@vsrinu26f No worries, looks like we are on the same page :)
Apr 1 2019
Mar 30 2019
Sorry, I think I blabbered without understanding context.
I wish gnupg natively supports creating backup cards. To be able to import
private key material to do another keytocard. And every time it moves that
to card and removes from gnupg.
For exactly same key material on tokens. Just before writing first token
backup .gnupg folder or export all key info. Do key to card. Delete .gnupg
folder and restore from backup and keytocard second token.
Mar 29 2019
Both tokens should have same material.
On the other hand if we want to track which token is used by having multiple unexpired signing subkeys and each token have its own subkey is a possible use case where multiple admins have the tokens.
I think if we have to update one token then we have to update backup token as well if moved to new subkey.
@vsrinu26f Yes I'm using subkeys with YubiKey.
Sorry, ignore my comment if there is something with subkeys and you are
already using latest gnupg.
This is already implemented by yutaka.
Sorry for jumping in out of the blue but the idea of automatically selecting the available signing key sounds also very appealing to me.
Mar 24 2019
Mar 23 2019
Great. Let me know when the newest gpg4win is released.
fwiw, a comment over on T4422 contains a bash script that tries to force GnuPG to do its certificate/signature re-ordering. this doesn't produce anything canonical yet, but it's the closest i've come so far to getting GnuPG to do something repeatable with a certificate after merging (but even that is not quite stable).
Mar 21 2019
See also
https://lists.gnupg.org/pipermail/gnupg-devel/2018-December/034131.html
for a first patch to implement this.
Mar 20 2019
werner wrote:
Great. Thank you.
We are aiming for this week.
When will the new gnupg program be released so I can install it?
Charles
Mar 19 2019
So where can I get the corrected file to install? I suppose I need the
new gpg4win, it hasn't been updated yet. If I need the signature or TAR
from your website how can I implement that?
Charles
Where can I get the new thing file to install?
Thanks! I've confirmed that it works for me.
Mar 18 2019
Mar 15 2019
The secret import code actually had a bug in that it silently imported the secret key anyway, so that after importing the public key the secret key showed up. That was not intended because we do not want to allow importing arbitrary keys or subkeys if they don't have a corresponding public (sub)key with the mandatory key-binding signature. This has now been fixed. A fix for the actual problem will come soon.
Mar 14 2019
In T4346#122371, @gouttegd wrote: Regarding the quality evaluation, several months ago I proposed to optionally delegate that task to an external tool (specified by a new gpg-agent option passphrase-checker). I posted a first draft as D442 and then submitted a proper patchset to gnupg-devel, but although @werner expressed interest it was never merged. I have just checked that the patchset still applies cleanly to both the master branch and the STABLE-BRANCH-2-2. I can re-submit it to the mailing list if needed.
Mar 13 2019
There is a solution for it:
Mar 12 2019
Reading through this issue and the related documentation: Thanks for writing this all down and adding links!
Ok. Let me know so I can try it out.
Yes, I think that if I see an import result with "secret-keys-read && w/o userId's" I can just do a second try.
Checking the OpenPGP specs again, there is actually an "exit" clause for this PGP bug. Or well, what I would consider to be a bug. A fix for this is not easy because it would require to detect this at an outer level (the ascii armor) which we don't do because gpg is built along a streaming concept as almost all Unix tools. What we can do is to allow import of a secret key in that PGP format iff a public key is already there. In practice this would mean to run the import two times and ignore the errors from the first import.
Mar 11 2019
See T4400.
Mar 8 2019
I meant the abbreviations. PGP is based on a code base dating back to 1992; for example we mostly used the term keyblock instead of certificate in the code.
Mar 7 2019
Those terms are not arbitrary, they are in the RFC.
Thanks. [I wonder why the looong established terms public-keyblock and key-signature must be replaced by arbitrary new terms.]
Mar 6 2019
- TPK: transferable public key (an "OpenPGP certificate")
- TPS: Third-party signature (any certification within a TPK that is not made by the primary key, and is not a cross-sig made by a subkey over the primary)
TPK ?
TPS ?
In T4393#123047, @dkg wrote: i don't understand why "import-drop-uids" is useful -- it sounds to me like the functionality you're looking for is something more accurately named "accept-certs-without-uids". is that right?
Mar 5 2019
Something to add: This also affects deleted drafts. If I write a new email and decide to delete & not send it, Outlook saves the aborted draft in the trash without encryption.
Mar 4 2019
Somehow I thought that storing drafts locally was not only configurable but the default. But you are right, I also can't find a way to change the storage location.
If there is a way to disable synchronisation of the draft folder in Outlook 2019 when using IMAP, it could be mentioned in the meantime, but I couldn't find it.
Mar 1 2019
Feb 28 2019
The other option would also work for me. Thank you!
Feb 27 2019
As a workaround you could also forward the mail to yourself and remove the attachments in the forwarded mail. This would basically work the same as I've described in the previous message.
The next version will have a "decrypt permanently" option. Afterwards you could remove the attachments. Will this help in your use case? You could for example copy the mail into a local folder and remove the attachments then.
Feb 22 2019
Feb 20 2019
Feb 14 2019
Thanks for that summary.
Feb 13 2019
Since it seems there is a renewed interest in adding ECC support to GpgSM (as indicated by the T4098 feature request), I would like to write down here more details about this task.
Feb 12 2019
Pinentry already has a ttyalert option which may be set to beep or flash to ring the bell or flash the terminal, respectively (see commit 1dba96fafa123f3631c0a50bb01835306c23b903).
Feb 11 2019
Feb 9 2019
Sure, but let's use that ticket for this. If you have another topic, feel free to open another ticket.
Feb 7 2019
Feb 6 2019
Jan 30 2019
Jan 29 2019
Good idea.
Jan 28 2019
for user ID selection, you could also potentially match on substring, so uid dkg could select/deselect all user IDs that contain "dkg".
Jan 25 2019
Jan 23 2019
Mnemonics can be made language independent by implementing wordlists for every language. In bip39, each word represents a number, 0 through 2047 (their index in the wordlist).
Jan 7 2019
Dec 20 2018
Dec 18 2018
Dec 17 2018
How does scdaemon respond when there is no card available?
Dec 15 2018
Though not directly related to our issues, this bug report on the MSYS2 site reported by their users encountering trouble with GPGME provides additional weight to irreconcilable differences between MSYS2 and GnuPG:
Dec 13 2018
yes. that's why i wrote it in '['-brackets.
but usually, in info-documents a synopsis is written about it.
I think that it's not self-evident, that "you can either give a file or let the tool read from stdin or output to stdout" and therefore should be written explicitly.
Dec 12 2018
The --auto-expand-secmem option is available in 2.2 and master for quite some time. It works if libgcrypt 1.8.2 or newer is used.