Steve on 12 Jun, 2020 11:35 PM
thanks for bringing up this request.
Just to be sure I understand it correctly: the first verification result is from GPG Mail and the second from GPG Services?
As you probably know, we have just revamped the dialogs for GPG Services and added support for system notifications. So what we did for the new GPG Services dialogs, is to adapt the information we had in the old dialogs and re-design them so they look less confusing and we prevent the dialog clutter that was the old GPG Services.
So in that regard no information should be lost. But I understand your request to add the information when the signature was created. Out of curiosity, can you share your specific use case for this information?
You understand correctly; the first screenshot - the larger one with the certificate logo is as displayed by the GPGMail plugin. The second, smaller one with the cog/gearwheel is as displayed by GPG Services.
I did see in the release notes for 2020.1 that you are now using the system notifications framework. I do not, however, see any difference in the output content between this version and 2019.2. As far as I can remember the signature creation date has never appeared in the dialog produced by the services verification.
To add: Using gpg command line to verify the same signature also provides the signature creation date ...
shell> gpg --verify csirt.txt
gpg: Signature made Thu 28 May 08:21:02 2020 BST
gpg: using RSA key 41A8A66E4EC70D66
gpg: Good signature from "JANET CSIRT <[email blocked]>" [full]
gpg: aka "copyright <[email blocked]>" [full]
gpg: aka "intelligence <[email blocked]>" [full]
gpg: aka "intelligence (rtir-bot) <[email blocked]>" [full]
... so it has always puzzled me as to why the services verification does not, especially if it is supposed to be doing the same thing. I understand the desire to keep notifications as simple as possible, but not at the expense of important information.
In this particular case it is a message from (JISC) JANET CSIRT to our security alerts mailing list and, while there is no commercially sensitive information or security related concerns with this particular message, there are other email addresses and names present so I would be unable to share on an open forum. Happy to send directly if that would help.
In terms of the value of the information: I think it largely speaks for itself. When validating the content of a message it is useful to know when partially signed content was created as it may not have been at the same time as the rest of the message body or when the message was actually sent.
Please let me know if there is anything else that I may add.
Steve on 15 Jun, 2020 07:01 PM
Thanks so much for taking the time to elaborate a bit more on your use-case scenario.
We have a ticket for this feature request. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you'll stay in the loop and get notified as soon as we have news. Feel free to open a new discussion should you run into further problems or need assistance.