Backported for vsd33 (as discussed with ebo)
Oct 28 2024
Oct 25 2024
This bug exists since Kleopatra offers "Trust root certificate" (i.e. since 2010). allow-mark-trusted seems to be default since Gpg4win 2.1.0. If admins really want to prevent users from messing with the trustlist then they anyway have to use the no-user-trustlist option.
I can still reproduce case 2 with gnupg 2.4. I have to check how my local setup differs from gpg4win-Beta-64.
If you use a tabbed layout you will always have the problem that some tabs have lots of whitespace and other tabs have little whitespace or even a scrollbar.
I just saw that gpg-agent has a MARKTRUSTED command which takes care of asking the question and of modifying the trustlist.txt. I guess it makes sense that Kleopatra uses this command for the "Trust root certificate" action.
In T7349#192860, @werner wrote: Kleopatra should also not offer to add a root CA if gpg-agent's mark-trusted feature has been disabled.
Oct 24 2024
In T7329#192861, @ebo wrote: Regarding the removal of the stretch: Now there seems to be no space at all before the description. Could we have a one-line space before it?
I have confirmed that rA69069bc63e6b fixes the build on macOS.
Passing ticket to werner to consider backports.
Oct 23 2024
Oct 22 2024
The line
Please use https://bugs.kde.org to report bugs.
seems to be hard-coded into the Authors tab. I see it in all KDE applications. Maybe it can be customized.
We could simplify the copyright lines to (if we make sure that the current names are listed as authors)
Copyright 2002-2024 The Kleopatra authors
Copyright 2002, 2004, 2007-2009 Klarälvdalens Datakonsult AB
Copyright 2016-2018 Intevation GmbH
Copyright 2010-2024 g10 Code GmbH
alternatively using © instead of "Copyright". (Using both as in KMail is nonsense because © is the official abbreviation of the word "Copyright".)
Making pinentry issue "fully canceled" if the user clicks Cancel breaks decryption of data that is encrypted with multiple keys of the owner. The user wouldn't be asked for the password of their second key if they canceled the pinentry for the password of the first key.
The new API isn't used anywhere. For now it can only be tested with the test runners. -> setting to resolved
Note for testing:
If the environment variable GNUPG_ASSUME_COMPLIANCE is set to "de-vs" and de-vs compliance is enabled then Kleopatra should show "VS-NfD compliant (beta)" instead of "VS-NfD compliant" everywhere. ("Not VS-NfD compliant" doesn't get the (beta) suffix.)
Oct 21 2024
Oct 17 2024
The technical background is that opening the certificate details triggers an update of the certificate and this triggers an update of the drop-down. The drop-down should still keep the currently selected certificate even if it is not offered by default.
Oct 16 2024
The fix should probably be backported to gnupg 2.2 and 2.4.
I'm wondering if/how we can get rid of the checkbox before "Encrypt for me". Do we even need to distinguish between "for me" and "for others"? It has always felt wrong to me that we have completely different UI for selecting my single (!) key and multiple other keys. What if I want to encrypt to two keys of me? Makes no sense to enter my second key under "Encrypt for others". What if somebody always wants to encrypt everything to two of their keys, e.g. because they use different keys on different devices? But that also applies to the file encryption dialog so maybe that's a different discussion.
In T5957#192598, @ebo wrote: But what I don't understand is: why do we need the buttons? For other encryption actions in Kleo you can choose from all available keys, regardless of their protocol.
I confirm the fix. Using gnupg master the unit test ran 544 times without any failures or suspiciously long run time.
My last comment makes things look more complicated than they are.
Okay, then we keep the protocol radio buttons for now, but I guess there's no reason not to make it less prominent. I would even argue that the label "Protocol:" isn't really helpful and could be removed.
Oct 15 2024
In the second case, gpg emits a FAILURE gpg-exit 33554433 status at the end. I think this makes gpgme consider the operation failed. I think this is a bug in gpg because gpg does not emit a FAILURE status if a wrong symmetric passphrase is entered.
In the first case, gpg emits a CANCELED_BY_USER status. This makes gpgme abort the operation. We may have to wait/watch for BEGIN_DECRYPTION / END_DECRYPTION.
When looking at Carl's first MR I had a few ideas/thoughts:
- Does the notepad really need to support S/MIME? People might want to use inline PGP with Kleopatra, but S/MIME???
- I'm wondering whether we should move the checkboxes to the group box titles and get rid of the group boxes and instead use KSeparators to separate the different sections, i.e.

    [ ] Prove authenticity (sign)
    Sign as:
    ------------------------------
    [ ] Encrypt
    Encrypt for me:
    Encrypt for others:
    ------------------------------
    [ ] Encrypt with password
    Anyone ...
    ------------------------------
    [Sign and Encrypt]
I found one reason for the intermittently failing concurrent initial keylisting. gpgsm sometimes uses the wrong socket file to (try to) connect to gpg-agent.
I don't think gpg/gpgsm tell gpgme "the keyblock used for decryption". They simply log all public keys used for encryption via STATUS_ENC_TO in the order the packets appear in the encrypted file.
Oct 14 2024
In T7334#192524, @werner wrote: For a subkey the user id of its primary should always be shown.
In case of an unknown encryption subkey we could check if it's the ADSK of a known recipient and then display something like
Unknown ADSK for "Some key with ADSK <with-adsk@example.net>"
instead of
unknown recipient
I can reproduce this with gnupg 2.2.45-beta27 (STABLE-BRANCH-2-2 69a8aefa) on openSUSE Tumbleweed.
Is this R-flag part of the status logging, i.e. do we need to add handling for this in gpgme?
Oct 11 2024
Oct 10 2024
I have reproduced this with libkleo from our gpg4win/24.05 branch and with gpg (GnuPG) 2.4.6-beta102 (HEAD of STABLE-BRANCH-2-4) and current master of gpgme and all GnuPG libraries. It took just 8 runs until a unittest failed.
gpgme logs for a failed test where the keylisting with gpgsm failed
If the keylisting (of OpenPGP and S/MIME certificates; technically, that's two independent keylistings) fails without giving any results then it makes sense to show an error message instead of the welcome page.
Oct 9 2024
This is also relevant for VSD 3.3. Backport is not needed, but gpg4win/VSD needs to include current gpgme.
Yes, the fix is included in the Gpg4win 4.3.1.