[Gpg4win-devel] Kleopatra devel

[Andre Heinecke]

Hi,

On Wednesday 12 December 2018 15:25:03 CET Luc Lalonde wrote:
> Here at work we are looking at either using PGP or X.509 certs for
> signing documents.
> 
> Personnaly I was pushing for the use of PGP, but there are are two
> sticking points:
> 
>   * PDF signatures are in a separate file

Yeah, there has been some work to do signatures in documents with PGP using 
Libreoffice.

Although you could also do an "opaque" signature (gpg -s) that would combine 
the document with the signature. But in that case you would need an OpenPGP 
tool to extract the original file by verifying the signature.

>   * there does not seem to be a way to add a signature to an existing
>     signature file with Kleopatra

True.

> Has there ever been an interest for the second point?   If so, here's
> how I see it:
> 
> If a signature file exists, Kleopatra would ask the user to add the
> signature to the exisisting file OR replace it.
> 
> For most non-technical users, it's not an option to go to command line
> and concatenate two or more signature files into one.
> 
> What do you think?

There has indeed been interest in that. But the use cases for that are 
uncommon in my opinion.

It's also a bit complicated IMO to make it user friendly. You would have to 
check the signature -> Is it done by your own key but no longer valid (e.g. 
you edited the file)? -> Replace without question.

If it is valid but from a different key -> Ask.

The add of a second detached signature is not very difficult. You could use a 
verifydetachedjob from QGpgME and just add the result to the signature file 
instead of replacing it.

I would be happy to review / add such a feature to Kleopatra.


Best Regards,
Andre

-- 
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner