For settings in VSD 3.x best look at https://dev.gnupg.org/source/kleo/browse/gpg4win%252F24.05/src/kcfg/settings.kcfg (gpg4win/24.05 branch).

This looks questionable:

HKEY_LOCAL_MACHINE\Software\Wow6432node\GNU\Kleopatra
HKEY_CURRENT_USER\Software\GNU\Kleopatra

Either both keys use the 32-bit compatibility path Wow6432node\ or both keys don't. 32-bit builds (like VSD 3.x) will use the compatibility path (without being aware of the redirection). 64-bit builds (like Gpg4win 5.x) don't use it. Since Windows mirrors some settings between both registry paths it may not matter.

Allright, then the dash notation for those two groups are intended and the documentation needs to be adjusted

I suspect that the author of the documentation confused the (internally used) "name" of the settings with the "key" that's used in the config files (and the registry). For reference: Many settings are defined in https://dev.gnupg.org/source/kleo/browse/master/src/kcfg/settings.kcfg .

Fixed. Kleopatra and the GnuPG System configuration and error messages coming from GnuPG should now always use the configured Windows display language regardless of the Preferred languages or the Regional format. (GnuPG on the command line will still use the Regional format.)

Note: The tab name is displayed after restart, if

• The tab was renamed manually
• The filter was changed (leading to a rename)

For gpgrt/argparse this could be an option (to remove hard-coded /etc):

Here is a patch (revised since the email of mine):

For t-stringhelp.c, here is a fix.

For

openpgp_oid_from_str has a wrong memory-safety assumption

For Integer Overflow in literals_seen, I think that the claim is wrong.
When literals_seen becomes two, GnuPG stops processing to return an error.
It's not possible for GnuPG to keep processing.

For Integer Truncation of Arguments report, since the int value is limited to one-octet value, we could add check for the length of input when we use strtol.

The language settings of Windows have strange influence on Kleopatra and GnuPG.

We have fixed it but the commit also states:

I agree because the original purpose from the 90ies to enable the use of signed patch files in the Linux kernel community was never actually used and GnuPG stopped the distribution of patches from version to version many years ago. Thus I agree we should hide this option behind a compatibility flag.

Werner said we leave it as is for vsd3.3.3 and only change reading order of the configs for the change to the next mayor release.
So I retag this ticket for gpd5x. timegrid has made a separate ticket for updating the documentation.

Fixed.

Added a compatibility flag in: rGad0c6c33c3d6: gpg: Do not use a default when asking for another output filename.

Fixed in rG115d138ba599: gpg: Fix possible memory corruption in the armor parser.

Fixed in rGdb9705ef594d: gpg: Avoid potential downgrade to SHA1 in 3rd party key signatures.

Fixed in rG8abc320f2a75: gpg: Error out on unverified output for non-detached signatures.

This feature should be only enabled with a compatibility flag.

Mitigation would be: adding context validation in add_onepass_sig function, which checks WHAT of armored input.

Pushed the revised change to master.

I'm fixing this in Kleopatra similarly to gpg-card.

That's a good question. Looking at https://datatracker.ietf.org/doc/draft-koch-librepgp/, it doesn't really specify what encoding is used for "human-readable" notation, so I'd personally lean towards encoding it to stay on the safe side. Unless I'm mistaken, status-fd will only be used locally, so escaping overhead should not be a problem.

Will be in 2.5.14 but I am not yet sure whether or when we put support into gpgme

There will be a new "pfc" record to emit the used preferences after a "uid" record. --list-options show-pref must be given.

VS-Desktop-3.3.90.31-Beta shows no warning any more for the export of a newly generated key.

For argparse we use /etc as a default but applications may use gpgrt_set_confdir to set a different one. Howeever if we already have a new get_sysconfdir function, it is easy and useful to change the default on Unix.

In GnuPG we use CSIDL_COMMON_APPDATA and append "\GNU\etc\gnupg". If this can't be found we use the rootdir, that is he installation directory of the binary or one up if installed below a bin directory. The reason for using GNU and not POSIX or Unix is merely to avoid name clashes with other software ported to Windows. There was no real standard for this on Windows.