All Stories
Nov 9 2023
Pushed the change to master/2.4.
Nov 8 2023
I'm not familiar with the Phabricator software, so perhaps there is a better way to attach a diff to this ticket. Here is the diff I created: https://dev.gnupg.org/differential/diff/1543/
To be honest, the only backup-worthy settings file of kleopatra is the kleopatragroupsrc right now. Most other settings are pretty much only for convenience; I would not even bother to back them up. When something important is configured by the administration, that should go through the registry. As we recently noticed through talking to people at FrOSCon and with the BSI, the most common case was that our kleopatra settings were actually never updated or only saved by accident.
So should we at the moment only change our backup/migration recommendations? Add %LOCALAPPDATA%/kleopatra and %LOCALAPPDATA%/*rc to the backup?
For comparison, the command without compliance enabled:
Well the icons are there. So I don't think this needs more QA.
Test version is available internally.
Fixed.
This will definitely not be changed for 3.2. It will be a very invasive patch with a big regression risk, and it does not make real sense to do before we switch to Qt6 since it involves patching Qt.
I guess that it's a case of specifying a static passphrase. If so, here is the patch:
diff --git a/g10/call-agent.c b/g10/call-agent.c index cb7053396..c44c1cddb 100644 --- a/g10/call-agent.c +++ b/g10/call-agent.c @@ -161,6 +161,7 @@ default_inq_cb (void *opaque, const char *line) || has_leading_keyword (line, "NEW_PASSPHRASE")) && opt.pinentry_mode == PINENTRY_MODE_LOOPBACK) { + assuan_begin_confidential (parm->ctx); if (have_static_passphrase ()) { s = get_static_passphrase (); @@ -187,6 +188,7 @@ default_inq_cb (void *opaque, const char *line) err = assuan_send_data (parm->ctx, pw, strlen (pw)); xfree (pw); } + assuan_end_confidential (parm->ctx); } else if ((s = has_leading_keyword (line, "CONFIRM")) && opt.pinentry_mode == PINENTRY_MODE_LOOPBACK diff --git a/sm/call-agent.c b/sm/call-agent.c index 883c0c644..7f7205f26 100644 --- a/sm/call-agent.c +++ b/sm/call-agent.c @@ -222,7 +222,9 @@ default_inq_cb (void *opaque, const char *line) && have_static_passphrase ()) { const char *s = get_static_passphrase (); + assuan_begin_confidential (parm->ctx); err = assuan_send_data (parm->ctx, s, strlen (s)); + assuan_end_confidential (parm->ctx); } else log_error ("ignoring gpg-agent inquiry '%s'\n", line);
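Review bot: In g10/call-agent.c the assuan_begin_confidential call (first hunk) and the assuan_end_confidential call (second hunk) sit roughly 25 lines apart, and the code between them is only partly visible in the diff; check that no return or goto in that span skips the end call, because the context would otherwise stay marked confidential for later traffic. In sm/call-agent.c the pair wraps a single assuan_send_data call, which is easy to verify at a glance. Neither file gets a comment saying why the data is marked confidential; one line at each begin call would help later readers.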
(I also found similar case for gpg as well as gpgsm.)
Pushed the changes for ...sc_op_failure routines to master/2.4.
We would need to revise tools/card-call-scd.c:status_sc_op_failure and g10/card-util.c:write_sc_op_status to catch GPG_ERR_PIN_BLOCKED and GPG_ERR_NO_RESET_CODE.
I found two places in scdaemon which return GPG_ERR_BAD_PIN. GPG_ERR_PIN_BLOCKED is relevant here.
diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c index 66ec9f4a9..77d428786 100644 --- a/scd/app-openpgp.c +++ b/scd/app-openpgp.c @@ -2859,7 +2859,7 @@ build_enter_admin_pin_prompt (app_t app, char **r_prompt, int *r_remaining) if (!remaining) { log_info (_("card is permanently locked!\n")); - return gpg_error (GPG_ERR_BAD_PIN); + return gpg_error (GPG_ERR_PIN_BLOCKED); }
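Review bot: The changed return in the !remaining branch of build_enter_admin_pin_prompt is the only site in this diff, while the accompanying comment mentions two places in scdaemon that return GPG_ERR_BAD_PIN; the second site should be included here or explicitly left out with a reason. Callers that currently test the result of this function for GPG_ERR_BAD_PIN also need a look, so that GPG_ERR_PIN_BLOCKED is handled deliberately rather than falling into a generic error path.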
Possible approach for source texinfo files and yat2m would be:
Nov 7 2023
On Windows, the notifications are currently configured in kleopatra.kmessagebox, or more accurately, the wish not to notify is configured there:
When I created the GnuPG VS-Desktop MSI Package I messed up and forgot about a file that Gpg4win writes where to place the config files.
Tested both on Windows and Linux and it works now.
Another small improvement in the rendering: https://invent.kde.org/pim/mimetreeparser/-/merge_requests/23
From a "being nice to end users PoV", I think a QtWE is the best approach.
From a "being nice to ourselves PoV", I think QTD is easiest, alternatively having a button to open in a browser.
I think there is no configuration option to set the socket directory; it's hardcoded in homedir.c.
Just tested QTextDocument for a few HTML emails and it works almost perfectly as long as the emails were created for the old Outlook still using the HTML4 engine (iirc the same one as Word).
I think this works as intended.
Applied a patch from 2.4/master to 2.2 for SEGV when card gives bogus data. rG600e69b46149: scd:openpgp: Fix a segv for cards supporting unknown curves.