The flag value is now 144 and not 146, but that extra bit (value 2) did not make sense for the option. So I think things are okay now.

@werner should the pros and cons of mkportable be discussed here or on a mailinglist?

A second report came in via https://wald.intevation.org/forum/forum.php?thread_id=2044&forum_id=84&group_id=11

Hi, I have the same problem, in Italian Language becouse this is the system language!
Kleopatra 3.1.15 on Windows 10

Hello,
it seems that the log got lost in the way for me at least, can you confirm you received it?

More than a year in testing, and I have not seen problems myself anymore.

Note: If you want to set this early in your program you need to make sure that there is only one thread running.

Maybe have gpg-wks-client(or also --export-filter) print a warning if the filtered result has a key expiration different than the original key? That seems the simplest way tp approach the problem.

That is a problem on the macOS side, for example with their PINentry tool. Sorry, we can't help you here.
In any case we won't support a gpg4win version released nearly 4 years ago.

That it. Things works nicely for me. Won't be backported to 2.2 because this introduces minor changes in the behaviour.

So far -- unlike the previous patch -- this seem to help (but since the issues are infrequent I can't be entirely sure yet).

Ingo, as you are currently working on the config dialog, maybe you could also fix this issue on the way.

Here are example files produced by GnuPG 2.3-beta:
S part has preceding zero:

fixed

In T5250#143872, @kaie wrote:

It seems gpgme-json is intended to execute in the Web JavaScript sandbox of a browser.

I said "we're offering the optional use of GPGME

At the time I started to add an optional binding from Thunderbird to GPGME, I wasn't aware of gpgme-json.

In T5250#141705, @werner wrote:

Sure that TB uses GPGME - they claimed they won't use it due to license incompatibility (LGPL). I assumed they use gpgme-json via naticve messaging.

We could add compatibility mode for Ed25519 signature to conform well-formed MPI (expecting recovery).

Thanks for the information!
We'll update our CI.

MSYS builds are not supported. All kind of stuff may go wrong. Just don't use it. Please use the standard installer as listed at gnupg.org or install gpg4win (which includes this installer).

thanks, @werner!

Sure, here is output:

2021-02-24T20:19:46.8671882Z + gpgconf --show-versions
2021-02-24T20:19:49.6868215Z * GnuPG 2.2.25-unknown (0000000)
2021-02-24T20:19:49.6871468Z MSYS
2021-02-24T20:19:49.6888515Z 
2021-02-24T20:19:49.6889344Z * Libgcrypt 1.8.7 (baacfb40)
2021-02-24T20:19:49.6889956Z version:1.8.7:10807:1.39-unknown:12700:
2021-02-24T20:19:49.6890454Z cc:90300:gcc:9.3.0:
2021-02-24T20:19:49.6891633Z ciphers:arcfour:blowfish:cast5:des:aes:twofish:serpent:rfc2268:seed:camellia:idea:salsa20:gost28147:chacha20:
2021-02-24T20:19:49.6892539Z pubkeys:dsa:elgamal:rsa:ecc:
2021-02-24T20:19:49.6893424Z digests:crc:gostr3411-94::md4:md5:rmd160:sha1:sha256:sha512:sha3:tiger:whirlpool:stribog:blake2:
2021-02-24T20:19:49.6894177Z rnd-mod:linux:
2021-02-24T20:19:49.6894666Z cpu-arch:x86:
2021-02-24T20:19:49.6895791Z mpi-asm:generic/mpih-add1.c:generic/mpih-sub1.c:generic/mpih-mul1.c:generic/mpih-mul2.c:generic/mpih-mul3.c:generic/mpih-lshift.c:generic/mpih-rshift.c:
2021-02-24T20:19:49.6897734Z hwflist:intel-cpu:intel-fast-shld:intel-bmi2:intel-ssse3:intel-sse4.1:intel-pclmul:intel-aesni:intel-rdrand:intel-avx:intel-avx2:intel-fast-vpgather:intel-rdtsc:
2021-02-24T20:19:49.6898968Z fips-mode:n:n:
2021-02-24T20:19:49.6899492Z rng-type:standard:1:2010000:1:
2021-02-24T20:19:49.6899888Z 
2021-02-24T20:19:49.6900359Z * GpgRT 1.41-unknown (0000000)
2021-02-24T20:19:49.6900739Z 
2021-02-24T20:19:49.6901208Z * Libassuan 2.5.4-unknown (0000000)
2021-02-24T20:19:49.6901605Z 
2021-02-24T20:19:49.6902048Z * KSBA 1.4.0-unknown (?)
2021-02-24T20:19:49.6902420Z 
2021-02-24T20:19:49.6902843Z * GNUTLS 3.6.15

Okay, okay, I had in mind that we print them because we used to put such certificates into the ephemeral certificate storage because it is not possible to check the signature. But I reliazed that this changed quite some time ago and we can view these error messages as informative only. They are now not anymore printed int quiet mode. Well, for 2.3 - not sure whether I should backport this to 2.2.

Thanks for the fixes, @werner!

Can you please run

As suggested in the linked question on stackexchange, I think that even if the error comes from the pinentry program, GnuPG could echo a more informative error than gpg: decryption failed: No secret key, such as terminal to little to show the pinetnry program, or something similar.

Done in 2.2 and 2.3. The issuer certificate thing is a real error message and thus it should be printed.

Other ways that gpgsm --quiet is not quiet:

Hi Werner,
Thanks for the reply. Will try to reproduce this and get back to you. Our CI wasn't have an option to upload artifacts in case of failure.

Thanks for the report. Frankly the curses pinentries are not that widely tested.

Sure

Fixed in libgcrypt 1.9.2. Thanks!

Ingo, can you take care of this one?

