
gpgsm: emit more details when failing to check a crl from a crlDP
Open, Wishlist, Public

Description

[...]
Possible improvements:
[...]

  • Show better error than "unknown host", i.e. something like "CRL check failed" or "Certificate validity check failed", but I'm not sure we get better information from gpgsm.

Before encryption, the certificates are checked for validity. If a certificate has a broken URL as its crlDP, or the content of the crlDP is invalid, gpgsm should provide more details when returning with a failure.

Test certificates are provided by:

Maybe those smime certs will do:

  • broken: inaccessible URL, crlDistributionPoints = URI:http://gnupg.test/crl.pem

  • invalid: invalid content, crlDistributionPoints = URI:https://gnupg.com/share/g10code-key.asc

In my tests, both have the same behavior:

  • invalid after opening the details, so the cert can't be chosen for file encryption afterwards
  • if chosen before invalidation, it hangs indefinitely on file encryption (will create another ticket for this)
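
Added illustration (not part of the ticket and not GnuPG code): a sketch of how a fetch from a crlDP could be sorted into separate failure categories for the two test cases above, instead of surfacing one generic error. The function names and category strings are hypothetical, and the DER test is only a shape check, not CRL validation.

```python
# Added illustration; function names and category strings are hypothetical.
import base64
import re
import socket
import urllib.request

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def looks_like_der_sequence(data: bytes) -> bool:
    """Cheap shape check: one DER SEQUENCE spanning the whole buffer."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                      # short-form length
        hdr, length = 2, data[1]
    else:                                   # long-form length, 1..4 octets
        n = data[1] & 0x7F
        if not 1 <= n <= 4 or len(data) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return hdr + length == len(data)

def classify_body(body: bytes) -> tuple[str, str]:
    """Say why fetched bytes are not a CRL (signature is not verified here)."""
    m = PEM_RE.search(body)
    if m:
        label = m.group(1).decode()
        if label != "X509 CRL":             # e.g. an OpenPGP key served at the crlDP
            return "invalid-content", f"armor type '{label}' is not a CRL"
        try:
            body = base64.b64decode(m.group(2))
        except ValueError:
            return "invalid-content", "PEM CRL body is not valid base64"
    if looks_like_der_sequence(body):
        return "ok", "DER SEQUENCE (shape only, signature not verified)"
    return "invalid-content", "not a DER-encoded CRL"

def http_fetch(url: str, timeout: float = 10.0) -> bytes:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()

def check_crl_dp(url: str, fetch=http_fetch) -> tuple[str, str]:
    """Return (category, detail); 'fetch' is injectable so tests run offline."""
    try:
        body = fetch(url)
    except OSError as exc:                  # URLError and socket errors are OSErrors
        cause = getattr(exc, "reason", exc)
        if isinstance(cause, socket.gaierror):
            return "unreachable", f"host in {url} does not resolve"
        return "unreachable", f"fetch failed: {cause}"
    return classify_body(body)
```
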

Event Timeline

pl13 triaged this task as Wishlist priority. Tue, Apr 14, 9:18 AM
pl13 created this task.
pl13 created this object with edit policy "Contributor (Project)".
pl13 moved this task from Backlog to WIP on the vsd34 board.