Today, when doing an online search for OpenPGP keys, for keys that we already had previously imported (same fingerprint), we prompt the user, asking to import (and also offering the choice to accept).

We should use the same behavior here when processing email attachments.

If a found key was previously imported (same fingerprint), we should automatically import it (no prompt).

This will enable us to process extended lifetime and revocations, there's no question, we must import those.

I'm extending the scope of this bug, because of code overlap. See duplicates (soon).

To summarize what this should fix:

• auto import keys found online, if we already have the key (same fingerprint) imported, without asking.
• always search both WKD and keyserver, because one of both might be outdated
• we should search the keyserver by fingerprint to discover revocation or extended validity (which might be old keys, while a search by email gives us a different key)

(In reply to Kai Engert (:KaiE:) from comment #5)

• we should search the keyserver by fingerprint to discover revocation or extended validity (which might be old keys, while a search by email gives us a different key)

This also requires the fix from bug 1634524.
That's a very small change, so let's just move that code in here, too.

(In reply to Kai Engert (:KaiE:) from comment #6)

This also requires the fix from bug 1634524.
That's a very small change, so let's just move that code in here, too.

I take that back. That one might be a candidate for backporting, so let's keep it separate.

IMHO we should consider backporting this work to the stable esr91 branch. I'm already running a backported patch locally. I think it's an important usability improvement, with little risk.

The current patch has insufficient handling for WKD, which may contain multiple keys in the single blob of data we receive.

We need to do the following:

• split the blob into individual keys, which will allow us to handle keys differently
  (currently, it's only offer/import all or none, or auto-import all or none,
  this simplification was added temporarily for a code/UI experiment)
• for all keys that we already have (same fingerprint),
  automatically update them (silently).
• ignore keys that are revoked/expired and which we don't have yet
• offer the remaining good keys for import

I've updated the revision in phab, it implements the functionality I've described in comment 12.

additional pieces backported to esr91

esr91 backport merged into single patch
(The backport excludes the silent import mechanism.)

Pushed by kaie@kuix.de:
https://hg.mozilla.org/comm-central/rev/f1400a5a846d
Update existing OpenPGP keys without asking. Search both WKD and keyserver during discovery, also by key ID. r=mkmelin

Comment on attachment 9263495 [details] [diff] [review]
1751885-esr91-v3.patch

[Approval Request Comment]
Regression caused by (bug #): no
User impact if declined: it's more painful to obtain keys
Testing completed (on c-c, etc.): yes
Risk to taking this patch (and alternatives if risky): This is new functionality, so there's some risk for new effects. But I think the improved functionality is worth it.

Comment on attachment 9263495 [details] [diff] [review]
1751885-esr91-v3.patch

[Triage Comment]
Approved for esr91

I just noticed this is not yet on beta. Is that OK with you?

(In reply to Wayne Mery (:wsmwk) from comment #20)

I just noticed this is not yet on beta. Is that OK with you?

No. Thanks for pointing that out. It needs beta testing.