In T6117#205379, @ikloecker wrote:

I guess this is a typo because the CSR looks like an encryption-only certificate.

I think this will make the dialog less user friendly because with this change one always needs to check the status of all check boxes. Without the change the check boxes always have the same status when the dialog is opened the same way. Predictability is very important for usability and even more for accessibility.

I would like to change this ticket to "Save status of all check boxes in the sign/encrypt dialog".

ok, changed the text in the description of the ticket accordingly, but put two more "team" back in.

Dialogtext (winzige Politur):

We decided to

Looks like there is a rights problem modifying the body of those mails
Every time when we try to modify the HTMLBODY or BODY property we fail with MAPI_E_NO_ACCESS.
The attached mails in those tests where ms-tnef formated (winmail.dat)

omhelp.cpp:lookup_oom_dispid:160 wchar_t alloc 00000155d9abfe80:HTMLBody
07:35:08/5284/oomhelp.cpp:put_oom_string:674 wchar_t alloc 00000155ccf77710:<html><head></head><body><table border="0" width="100%" cellspacing="1" cellpadding="1" bgcolor="#0069cc"><tr><td bgcolor="#0080ff"><p><span style="font-weight:600; background-color:#0080ff;"><center>OpenPGP Nachricht</center><span></p></td></tr><tr><td bgcolor="#e0f0ff"><center><br/>Bitte warten Sie w�hrend die Nachricht entschl�sselt / gepr�ft wird...</td></tr></table></body></html>
07:35:08/5284/oomhelp.cpp:put_oom_string: Putting 'HTMLBody' failed: 0x80020009
07:35:08/5284/DBG_OOM/oomhelp.cpp:dump_excepinfo: Exception: 
              wCode: 0x1000
              wReserved: 0x0
              source: Microsoft Outlook
              desc: Sie besitzen nicht die erforderliche Berechtigung, um diesen Vorgang auszuf�hren.
              help: null
              helpCtx: 0x0
              deferredFill: 0000000000000000
              scode: 0x80070005
07:35:08/5284/TRACE/oomhelp.cpp:put_oom_string:699: return
07:35:08/5284/ERROR/mail.cpp:decryptVerify_o: Failed to modify html body of item.

We got new suggestions for this:

Upstream MR: https://codereview.qt-project.org/c/qt/qtbase/+/676173

I found and fixed a bug (likely a regression in the new code): When CN_prefill or EMAIL_prefill is configured as true and no fixed CN or EMAIL is configured then Kleopatra should prefill Name and Email with values taken from CONFIGDIR/emaildefaults (used by KDE apps on Linux), from the Windows user or from the EMAIL environment variable. This didn't work anymore.

To query the AD I used the GPGME function gpgme_op_assuan_transact_ext with an query string like this:

ad_query --subst --attr=dn,userAccountControl (&(objectcategory=person)(objectclass=user) (|(userPrincipalName={{email}}) (mail={{email}})))

Of course {{email}} must be replaced with the mail address queried, this might probably also be the UserPrincipalName.

Meanwhile we notice this also with OpenPGP Mails. This needs to be further investigated.

We'll keep it as it is, for the improvement see T7814

In T6117#205277, @timegrid wrote:

Notes (probably as intended):

• [$i]mmutable does not work for CN or EMAIL

In T6117#205277, @timegrid wrote:

• All fields (signing only, rsa4096)

Certificate Request:

[...]

X509v3 Key Usage: critical
    Key Encipherment, Data Encipherment

Updated the task description after talking with @ikloecker

In T7758#205218, @timegrid wrote:

Note: If i set an invalid path in "Software\\GnuPG:Install Directory"

• the gpgconf -X output does not change
• the self-test Config File 'libkleopatrarc' fails with Error in archive definition tar: 'pack-command-openpgp' empty or not found

In T7758#205217, @timegrid wrote:

This probably can only be tested with signed releases?

I don't see how this could happen unless you have canceled an export. In this case Kleopatra saved an empty path as last location and then on the next export Kleopatra proposed Documents. The latest changes prevent Kleopatra from saving an empty path as last location and they ensure that Kleopatra immediately writes [Export]LastDirectory to disk.

Sorry, I just found out, that windows caps the filename earlier than max length, so my former tests were invalid.

