Re-opening to address the missing "Loading certificates ..." overlay.

For various reasons dirmngr requires and implements a full resolver and implements that. This way all DNS queries are passed through Tor. Thus this is a feature and not a bug. The error message could be better but we can only return what SOCKS tells us.

Didn't you mention in another ticket that the work on this caused Kleopatra no longer to show the "Loading certificates,..." overlay? I still have that issue Kleopatra only shows its window once the keycache is fully loaded. I cannot find the ticket where this was mentioned anymore though.

gpg's output indicates that gpg exits on the first invalid signature. This cannot be changed by Kleopatra. And I think it's irrelevant whether there are valid signatures if one signature is invalid. If you have a contract signed by multiple people then the contract won't be valid because two of three signatures are valid.

If no (OpenPGP) key servers (i.e. set to "none") and no (S/MIME) directory servers are configured then the lookup only allows queries for email addresses. Otherwise, any query with at least one non-whitespace character is allowed.

Yes, It was not my intention that WKD should not work when searching for keys, when keyserver is None. Although such a search could be handled by just entering the email address in the recipient dialog in the file encryption widget to trigger a locate key or in the case of GpgOL to enter the recipient mail but I think that feature is very hidden / not really discoverable for users. And yes an improvement for the search Window in that case would be to then switch to "Enter Email" and use an email validator on the input field for example. So let us handle this as part of T6493

I had a quick look at "Lookup on Server" with regard to doing WKD even if no key servers (neither for OpenPGP nor for S/MIME) are configured. This requires more work because WKD lookup is only possible if an email address is entered while key server lookup also works for arbitrary search terms. The users have to be informed about this restriction which is out of scope of this ticket. I think this fits nicely into T6493.

In T6761#179919, @ebo wrote:

This is not as intended. When doing a search, we wanted No error message and only WKD search should be executed.

This is not as intended. When doing a search, we wanted No error message and only WKD search should be executed.

The following operations were changed:

• Export OpenPGP key to key server now shows an error if key server is set to "none".
• Refresh OpenPGP keys now shows an error if key server is set to "none".
• If key server is set to "none" and no S/MIME directory servers are configured then you'll get an error when you try Lookup on Server.
• Kleopatra no longer stores the special value "none" as "hkps://none".

The fallback wasn't used/offered for any GnuPG versions after 2.1.19.

What if the second signer cannot verify the first signature because they don't have the required public key?

Use same priority as T6761

Fixed.

Hi Werner,
after I enabled more detailed logging, I found that the issue is whithin an "old" file what was encyrpted using an outdated key. Somehow the gpg-agent got stuck here while trying to decrypt the file. After removal of the file the issue is gone, thank you for your input!