomes : “Error-signature verification failed;
    click on ‘Details’ button for more information”

    The ‘Details’ button gives the same 6 options : 1. OpenPGP Security Info
    2. Copy OpenPGP Security Info 3. View Key properties 4. View OpenPGP
    PhotoID 5. Sign Sender’s Key 6. Set Owner trust of sender’s key

    but their behaviour is deficient.

    1. gives message “Error - signature verification failed” which adds
      nothing to the user’s experience. 2. copies nothing to the clipboard 3.
      does nothing (unlike STEP 2 above, reloading key cache does not change
      this behaviour. After reloading key cache, the key is displayed in key
      manager) - no warning or error box. 4. is greyed out 5. signing dialog
      is opened but key and fingerprint of sender’s key is blank. 6. trust
      dialog is opened but ‘key to trust’ box is blank.

    Suggested remedy :

    This has only happened to me with one key and I don’t understand yet
    what is wrong with this key so I can’t suggest what additional info
    should be supplied by enigmail. Nor do I know what diagnostic checks
    enigmail makes before determining that signature verification has
    failed.

    Perhaps, when a key signature verification fails

    Just for clarity: This is not a "key signature" which is failing, the
    message signature does not match the message, for whatever reason.
    This happens when either the message or the signature were altered on
    the way between the signing process on the senders computer and your
    verification process. There is nothing that Enigmail can do about it.

    Such a situation is no indication that anything is wrong with the key
    and so there is no need to reimport or abandon the key.

    There are many reasons for technical alteration of messages on the way:
    - Truncation/folding of message/signature lines in the senders mail
    application
    - Truncation/reformatting of message/signature lines in one of the mail
    servers on the way
    - Alteration of message/signature lines in the recipients mail application
    - ...

    Some of the above reasons can be cured by correcting wrong settings
    in the participating mail applications, but this depends on type of message
    and type of mail application.

    You can see, there's no general hint we can give.

    The only option for the user is to contact the message sender and ask him
    to resend the signed message in the hope that the message alteration on
    the way goes away, but it's quite likely that the technical reason on the
    way for the signature mismatch will hit again and produce the same
    situation once more.

    As a summary:

    One nasty bug in enigmail has been identified and has to be corrected. Why copying to the clipboard does not work reliably still has to be identified. Some things in the user interface can be expressed more clearly.

    Thanks again for testing!

    Merry christmas!

    Ludwig

     
    • Philj34
      Philj34
      2013-12-26

      Hi Ludwig,

      I sent you a brief reply a couple days' ago. I've been thinking a bit further on
      the points you raised about my 'STEP 2A'.

      Your comments added to my understanding on the issues and difficulties in
      providing a simple response and for that I thank you. I do however think that
      something needs to be done in that area because what you get when clicking on
      the Details button in this case either add nothing to the neophyte's quest for
      information or just plain do not work.

      I added some comments 'in-line' below.

      Best regards,

      Philip

      On 24/12/2013 12:47, "Ludwig Hügelschäfer" wrote:

      Hi Phil,

      first of all, thank you very much for your testing and the very detailed bug report!

      I'll comment here inline partly for documentation/debugging and partly for your
      information.

      The ‘Details’ button, its behaviour and poor information provision.
      
      This bug is described in successive steps which I hope you will find
      logical. Otherwise it could be split into several smaller bugs.
      (Observed in enigmail 1.6.0 and confirmed in 1.7a1pre)
      
      When a message is received with part of it signed but the sender’s
      public key is not available in the receiver’s keyring, Thunderbird
      displays a yellow header band with a message generated by Enigmail “Part
      of the message signed; click on ‘Details’ button for more information”.
      
      Step 1 :
      
      Clicking on the ‘Details’ button reveals 3 usable options (plus 4 others
      greyed out)(my numbering) : 1. Import Public Key 2. OpenPGP Security
      Info 3. Copy OpenPGP Security Info
      
      Option 3. does nothing (because nothing to copy ?) Option 2. just shows
      dialog box with ‘unverified signature’. This adds insufficient info for
      the inexperienced user to know how to proceed.
      
      Suggested remedy :
      
        * grey out option 3 and just leave the first two options - modify the
          message given by option 2 ‘OpenPGP Security Info’ to say “Unverified
          signature. You need the sender’s public key to verify the signature.”
      

