We decided to use the blue symbol for such a non-compliant key in the VSD version.
All Stories
Oct 5 2023
We discussed and decided that "can encrypt" should determine if an encryption subkey exists for a key in the keyring associated with the given email address.
For GnuPG 2.2, commit rG936954a18a2df made sure that the hkps:// prefixing from Kleopatra is ignored.
That has been done, modulo the bug which existed for both versions and which I fixed today (T6536).
@ebo: Do you have the Ted Tester key (i.e. the ADSK key) also in your keyring?
Works in the current VSD-testing-Beta.
Okay, I found and fixed the import problem in 2.4 and will backport this to 2.2
According to werner the GnuPG tools use GetCommandLineW even when they are not built with -municode.
So a solution could be to build gpgme-w32-spawn with -municode and start the child process with CreateProcessW. This would also solve the problem that GnuPG could itself be installed into paths which are not representable in the local 8-bit encoding.
I think that if we know that GnuPG is not encrypting to expired keys we need to use the X icon for that key and disable the sign/encrypt button until this key is removed.
So I think we need to somehow show this. This gives users the option not to encrypt to the one or two expired keys and maybe ask them for updated keys, or continue the operation anyway. (Although I am unsure if gpg would not throw an error in that case even with trust model always.) From a user experience standpoint I think we need to make it visible that you had a key for a person once but that this key is expired now, regardless of whether or not it should then still be used. The "No Key" is a bit of wrong information here. So show such keys as the first entries and then disable the OK button until the user somehow solves the issue.
I'll create a branch for this work. Then, I'll incorporate changes to master.
OK. I pushed: rG227b3b14f4be: tests:tpm2dtests: Modify tests with SWTPM and relax the condition.
... which doesn't require swtpm_ioctl and tssstartup any more.
Oct 4 2023
The tag of the last displayed user ID that has a tag is chosen. And that's tag tagC1 in the above scenario.
Works, the expected behavior from the description is shown.
With the current Beta VS-Desktop-3.2.0.0-beta229/231 the tags in the tags column in the certificate list are always shown, regardless of the configuration option "show tags of certificates". Only the tag of the primary UID is shown there (which makes sense, IMHO).
The new "no 509 certificate" message box comes up always when restarting Outlook and then immediately composing and sending a message, even when the user has a certificate.
-> add a check if the cache is already loaded in GpgOL
For the Berta key in the test version: *after* entering the password for the signature, the new GpgOL message does show. When I choose "Retry" in spite of the warning, the mail is sent out encrypted.
So I was only confused because I did expect another order of events. Something seems redundant and confusing here:
First you are shown the security confirmation dialog and click on OK (with the small warning sign and "not compliant" next to it), then you are asked for your password (if it is not in the cache), and then you get the new warning message with the option to "Retry", although you already chose in the first dialog to encrypt non-compliantly.
Btw: the error message from gpg is for me not "end of file"; instead it is: "Syntax error in URI".
If I repeat this with a totally empty keyring, I get the new message regarding the missing signing certificate.
Sorting problematic keys to the front makes sense to me, but might be complex since we just add the certificate line edits and then would need to do some kind of dynamic layouting depending on the return value of the line edits' key.
I pushed rG321f9c0a3f28: tests:tpm2dtests: Fix tests with TPM2D. and rG98dd6f7af6aa: tests:tpm2dtests: Fix tests with SWTPM. (and other small changes).
Now, it works with two cases:
- tpm_server
- swtpm, swtpm_ioctl, and tssstartup
With this certificate I do get the security confirmation dialog without "always show" on, but still no new message box.
Yes, the wording for this line should be improved, I agree.
In the current release and the releases up to now this action did not work at all when it was not used in combination with encrypt. That usually happens only if an administrator activates the "always_sign" option, prefers S/MIME and then does not issue users with S/MIME certificates. For OpenPGP we have the "Generate" option preselected in that case.
Without "always show" I get a pinentry immediately after hitting "Send". So no warning.
In T6683#176424, @ebo wrote:
I realized that I still had "always show confirmation dialog" on... When I turn that off I get the default error message, but with encoding errors:
(I'll take care of the line break, btw)
I do not see the default error message, not even with a new, totally empty keyring.
I immediately get:
For the sent mails folder there is no solution. The problem is that if the mail never leaves the Exchange server it is not converted to a standard-compliant PGP/MIME but left in Microsoft's internal MAPI format, where it looks like this. I think Thunderbird has support to fix up a message if the mimetype of the first attachment is application/pgp-encrypted. Which reminds me that we need to change the filename of our internal attachment, too, to use .mim as an extension. Then you will at least also be able to open such messages on other clients with Kleopatra directly to view the contents of the mail. And a side effect of this might be that Enigmail might then be able to open the mails. If not, we would need to talk to Enigmail about how to solve this.
Uploading two patches for review:
Oct 3 2023
Oct 2 2023
After some investigation it turns out there are several bugs in the thing that eventually produces an email with the counter proposal.
Do you have any hint how I can test this? I installed Chinese-Simplified (zh_CN) but I fear switching the display language. Maybe I should just use _wasctime and convert to UTF-8.