With the recent changes to the build system the current version numbers for the Beta versions of the MSI packages are 4.0.90.<somenumber> for VSD, 5.0.90.xxx for GPD and Gpg4win. Thus we override the standard micro version with 90 to indicate beta versions. Obviously this will require to de-install a MSI beta version before installing the regular version. But we are somewhat constraint by the Windows versioning scheme.

In T7509#212953, @timegrid wrote:

Is the displayed version 4.0.0.260370 right for the appimage? shouldn't this also display the gpg4win version?

Will go into 1.12.1

Thanks. Will go int the next version.

Got reported again with the 5.0.0 release, see

• https://forum.gnupg.org/t/issue-with-automated-installation-of-gpg4win-5-0-1/7098
• https://forum.gnupg.org/t/version-5-automatisierte-installation/7093/8

Is this wording / layout okay?

Is the displayed version 4.0.0.260370 right for the appimage? shouldn't this also display the gpg4win version?

Looks good to me on gpg4win-5.0.1-beta24 @ archllinux:

The display in Okular is independent from Kleopatra, so dropping it in Kleopatra should be fine.
If a QES certificate is available, Okular should highlight and add a filter for them (which is currently not working, see T6632: Okular: Highlight / preselect "nonRepudiation" certificates for qualified signatures)

I currently have a slight preference to drop bold and go with normal font. Werner would be ok with that, too.

a) Here's a log anyway (ignore it, if decryption does always work):

@svuorela said, QES certs shouldn't be required to be on a smartcard.

Using an icon for QES certificates isn't that easy because we use an icon for smartcard certificates and any list item can have at most one icon. Moreover, QES certificates are very like stored on a smartcard (isn't that even a requirement?), i.e. an icon clash is basically guaranteed.

Additionally, the de-vs-compliance filters are no longer show in non-compliant installations like Gpg4win.

In T6632: Okular: Highlight / preselect "nonRepudiation" certificates for qualified signatures I had the impression, that some hint is useful for signing operations. Probably not so much in general.

Done and backported for VSD 3.4

checked with vsd 3.3.5: no change

I've tried the new patch in my environment, and it fixes the gnupg HEAD self tests as well. Thank you!

Highlighting QES is mostly useful for Okular, I guess.
Maybe use a symbol with a pen? That should be self-explanatory.

We'll go with solution no 2 (which is in effect the same as no 1 anyway)

I misunderstood this, the mail can be forwarded with attachment if you first deselect the mail and then select it again. So the workaround is OK.

We decided to still use the term "Valid" (with description/tooltip "Certificates that are neither expired nor revoked (except disabled ones)"). This matches the use of the term "invalid" for expired and revoked certificates as in "Certificates that are invalid because they have expired (except disabled ones)".

In tests/migrations, (unlike tests/openpgp and tests/cms), the tests do not prepare gpg-agent, but it is gpg which invokes gpg-agent if needed.
Because of that, on NetBSD (where POSIX semaphore has a different semantics), it hangs with gpg --list-secret-key, when gpg tries to spawn the gpg-agent process.
In the old code of 2.4, it simply ignore the npth_protect and npth_unprotect when calling fork to spawn a process.
New code in libgpg-error cares about npth_protect and npth_unprotect but it was not sufficient; We need to care about NetBSD's semantics. Child process should not call npth_protect. With shared semantics, child process's calling npth_protect affects to cause parent process: it hangs.

@wiz Thank you for your quick feedback.

For security I had turned off passphrase caching, most likely.
Still repeating identical dialog boxes are very confusing to the user: What the previous passphrase wrong (re-enter), or is the passphrase required for a different purpose now?
Isn't it how phishing works (you have to enter some credentials, but you aren't sure what they are actually used for)?

Thank you for the patch. I've tried it in my environment, and gnupg 987c6a398a9505399b2c25a775d4b625753bc962 passes all its self-tests for me now!

Thank you, that did indeed fix the problem!

This overloading of "bold" for "my certificates", "qualified certificates" and "trusted root certificates" seems to exist since two decades. I stopped digging into ancient history at the commit that added the hard-coded default filters.

Take care: Too many attributes (color, font) are bad style.

a) "Prefer S/MIME" only applies to encryption, not decryption. If you do not want to decrypt with GpgOL you have to disable S/MIME in GpgOL.

Oh yeah, the mentioned patch is bogus because it assumes that fgets has already set the eof flag while reading the last line. This seems not to be the case.

Well, the qual flag should only be set for CAs dedicated to certifying QES certificates. And those should by definition be signature certificates only, afaik.

Backported for VSD 3.4

Done. Example (with default text in English and German translation):

[Welcome]
welcome-text[$i]=<h2>Hello, World!</h2>
welcome-text[$i][de]=<h2>Hallo, Welt!</h2>

Backported for VSD 3.4