It's true that for the KEYTOCARD command, there is an optional argument for ECDH.
My point is that for the PKDECRYPT command, a mechanism for getting such a parameter will need to be added (when we use the KEM API in gpg-agent).
Nov 27 2023
Nope, the gpgconf --kill keyboxd hangs too, if I see right, while waiting for agent:
$ strace gpgconf --kill keyboxd
[...]
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f2d74fe2a10) = 3244
wait4(3244, 0x7ffc9836e364, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
We already have the ECDH parameters for OpenPGP in the gpg-agent API. The question is how large the data for PQC will be - likely we need to use an inquire already for this reason.
Considering the design of gpg-agent which focuses on private key operations and data, it would be better to enhance the gpg-agent protocol to inquire public key data of any format defined by the client (including ECDH KDF parameters of OpenPGP). I mean, instead of storing data in the key file (originally designed for private key + some additional data), we will enhance the protocol.
Nov 26 2023
That is a feature. Consider the case that ~/.gnupg is on a network file system and thus possibly in use on several boxes. Thus before we remove stale lock files we do not only compare the PID but also the hostname. Granted, this is rare but we have had such cases in the past with locks.
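The stale-lock rule described in the comment above, as an added example that is not GnuPG's own code: a lock is declared stale only when it was written on the same host and its PID no longer exists. The record layout `<pid>\n<hostname>\n` and the names `classify_lock` and `lock_state` are assumptions made for this illustration.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum lock_state { LOCK_LIVE, LOCK_STALE, LOCK_FOREIGN_HOST, LOCK_MALFORMED };

/* Classify a lock record of the assumed form "<pid>\n<hostname>\n".
   local_host is the name of the machine doing the check.  */
static enum lock_state
classify_lock (const char *record, const char *local_host)
{
  long pid;
  char host[256];

  if (sscanf (record, "%ld %255s", &pid, host) != 2 || pid <= 0)
    return LOCK_MALFORMED;

  /* A PID is only meaningful on the host that wrote it.  With a shared
     home directory the same number may be unused here while the real
     owner is alive on another box, so such a lock is never stale.  */
  if (strcmp (host, local_host) != 0)
    return LOCK_FOREIGN_HOST;

  /* Same host: signal 0 probes for existence without delivering anything.
     EPERM means the process exists but belongs to another user.  */
  if (kill ((pid_t) pid, 0) == 0 || errno == EPERM)
    return LOCK_LIVE;
  return LOCK_STALE;
}

int
main (void)
{
  char local[256], record[512];

  if (gethostname (local, sizeof local) != 0)
    return 1;
  local[sizeof local - 1] = '\0';
  /* Constructed sample records: our own lock, and one from another box.  */
  snprintf (record, sizeof record, "%ld\n%s\n", (long) getpid (), local);
  printf ("own lock:   %d\n", classify_lock (record, local));
  printf ("other host: %d\n", classify_lock ("4242\nother-box\n", local));
  return 0;
}
```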
Nov 25 2023
Nov 24 2023
Nov 23 2023
Oh sorry, no that did slightly not make it in when I created the tarball for the current beta.
Now the Learn Certificates button is shown if at least one card key is unknown. And the list of certificates is shown if at least one certificate of a card key is known.
No change in VS-Desktop-3.1.90.295-Beta
VS-Desktop-3.1.90.295-Beta: now there is no button any more... So still no learn key possible.
Merge request was merged for both MimeTreeParser and MessageLib
Nov 22 2023
We should really fix that quickly.
I guess this was high priority.
Nov 21 2023
Nov 20 2023
Suggested patch {F5300480}
Nov 17 2023
Applied to 2.4, too.
Nov 15 2023
Testing in 2.4 will not be easy because it requires code modification just for testing. However, de-vs is not supported by 2.4 and the greater plan is to get 2.6 approved for de-vs.
Works in VS-Desktop-3.1.90.277-Beta
The fix is in 1.10.3.
Fix is in 1.10.3.
Nov 14 2023
Nov 13 2023
Thanks for commenting from the other account. This allowed me to disable the account. Deleting an account is hard in Phabricator, thus we do it only very rarely. But disable is basically the same.
and before you say there's just a "remove my account" button on the home screen, using it gives an error:
It's virtually impossible to find any "delete account" (or "disable account") button.
I just verified the new account. Please delete (i.e. disable) it yourself - I can't easily figure out whether it is really your account.
Problem seems to be that there is no ~/trustedkeys.gpg file and that the fallback to the kbx file does not work anymore. I can replicate that with 2.40 and 2.4.4-beta.
Nov 11 2023
I have prepared a first patch:
Nov 10 2023
Nov 9 2023
See T6736#177624 for the possible cause of the off-by-one day problem.
Nov 8 2023
Pushed the changes for ...sc_op_failure routines to master/2.4.
We would need to revise tools/card-call-scd.c:status_sc_op_failure and g10/card-util.c:write_sc_op_status to catch GPG_ERR_PIN_BLOCKED and GPG_ERR_NO_RESET_CODE.
I found two places in scdaemon which return GPG_ERR_BAD_PIN. GPG_ERR_PIN_BLOCKED is relevant here.
diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c index 66ec9f4a9..77d428786 100644 --- a/scd/app-openpgp.c +++ b/scd/app-openpgp.c @@ -2859,7 +2859,7 @@ build_enter_admin_pin_prompt (app_t app, char **r_prompt, int *r_remaining) if (!remaining) { log_info (_("card is permanently locked!\n")); - return gpg_error (GPG_ERR_BAD_PIN); + return gpg_error (GPG_ERR_PIN_BLOCKED); }
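Review bot: The changed return in the `if (!remaining)` branch of build_enter_admin_pin_prompt alters the error code every caller sees, and the hunk shows no caller being updated to handle GPG_ERR_PIN_BLOCKED. Any code path that previously matched GPG_ERR_BAD_PIN to report the failure or to re-prompt needs to recognise the new code as well, otherwise a permanently locked card may fall through to a generic error. The accompanying comment mentions two places returning GPG_ERR_BAD_PIN, but only this one appears in the diff, so the second site should be included here or referenced.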
Nov 7 2023
I think there is no configuration option to set the socket directory, it's hardcoded in homedir.c
Applied a patch from 2.4/master to 2.2 for SEGV when card gives bogus data. rG600e69b46149: scd:openpgp: Fix a segv for cards supporting unknown curves.
Nov 6 2023
Exactly this UID comparison is not enough within a fakeroot environment! Thanks for redirecting me to homedir.c!
That is convenience. Before we did this people were complaining that they first need to create a directory for the sockets. You should not need to use --create-socketdir unless you want to start something like watchgnupg on a socket in just this directory (using the shortcut socket://).
@desultory Thank you for your report.
Please open a new ticket for your problem. If you can, please show the result of https://dev.gnupg.org/T5963#157724
Nov 5 2023
This is still an issue for me:
Nov 4 2023
Exactly, as soon as I need a socketdir other than GNUPGHOME I would use gpgconf --create-socketdir and remove it afterwards via gpgconf --remove-socketdir. But it seems that the socketdir /run/user/UID/gnupg is created by default.
What is your problem with a socket below /run/user? In fact you will need it anyway if your socket file name is longer than something like 104 characters.
Nov 3 2023
The second retry counter is used by current cards for the Reset Code error counter. It is zero if no reset code has been set. It was used by card specs 1.x for the CHV2 only available there.
This may be related to the output PIN retry counter : 3 0 3, i.e. the PUK counter is 0. No idea what this means.
The same is true for trying to unblock the card with the PUK. Again I have to enter 3 PINs in 3 windows before being informed that the entry in the first window was wrong. Additionally, the text in window 1 is borked
If you try "Change PIN" next, you will be asked for the PIN and 2x for the New PIN in altogether 3 pinentry windows before being informed that the PIN is blocked.
After the 3rd entry of the wrong PIN, this is exactly the same.
Here I would wish for not only the popup "wrong PIN" but additionally this popup should declare "PIN blocked".
This is inconsistent, as usually a separate window would pop up for pinentry errors.
Nov 2 2023
For reference, here is a link to the gpgme homebrew formula:
https://github.com/Homebrew/homebrew-core/blob/master/Formula/g/gpgme.rb
Just to clarify, PIP wasn't used to install the .egg package. The package was built and installed via Homebrew. The error message occurs when using basic PIP commands such as pip list or pip freeze. PIP is picking up the gpgme egg from the shortcut included in the site-packages directory.
As this really bugs me, I raise the prio.
And add the Kleo tag, as Werner said it might be that Kleopatra is responsible.
We don't use or suggest the use of PIP or other insecure software distribution systems.
Oct 31 2023
With VS-Desktop-3.1.90.258-Beta I ran again into the last issue with "Wrong PIN". I had not realized that I had entered the PIN wrong before (as you have to enter the PIN several times anyway when generating a new key on a card and you do not get an error message on wrong PIN but instead only a new pinentry window...).