Note that Kleopatra already has clipboard integration via its tray icon, i.e. you can directly sign/encrypt/decrypt/import the clipboard content from there. Unfortunately, it uses a complete different UI for selecting the recipients. Lots of room for improvement/consolidation.

Kleopatra (master; KF6)

https://invent.kde.org/pim/kleopatra/-/merge_requests/309

Kleopatra just checks if the option "default-new-key-adsk" is set (i.e. it doesn't matter if it's an option with scalar value or list value). The other two options that were changed are not used by Kleopatra.

The possibility to drag certificates from Kleopatra to somewhere else has been disabled for Windows builds. The change has also been backported for vsd33. In the vsd33 AppImage it should still be possible to export certificates by dragging them from Kleopatra to, for example, Dolphin. Maybe we still want to remove the vsd33 tag.

Kleopatra now asks the same questions as the GnuPG backend. The choices the user can make are a bit different because the user already told Kleopatra that they want to trust (or distrust) a root certificate. Therefore, the first dialog only has "Yes" and "Cancel". And the fingerprint dialog (which is only shown for Trust but not for Distrust) only has "Correct" and "Wrong". Another difference is that in GnuPG clicking "Wrong" makes GnuPG mark the certificate as untrusted (which is a bit surprising). In Kleopatra the certificate is left unchanged if the user selects "Wrong".

If gpg-agent's option "no-allow-mark-trusted" is set then the actions "Trust root certificate" and "Distrust root certificate" won't be available. If the option is set while Kleopatra is running then it needs to be restarted to get rid of the actions. If one tries to use the actions then Kleopatra will tell you that you are not allowed to do this. Similarly one needs to restart Kleopatra to make the action available again after the option was unset.

In T7322#192972, @ebo wrote:

Which is of course technically correct but why can't we have the much more clear "invalid ADSK ... specified"? I think this would help troubleshooting.

Backported for vsd33

Backported for vsd33

Backported for vsd33 (as discussed with ebo)

This bug exists since Kleopatra offers "Trust root certificate" (i.e. since 2010). allow-mark-trusted seems to be default since Gpg4win 2.1.0. If admins really want to prevent users from messing with the trustlist then they anyway have to use the no-user-trustlist option.

I can still reproduce case 2 with gnupg 2.4. I have to check how my local setup differs from gpg4win-Beta-64.

If you use a tabbed layout you will always have the problem that some tabs have lots of whitespace and other tabs have little whitespace or even a scrollbar.

I just saw that gpg-agent has a MARKTRUSTED command which takes care of asking the question and of modifying the trustlist.txt. I guess it makes sense that Kleopatra uses this command for the "Trust root certificate" action.

In T7349#192860, @werner wrote:

Kleopatra should also not offer to add a root CA if gpg-agent's mark-trusted feature has been disabled.

In T7329#192861, @ebo wrote:

Regarding the removal of the stretch: Now there seems to be no space at all before the description. Could we have a one-line space before it?

I have confirmed that rA69069bc63e6b fixes the build on macOS.

Passing ticket to werner to consider backports.

The line

Please use https://bugs.kde.org to report bugs.

seems to be hard-coded into the Authors tab. I see it in all KDE applications. Maybe it can be customized.

We could simplify the copyright lines to (if we make sure that the current names are listed as authors)

Copyright 2002-2024 The Kleopatra authors
Copyright 2002, 2004, 2007-2009 Klarälvdalens Datakonsult AB
Copyright 2016-2018 Intevation GmbH
Copyright 2010-2024 g10 Code GmbH

alternatively using © instead of "Copyright". (Using both as in KMail is nonsense because © is the official abbreviation of the word "Copyright".)

Making pinentry issue "fully canceled" if the user clicks Cancel breaks decryption of data that is encrypted with multiple keys of the owner. The user woudn't be asked for the password of their second key if they canceled the pinentry for the password of the first key.

The new API isn't used anywhere. For now it can only be tested with the test runners. -> setting to resolved

Note for testing:
If the environment variable GNUPG_ASSUME_COMPLIANCE is set to "de-vs" and de-vs compliance is enabled then Kleopatra should show "VS-NfD compliant (beta)" instead of "VS-NfD compliant" everywhere. ("Not VS-NfD compliant" doesn't get the (beta) suffix.)

The technical background is that opening the certificate details triggers an update of the certificate and this triggers an update of the drop-down. The drop-down should still keep the currently selected certificate even if it is not offered by default.

The fix should probably be backported to gnupg 2.2 and 2.4.