All mails touched by gpgol should already have a GPGOL_UID_DASL. So to replicate:

1. Send a new encrypted mail (e.g. Edward -> Ted)
2. Don't open that mail, but open the context menu: Move -> Other Folder ...
3. Select a subfolder of INBOX and click OK -> the mail is not moved

fix tested and confirmed with GnuPG 2.5.12 on windows 10

Looks good to me on gpg4win-5.0.0-beta369 @ win10

Looks good to me on gpg4win-5.0.0-beta369 @ win10

Still the same behavior as described in https://dev.gnupg.org/T7240#202915 on gpg4win-5.0.0-beta369 @ win10

Looks good to me on gpg4win-5.0.0-beta369 @ win10:

Looks good to me on gpg4win-5.0.0-beta369 @ win10:

Note: If i set an invalid path in "Software\\GnuPG:Install Directory"

• the gpgconf -X output does not change
• the self-test Config File 'libkleopatrarc' fails with Error in archive definition tar: 'pack-command-openpgp' empty or not found

This probably can only be tested with signed releases?

Current state in gpg4win-5.0.0-beta369 @ win10:

Looks good to me on gpg4win-5.0.0-beta369 @ win10:

Notepad  window
Text to process  edit  Either enter a text you want to sign or encrypt, or an encrypted or signed text you want to decrypt or verify. You can also enter certificates in text form to import them.  blank
t
e
s
t
Signing and encrypting notepad...
Successfully encrypted and signed the notepad

Looks good to me on gpg4win-5.0.0-beta369 @ win10

Looks good to me on gpg4win-5.0.0-beta369 @ win10 (no lines omitted or duplicate readings):

pinentry-qt  dialog  Enter passphrase
Passphrase:  edit  protected  blank
[...]
does not match - try again  dialog
OK  button  Enter

Looks good to me on gpg4win-5.0.0-beta369 @ win10

Looks good to me on gpg4win-5.0.0-beta369 @ win10:

PGP
GPG
P7M
P7S

Tested on gpg4win-5.0.0-beta369 @ win10.

Current state in gpg4win-5.0.0-beta369 @ win10:

Looks good to me on gpg4win-5.0.0-beta369 @ win10.
Can't reproduce it anymore, message is S/MIME decrypted instantly:

Looks good to me on gpg4win-5.0.0-beta369 @ win10: The dialog with the progress bar is showing up instantly now.

Looks good to me on gpg4win-5.0.0-beta369 @ win10:

Uses gpgme-2.0.0 with the above mentioned patches. I have seen no problems in my quick tests.

Key Approval dialog used by GpgOL (VSD only) looks good to me on gpg4win-5.0.0-beta357, Outlook LTSC Standard 2024 @ win10 (compliance mode):

How to test this? The follwing happens for an attachment of an encrypted mail on gpg4win-5.0.0-beta357, Outlook LTSC Standard 2024 @ win10:

Moving an encrypted message on Gpg4win-5.0.0-beta357, Outlook LTSC Standard 2024 @ win10 into an inbox subfolder of Ted.Tester and back works for me, too. Does this confirm, that it's working now?

i've included logfiles for gpg-agent and scdaemon with debug-level 10. the files include

Notes for testing (and maybe documentation update):

• A few features (?) of the old CSR creation have been removed:
  • The different choices offered after CSR creation (e.g. save to file, send to CA, create signing/encryption CSR with same settings, etc.) have been removed; now a file save dialog pops up when the CSR has been generated
  • Custom labels for the RSA key sizes ([CertificateCreationWizard]RSAKeySizeLabels); we use GnuPG's algorithm IDs as labels (items in the drop down box)
  • Custom key type ([CertificateCreationWizard]CMSKeyType); CSR creation supported (and still supports) only RSA as "key type"; by marking the config key as immutable one could force the creation of signing+encryption CSRs which makes little sense for S/MIME and might have been "copied" from OpenPGP key creation where forcing the generation of keys for signing & encryption does make some sense.
  • Specification of the CA's email address ([CertificateCreationWizard]CAEmailAddress); the generated CSRs are now always written to disk; the users will have to create an email themselves

We will do a new gpg4win beta soon.

@m.eik Could you please enable debug option for gpg-agent and get the log output for the crash?

I fixed the problem (which I identified above) in gniibe/t7759 branch. There might be other causes/problems for the particular symptom, so, I don't know the fix resolves the symptom or not, though. Anyhow, I believe that this is an improvement.