The thing is that any n.m.k-something version should behave versionwise the same as n.m.k. That is okay, because beta versions etc are not considered to be released. This is required to allow testing beta version _before_ doing the release.

From the FIPS Certs draft for RHEL 8.5, I have the following sentence:

Thanks for creating the issue.

Kleopatra now also handles a version like Gpg4win-3.1.16-beta15, but gpgconf --query-swdb seems to ignore pre-release identifiers:

$ gpgconf --query-swdb gpg4win 3.1.15-beta16
gpg4win:3.1.15-beta16:u::0:20211012T161328:20211019T103252:3.1.16:20210611T000000:0::

We are currently using "implict" service indicators but eventually we may change Libgcrypt to support explicit indicators.

Good point. I have added support for semantic versioning to Kleo::gpg4winVersionNumber().

It seems like this warning does break some usages of gnupg on macOS.
We found one when packaging this in Homebrew: https://github.com/tadfisher/pass-otp/issues/147

(Ah seems I needed to do any comment, before the inline comment was published at all.)

@ikloecker I've added the following inline comment above (but I am not sure if it was visible, it still says "unsubmitted", whatever that means)
I've also experimentally pressed "raise concern" hoping it would by inline comment visible. Anyway I've meant to only make a suggestion:

Hello Mr. Koch,

Thanks.

@Reiner: Any news; were you able to run the the command with redirection to some file?

I put my initial try by rG752422a792ce: scd: Select a reader for PC/SC..

I found this: https://gist.github.com/PatrickLang/7be00ba46a43eca3ef64ffe64b494749#user-content-conflicts-with-windows-hello--virtual-smart-card

I understand the point in the 1706920, but I'm afraid that the patch itself would not be directly related for the bug. My point: It surely may catch a most serious failure, but not many failures (if we need to check here).

Fair enough. Unfortunately, the separation is not completely clear from the dist git history, so please, excuse any inaccuracies I will provide here. I will try to reference particular bugs so we can get back to them if needed:

The notation data is filtered through notation_value_to_human_readable_string by mistake, note the [ not human readable (32 bytes: .... ].

So what is your bug report? Note that the NOTATION_FLAGS are only printed for human readable or critical notations.

At this moment, we agreed on keeping the current behavior and not allowing the SHA1 for verification either. But we might need to revisit that in the future if this will cause issues. Or we might go the way of switching the service to non-fips if needed, rather than creating some more middle ground.