Bug 113190 - [Digital-Signatures][OpenPGP] Revoked and expired keys are listed as available OpenPGP keys
Summary: [Digital-Signatures][OpenPGP] Revoked and expired keys are listed as availabl...
Status: VERIFIED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice (show other bugs)
Version:
(earliest affected)
5.4.0.0.alpha0+
Hardware: All All
: medium normal
Assignee: Thorsten Behrens (allotropia)
URL:
Whiteboard: target:6.0.0 target:5.4.4
Keywords:
Depends on:
Blocks: Digital-Signatures
  Show dependency treegraph
 
Reported: 2017-10-17 14:51 UTC by Eike Rathke
Modified: 2018-02-28 17:26 UTC (History)
2 users (show)

See Also:
Crash report or crash signature:


Attachments
Screenshot with selection box showing expired certificates. (76.60 KB, image/png)
2018-02-01 01:24 UTC, m_a_riosv
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Eike Rathke 2017-10-17 14:51:04 UTC
In the Digital Signatures -> Sign Document | Select Certificate dialog, revoked and expired keys are listed as available. While the Expiration date is listed, there's no indication of revoked keys.

Revoked and expired keys should not be listed at all as they can't be used for signing.
Comment 1 Commit Notification 2017-10-18 13:07:56 UTC
Thorsten Behrens committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=087a90e27b7219e8c1aaa880b39376c94a0dcaae

gpg4libre fix tdf#113190 don't show expired/invalid keys

It will be available in 6.0.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 2 Thorsten Behrens (allotropia) 2017-10-18 13:12:57 UTC
Eike reports it fixed, I had issues before with gpgme misbehaving on key attributes; hope the fix works for the majority of users out there.
Comment 3 Eike Rathke 2017-10-18 13:25:31 UTC
Verified works for me..
Comment 4 Commit Notification 2017-10-19 19:36:46 UTC
Thorsten Behrens committed a patch related to this issue.
It has been pushed to "libreoffice-5-4":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=561d25301bf2a04a2cd34f1674a792167cf5f43b&h=libreoffice-5-4

gpg4libre fix tdf#113190 don't show expired/invalid keys

It will be available in 5.4.4.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 5 m_a_riosv 2018-02-01 01:24:43 UTC
Created attachment 139485 [details]
Screenshot with selection box showing expired certificates.

Issue remains for me. (x86 and x64)

Version: 5.4.4.2 (x64)
Build ID: 2524958677847fb3bb44820e40380acbe820f960
CPU threads: 4; OS: Windows 6.19; UI render: GL; 
Locale: es-ES (es_ES); Calc: CL

Version: 6.0.0.3 (x64)
Build ID: 64a0f66915f38c6217de274f0aa8e15618924765
CPU threads: 4; OS: Windows 10.0; UI render: default; 
Locale: es-ES (es_ES); Calc: CL

Versión: 6.0.0.3
Id. de compilación: 64a0f66915f38c6217de274f0aa8e15618924765
Subproc. CPU: 4; SO: Windows 10.0; Repres. IU: GL; 
Configuración regional: es-ES (es_ES); Calc: group
Comment 6 Timur 2018-02-28 08:49:24 UTC
m.a.riosv has expired X.509 keys in Windows, me also.
But this issue is titled "OpenPGP". 
So it's not clear whether this should be reopened or new bug created for X.509.
Comment 7 Timur 2018-02-28 12:12:54 UTC
Looks like there's a consequence of showing expired X.509: we can use it to sign, but nothing really happens.
Comment 8 Thorsten Behrens (allotropia) 2018-02-28 14:37:29 UTC
(In reply to Timur from comment #6)
> m.a.riosv has expired X.509 keys in Windows, me also.
> But this issue is titled "OpenPGP". 
> So it's not clear whether this should be reopened or new bug created for
> X.509.

Yes, that's very likely a different issue - unless those keys come from GPG. Do you or m.a.riosv have gpg4win installed? With X509 keys showing in Kleopatra? If yes, I'll need further infos, if not -> please file a separate bug.
Comment 9 Timur 2018-02-28 17:26:49 UTC
Yes, I have gpg4win installed but X.509 keys from Windows system certificate manager that are shown in LO are not shown in Kleopatra. 
Kleopatra has just OpenPGP (and CAcert I added for test).
I guess that's a ne bug then.