I sent a patch to the gcrypt-devel mailing list in preparation for the change of RSA secret key checking.
If enabled, a wrong RSA secret key (wrong means: under the Libre/OpenPGP specification) is rejected at import when gpg-agent calls gcry_pk_test_key.
Mar 18 2026
Mar 17 2026
BTW, LibrePGP also demands p < q in "Algorithm-Specific Part for RSA Keys".
Added vsd34 for the resetting of the defaults part only.
I investigated the introduction of STATUS_CANCELED_BY_USER and GPGME_STATUS_CANCELED_BY_USER:
rG31e47dfad0f4: gpg: Add canceled status message.
rM35ca460019ea: Parse STATUS_CANCELED_BY_USER.
For OpenSSH, ssh-agent spec. defines p, q, and qInv.
FIPS has: FIPS 186-5 and SP 800-56Br2.
existing standards
Mar 16 2026
Filter 16 is the new filter for valid certificates. The problem could be that the version you tested did not yet have this filter.
CRT is used with GnuPG. In libgcrypt, pk_sign and pk_decrypt don't require P, Q, and U in a key (it's optional), but pk_test_key does.
Mar 13 2026
@ikloecker I'd like it if we could backport the resetting of the preferences to vsd34.
Font selection dialog lets the user choose a font size, which is then not respected - can we disable selecting the font size?
On gpg4win-5.0.2-beta-2 @ win11 I can reproduce for signed-only mails (S/MIME and PGP):
- drag&drop does work
- move via context menu
- works for selected mails
- does not work for unselected mails
Do we have any information on whether the CRT is used and whether u et al. is also wrong? For example due to an OpenSSL-generated key?
I cannot reproduce this on gpg4win-5.0.2-beta-2 @ win11 either, so I set this to resolved.
Mar 12 2026
Please briefly try to reproduce on Windows with Gpg4win 5.0.2. A lot has changed since this ticket was created, so it might be fixed already.
I cannot reproduce the empty dialog on Linux with the current build. I always see a correct result dialog for the readable file.
Note: This isn't included in Gpg4win 5.0(.2).
I stand partially corrected. Apparently, pinentry-efl also sets close_button. For Gpg4win that's irrelevant because we ship pinentry-qt, which doesn't have this IMHO counter-intuitive behavior (and pinentry-w32, where I don't know how it behaves).
pinentry-tty and pinentry-curses support GPG_ERR_FULLY_CANCELED by Ctrl-C. But other pinentry implementations have no support (only GPG_ERR_CANCELED).
I'd also like to point out that changing the error code from GPG_ERR_CANCELED to GPG_ERR_FULLY_CANCELED could cause regressions in applications.
How do you want to decide whether to show two "Cancel" buttons? How would you call those two "Cancel" buttons? For decryption I can imagine that for example "Try Next Key" and "Cancel Decryption" (or even just "Cancel") would make clear what happens.
I updated the patch of mine above.
Mar 11 2026
If this definition is OK
Here is the patch (as of now):
@bernhard Thank you for the link.
to assume that the -C directory does either not exist or is empty
Mar 10 2026
In T8076#215372, @werner wrote: If you specify a primary key the primary key shall be deleted. If there is only an offline or token based primary it can't be deleted. This is what the user requested. We can't change this because otherwise subkeys might be unintentionally deleted.
What is an "incomplete team key" - a standard offline secret key (i.e. one with only secret subkeys)?
If you specify a primary key the primary key shall be deleted. If there is only an offline or token based primary it can't be deleted. This is what the user requested. We can't change this because otherwise subkeys might be unintentionally deleted.
I guess the behavior changed with gpg 2.4, i.e. "With gpg 2.4 (or later), ..."
I think the most compatible way is to assume that the -C directory does either not exist or is empty. If that is not the case the extraction shall stop or not extract files which would clobber an existing file. For strong backward compatibility a new option --clobber could be added. We can also check for an empty directory first.
Why gpg 2.4? Don't you mean 2.6? I'll add the proper 2.6 tag to avoid confusion.
Hi @gniibe,
thanks for making progress on the issue.
I was wrong. gpg (scdaemon) needed to be fixed with more changes for the interaction with pinentry.
I pushed my patch for gpg, since it does not break anything, just allow empty passphrase input (to skip).
I also pushed my patch for gpgme. I believe that it's correct.
@ebo, I'll try to answer your question. As I wrote, the behaviors of gpg implementations are different (for a reason). I'm not sure if you suggest changing the behavior of gpg 2.4.
Mar 9 2026
From the support angle, the worst of these issues is that the default will not be restored for VS-NfD. But then: nobody has inquired about that yet…
What is fixed, what still needs to be done, and what should go into another ticket?
I cannot reproduce this problem anymore with Gpg4win 5.0.1. The bug seems to have been fixed in the meantime by changes made upstream.
I thought Gniibe's comment meant that gpg does report the errors now correctly…
So what is still to be done in gpg?
I don't think that anything of this can be changed in Kleopatra or even gpgme. Kleopatra relies on proper error codes by gpg.
Is it not (easily) possible to check for available keys first, before asking for a passphrase? (Like it is with gpg 2.2.)
I was too optimistic. GPGME requires the following change, too:
diff --git a/src/passphrase.c b/src/passphrase.c index 140cd03a..d07afa91 100644 --- a/src/passphrase.c +++ b/src/passphrase.c @@ -114,6 +114,11 @@ _gpgme_passphrase_status_handler (void *priv, gpgme_status_code_t code, case GPGME_STATUS_CANCELED_BY_USER: return gpg_error (GPG_ERR_CANCELED);
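Review bot: the new case in _gpgme_passphrase_status_handler maps GPGME_STATUS_CANCELED_BY_USER to the same GPG_ERR_CANCELED that callers already receive for the other cancel paths, so an application cannot distinguish an explicit user cancel from them; since this thread weighs GPG_ERR_CANCELED against GPG_ERR_FULLY_CANCELED and the regression risk of changing the code, a one-line comment above the case stating why the generic code is returned on purpose would make the intent clear to the next reader, e.g. `/* Explicit cancel by the user: report the plain cancel code for compatibility.  */`.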
I'd propose applying the patch of mine above to gpg, and letting us suggest that users input an empty passphrase to skip (instead of cancelling).
This could be a minimum change (only gpg). Or else, gpgme needs to be changed to ignore the CANCEL status and to handle complex cases; I think that it's not an easy change.
Mar 8 2026
AFAICT neither Qt nor FLTK offers an equivalent to GTK 2's gtk_init_check(), so there is no trivial change to get the same functionality.
Mar 6 2026
I guess those things need to be changed in Kleopatra after @gniibe made the changes in scd. I'll add a Kleo tag for discussion, as we should probably make several tickets from this.
Gpg4win-5.0.1 still shows case 1. (just reproduced.)
Mar 5 2026
Looks good to me on gpg4win-5.0.2-beta2 @ win11.
- local conf after 2 saves (additional entry in local conf):
- local conf after 2 saves (additional entry in global conf):
It doesn't look like much was improved on Kleopatra side in gpg4win-5.0.2-beta-2 @ win11.
gpg4win-5.0.2-beta-2 @ win11:
Additionally, the action is no longer offered for keys with an encryption-capable secret primary key without secret encryption subkey.
And sharing the secret signing subkey isn't offered anymore if this is a card key.
Mar 4 2026
Looks good to me on gpg4win-5.0.2-beta2 @ win11 (no de-vs-compliance filter):
Looks good to me on gpg4win-5.0.2-beta2 @ win11:
Looks good to me on gpg4win-5.0.2-beta2 @ win11.
The missing signature was a problem on my end. The customer mail (to ted / exchange server) works fine if the cert is in the keyring. The testmails (via outlook imap) are fine, too. I still need a better test setup for mails to our exchange accounts, but this is enough to rule out a problem in gpgol. I adjust my former message accordingly.
Right, looks good to me now on gpg4win-5.0.2-beta2 @ win11:
Looks good to me on gpg4win-5.0.2-beta2 @ win11:
Possibly, it was the same cause as T8052 (the bug in libgpg-error spawning a process).
I looked at sm/keydb.c:keydb_set_ephemeral function. It says: