When no card is inserted, usage of an ssh client simply fails to request insertion of the card for the stub keys present in ~/.gnupg/.

Logfile:
18:24:30/11956/enabled debug flags:
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'enableSmime' val '0'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'encryptDefault' val '0'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'signDefault' val '0'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'inlinePGP' val '0'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'replyCrypt' val '1'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'preferSmime' val '0'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'autoresolve' val '1'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'autoretrieve' val 'null'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'automation' val '1'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'autosecure' val '1'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'autotrust' val '0'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'searchSmimeServers' val '0'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'smimeHtmlWarnShown' val '0'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'syncEnc' val '0'
18:24:30/11956/common.cpp:load_extension_value: LoadReg 'syncDec' val '0'
18:24:30/11956/gpgoladdin.cpp:~GpgolAddinFactory: Object deleted
18:24:30/11956/gpgoladdin.cpp:OnConnection: this is GpgOL 2.3.2
18:24:30/11956/gpgoladdin.cpp:OnConnection: using GPGME 1.12.1-beta43
18:24:30/11956/gpgoladdin.cpp:OnConnection: in Outlook 16.0.0.9126
18:24:30/11956/gpgoladdin.cpp:addGpgOLToReg: Found gpgol reg key. Leaving it unchanged.
18:24:30/11956/gpgoladdin.cpp:addGpgOLToReg: Found gpgol reg key. Leaving it unchanged.
18:24:30/11956/oomhelp.cpp:delete_category: Deleted category 'gpgol_string_1'
18:24:30/11956/olflange.cpp:install_forms: form `C:\Program Files (x86)\Gpg4win\share\gpgol\gpgol.cfg' installed
18:24:30/11956/olflange.cpp:install_forms: form `C:\Program Files (x86)\Gpg4win\share\gpgol\gpgol-ms.cfg' installed
18:24:30/11956/olflange.cpp:install_forms: form `C:\Program Files (x86)\Gpg4win\share\gpgol\gpgol-cs.cfg' installed
18:24:30/11956/olflange.cpp:install_forms: form `C:\Program Files (x86)\Gpg4win\share\gpgol\gpgol-form-signed.cfg' installed
18:24:30/11956/olflange.cpp:install_forms: form `C:\Program Files (x86)\Gpg4win\share\gpgol\gpgol-form-encrypted.cfg' installed
18:24:30/11956/storing option smimeHtmlWarnShown' value=0'
18:24:30/11956/gpgoladdin.cpp:check_html_preferred: No type or key for ReadAsPlain
18:24:30/11024/keycache.cpp:do_populate: Populating keycache
18:24:30/11024/keycache.cpp:do_populate_protocol: Starting keylisting for proto OpenPGP
18:24:31/11956/application-events.cpp:Invoke: ItemLoad event. Getting object.
18:24:31/11956/application-events.cpp:Invoke: ItemLoad event without mailitem.
18:24:31/11956/application-events.cpp:Invoke: ItemLoad event. Getting object.
18:24:31/11956/application-events.cpp:Invoke: Creating mail object for item: 000002035e0f7df0
18:24:31/8604/windowmessages.cpp:do_async: Do async with type 1108 after 0 ms
18:24:31/11956/mapihelp.cpp:mapi_change_message_class: checking message class `IPM.Note.GpgOL.PGPMessage'
18:24:31/11956/mapihelp.cpp:mapi_create_attach_table: message has 1 attachments
18:24:31/11956/mapihelp.cpp:mapi_create_attach_table: attachment info:
18:24:31/11956/ 3435237 mt=4 fname=gpgol_string_2' ct=(null)' ct_parms=`(null)'
18:24:31/11956/oomhelp.cpp:get_unique_id: '000002035e0f7df0' has now the uid: '3bb0889d-49b1-4644-8527-cfc0a8a52f69'
18:24:31/11956/mail.cpp:setUUID_o: uuid for 0000020350c563e0 set to 3bb0889d-49b1-4644-8527-cfc0a8a52f69
18:24:31/11956/mail.cpp:setUUID_o: uuid for 0000020350c563e0 is now 3bb0889d-49b1-4644-8527-cfc0a8a52f69
18:24:31/11956/mail.cpp:setUUID_o: Resetting uuid for 0000020350c563e0 to 3bb0889d-49b1-4644-8527-cfc0a8a52f69
18:24:31/11956/oomhelp.cpp:get_unique_id: '000002035e0f7df0' has now the uid: '3bb0889d-49b1-4644-8527-cfc0a8a52f69'
18:24:31/11024/keycache.cpp:do_populate_protocol: Starting keylisting for proto OpenPGP
18:24:31/11956/mimedataprovider.cpp:collect_data: found PGP Message marker,
18:24:31/11956/mimedataprovider.cpp:collect_data: Fixing up a possible broken message.
18:24:31/11956/mail.cpp:updateOOMData_o
18:24:31/11956/oomhelp.cpp:get_sender_SenderEMailAddress: Sender found
18:24:31/11956/oomhelp.cpp:get_sender_SentRepresentingAddress Found sent representing address "gpgol_string_3"
18:24:31/6572/mail.cpp:do_parsing: preparing the parser for: 0000020350c563e0
18:24:31/6572/parsecontroller.cpp:parse:0000020350c55810 decrypt: 1 verify: 0 with protocol: OpenPGP sender: gpgol_string_3 type: 10
18:24:31/11956/windowmessages.cpp:gpgol_window_proc: Recieved user msg: 1108
18:24:31/11956/windowmessages.cpp:gpgol_window_proc: clearing last mail
18:24:31/11024/keycache.cpp:do_populate: Keycache populated
18:24:32/6572/parsecontroller.cpp:parse:0000020350c55810 decrypt / verify done.
18:24:32/6572/parsecontroller.cpp:parse:0000020350c55810: decrypt err: 0 verify err: 0
18:24:32/6572/parsecontroller.cpp:parse:0000020350c55810 Decrypt / verify done errs: 0 / 0 numsigs: 1.
18:24:32/6572/windowmessages.cpp:do_in_ui_thread: Sending message of type 1102
18:24:32/15496/keycache.cpp:do_update updating: "gpgol_string_4" with protocol OpenPGP
18:24:32/11956/windowmessages.cpp:gpgol_window_proc: Recieved user msg: 1102
18:24:32/11956/keycache.cpp:getFromMap using "gpgol_string_4" for "gpgol_string_4"
18:24:32/11956/keycache.cpp:getByFpr Cache hit for gpgol_string_4.
18:24:32/11956/mail.cpp:updateSigstate: No signature with enough trust. Using first
18:24:32/11956/categorymanager.cpp:registerCategory: Register category gpgol_string_1 in new store gpgol_string_5 ref now 1
18:24:32/11956/oomhelp.cpp:get_oom_object: no object
18:24:32/11956/oomhelp.cpp:get_oom_object: no object
18:24:32/11956/mail.cpp:updateBody_o: Did not find body charset. Using internet Codepage 65001.
18:24:32/11956/mail.cpp:installFolderEventHandler_o: Install folder events watcher for gpgol_string_6.
18:24:32/11956/mail.cpp:parsing_done: Delayed invalidate to update sigstate.
18:24:32/15496/keycache.cpp:insertOrUpdateInFprMap Lost secret info on update. Merging.
18:24:32/15496/keycache.cpp:do_update Update job done
18:24:32/11956/gpgoladdin.cpp:GetCustomUI_MIME: GetCustomUI_MIME for id: Microsoft.Outlook.Explorer
