I guess

alwaysTrust ? Context::AlwaysTrust : Context::None | (encryptionFlags() & ~Context::EncryptFile)

is identical to

(alwaysTrust ? Context::AlwaysTrust : Context::None) | (encryptionFlags() & ~Context::EncryptFile)

There are two other methods that also take alwaysTrust as input and that should likely also propagate the other encryption flags.

In T7620#200845, @Saturneric wrote:

I think it would be much better if GnuPG automatically performed a key listing immediately after key generation when a smartcard is involved. This would allow GnuPG to detect the presence of the subkey on the card right away, rather than leaving it marked as a stub until the user manually lists keys.

I found more issues with the success, warning, and error icons we show in various places.

We are using the style already since quite some time for gpg4win-5. I keep this ticket open for now for further adjustments (e.g. removal of workarounds added for other styles).

In T6869#200695, @timegrid wrote:

so the non working automatic match of data.sig -> data is another bug?

You cannot trust any signatures made with a compromised key because the signature creation date can easily be forged.

Then why don't we add at least the red background (and maybe an X) instead of the warning sign symbol and no color?

Backported for VSD 3.3.x

In T6869#200689, @timegrid wrote:

It's weird that in the "multiple / mixed / split" case the full paths of the files is used even though all files seem to be in the same folder. This isn't really that important.

This is always the case, when the sig file is selected for verification (compared to the verified file itself). Makes probably sense, as the file to be verified needs to be selected explicitly and could be in a different path.

In T6869#200688, @ebo wrote:

One thing: The message for the valid signature from a revoked key looks less worrisome from the user perspective as an invalid signature. Is this intended?
One does not see here if the signature was made before or after the revocation. In the latter case the signature can not be trusted for sure. In the first case it might be ok.

Could we maybe add the time of the expiry or revocation in the message?

In T6869#200682, @timegrid wrote:

• the Show Audit Log link will open the log only on the second click

Most of the texts (most are proper sentences) lack a full stop. It's unclear whether this is a bug in the German translation or also in the original texts. This should be fixed.

The status bar is now updated in case the VERSION file is loaded after the main window was created.

Kleopatra does not show version information in the status bar. It does show whatever is stored in the VERSION file under the key statusline in the group [Kleopatra].

For the icon:

The first call of get_key receives the following key listing from gpg:

2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: sec:-:256:19:C4A24EB0B5F2E025:1746474606:::u:::s
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: cESCA:::D2760001240100000006180489130000::brainp
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: oolP256r1:23::0:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: fpr:::::::::DEC0948C398A6E7B50746EC6C4A24EB0B5F2
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: E025:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: grp:::::::::06BDACFBDEDBC5783A75AE5E7251FA3369C4
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: 0FF4:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: uid:-::::1746474606::2222D8E2F373B9BDEE0DEA2A20A
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: 9402214E9F984::Eric <eric@bktus.com>::::::::::0:
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: <LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: ssb:-:256:19:EAFC5EA29B758B22:1746474606::::::a:
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: ::D2760001240100000006180489130000::brainpoolP25
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: 6r1:23:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: fpr:::::::::1AD596DDEC9B8CF3C1AC6C41EAFC5EA29B75
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: 8B22:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: grp:::::::::52F0797C0B0439BBD718E2534D46656A6C45
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: 6A78:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: ssb:-:256:18:A874804DB497B91C:1746474606::::::e:
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: ::#::brainpoolP256r1:23:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: fpr:::::::::33B273C7BD46E4EB63DD6874A874804DB497
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: B91C:<LF>
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: grp:::::::::34A1F8D9B2AA0CF07C2E042D70E10F9D4EBE
2025-05-05 21:50:23 gpgme[57059]     _gpgme_io_read: check: E734:<LF>

Note the line

ssb:-:256:18:A874804DB497B91C:1746474606::::::e:::#::brainpoolP256r1:23:<LF>

where the # marks the subkey as stub.

Should be fixed.

For gpgme 2 we changed the data types of the time fields to unsigned: rMf2d40473b522e348d96a70c089d2191d0b978098 . Since this change breaks the ABI we use the above change for the 1.24 branch.

Looks good. Please also add the new flags to the NEWS file (similar to what Werner wrote in https://dev.gnupg.org/rMcd79fc39736fda6ce38f1f79700cf658c47372f9).

By the way, "years" is also "incorrect" once in ~4 years because it uses n*365 days. Werner's advice still applies. Enter an ISO date if you want an exact date. Or use a UI tool like Kleopatra.

The following patch for gpgme 1.24 should fix the test.

diff --git a/lang/cpp/src/key.cpp b/lang/cpp/src/key.cpp
index 42046aa..2b14d90 100644
--- a/src/key.cpp
+++ b/src/key.cpp
@@ -633,7 +633,7 @@ time_t Subkey::creationTime() const

This looks like a problem in gpgme. struct _gpgme_subkey stores the expiration date as long int expires which is a signed 32-bit value on all 32-bit architectures. gpgmepp casts this to time_t, but that doesn't help if the 32-bit value is already negative. The same problem exists with all other timestamps in gpgme (i.e. key creation date, signature expiration date, etc.).

The logs of gpgme would be helpful, i.e. run your test program with GPGME_DEBUG=8:$(pwd)/gpgme-$(date +"%Y-%m-%d-%H%M%S").log to create a log file with gpgme's logs.

In any case, the actual connectivity test needs to be performed by GnuPG. Otherwise we might just test whether the Qt/KDE libraries can reach versions.gnupg.org, but not whether dirmngr can. Werner proposed something like gpg --fetch-key https://gnupg.org/index.html.

Fixed.

Looks like plain old inline PGP. Does GpgOL even support inline PGP?

For reference the related MRs for upstream:
https://invent.kde.org/plasma/breeze/-/merge_requests/540 (pending)

For reference the related MRs for upstream:
https://invent.kde.org/frameworks/kguiaddons/-/merge_requests/170 (merged)
https://invent.kde.org/frameworks/kcolorscheme/-/merge_requests/43 (merged)

Very likely this bug exists since 2017 when support for promotion of local certifications to exportable certifications was added.

Fixed in gpgmepp for gpd5x. I think for VSD 3.3 we'll add a patch to gpg4win.

After further investigation it looks like this bug exists since quite some time.

The state machine in GpgSignKeyEditInteractor expects to see GET_BOOL sign_uid.okay and it should have answered with Y.

The dialog between gpg and Kleopatra looks like this:

[GNUPG:] KEY_CONSIDERED FADC4675146CFAF3D86F137E1D3C5E6E3DB3C71D 0<LF>
[GNUPG:] GET_LINE keyedit.prompt<LF>
sign
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_BOOL keyedit.sign_all.okay<LF>
N
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_LINE keyedit.prompt<LF>
uid D2C00A207DC184562E41517CBC5EF7175E8535E8
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_LINE keyedit.prompt<LF>
uid 648AC172C3EC45F85AA2E68E46D3FEFABD1F5BD7
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_LINE keyedit.prompt<LF>
sign
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] KEY_CONSIDERED FFDFEE2F0C8F278023284D90B0FBC8D8324859B9 0<LF>
[GNUPG:] GET_BOOL sign_uid.local_promote_okay<LF>
Y
<LF>
[GNUPG:] GOT_IT<LF>
[GNUPG:] GET_BOOL sign_uid.okay<LF>

and then nothing else.

Fixed. If high-contrast is active then tool tips now use the same colors as buttons (e.g. white text on black for Kontrast No. 1).

With the above patch for breeze the toolbar and the configuration dialog title now also look correct in high-contrast mode.

The wrong/inconsistent coloring of the icons has been fixed.