Checking for existing gpg keys causes frequent keyring popups

[sssoleileraaa]

Description

"Keyring access from domain: sd-app" popup appears every time we sync. Once you see this every 15 seconds you stop closing the popup window and just expect it to be there the entire online lifetime of the client.

[eloquence]

Why does the client have to access the keyring every time we sync, even if there are no changes?

[sssoleileraaa]

Ah, it looks like this is the result of making a call to

securedrop-client/securedrop_client/crypto.py

Line 149 in 078c3d0

def fingerprints(self) -> typing.Dict[str, bool]:

in order to make sure we don't import fingerprints that have already been imported.

[eloquence]

Per @creviera the now highly frequent popups are extremely distracting. The high frequency also diminishes the value of these notifications as a security feature. Tracking as release blocker.

Per comment by @redshiftzero in standup today, if we set the fingerprint after successful key import, then we can only import key (i.e. access gpg keyring) if fingerprint column is null, which should reduce sd-gpg access to a reasonable level.