18:24:32/11956/gpgoladdin.cpp:GetIDsOfNames: GetIDsOfNames for: ribbonLoaded
18:24:32/11956/gpgoladdin.cpp:Invoke: enter with dispid: 11
18:24:32/15500/windowmessages.cpp:do_in_ui_thread: Sending message of type 1101
18:24:32/11956/gpgoladdin.cpp:GetIDsOfNames: GetIDsOfNames for: getIsDetailsEnabled
18:24:32/11956/gpgoladdin.cpp:Invoke: enter with dispid: 13
18:24:32/11956/ribbon-callbacks.cpp:getContext: contextObj: _Explorer
18:24:32/11956/oomhelp.cpp:get_unique_id: Found uid '3bb0889d-49b1-4644-8527-cfc0a8a52f69' for '000002035e760970'
18:24:32/11956/gpgoladdin.cpp:GetIDsOfNames: GetIDsOfNames for: getSigLabel
18:24:32/11956/gpgoladdin.cpp:Invoke: enter with dispid: 1b
18:24:32/11956/ribbon-callbacks.cpp:getContext: contextObj: _Explorer
18:24:32/11956/oomhelp.cpp:get_unique_id: Found uid '3bb0889d-49b1-4644-8527-cfc0a8a52f69' for '000002035e7e9d30'
18:24:32/11956/gpgoladdin.cpp:GetIDsOfNames: GetIDsOfNames for: btnSigstateLarge
18:24:32/11956/gpgoladdin.cpp:Invoke: enter with dispid: 1d
18:24:32/11956/ribbon-callbacks.cpp:getContext: contextObj: _Explorer
18:24:32/11956/oomhelp.cpp:get_unique_id: Found uid '3bb0889d-49b1-4644-8527-cfc0a8a52f69' for '000002035e7e9470'
18:24:33/11956/windowmessages.cpp:gpgol_window_proc: Recieved user msg: 1101
18:24:33/11956/windowmessages.cpp:gpgol_window_proc: Invalidating UI
18:24:33/11956/gpgoladdin.cpp:invalidateRibbons: Invalidating ribbon: 000002035ddb5750
18:24:33/11956/gpgoladdin.cpp:invalidateRibbons: Invalidation done.
18:24:33/11956/windowmessages.cpp:gpgol_window_proc: Invalidation done
18:24:33/11956/gpgoladdin.cpp:GetIDsOfNames: GetIDsOfNames for: getSigLabel
18:24:33/11956/gpgoladdin.cpp:Invoke: enter with dispid: 1b
18:24:33/11956/ribbon-callbacks.cpp:getContext: contextObj: _Explorer
18:24:33/11956/oomhelp.cpp:get_unique_id: Found uid '3bb0889d-49b1-4644-8527-cfc0a8a52f69' for '000002035e921b60'
18:24:33/11956/gpgoladdin.cpp:GetIDsOfNames: GetIDsOfNames for: btnSigstateLarge
18:24:33/11956/gpgoladdin.cpp:Invoke: enter with dispid: 1d
18:24:33/11956/ribbon-callbacks.cpp:getContext: contextObj: _Explorer
18:24:33/11956/oomhelp.cpp:get_unique_id: Found uid '3bb0889d-49b1-4644-8527-cfc0a8a52f69' for '000002035e921b60'
18:24:33/11956/gpgoladdin.cpp:GetIDsOfNames: GetIDsOfNames for: getIsDetailsEnabled
18:24:33/11956/gpgoladdin.cpp:Invoke: enter with dispid: 13
18:24:33/11956/ribbon-callbacks.cpp:getContext: contextObj: _Explorer
18:24:33/11956/oomhelp.cpp:get_unique_id: Found uid '3bb0889d-49b1-4644-8527-cfc0a8a52f69' for '000002035e921b60'
18:24:34/15092/cpphelp.cpp:in_de_vs_mode: Checking for de-vs mode.
18:24:34/15092/gpgoladdin.cpp:init_gpgme_config: init_gpgme_config de_vs_mode 0
18:25:16/11956/application-events.cpp:Invoke: ItemLoad event. Getting object.
18:25:16/11956/application-events.cpp:Invoke: Creating mail object for item: 000002035ea410b0
18:25:16/16324/windowmessages.cpp:do_async: Do async with type 1108 after 0 ms
18:25:16/11956/mapihelp.cpp:mapi_change_message_class: checking message class `IPM.Note'
18:25:16/11956/mapihelp.cpp:change_message_class_ipm_note: content type is 'multipart/mixed'
18:25:16/11956/mapihelp.cpp:mapi_get_body_as_stream: OpenProperty tag=83ca0102 failed: hr=0x8004010f
