Oh, I just noticed that gpg doesn't say anything about the trust of the key if the key is expired. Compare this to the following output of gpg in case of a not-expired signing key without trusted certifications.

[GNUPG:] NEWSIG
gpg: Signature made Di 06 Jan 2026 16:35:20 CET
gpg:                using EDDSA key 98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE
[GNUPG:] KEY_CONSIDERED 98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE 0
[GNUPG:] SIG_ID mmuLNgiB0C7AfTaVYpNjZbcVQok 2026-01-06 1767713720
[GNUPG:] GOODSIG FC9B2EF2C62AC7BE t7790-expired
gpg: Good signature from "t7790-expired" [unknown]
[GNUPG:] VALIDSIG 98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE 2026-01-06 1767713720 0 4 0 22 10 00 98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE
[GNUPG:] TRUST_UNDEFINED 0 pgp
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
      98FB8E8F8E5F58FA653E17A6FC9B2EF2C62AC7BE

How I reproduced this:

• Create new test key
• Detached-sign some text with the new test key
• Change trust of test key to "unknown"
• Expire the test key (e.g. with gpg --quick-set-expire FPR seconds=1)

Other observations:

• after removing the smartcard reader again it's still not reproducible
• after win restart it's not always reproducible
• best chances to reproduce by killing all gpg related processes and deleting gnupghome and Gpg4Win folders first, then import

after attaching a smartcard reader with a smartcard, i can't reproduce this issue anymore

In T8015#210727, @ikloecker wrote:

Also: What happens if you cancel the ownership question and then change the owner trust of the key on the command line?

Interesting. I also wasn't able to reproduce this anymore, although I even created a new VM to make sure this is reproducible in a clean setup (and it was reproducible every time).
After restart of windows, it is reproducible again. This is the debugview output for an import without status update:

Looks good to me on gpg4win-5.0.0-beta479 @ win11.

I cannot reproduce this on Linux. Here I see that the file system watcher notices that trustdb.gpg was changed and triggers a keylisting.

Also: What happens if you cancel the ownership question and then change the owner trust of the key on the command line?

Please attach the log output of Kleopatra

Done

• progress/busy indicator shown (probably also read, but loading was too fast, so it skipped the text)

alt+m
Manage Smart Cards - Kleopatra  window
Loading smart cards...
tab control
OpenPGP - 0005 00009D58  tab  Alt+  O

Fixed.

Backported for VSD 3.4

The option

[Export]
AllowPublicKeyUpload=true

has been added. If this option is disabled (i.e. set to false) then Kleopatra only allows the upload of OpenPGP keys for which the user has the secret key.

Backported for VSD 3.4

Fixed everywhere where we export some certificate or public/secret (sub)key. Additionally, to space characters we also replace /, \, and : everywhere in the (proposed) file names now.

Fixed and backported for VSD 3.4

What does gpgsm -k --with-colons print for Werner's QES key? The usage / capabilities should contain s (for signing) and q (for qualified signing). If q is missing then something isn't set up correctly.

The issue is resolved in gpg4win-5.0.0-beta479 @ win11:

• no error for opening .eml files
• no error for starting kleopatra while running (also not started twice anymore)

No it is not related to T4030 because that has not yet been implemented. I am just upload a beta479 which should fix problem as wel as other similar problems.

this also happens, when kleopatra is started while already running

maybe related: T4030: GpgEX: Use process calls instead of UIServer protocol

I've created a global trustlist.txt at C:\ProgramData\GNU\etc\gnupg with an entry for the RootCA for Werners QES key with the qual keyword. (The local config would not work, according to the man page.)

Adding a new column to the layout is now remembered.
The with of the newly added column (Key-ID, all others are shown by default) is not set to the width of the content. But I think that is ok, one can increase the width manually and that is then remembered.

I am surprised that the solution with the separate tab was chosen… Looks like this:

works in Gpg4win-5.0.0-beta476

Ok, only 2 confirmations after the one above any more (for a standard key), they look like this:

Ok, my fault, I missed that in the beginning there was logging in the background which consumed gpg's error message.

If no logging is running in the background (that's something that often trips me…) on consecutive runs:

with Gpg4win-5.0.0-beta476

Yes, Kleopatra quits again with the beta from yesterday:

Fixed in gpg4win-5.0.0-beta476

Fixed by applying a patch to our version of MinGW. This affected all Qt programs build with Qt 6.10.

Back to WIP because I had to fix a regression.

https://invent.kde.org/pim/kleopatra/-/merge_requests/428

@timegrid I would not tag this ticket with LDAP, as it is not LDAP specific

State in Gpg4win-5.0.0-beta446 and vsd 3.3.4 is this:

This task is obsolete as we do no longer use the Temp directory for encryption (I believe since vsd3.3.0/gpg4win 4.4.0). Instead the file is written directly to the target location with the ending ".part". It is renamed there after the encryption is completed.

The aim of this ticket is to map the message in Kleo for the corresponding gpg case to the "Not found" error in gpgsm and thus show the other message instead.

ok, yes, looks like this was not thought through. How about "Sign/Encrypt settings"?

for clarity: the current "password based encryption only" and "public key encryption only" are not about defaults, but completely disable the respective functionality. should they really be under "Sign/Encrypt defaults"?

I can see AutomationIds now, but some are missing, e.g.:

• toolbar buttons (looks like buttons in general)
• tab items
• table header / tree items

ok, then this ticket will be for improvement of the usability.

Except for GpgEX which I am currently working on.

This might be obsolete after we have switched to Qt 6.10.

It's mostly obsolete. With T7874, GetThreadUILanguage is used instead of GetThreadLocale if no locale/language related environment variables are set. GetThreadUILanguage returns the configured display language.

Backported for VSD 3.4

The tab order is horrible, but with the right combination of Tab and Shift+Tab it is possible to set custom keyboard shortcuts and the remove them again.

Fixed.

This is still the case in Gpg4win-5.0.0-beta413

It is not entirely clear what was meant here.
Probably it is about a command line option for opening the group config from Outlook/GpgOL or KMail. Which would be useful.