I added --ldapserver to gpgsm because of confusion of what a keyserver is. Right now we see a problem only with this alias but it is a more general problem with aliases. My patch to master was a for public testing - let's discuss this on the phone.

Turns out that the aliasing is a problem; if we allow keyserver as an alias for ldapserver in gpgsm.conf we are not able to get the value unless we add dedicated handling for this. Test in 2.3 but we will have the same problem the other way around in 2.2.

What does kleopatra use to get the list of ldap servers - gpgsm or dirmngr?

The problem comes from the way we handle an alias. That actually depends on the order the options are specified.

Thanks for debugging. Unfortunately I doubled your effort 'cause I didn't looked into the report anymore. (System test done with GPA ;-)

Tip: Use -v to get a human readable list of flags.

There are reasons why we don't used pcsc-shared by default; for example: Not all OpenPGP cards support reading the current verification state (whether a PIN has already been entered) and thus we use a local cache for this. Other shared applications may change the state behind our back or even switch to another application on the card. Thus we use the safe way.

Yes, kleo always maps '+' -> ' '

DANE has been an experimental thing and is imho dead.

Implemented extended headers for filenames and linknames (on Unix).

Thanks

gpgme_key_t is a different kind of object than a gpgme_foo_result_t and thus has different properties.

Please try again with a recent version of GnuPG (2.2.33 or 2.3.4) and libksba (1.6.0) and reopen this bug if the problem persists.

The bug with the long filenames has been fixed but it is not yet released. Release will be in gpg4win 4.0.1 See T5754.

AFAICS, the last commit removes some tests. We should never remove a test just because FIPS does not allow it. The old tests need to be run in non-fips mode.

vitusb: We had this discussion on cryptography@ years ago. No need to start it again - or well, try it over there. This is a bug tracker and not a discussion forum.

ikloecker: gpgconf.conf ist not anymore used since we have the global config files.

This is related to the fix for T5100. We had to to remove the version number from the AID and gpg --card-status takes the version number from the AID. gpg-card was fixed for this but gpg --card-status not.

--apply-defaults is an obsolete option because we now have global config files. I would also like to get rid of --debug-level but that won't be easy. Using --debug LIST_OF_DEBUG_FLAGS is a more versatile way of specifying debug options.

Nope. The double quote indicates a string. See the man page.

Sending a private key with just the local protection is not a good idea. It is better to export the key and then send it in an encrypted mail - for example in symmetric mode with a strong password.

Please no holy wars on the type of curves. NIST as its opinon, Europe has its opinion, DJB has of course a different opinion. Please use the the cryptography ML for such political/technical discussions.

No, these are simply the technically available algorithms. I'll see what I can do.

I don't know about pinentry-mac but it seems to be another name for
one our our regular pinentry variants.

Rename the file and you are done.

Thanks for diving into the history of that code.

Yes, we should introduce an INDICATOR_KDF thing.

The primary version of that script is in libgpg-error. Thus it needs to be fixed therefirst.

We use GetConsoleOutputCP but fallback to GetACP if the former fails. For some reasons one of the functions seems to return 437.

Given that you are already using libgcrypt 1.9, can you please try gnupg 2.3.4.

That is annoying enough that we should do a new release. I close this bug, though.

For the next release I'll change the gnupg.net mappings to use the Ubuntu server also for non-TLS connections.