18:25:16/11956/mapihelp.cpp:get_msgcls_from_pgp_lines: Detected non whitespace T before a PGP Marker
18:25:16/11956/mailitem-events.cpp:Invoke: Non crypto mail 0000020350cf3560 opened. Updating sigstatus.
18:25:16/11956/mailitem-events.cpp:Invoke: Canceling write event.
18:25:16/11956/mailitem-events.cpp:Invoke: Removing Mail for message: 000002035e0f7df0.
18:25:16/11956/oomhelp.cpp:lookup_oom_dispid: error looking up dispid(Categories)=6828: hr=0x8c540108
18:25:16/11956/categorymanager.cpp:removeCategory Failed to remvoe category.
18:25:16/11956/categorymanager.cpp:unregisterCategory: Unregister category gpgol_string_1 in store gpgol_string_5 ref now 0
18:25:16/11956/categorymanager.cpp:unregisterCategory: Deleting gpgol_string_1 for store gpgol_string_5
18:25:16/11956/oomhelp.cpp:delete_category: Deleted category 'gpgol_string_1'
18:25:16/11956/parsecontroller.cpp:~ParseController
18:25:16/11956/mimedataprovider.cpp:~MimeDataProvider
18:25:16/11956/mimedataprovider.cpp:~MimeDataProvider
18:25:16/11956/windowmessages.cpp:gpgol_window_proc: Recieved user msg: 1108
18:25:16/11956/windowmessages.cpp:gpgol_window_proc: clearing last mail
18:25:16/1544/windowmessages.cpp:do_in_ui_thread: Sending message of type 1101
18:25:16/11956/windowmessages.cpp:gpgol_window_proc: Recieved user msg: 1101
18:25:16/11956/windowmessages.cpp:gpgol_window_proc: Invalidating UI
18:25:16/11956/gpgoladdin.cpp:invalidateRibbons: Invalidating ribbon: 000002035ddb5750
18:25:16/11956/gpgoladdin.cpp:invalidateRibbons: Invalidation done.
18:25:16/11956/windowmessages.cpp:gpgol_window_proc: Invalidation done
18:25:16/11956/gpgoladdin.cpp:GetIDsOfNames: GetIDsOfNames for: getSigLabel
18:25:16/11956/gpgoladdin.cpp:Invoke: enter with dispid: 1b
18:25:16/11956/ribbon-callbacks.cpp:getContext: contextObj: _Explorer
18:25:16/11956/oomhelp.cpp:get_pa_string: Property `http://schemas.microsoft.com/mapi/string/{31805AB8-3E92-11DC-879C-00061B031004}/GpgOL UID/0x0000001F' is not a string (vt=0)
18:25:16/11956/oomhelp.cpp:get_unique_id: No uuid found in oom for '000002035f0cb670'
18:25:16/11956/mapihelp.cpp:mapi_get_uid: Failed to get prop for '000002035f31b6c8'
18:25:16/11956/ribbon-callbacks.cpp:get_mail_from_control: Failed to get uid for 000002035f0cb670
18:25:16/11956/ribbon-callbacks.cpp:get_sig_label: No mail.
18:25:16/11956/gpgoladdin.cpp:GetIDsOfNames: GetIDsOfNames for: btnSigstateLarge
18:25:16/11956/gpgoladdin.cpp:Invoke: enter with dispid: 1d
18:25:16/11956/ribbon-callbacks.cpp:getContext: contextObj: _Explorer
18:25:16/11956/oomhelp.cpp:get_pa_string: Property `http://schemas.microsoft.com/mapi/string/{31805AB8-3E92-11DC-879C-00061B031004}/GpgOL UID/0x0000001F' is not a string (vt=0)
18:25:16/11956/oomhelp.cpp:get_unique_id: No uuid found in oom for '000002035f0cb850'
18:25:16/11956/mapihelp.cpp:mapi_get_uid: Failed to get prop for '000002035f31b6c8'
18:25:16/11956/ribbon-callbacks.cpp:get_mail_from_control: Failed to get uid for 000002035f0cb850
18:25:16/11956/gpgoladdin.cpp:GetIDsOfNames: GetIDsOfNames for: getIsDetailsEnabled
18:25:16/11956/gpgoladdin.cpp:Invoke: enter with dispid: 13
18:25:16/11956/ribbon-callbacks.cpp:getContext: contextObj: _Explorer
18:25:16/11956/oomhelp.cpp:get_pa_string: Property `http://schemas.microsoft.com/mapi/string/{31805AB8-3E92-11DC-879C-00061B031004}/GpgOL UID/0x0000001F' is not a string (vt=0)
18:25:16/11956/oomhelp.cpp:get_unique_id: No uuid found in oom for '000002035f0cb850'
18:25:16/11956/mapihelp.cpp:mapi_get_uid: Failed to get prop for '000002035f31b6c8'
18:25:16/11956/ribbon-callbacks.cpp:get_mail_from_control: Failed to get uid for 000002035f0cb850
18:25:22/11956/application-events.cpp:Invoke: ItemLoad event. Getting object.
18:25:22/11956/application-events.cpp:Invoke: Creating mail object for item: 000002035ef62ca0
18:25:22/6948/windowmessages.cpp:do_async: Do async with type 1108 after 0 ms
18:25:22/11956/mapihelp.cpp:mapi_change_message_class: checking message class `IPM.Note'
18:25:22/11956/mapihelp.cpp:change_message_class_ipm_note: content type is 'multipart/encrypted'
18:25:22/11956/mapihelp.cpp:change_message_class_ipm_note: protocol is 'application/pgp-encrypted'
18:25:22/11956/mapihelp.cpp:mapi_change_message_class: saving old message class
18:25:22/11956/ERROR/mapihelp.cpp:mapi_change_message_class: can't save old message class: hr=0x80070005
18:25:22/11956/mapihelp.cpp:mapi_create_attach_table: message has 2 attachments
18:25:22/11956/mapihelp.cpp:mapi_create_attach_table: attachment info:
18:25:22/11956/ 3435173 mt=0 fname=gpgol_string_7' ct=application/pgp-encrypted' ct_parms=`(null)'
18:25:22/11956/ 3435205 mt=0 fname=gpgol_string_8' ct=application/octet-stream' ct_parms=`(null)'
18:25:22/11956/mapihelp.cpp:mapi_mark_moss_attach: Marking 3435173 as MOSS attachment
18:25:22/11956/ERROR/mapihelp.cpp:mapi_mark_moss_attach: can't set GpgOL Attach Type property: hr=0x80070005
18:25:22/11956/mapihelp.cpp:mapi_mark_moss_attach: Marking 3435205 as MOSS attachment
18:25:22/11956/ERROR/mapihelp.cpp:mapi_mark_moss_attach: can't set GpgOL Attach Type property: hr=0x80070005
18:25:22/11956/oomhelp.cpp:put_pa_variant: failure: invoking SetProperty p=0000000000000000 vt=0 hr=0x80020009 argErr=0x0
18:25:22/11956/oomhelp.cpp:get_unique_id: failed to set uid '73470a24-55fc-4be4-8621-cc7d64ff68a0' for '000002035ef62ca0'
18:25:22/11956/mail.cpp:setUUID_o: uuid for 0000020350cf37c0 set to (null)
18:25:22/11956/mail.cpp:setUUID_o: Failed to get/set uuid for 000002035ef62ca0
18:25:22/11956/mailitem-events.cpp:Invoke: Failed to set uuid.
18:25:22/11956/windowmessages.cpp:gpgol_window_proc: Recieved user msg: 1108
18:25:22/11956/windowmessages.cpp:gpgol_window_proc: clearing last mail
18:25:22/11956/gpgoladdin.cpp:GetCustomUI_MIME: GetCustomUI_MIME for id: Microsoft.Outlook.Mail.Read
18:25:24/11956/windowmessages.cpp:gpgol_hook: Got WM_CLOSE
18:25:25/11956/windowmessages.cpp:gpgol_hook: Got WM_CLOSE
18:25:25/11956/windowmessages.cpp:gpgol_hook: WM_CLOSE windowmessage for explorer. Shutting down.
18:25:25/11956/gpgoladdin.cpp:shutdown: Releasing Application Event Sink;
18:25:25/11956/gpgoladdin.cpp:shutdown: Releasing Explorers Event Sink;
18:25:25/11956/gpgoladdin.cpp:shutdown: Releasing Explorer Event Sinks;
18:25:25/11956/storing option smimeHtmlWarnShown' value=0'
18:25:27/11956/mailitem-events.cpp:Invoke: Removing Mail for message: 000002035ea410b0.
18:25:27/11956/gpgoladdin.cpp:~GpgolRibbonExtender: cleaning up GpgolRibbonExtender object;

