Signature creation date not shown

Mark Foster's Avatar

Mark Foster

10 Jun, 2020 08:08 PM

Which of our tools is giving you problems? GPG Services

Attach a screenshot of the version info for all installed components (how to: https://gpgtools.tenderapp.com/kb/faq/where-can-i-find-version-info...): Attached.

Describe your problem. Add as much detail as possible. When verifying a signature using the GPGMail plugin the signature creation date is shown. See screenshot.
When verifying the same signature using GPGServices the creation date is NOT shown. See screenshot.

If this is intentional, could you please say why?
Could you please add this important piece of information to the verification dialog?

What did you expect instead I expected to see the same information as provided by the plugin.

Describe steps leading to the problem. Select any signed text and verify signature of selection from services menu.

Are you using any other Mail.app plugins? No.

Thank you for your attention.

  1. Support Staff 1 Posted by Steve on 12 Jun, 2020 11:35 PM

    Steve's Avatar

    HI Mark,

    thanks for bringing up this request.

    Just to be sure I understand it correctly: the first verification result is from GPG Mail and the second from GPG Services?

    As you probably know, we have just revamped the dialogs for GPG Services and added support for system notifications. So what we did for the new GPG Services dialogs, is to adapt the information we had in the old dialogs and re-design them so they look less confusing and we prevent the dialog clutter that was the old GPG Services.

    So in that regard no information should be lost. But I understand your request to add the information when the signature was created. Out of curiosity, can you share your specific use case for this information?

    Best,
    Steve

  2. 2 Posted by Mark Foster on 13 Jun, 2020 10:38 AM

    Mark Foster's Avatar

    Hi Steve,

    Thank you for getting back to me.

    You understand correctly; the first screenshot - the larger one with the certificate logo is as displayed by the GPGMail plugin. The second, smaller one with the cog/gearwheel is as displayed by GPG Services.

    I did see in the release notes for 2020.1 that you are now using the system notifications framework. I do not, however, see any difference in the output content between this version and 2019.2. As far as I can remember the signature creation date has never appeared in the dialog produced by the services verification.

    To add: Using gpg command line to verify the same signature also provides the signature creation date ...

    shell> gpg --verify csirt.txt
    gpg: Signature made Thu 28 May 08:21:02 2020 BST
    gpg: using RSA key 41A8A66E4EC70D66
    gpg: Good signature from "JANET CSIRT <[email blocked]>" [full]
    gpg: aka "copyright <[email blocked]>" [full]
    gpg: aka "intelligence <[email blocked]>" [full]
    gpg: aka "intelligence (rtir-bot) <[email blocked]>" [full]

    ... so it has always puzzled me as to why the services verification does not, especially if it is supposed to be doing the same thing. I understand the desire to keep notifications as simple as possible, but not at the expense of important information.

    In this particular case it is a message from (JISC) JANET CSIRT to our security alerts mailing list and, while there is no commercially sensitive information or security related concerns with this particular message, there are other email addresses and names present so I would be unable to share on an open forum. Happy to send directly if that would help.

    In terms of the value of the information: I think it largely speaks for itself. When validating the content of a message it is useful to know when partially signed content was created as it may not have been at the same time as the rest of the message body or when the message was actually sent.

    Thanks.

    Please let me know if there is anything else that I may add.

  3. 3 Posted by Mark Foster on 13 Jun, 2020 08:35 PM

    Mark Foster's Avatar

    Here is another missing creation date example for you. One that you know well.

    From MacGPG2 command line:

    shell> gpg --verify GPG_Suite-2020.1.dmg.sig
    gpg: assuming signed data in 'GPG_Suite-2020.1.dmg'
    gpg: Signature made Wed 3 Jun 19:43:41 2020 BST
    gpg: using RSA key 8C31E5A17DD5D932B448FE1DE8A664480D9E43F5
    gpg: Good signature from "GPGTools Team <[email blocked]>" [full]
    gpg: aka "GPGTools Project Team (Official OpenPGP Key) <[email blocked]>" [full]
    gpg: aka "GPGMail Project Team (Official OpenPGP Key) <[email blocked]>" [full]
    gpg: aka "[jpeg image of size 5871]" [unknown]

    From GPG Services verify signature of file:

    --
    Mark Foster
    [email blocked]

  4. Support Staff 4 Posted by Steve on 15 Jun, 2020 07:01 PM

    Steve's Avatar

    Thanks so much for taking the time to elaborate a bit more on your use-case scenario.

    We have a ticket for this feature request. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you'll stay in the loop and get notified as soon as we have news. Feel free to open a new discussion should you run into further problems or need assistance.

    All the best,
    Steve

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Already uploaded files

  • Screenshot_2020-06-10_at_21.02.47.png 515 KB
  • Screenshot_2020-06-10_at_21.00.19.png 77.2 KB
  • Screenshot_2020-06-10_at_21.00.54.png 181 KB

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac