with Gpg4win-5.0.0-beta479 the listing after creating the new key with ADSK looks ok now:

I think we won't fix that for 2.2

It looks similar if the key is in a WKD: First search fails without error, only "no certificates found" is shown. Clicking "Search" again results then in the expected key being found and shown.

Traditionally we have considered expired and revoked more or less similar. The idea is that an expired key might have been compromised but the owner did not found a way to revoke it. We may want to change this policy because some users don't care too much about expired keys (cf. T7990) .

Interestingly, gpg also prints the warning about the missing trusted key signature when verifying a signature made with a revoked key that has a valid certification by a trusted key. This could be intentional (because the revocation invalidates all certifications), but it's still a bit surprising.

Frankly, he OpenSSH support for Windows was experimental and I have never tested it. If it can be confirmed that this really works and is useful, it will be easy to add the opeion to gpgconf.

Regarding my comment T1825#191055 : The mane page has long been updated and gpgme support is also available. For the symmetric session key, see the feature request T8016

Looks good to me on gpg4win-5.0.0-beta479 @ win11:

• gpg --show-only-session-key --decrypt FILE shows only the session key
• gpg --add-recipients -r UID1 FILE adds recipients (tested with one or more uids)
• gpg --change-recipients -r UID FILE changes the recipients (tested with one or more uids)

Looks good to me on gpg4win-5.0.0-beta479 @ win11.
I can't reproduce ebo's nor pl13's issue.

Frankly, he OpenSSH support for Windows was experimental and I have never tested it. If it can be confirmed that this really works and is useful, it will be easy to add the opeion to gpgconf. Note that the gpgconf option feature handles only a subset of all options on purpose.

The problem was the keyserver configuration, which does not include a scheme (ldap:):

keyserver ldap.gnupg.test:389:uid=LordPrivySeal,ou=GnuPG Users,dc=gnupg,dc=test:pass:dc=gnupg,dc=test:

This has likely a similar cause as T1794

I have been able to reproduce this on linux with gnupg 2.5.14.
I had two users (named Alice and Bob in the example), each generating a key pair.
These are the steps:

• Both users have the "use-keyboxd" option in their common.conf (i could not reproduce the bug without this option)

Well, I tested this again. I created a new key and saved a copy. The I updated the expiration date to 2035 and sent the key to the LDAP server. Then I deleted the updated key locally and imported the old copy. Thus I have now:

Yesterday I was able to reproduce it once. But despite more than a dozen more tries yesterday and this morning, I could not anymore replicate it. I tested on Unix and one oddity was that I forgot to kill the keyboxd for a clean new test and thus it could serve old keys despite that the pubring.db was already deleted (but the inode still open by keyboxd).

This is really weird behavior. It seems other secret keys in the keyring may also change to "undefined" validity when the certification is done with another key. And something about the key which is certified is important.
But it can also happen that it is enough to just import a secret key without certifying anything with it for it to be shown as "undefined" validity.

This relates to T7917: Check for revocation of the ADSK's original subkey

The expected behavior is that only "Ted" (the key from where the ADSK originates) is listed, regardless of ADSKs, on every listing.
Because for regular keys there can only ever be one, "gpg -k" shows always only one key.
Subkeys which are ADSKs shall therefore never be listed with this command.

Tested with Gpg4win-5.0.0-beta446, identically to the procedure from the description:

setting this to resolved, werner already tested this

I also don't think, that a backport to 2.2 is neccessary.
As gnupg26 was tested in gpg4win5 beta413 as well, I also move this to done on the gnup26 workboard and mark this issue as resolved.

If we need to backport the locking fixes to 2.2, these two will be the start of changes:

I would say this is done.

This seems not to work in Kleopatra/gpg in gpg4win-5.0.0-beta413 @ win11.

Tested on gpg4win-5.0.0-beta413 @ win11 with the following entries in dirmngr.conf:

Yubikeys allow that. See my mail to the mailing list.

The extension .part is used by Mozilla/Firefox. Curl uses .tmp. Is that OK for Windows machine to use .part?

Seems like the OpenPGP Card Specification does not allow the change of retry counters.

That is a feature not a bug. Make also sense if your threat model is store-trafic-no-decrypt-later. If you can get the key you will also be abale to get the cleartext. Any nobody can remember a passphrase on par with the claimed Kyber security level.

Yes, sorry, a typo, I corrected it.

In T7759#208677, @timegrid wrote:

Forgot to note: Setting S/MIME debug level in kleopatra via GnuPG System will write the right key to gpg.conf (if I understood it right, this was also a problem)

As this looks good to me on gpg4win-5.0.0-beta413 @ win11, I move this to done on the gpd5x board.

Forgot to note: Setting S/MIME debug level in kleopatra via GnuPG System will write the right key to gpgsm.conf (if I understood it right, this was also a problem)

I think last time I didn't test the actual problem.

When --output option is used and the user uses temporary file and is ready for checking an error, that is, it's already prepared, it's redundant and useless, indeed.

With the next gpg release (2.5.14) the keyboxd has an extended fingerprint table which carries a flags column. A bit in this column can eventually be used to mark subkeys with the "R" key flag and the search funtion can be enhanced to ignore keys with that flag set. This way we can more easily lookup the actual ADSK key (with the "E" key flag) and check whether this subkey has been revoked.

@ikloecker says that Kleo already support this feature. (I didn't know that.)
So, compatibility flag to switch on/off the feature would be needed,
or this feature is not needed in GnuPG at all.

Here is my attempt to do that:

Fix applied. Thanks.

This is not a composite key specific thing despite that this is an extra challenge. The creation date is used to reconstruct a key if the public key has been lost and only the fingerprint is still available. A solution might be to test the all combinations of stored creation dates to match the fingerprint.