A list of SHA-1 fingerprints for the valid certificates. With our without colons.

@werner what should the contents of the file look like?

Perhaps, it's better to remove -no-install flag in tests/Makefile.am, so that test programs will be wrapper script by libtool.

Asked to raise the priority on this. The quality bar issue is T2103

It seems it's Ubuntu specific: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1796563

I had to look it up in the code and man page too ;-)

See T4293

With GCRYCTL_AUTO_EXPAND_SECMEM we won't anymore run out of secure memory. This has even silent been backported to 1.8.x (using the numerical value of that constant) and is for long an option of gpg-agent. Thus closing.

Closing, given that we implemented a general solution; see the parent task.

I have seen no responses on your two mails to the ML and given th athere is no concrete protocol bug, I close this issue. If you can show a concrete bug please re-open this issue again.

I don't think that this is a good solution for a problem we could solve much easier but fear to do that due to kind of crypto politics.

Good to know. I thought that ocsp-signer was only used if ocsp-responder is explitly set. I've suggested the workaround in the Message Board.

Is using

I think that all that we can do is to improve documentation.

Apparently, it's an error from your installed /usr/local/opt/libgpg-error/lib/libgpg-error.0.dylib (you have some configuration to prefer this library), while your configure is for /usr/local/lib (because you specify no --prefix).

Please let us know the version of GnuPG, the output of gpg --card-status when inserted, and how gpg is not working well, etc.

How scdaemon responds when there is no card available?

that error means that the message was somehow corrupted during transfer. Are you maybe using ftp in text mode on a binary message for example?
You could ask your communication partner to send you messages in text (ASCII Armor) mode which is more robust.
In Kleopatra you can change that in Settings -> Configure Kleopatra -> Crypto Operations -> Create signed or encrypted files as text files.
On the command line you need to add "--armor" option.

In Wald someone reports that this also appears to happen when decrypting. https://wald.intevation.org/forum/message.php?msg_id=6377 Probably run-threaded will help to flush this out.

Even with the logging changes this still happens. I just retested it. Can't run Kleopatra on Linux with GPGME_DEBUG=9.

In FreeBSD, getrandom(3) became available, when getrandom(2) was added. <-- This is my theory.
If this is true, just use getrandom(3), not using getrandom(2) by syscall.

It became common, because many people now use larger keys.
For RSA-4096, three simultaneous connections for decryption may cause the failure.
In the experimental patch of D472: Limit active connections for gpg-agent, I limit gpg-agent to accept two connections only.

increment the counter is better done by the looping main thread.

This is an experimental patch. So, I just reuse SIGUSR1 to wake up "select"-ing thread by kill(2).
I put limit-active-connections 2 in gpg-agent.conf for the test with run-threaded of gpgme.

Agreed this looks like it should be made default behavior. This has affected many people I work with, and even with searching, this ticket never came up. I only found out about it by making a ticket myself. This issue looks like it has generated at least 3 tickets in this bug tracker, and the agent is raising memory errors during normal usage, which still smells like a bug to me.

Though not directly related to our issues, this bug report on the MSYS2 site reported by their users encountering trouble with GPGME provides additional weight to irreconcilable differences between MSYS2 and GnuPG:

So if your DNS resolver does not tell us the IP addresses, we can't do anything about it.

The usual reasons for corruptions of binary data are FTP transfers in text mode; or opening a file with a Windows editor.

NEWS are:

Got another reliable report in the Wald Forum about this. https://wald.intevation.org/forum/message.php?msg_id=6371&group_id=11

No I do not think so. Because that would already be currently the case. If you had a subverted Root CA of course you can attack. But we are only talking about CRL / OCSP here. A root CA that does not provide a CRL for certificate X is OK. As long as the Root CA that issued X issues a CRL for that. Well the usual CRL / OCSP denial of service is still possible but I don't see any subversion.

Interesting idea but it does not help against attacks because all root CA are considered equal (virtually cross-signed). Thus a single not checked root CA allows to subvert all certificates.

I wonder if the best thing here might be another flag in the trustlist to disable CRL/OCSP checks for a single root certificate chain. I had such a request in the Gpg4win forums. Someone had a single unreacable CRL / OCSP and had to disable globally all checks for all other certs, too.

yes. that's why i wrote it in '['-brackets.
but usually, in info-documents a synopsis is written about it.
I think that it's not self-evident, that "you can either give a file or let the tool read from stdin or output to stdout" and therefore should be written explicitly.

Adding the patch here.