Intended use of GPG signature verification


with the current Mayan support for GPG signatures (as embedded and detached signatures), I can see two use cases:

  1. Offline integrity verification of downloaded files (and their detached signature if the signature type is detached)
  2. Online integrity verification completely handled in the user interface

Use case 1 works but requires additional steps and skills like synchronizing the public keys and operating gpg on the machine where the file was downloaded to.

With use case 2 I found two usability issues which I will try to explain here. I did not open an issue at gitlab because I’m not sure what the current intended use for GPG signatures is.

  • Feedback of signature validity.

    A bad signature is displayed in a misleading way. “Signature key present?” is reported as False even though the key is actually present. The date is “None” which is the only indication of a bad signature: for a good signature with missing public key, the date is the actual signature date.

  • Signature and document file can be out of sync.

    If a valid signature is uploaded to Mayan and the file is afterwards modified in the file storage, there is no indication in the signature view that something is wrong. Nevertheless, a download of the file will hand out the modified version. By remapping the pages it is even possible to have the modified version visible in the document preview, and still the signature view will show a good signature. Only after calling Tools → “Refresh all signatures” will the signature view change to one where the date and signature id are None. However, with a large database it is unclear when the background task has finished, or if the file has been modified after the signature was refreshed. It would be good if there was a way to get a definitive answer about the current state of a signature.
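The distinction the first point asks for (a bad signature versus a good signature whose public key is missing) is already present in what gpg reports on its status channel (`--status-fd`); only the presentation loses it. The following is an added example, not code from the post or from Mayan, showing how those status lines can be classified so that each state gets its own label and reason. The status keywords and argument positions are those documented by GnuPG (`GOODSIG`, `BADSIG`, `EXPKEYSIG`, `REVKEYSIG`, `ERRSIG`, `NO_PUBKEY`, `VALIDSIG`); the sample key IDs, fingerprints and timestamps below are constructed for illustration. Note that a `BADSIG` line carries no timestamp, which is exactly why the UI shows the date as “None” in that case.

```python
"""Classify GnuPG verification results from --status-fd output.

Added example; assumes the GnuPG status-line format (see doc/DETAILS in
the GnuPG sources). Sample status output below is constructed.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "

# ERRSIG return codes defined by GnuPG.
ERRSIG_UNSUPPORTED_ALGO = "4"
ERRSIG_MISSING_PUBKEY = "9"


@dataclass
class VerifyResult:
    # One of: "good", "bad", "expired_key", "revoked_key", "missing_key", "error"
    state: str = "error"
    key_id: Optional[str] = None
    timestamp: Optional[str] = None      # seconds since epoch, as gpg reports it
    reasons: List[str] = field(default_factory=list)


def classify_status(status_output: str) -> VerifyResult:
    """Turn raw [GNUPG:] status lines into a single, unambiguous result."""
    result = VerifyResult()
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        keyword, args = fields[0], fields[1:]

        if keyword == "GOODSIG":                 # GOODSIG <keyid> <username>
            result.state = "good"
            result.key_id = args[0]
        elif keyword == "BADSIG":                # BADSIG <keyid> <username>
            result.state = "bad"
            result.key_id = args[0]
            result.reasons.append("file content does not match the signature")
        elif keyword == "EXPKEYSIG":             # signature good, key expired
            result.state = "expired_key"
            result.key_id = args[0]
            result.reasons.append("signing key has expired")
        elif keyword == "REVKEYSIG":             # signature good, key revoked
            result.state = "revoked_key"
            result.key_id = args[0]
            result.reasons.append("signing key has been revoked")
        elif keyword == "ERRSIG":
            # ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc> [<fpr>]
            result.key_id = args[0]
            result.timestamp = args[4]
            rc = args[5]
            if rc == ERRSIG_MISSING_PUBKEY:
                result.state = "missing_key"
                result.reasons.append("public key not available; signature not checked")
            elif rc == ERRSIG_UNSUPPORTED_ALGO:
                result.state = "error"
                result.reasons.append("unsupported public-key or hash algorithm")
            else:
                result.state = "error"
                result.reasons.append(f"gpg could not verify (rc={rc})")
        elif keyword == "NO_PUBKEY":             # accompanies ERRSIG rc=9
            result.state = "missing_key"
            result.key_id = result.key_id or args[0]
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <sig_date> <sig_timestamp> ...  (only after a good sig)
            result.timestamp = args[2]
    return result


def verify_detached(file_path: str, sig_path: str) -> VerifyResult:
    """Run gpg on a file and its detached signature and classify the outcome."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False,
    )
    return classify_status(proc.stdout)


# Constructed sample status output for the three states discussed in the post.
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF0123456789ABCDEF 2024-01-01 "
    "1704067200 0 4 0 1 8 00 00112233445566778899AABBCCDDEEFF0123456789ABCDEF\n"
)
SAMPLE_BAD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
)
SAMPLE_MISSING_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1704067200 9 -\n"
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
)

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD),
                         ("missing key", SAMPLE_MISSING_KEY)]:
        r = classify_status(sample)
        print(f"{name:12s} -> state={r.state} key={r.key_id} "
              f"time={r.timestamp} reasons={r.reasons}")
```

Run against the constructed samples, the good and missing-key cases both carry a signature timestamp while the bad case does not, which matches the behaviour observed in the signature view; the `state` and `reasons` fields are what a UI would need to show “bad signature: content mismatch” instead of a bare `False`.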

The following improvements could be made:

  • Clearly communicate bad signatures to distinguish them from other issues like a good signature with missing public key. Also the reason for bad signatures should be displayed (content mismatch, key expired, unsupported algorithm, …)
  • Refresh and validate the signature of a file automatically when the signature view is visited. At least offer a “validate” action for each signature individually.
  • Maybe warn about a bad signature in the user interface: in the preview and when the “quick download” or “email file” functionality is used.
  • Improve the documentation of the two tools “Refresh all signatures” and “Verify all documents”. I think I understood what the “Refresh” tool does, but I’m not sure about the “Verify all documents” tool. What exactly is verified, where can I find the result of the verification?

I’m looking forward to a discussion. What are your thoughts?

Best regards