      I think, we should leave Option 3 and copy your proposed text to the clipboard.

      Step 2 :
      
      After selecting option 1 and importing the the senders public key, the
      import procedure completes with display of an OpenPGP Alert dialog box
      showing details of the imported key. After clicking OK to close this
      box, Thunderbird header changes to blue, enigmail header message changes
      and adds : Key ID: 0xXYXYXYXY / Signed on: 20/12/2013 15.52.
      
      Details button shows 6 usable options : 1. OpenPGP Security Info 2.
      Copy OpenPGP Security Info 3. View Key properties 4. View OpenPGP
      PhotoID 5. Sign Senders Key 6. Set Owner trust of senders key
      
      all options work except 3. View Key Properties . When this is
      selected, nothing happens not even an error message.
      

      This is a real programming bug; in the JS error console I get:

      Timestamp:
      Error: TypeError: keyListObj.keyList[keyId] is undefined
      Source File: resource://enigmail/commonFuncs.jsm
      Line: 390

      This is because the newly imported key is not available in the enigmail
      key manager until the key cache is reloaded. (key manager/File/reload
      key cache)
      

      The reload key cache probably cures the results of the above bug.

      Suggested remedy :
      
        * force a key cache reload after import - alternatively (but a poor
          solution) provide a warning to user to reload key cache after import.
      

      Automatic is better.

      to provide improved clarity that the signature is message related and
      not key related, modify the second line of enigmail’s header to read :
      “Key ID: 0xXYXYXYXY / message signed on : date-time”
      

      If you click on the little [+] Box in the top left corner the displayed
      text changes to two lines:

      Part of the message signed; click on 'Details' button for more information
      Key ID: 0xXYXYXYXY / Signed on:
      ^
      Insert "Message"-----+

      Is that what you are suggesting?

      STEP 2A :
      
      In some cases, when during or after import signature verification fails
      (for some unknown reason), the header bar turns pink/purple and the
      enigmail header message becomes : Error-signature verification failed;
      click on Details button for more information
      
      The Details button gives the same 6 options : 1. OpenPGP Security Info
      2. Copy OpenPGP Security Info 3. View Key properties 4. View OpenPGP
      PhotoID 5. Sign Senders Key 6. Set Owner trust of senders key
      
      but their behaviour is deficient.
      
       1. gives message Error - signature verification failed which adds
          nothing to the users experience. 2. copies nothing to the clipboard 3.
          does nothing (unlike STEP 2 above, reloading key cache does not change
          this behaviour. After reloading key cache, the key is displayed in key
          manager) - no warning or error box. 4. is greyed out 5. signing dialog
          is opened but key and fingerprint of senders key is blank. 6. trust
          dialog is opened but key to trust box is blank.
      
      Suggested remedy :
      
      This has only happened to me with one key and I dont understand yet
      what is wrong with this key so I cant suggest what additional info
      should be supplied by enigmail. Nor do I know what diagnostic checks
      enigmail makes before determining that signature verification has
      failed.
      
      Perhaps, when a key signature verification fails
      

      Just for clarity: This is not a "key signature" which is failing, the
      /message signature/ does not match the /message/, for whatever reason.
      This happens when either the message or the signature were altered on
      the way between the signing process on the senders computer and your
      verification process. There is nothing that Enigmail can do about it.

      Such a situation is no indication that anything is wrong with the key
      and so there is no need to reimport or abandon the key.

      There are many reasons for technical alteration of messages on the way:
      - Truncation/folding of message/signature lines in the senders mail
      application
      - Truncation/reformatting of message/signature lines in one of the mail
      servers on the way
      - Alteration of message/signature lines in the recipients mail application
      - ...

      Some of the above reasons can be cured by correcting wrong settings
      in the participating mail applications, but this depends on type of message
      and type of mail application.

      You can see, there's no general hint we can give.

      Thanks for those notes - they help my understanding. However, failure to
      provide further information under this first option of the 'Details' button
      negates the utility of the header message inviting him to 'click on the Details
      button for more information'. In light of your comments, it would seem
      reasonable to suggest that the first option should provide some information
      similar to this :

      "Failure of signature verification is not a comment on the status of the
      sender's key but an indication that the contents of the message when checked are
      not identical to those at the time of signature. There are many possible
      reasons for such a difference to occur. Some would imply sinister
      'man-in-the-middle' attacks but many could be due to technical alterations
      caused by handling in the network paths involved in transmission. An example
      could be the use of html code in the message body."

      Presumably, the 'OpenPGP Alert' would resize to accept a larger message and
      perhaps a link could be supplied to a relevant section in the enigmail manual?

      There is no justification for the other options not working in this case :
      nothing is copied to the clipboard; the 'View key properties' produces nothing
      (not even an error message); signing of the sender's key and changing trust
      levels cannot be completed from the dialog boxes which do open because the key
      details are not included in them.

      The only option for the user is to contact the message sender and ask him
      to resend the signed message in the hope that the message alteration on
      the way goes away, but it's quite likely that the technical reason on the
      way for the signature mismatch will hit again and produce the same
      situation once more.

      As a summary:

      One nasty bug in enigmail has been identified and has to be corrected. Why
      copying to the clipboard does not work reliably still has to be identified. Some
      things in the user interface can be expressed more clearly.

      Thanks again for testing!

      Merry christmas!

      Ludwig


      *[bugs:#231] http://sourceforge.net/p/enigmail/bugs/231/ Deficient behaviour
      of 'Details' button *

      Status: open
      Created: Mon Dec 23, 2013 09:44 PM UTC by Philj34
      Last Updated: Mon Dec 23, 2013 09:44 PM UTC
      Owner: nobody

      Some unhelpful comments provided by enigmail when using the 'Details' button for
      further information. Some options not working in certain cases outlined in
      attached note -"enigmail bug.txt"


      Sent from sourceforge.net because you indicated interest in
      https://sourceforge.net/p/enigmail/bugs/231/

      To unsubscribe from further messages, please visit
      https://sourceforge.net/auth/subscriptions/

       

      Related

      Bugs: #231

      Attachments
  • I fixed a part of this bug: after downloading a key, the key cache is now automatically invalidated, which makes the key properties dialog open correctly.

     
  • I think I fixed displaying the key properties dialog now for all scenarios.

     
    • Philj34
      Philj34
      2014-01-01

      On 31/12/2013 16:38, Patrick Brunschwig wrote:

      I think I fixed displaying the key properties dialog now for all scenarios.

      Windows7-64bit, T'bird 24.2.0 - with latest nightly build (build date:
      2014-01-01, version: 1.7a1pre, git rev: 88b6e2c419b64c2029760da814f671192fa373f)

      The last sender's key for which I get the purple (pink?) header band with
      'Unverified signature' now gives six usable options under the 'Details' button
      and each of these works correctly. Problem seems fixed, thanks.

      The only slightly negative detail, for me, is that in this case, the 'OpenPGP
      Security info' supplied and even copied to the clipboard is of a minimal nature
      (but correct). I would prefer to see a more informative message supplied (as I
      have indicated in previous mails) but I do understand that the message cannot be
      of a definitive nature in this instance.

      Philip


      *[bugs:#231] http://sourceforge.net/p/enigmail/bugs/231/ Deficient behaviour
      of 'Details' button *

      Status: open
      Created: Mon Dec 23, 2013 09:44 PM UTC by Philj34
      Last Updated: Sun Dec 29, 2013 03:51 PM UTC
      Owner: nobody

      Some unhelpful comments provided by enigmail when using the 'Details' button for
      further information. Some options not working in certain cases outlined in
      attached note -"enigmail bug.txt"


      Sent from sourceforge.net because you indicated interest in
      https://sourceforge.net/p/enigmail/bugs/231/

      To unsubscribe from further messages, please visit
      https://sourceforge.net/auth/subscriptions/

       

      Related

      Bugs: #231

      Attachments
      • Shall we close this bug or leave the remaining

        The only slightly negative detail, for me, is that in this case, the 'OpenPGP Security info' supplied and even copied to the clipboard is of a minimal nature (but correct). I would prefer to see a more informative message supplied (as I have indicated in previous mails) (...)

        as an enhancement?

         
  • I prefer to leave it open. In the past, the dialog used to contain more information, and I think that this would still make sense.

     
    • status: open --> fixed
    • Fixed in version: --- --> 1.8.0