Mmh or even select all expired keys and then refresh them.

I guess I asked for it, because much older "PGP Desktop" had it already (via menu entry):

Aha, so you know how to provoke us into action, good man ;-) Alright I give it high priority. No seriously, makes sense to have we'll see when we can fit it in. Needs an extension in our internal api so probably not in the next release but sooner rather then later.

Tested with Gpg4win-4.3.2-beta25:

Good news: There is a "Update Certificates" action in the context menu and it does search.
Bad news: If Origin is "Unknown", it only searches on keyserver, even if the UID is a mail address (verified via dirmngr logging).
If the (original) Origin is WKD, WKD as well as keyserver are checked:

As the certificate in this case was imported for the first time from WKD only 30 seconds before the refresh, I'm sure the "The certificate has been updated." is wrong. It should be "The certificate has not changed."

Why did I insert "original" above: If you first import a certificate from a file and after that do al "lookup" and import that result, the Origin column swichtes to "WKD". But "Update certificate" does still not query WKD! (not even after restarting Kleopatra.)

When multiple certificates are selected for updating, it seems there are multiple keyserver queries, but there is only a feedback in the singular. "The certificate has been updated" in spite of 3-times "HTTP Status 404".
I won't do any more thorough checks at this time.

I can confirm that Kleopatra reports "The certificate was updated." when updating the certificate werner.koch@gnupg.com although gpgme reports "unchanged: 1" as ImportResult. Kleopatra even reports "The certificate was updated." under WKD for a locally generated test key that's not available via WKD. This should be fixed.

Using gpg 2.4.6-betaX I could not reproduce that the origin of a certificate initially imported from a file changes to WKD after doing an update or another lookup followed by an import. Update: I can reproduce this when the WKD contains new data (e.g. new signatures) for the key compared to the key imported from file. In this case the origin of the key changes to WKD, but the origin of the user ID stays "unknown". And Kleopatra only considers the origin of the user IDs when checking which user ID to look up via WKD (if the setting to look up all user IDs via WKD is not enabled).

And "But "Update certificate" does still not query WKD! (not even after restarting Kleopatra.)" seems to happen because the setting "Query certificate directories of providers for all user IDs" wasn't enabled.

And "But "Update certificate" does still not query WKD (not even after restarting Kleopatra.)" seems to happen because the setting "Query certificate directories of providers for all user IDs" wasn't enabled.

Yes, correct. I think we should turn on this option in the settings by default. This is what one usually wants (and probably expects, like me).

And what should we do about the refresh with multiple certificates? Maybe we should enable this action for the upcoming release only for one certificate at a time and make a new ticket for the next release where we include the possibility to do this for several certificates at once?

Querying WKDs for keys not retrieved via WKD leaks information, i.e. a (fake) WKD could track who is looking for keys. KDE's privacy-by-default policy doesn't allow such a setting to be enabled by default. (In VSD you can enable it for certain customers who don't have a problem with this.)

What's the problem with refreshing multiple certificates except for a misleading "Certificates have been updated." message?

Looking only at the text used, you get exactly the same messages used for single certificate updates, "The certificate has been updated" or "The certificate was not found.", both in the singular.

And looking at the logic from the user side it looks like the results from the multiple updates are mashed up somehow. If I combine the update of one certificate with origin WKD and one with keyserver I get "The certificate has been updated" for both categories:

But if I do separate searches for the same certificates I get:

WKD:

Ergebnis der OpenPGP-Zertifikat Aktualisierung via Schlüsselserver, LDAP oder Active Directory
Das Zertifikat wurde nicht gefunden.
Ergebnis der Aktualisierung via Schlüsselverzeichnis (WKD)
Das Zertifikat wurde aktualisiert.

Keyserver:

Ergebnis der OpenPGP-Zertifikat Aktualisierung via Schlüsselserver, LDAP oder Active Directory
Das Zertifikat hat sich nicht geändert.
Ergebnis der Aktualisierung via Schlüsselverzeichnis (WKD)
Das Zertifikat wurde aktualisiert.

From my viewpoint the resulting combined answer seems to be without a connection to reality, it's obviously not only the result for the first or last update.

I think if we want to include multiple key updates we would have to restructure the feedback, so it does not get to complicated. Maybe like the message we use for key imports, only listing "number of certificates updated", "number of certificates unchanged" and additionally "number of certificates not found"

I updated the certificates of Werner, Andre and you and got as result "The certificates were updated.", i.e. plural, for both, keyserver and WKD. Singular could mean that only updates for one certificate were found.

We have to check if we get enough information for a bit more detailed result as proposed by you. I agree that this would be nicer.

Note that the origin stored for the key is for example required if a key is updated by fingerprint. In that case we don't known from which user ID to take the origin.

Turns out

• the singular instead of plural in the German version is a translation thing and should now be fixed (but is not in the testversion beta35)
• there is another issue muddying the waters regarding search in WKD, for which I will create another ticket

Seems here remains only the notifications for multi-keysearches, which are not necessarily true or at the very least misleading.

The ticket mentioned in the previous comment is T7190: Kleopatra: wrong claim of update in WKD for keys with no mail address.

ok, works with Version 3.2.2.2405000+git~ (Gpg4win-4.3.2-beta41).

For the better feedback part see T7206.