With 2.2 the second works if the first passphrase prompt was canceled. Test invocation:

Plesae run gpg with the option --verbose and put

Hm, got something similar on macOS runner as well (however, in this case secret key is generated by RNP, and then successfully imported by GPG) :

2021-02-19T10:49:42.8239220Z /tmp/rnp-local-installs/gpg-install/bin/gpg --homedir /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/rnpctmp3ciohli5/.gpg --pinentry-mode=loopback --batch --yes --passphrase key2pass --trust-model always -o /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/rnpctmp3ciohli5/cleartext.dec -d /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/rnpctmp3ciohli5/cleartext.rnp
2021-02-19T10:49:42.8240980Z gpg: AES256.CFB encrypted session key
2021-02-19T10:49:42.8241480Z gpg: encrypted with 1 passphrase
2021-02-19T10:49:42.8242430Z gpg: encrypted with 1024-bit RSA key, ID 23295470BD33EA4A, created 2021-02-19
2021-02-19T10:49:42.8243090Z       "key2@rnp"
2021-02-19T10:49:42.8243580Z gpg: public key decryption failed: Corrupted protection
2021-02-19T10:49:42.8244650Z gpg: encrypted with 1024-bit RSA key, ID 3A9FE68E283F7439, created 2021-02-19
2021-02-19T10:49:42.8245220Z       "key1@rnp"
2021-02-19T10:49:42.8245690Z gpg: public key decryption failed: Bad passphrase
2021-02-19T10:49:42.8246250Z gpg: decryption failed: Bad session key

Attaching the full log:

Well, it's a (hard) requirement unless you explicitly disable efl, i.e. ./configure (without --disable-efl) fails with an error if elementary or ecore-x is not found.

I don't think the patch made elementary and ecore-x dev headers an absolute hard requirement; in particular, ./configure --disable-efl works fine to build pinentry without having these headers installed.

The following patch makes the efl requirements optional unless pinentry-efl is explicitly enabled:

diff --git a/configure.ac b/configure.ac
index bc67c14..ce170c9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -423,7 +423,24 @@ AC_ARG_ENABLE(pinentry-efl,
             pinentry_efl=$enableval, pinentry_efl=maybe)

rP19a18ba5fee0 makes elementary and ecore-x hard requirements for pinentry. I don't think that's intended.

Thanks for the verification, @wltjr. I've pushed 19a18ba5fee049aac87b5114763095aaeb42430f to the master branch for future releases.

Btw, ecore-x was also needed, so that should remain. Just to be clear, the final version should be

PKG_CHECK_MODULES(EFL,[elementary >= 1.18,ecore-x])

Give or take the >= vs >.

@dkg it was the 2nd one, the EFL vs efl. That worked fine after uppercasing it! The >= may not be necessary, but might as well. I am on a much newer EFL, 1.25.1, so not really able to test that part of it. I should be running one of the latest autotools,

[ebuild   R    ] sys-devel/automake-1.16.3-r1:1.16::gentoo  USE="-test" 0 KiB
[ebuild   R    ] sys-devel/autoconf-2.69-r5:2.69::gentoo  USE="-emacs" 1,438 KiB
[ebuild   R    ] sys-devel/libtool-2.4.6-r6:2::gentoo  USE="-vanilla" 951 KiB

Pushed the change. Please test.

See the comment in rE13918d05a333: Allow building with --disable-threads. for ABI incompatibility.

hm, actually, maybe the efl should be EFL in order to produce and substitute the EFL_CFLAGS and EFL_LIBS variables.

@wltjr maybe it needs ecore-x as well as elementary > 1.18 in the PKG_CHECK_MODULES line? oh, and looks like i screwed up and used > where i should have used >= sorry! fixing those would make the PKG_CHECK_MODULES line be:

With the third case it accesses the settings file, but does not write anything.

When does it work and when not:

• It works: if I change columns, column widths, sorting column or window size. Then close Kleopatra and restart it within the same environment (screen size).

Kleopatra running on Linux (Ubuntu 20.10, 21.04; Fedora 34, 35 (rawhide)) does this. Closing Kleopatras window saves columns and column widths as shown (it even works if I change the systemwide used font).
On Windows 10 this does not work. Closing Kleopatra via the windows "Close Button" or by selecting "Close Window" or "Exit" from the main menu settings will not be saved. Opening the window again will show columns as they where after installing (way to small for displaying the dates created and expired and the hash of the key). The sorting column is lost too on Windows, but not Linux.
I am unsure if this bug is triggered by my company setup, or if it exists on any Windows 10 installation.

Looks like its missing an include

x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I..  -pthread -I/usr/include/libsecret-1 -I/usr/include/gio-unix-2.0 -I/usr/include/libmount -I/usr/include/blkid -I/usr/lib64/libffi/include -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include    -I/usr/include/ncursesw -I../secmem -I../pinentry -Wall  -O2 -pipe -march=amdfam10 -mcx16 -msahf -mabm -mlzcnt -Wall -Wno-pointer-sign -Wpointer-arith -c -o pinentry-efl.o pinentry-efl.c
pinentry-efl.c:32:10: fatal error: Elementary.h: No such file or directory
   32 | #include <Elementary.h>
      |          ^~~~~~~~~~~~~~
compilation terminated.

@dkg for sure, I will test out the patch ASAP. Thanks for the ping.

I think you're saying "GnuPG will reject all subpackets marked with a critical flag unless there is a specific known semantic for *criticality* for that subpacket" Am I understanding that right? Is there a published list of criticality semantics that GnuPG is willing to accept? How do those semantics differ from standard semantics for the packet in question?

fwiw, i think a patch like this ought to work with reasonably-modern versions of autotools:

@wltjr maybe you could take a look at this?