Tested on Windows with Kleopatra and 2.2 and with gpgme and 2.4 on Unix.

Okay, I known do the same what we do for a single root certificate, that is mark it as "not trusted" ('n').

We already have the ECDH parameters for OpenPGP in the gpg-agent API. The question is how large the data for PQC will be - likely we need to use an inquire already for this reason.

That is a feature. Consider the case that ~/.gnupg is on network file system and thus possible in use on several boxes. Thus before we remove stale lock files we do not only compare the PID but also the hostname. Granted, this is rare but we have had such cases in the past with locks.

See also T6465

We always try to update the stub files because meta data of the key material might have changed due to the use on another box. On Windows the file system watch might be triggered by the remove of a key file right before writing it (cf. the usual Windows rename file problem) which is the cause for the loop. The new patches now detect whether a key file actually changed and avoid writing it back to disk.

Confirmed with two other cards. in the gpg-agent log I also see MARKTRUSTED not supported lines while the card is inserted - this is cause by the loop in Kleo.

This is a generic parent task and does not require workboards for specific branches.

FWIW, the Fileversion is actually the Git revision in decimal

You can't decrypt using the Esign application on such a card. Please provide more information off-tracker.

Testing in 2.4 will not be easy because it requires code modification just for testing. However, de-vs is not supported by 2.4 and the greater plan is to get 2.6 approved for de-vs.

I'd prefer to not use the spawn helper at all. All currrent Windows versions allow to decide which handles are to be inherited and thus there is no more need for the helper.

@gniibe: This is a pretty old bug; given all the changes of the last year, should we close it now?

You are creating a signed archiv? Why - gpgtar is used for encryption.

That's right: -K is merely a -k which prints only keys which have at least one secret key or a stub key (for smartcards) available.

Thanks for commenting from the other account. This allowed me to disable the account. Deleting and account is hard in Phabricator thus we do it only very rarely. But disable is basically the same.

I just verified the new account. Please delete (i.e. disable) it yourself - I can't easily figure out whether it is really your account.

Problem seems to be that there is no ~/trustedkeys.gpg file and that the fallback to the kbx file does not anymore work. I can replicate that with 2.40 and 2.4.4-beta.

That version of gpg is too old that I will look at it.

That sounds very good.

I disagree. We already talked about this and we should proceed as planned.

Further investigation showed that this was due to a bogus key creating during I wrote the code.