I realized that suspend/resume is not supported yet on GNU/Linux: https://anonscm.debian.org/cgit/pcsclite/PCSC.git/tree/TODO#n7
So, I can't test myself.
Here is an attempt to improve:

It looks like SCardGetStatusChange doesn't return failure after wake up.
Here, what we need is catching the event of wake up, which requires reset of the card.
I think that we can check by the dwEventState field.
I'll try on GNU/Linux environment, then ask you to try.

@werner there had to be some mix up, as the log snippet is not mine.

This seems to be the relevant part of the log:

2017-11-18 07:45:15 scdaemon[8918] DBG: ccid-driver: CCID: card inactive/removed
2017-11-18 07:45:15 scdaemon[8918] ccid open error: skip
2017-11-18 07:45:15 scdaemon[8918] pcsc_establish_context failed: no service (0x8010001d)
2017-11-18 07:45:15 scdaemon[8918] DBG: ccid-driver: CCID: interrupt callback 0
2017-11-18 07:45:15 scdaemon[8918] DBG: ccid-driver: CCID: card removed

That will be the IP of proxy.x.com - the log shows that it finds that. But the log also shows that it can't find the address for the other names. "No Name" is EAI_NONAME.

I did some digging with Wireshark:

1. there are DNS queries for proxy records A & AAAA (ipv4 & ipv6 - both regardless of --disable-ipv6)
2. DNS reply returns correct IP address in A record
3. there are no outgoing connections to proxy IP address

Well, if your proxy inhibits GnuPG to retrieve information about the keyservers, GnuPG can't do anything about it.

Just to clarify:
1.I'm behind corporate network
2.Network resolves only local addresses, so this is correct: dirmngr[7416]: resolving 'hkps.pool.sks-keyservers.net' failed: No name
3.Network address of the proxy is resolvable (I can see it's address and it responds to ping
4.Internet browser without proxy will not work
5,Internet browser with the proxy below works
6.When using gpg on this computer outside of corporate network everything works

The stripped down log is

@werner Problem persists (same results with disabling ipv4 or ipv6

@Ainahir thanks for the info. However, your problem might be different because you are on Windows and not on Linux.
Please use for dirmngr --debug=ipc,dns instead of --debug-level=guru

same behavior on gpg 2.2.1

It's in GnuPG 2.2.4, now.

This is similar to T3622, but it's not the same thing.

Will go into 2.2.6

No more info received - assuming this has been fixed after 1.2.20

Will go into 2.2.5

I changed the wording to suggest the use of proper transport security.

The problem seems to have to do with the locking of the TOFU database.

Still trying to pinpoint the bug, but I am afraid I am stuck.

Fixed in rGca138d5bf36a: gpg: Fix reversed messages for --only-sign-text-ids..

Thanks for your report. I'm going to fix the messages.

Sorry, I don't understand. Can you describe your use case in more detail?

You have a token with one spare key which you want to use for encryption and certification. And being able to replace the encryption subkey eventually.

a key that is signed as its own subkey, in a construct where the key and subkey have the same fingerprint? what ever could be a valid use case for such a scenario?

I can't see why this should be out-of-spec. In fact I did this my self several times to create keys from other keys.

I did a few more tests and here are some more observations:

That might be the case. I suggest to use

My apologies , after the system upgrade, multiple things around gnupg broke and I got distracted and forgot to check the fetched public key, which somehow didn't contain subkey data.
This particular issue has been resolved by updating upstream public key.
Thank you for your assistance.

I use Debian stretch. It works for me with GnuPG 2.2.4.
The stub is created at the time when --card-edit accesses the card.
When I type RET after fetch command, it shows the key information.

You can't use the curve Ed25519 with ECDSA; you need to use EdDSA, The error checking when using the parameter file does not catch all errors. It should do this of course.

One of these TOFU bugs. Thanks for the good bug report.

Well, that was a bit tricky to fix but it has been done and will go into 2.2.5.

Thanks for having a look :)

Thanks for the patch. The "fixme" indicates that I probably was just too lazy to add and test support.

Fixed for 2.2.5. Thanks for the report.

Agreed, Signing subkeys can be useful for checking historical signatures. And even encryption subkeys *can* be useful after their expiration, e.g. when doing historical auditing.

Running tests with a modified keybox, so that the the keybox has only the meta data and the actual keyblocks are stored in separate files improved --list-keys by a factor of 10. This can be explained by reducing the size of pubring.kbx (which is sequentially scanned) from 95 to 2.5 MIB.

I added "futuredefault" as an alias and also made the matching case-insensitiv. Changing the rendering is not easy because using a non-breaking hyphen in @code{} would not look very nice.

When i read the manpage, nroff-formatted against an 80-column terminal, it says, literally:

It is

future-default

and not

futuredefault

Any fix for this should be included in the test suite to avoid a regression :)

I can see the case for encryption subkeys. Signing subkeys are still useful after their expiration.

Tested it on Windows, with the sleep test patch in Libassuan it does not hang anymore when it hanged without this change.

It's in gniibe/scd-kdf-support.
I think it's good to add to GnupG 2.2 branch.

If more fine-grained control is needed with suspend-to-ram, we need to write kernel driver for USB access.

I learned suspend-to-ram functionality. Currently, for Linux, if we have USB driver in kernel, there are methods to handle suspend-to-ram and resume events. For user space driver by libusb, there is nothing and it should all work well by reseting after resume.

IIRC, I red some hints on using a powershell module to switch the output to binary. I tries to find that mode, or weel its source or scrip) but to no success. It seems to be a common problem with powershell because it is not a real shell as we are used to (where many commands have a /b switch but that switching could also be done using setmode() ).

I can reproduce the problem.

Fixed in 2.2.3, too. Closing.

You know... I think connman and DNS have something to do with this. Connman does some weird DNS thing. And it auto-generates /etc/resolv.conf to use localhost as the DNS server.

Shall we close this?

Okay, I took your suggestion but also improved the documentation. Fixed in 2.2

Oh that is not good. A passed arg should not be closed by the called fucntion unless that fucntion is documented as gaining ownership of it. Let me check.

Merged into master. Lets test it for a few days before I backport it.

FWIW, I added a gpgtar.1

Pushed to 2.2

You could use the --directory option. However< I agree that your suggested changes is less surprising then the current behaviour. Thus I would consider this a bug fix. Can you please apply to 2.2?

I'm not sure why a special case should be needed -- failure to create
the .kbx should not be a failure for a decryption operation in general.

So, to protect against this attack, the client needs to do both of the following:

Here are two examples:

@werner suggests using an ephemeral home directory. this is an important point.

@justus asked for examples.

OK, i've pushed 0471ff9d3bf8d6b9a359f3c426d70d0935066907 and 149041b0b917f4298239fe18b5ebd5ead71584a6 to branch T3490-proposal1. It cuts GnuPG's own simple test suite down from about 3 minutes to 1.5 minutes for me. I haven't tested the speedup for the full test suite yet.

To clarify, i'll push them to a separate branch for you to decide whether to merge.

I'll push some patches for proposal 1.