Since this is hard / impossible to test for, but the fix was obvious I am closing this directly. The fix for this is in GpgOL 2.5.12.
Jan 8 2024
Jan 7 2024
For the record. The code used to detect early on if the dark or bright icon theme should be loaded as a resource caused a crash during startup on at least Windows Server 2016 Enterprise. Our new fix avoids such API but I have created T6921: Kleopatra / Qt6: Improve accessibility detection for "Desert" high contrast scheme and fix it upstream to keep track of this since our fix is not fully complete in that it does not properly detect the Bright (Desert) High contrast mode and it should either be merged into KIconThemes or fixed in / with Qt6.
Jan 5 2024
Jan 4 2024
I did not realize that when we originally implemented that feature we already exposed it through GPGME. So this has been fixed since 2020.
Jan 2 2024
Dec 28 2023
Dec 19 2023
In T6900#180549, @andrewgdotcom wrote: Hi, Andre.
...
Thanks for the explanation. To me this sounds very reasonable and I think that I am starting to better understand your use case in Hockeypuck.
Having a test example key + the intended revocation update would help at least me to dig into it a bit and see how this might conflict with RFC4880.
Hi,
so I talked to werner about this, and of course GnuPG accepts minimal revocations.
A revocation certificate. So that was my point. As he understood you, you wanted to revoke not the whole key but only a single user id but without the user id packet? Sorry I am not really the protocol expert. But for me a revoked key without any user ids sounds to me just like a "standard" revocation certificate revoking the whole key. And as said, that is well within the Standard and accepted, and even used by GnuPG. E.g. in case of a key rollover we attach such a minimal revocation certificate to WKD keys when we deliver key updates.
In T5709#180540, @bernhard wrote: Would it be a workaround idea to double the attachments, so that the original ones would be used as reference for embedded viewing? And the other to be shown?
Yes they can, the workaround, which GpgOL even suggests in the error message is that the mail may not be visible as plain text while changing flags or categories. This usually means that you have to select a different mail and then use right click on the mail you wish to mark for followup or add a category to. The whole problem is that while the plaintext is visible in Outlook we have to prevent changes to the mail from being synced to the server or otherwise it will also sync the plaintext.
From a technical standpoint I think the most minimal revocations which are technically possible should be accepted and thus I endorse the feature request.
Dec 18 2023
Just to clarify, above ticket does not reflect my Opinion. It is a direct quote from a different ticket. It is my expert opinion that a combination of "Name <email> + Cryptographic Data" is not a personalised dataset since anyone can create it. But let us please not argue about that.
In T4393#180500, @andrewgdotcom wrote: Perhaps we need to open a new issue for this, to keep the discussion more focused?
In T6891#180474, @ikloecker wrote: I'm also wondering why syncing a handful of new messages takes so long. Or, actually, why syncing takes so long even if nothing at all changed on the server (the new messages were already shown by KMail). Maybe it's just the bad IMAP implementation of Exchange. Or maybe Akonadi has marked the folder as bad, so that it always syncs the entire folder.
Both the company and me are running debian dovecot.
I have yet to reproduce this so I had not yet triaged this. The usual case to forward attached mail in Outlook is with .msg files but I recently noticed that Outlook on the web allows you to save mail also as .eml. Also .eml should in theory be much simpler to handle.
Your comment on speed might also be why I do not see this issue. Nearly all of my mails and all my large folders go through my private mail server that stands at a dedicated hoster. While our company mail server is located in the office and only reachable through the office internet connection with VPN afaik. I had a tool / command to deliberately slow down connections on some port maybe you can use something like that? I don't think that we can give you access to the company mail server / VPN since you are not a regular employee.
Oh yeah! I was looking for a way to Integrate LLMs / GPT Models into our code. Let us change gpgme_data_identify so that it queries an online service about what to do with such a file 😅 I guess that is how Microsoft would implement such a feature nowadays. Gathering training data in the help of humanity.
Dec 16 2023
We were hoping before Christmas. But it is unlikely due to some other stuff we had to do. Early Jan. Definitely a priority for us right now to get it out.
But I guess syncing a second client should do the trick to get the server state. At least ebo has afaik both claws and kmail configured with the same server.
No, our web interface is telnet :)
Dec 15 2023
The issue was obvious but I looked at the wrong place. I looked for a ref counting error but the issue was that the control only returned a temporary pointer that had exactly one reference.
If I understand you correctly we will then have the hierarchical keylist model, the flat keylist model and then as a new model the userid keylist model in libkleo/src/models/keylistmodel? To be honest you probably know best how to implement this in the most useful way.
I just rechecked we are actually not including the root certificate but we are including the intermediate certificate. Since there never were any complaints about this let us not change this. The original reporter must have somehow deleted the intermediate certificate or it was with an older certificate from us.
Shouldn't that be the difference between SizeAdjustPolicy AdjustToContentsOnFirstShow and AdjustToContents?
I do not think it could cause any harm, if a certificate is re-issued we can adapt and worst case we would ship a very small obsolete intermediate. And it would be just one less of a potential problem when verifying our signature that on this PC at the time the intermediate certificate is not available. Having a self contained chain in the signature is also helpful for scripted verification checks where you would then just need to check that the root CA is trusted and then can check everything offline.
And we take a bit of pride in the fact that we can easily be run on offline systems and there this might actually create a bit of a hassle to get the certificate in there. This would also allow for a more easy verification using osslsigncode itself independent of Microsoft tools.
Gpgpass already installs a desktop file I just overlooked it.
Dec 14 2023
Dec 12 2023
For Kleo I think we have it handled, different subtasks for the Appimage and Gpg4win do not make sense IMO since both rely on the same packaging and I feel confident enough to also update the AppImage. A subtask for Okular will make sense though since Sune already spent some time on it and that way we can keep an eye on it.
We could also use this for T6874: Kleopatra subkey management improvements
Ingo could you add more subtasks here that need to be done? So that we might assign them to Tobias.
Tobias could you create an MR for this?
This does not need to be checked again for Gpg4win since the installation of this file is generated from the Gpg4win installation script.
I think we should not fix this issue because T6846: Kleopatra: learn TCOS cards automatically replaces it. If we don't have a Load certificates button anymore we also don't need a better progress for it.
I am moving this back to WIP (my assignment to QA was wrong) since this is only done for me when the translations are accepted / committed in Kleopatra upstream so I can drop the patch.
Should be fixed for the next release.
Checking if the key is not otherwise used is unrelated and should be a different Task since this also relates to OpenPGP. For me this Task is about creating a similar API for gpgsm (--delete-secret-key) that we have for OpenPGP.
Dec 11 2023
Wishlist as the other tasks related to that are also wishlist and this would be a new feature.
In T6867#179911, @ikloecker wrote: What if the second signer cannot verify the first signature because they don't have the required public key?
Actually prio is rather low or even Wontfix. Since it has been this way forever and no one really complained. I think deleting secret keys esp. for S/MIME where you can't just create a testing key but need to have it signed by a CA is not really there.
I know I discussed this with werner several times and never really understood it because it makes for an inconsistent user interface / user experience. You delete an OpenPGP Secret key and then the keyfile is gone, you delete an S/MIME secret key and then the keyfile still exists. But it has been so forever T960
Maybe kleopatra should for the very rare cases where a key is used by multiple certificates do a search for the keygrip and warn if this also deletes the secret portion of another secret key? But that would then be also true for OpenPGP.
Ack, I was not sure if we fixed it and forgot to add the commit here.
I think this works as intended now with the new certify interface. Also if you grant a key full ownertrust as now is the only option the self certification automatically becomes valid so this then shows as certified.
I did this. da403fe8e4bbc5701ae1d65dd4b0a7267ab43892
Ingo do you know if we have fixed this?