Thanks for the clarification. I was not objecting to the workflow, I was trying to understand so that I can interact with the bug tracker appropriately. I was unaware of the difference between "milestones" and other project tags. I'll try to get that right in the future.
Wed, Nov 20
Please do not add milestone tags.
Thu, Nov 14
I put the "scd" tag on it; let me claim this ticket.
Tue, Nov 12
Fri, Nov 8
For Beta-75 it looks similar judging from my first tries.
Thu, Nov 7
I managed to get the same "loading certificate" message several times in a row on this test instance by stopping and starting Kleopatra in a row twice. After removing the Signature Card 2.0 this did not happen again in 5-6 tries, although I collected 2 lingering listing processes again (not both started on the same startup). Even import of an X.509 certificate worked.
Next I managed to have one gpg and one gpgsm process each left over from the last execution of Kleopatra.
After starting Kleopatra new anyway, again "loading certificate cache" and an additional pair of gpg and gpgsm listing processes start.
Had an occurrence of the never ending "loading certificate cache" issue again.
There was a leftover gpgsm process from the previous tests (although Kleopatra warned when I closed it, that processes still running in the background were there and would be aborted).
Tue, Nov 5
Sat, Nov 2
Fri, Nov 1
@ebo Thank you for your continuous testing.
Thu, Oct 31
Unfortunately, this seems not to have ended the sporadic hangs.
I just saw a hanging initial keylisting with gpg4win-beta-70 which has gpg 2.4.6.
Tue, Oct 29
Backported to 2.4 to go into 2.4.6
Fix backported to 2.4
Oct 24 2024
Passing ticket to werner to consider backports.
Oct 17 2024
Oct 9 2024
Oct 4 2024
Tested with VS-Desktop-3.2.94.2-Beta.
Works as expected on the cli.
Oct 2 2024
gpgme should handle lists correctly. In Kleopatra those options are not shown in the configuration dialog because they are GC_LEVEL_INVISIBLE, i.e. Kleopatra can read them programmatically but they are not shown to the user.
Oct 1 2024
In T6882#191854, @werner wrote: While testing this I noticed that only the last adsk or trusted key is listed. Thus several assurances of this options are not properly represented. See T7313
Fixed for master. Let's first test this with kleopatra.
Done for 2.2. It is already in 2.4.
Sep 27 2024
Will do.
It is a reproducible bug even with the master branch.
Sep 26 2024
werner: Can you also backport listing of "default-new-key-adsk" with gpgconf so that Kleopatra can check whether a default ADSK is set?
Backported to 2.2
I had a look at the log file gpg-agent.log. I can see that six PKDECRYPT requests are handled simultaneously. I think that it's out of secure memory to decrypt the private key, which results in a pinentry request.
Sep 25 2024
We won't do that for Windows.
Fixed in 2.2 with: rGc33523a0132e047032c4d65f9dedec0297bfbef3
Sep 24 2024
Please go ahead and apply to master. I'll then take care of backporting.
Sep 20 2024
Found another thinko: when there are no clients with DEVINFO --watch, the pipe to be notified is not consumed at all (no read). It eventually results in being blocked by write(2), when the pipe is filled.
Sep 19 2024
I see. The systemd race of having two gpg-agent processes. The second gpg-agent should eventually go away but then it is already too late.
I mean: two gpg-agent requests simultaneously running DEVINFO --watch.
Single scdaemon, two threads handling DEVINFO --watch simultaneously, by pselect + read.
Two threads woke up, but it was only one thread which could read(2); the other was blocked (before the fix).
Sep 18 2024
You mean it is possible that the initialization function is called by several threads - or that two scdaemons are running before they realize that one of them is in the way?
I realized that I put a bug on POSIX: when multiple clients do DEVINFO --watch, it is possible for scdaemon to hang (waiting in pselect and read, read by one, read by another is blocked).
Sep 17 2024
Fixed GnuPG 2.4 in: rG730593affa91: common:w32: Don't expose unused functions.
libgpg-error fix is done in: rEc2a713fe11e3: w32:spawn: Remove unused function get_max_fds.
Sep 9 2024
Aug 19 2024
Thanks.
Aug 17 2024
Aug 16 2024
Aug 13 2024
I made a ticket on bugzilla with ready-made tests for S/MIME, but on close inspection a different structure appears for S/MIME and another for qualified signature (openssl could not verify token extracted from CAdES-BASELINE-T signature). However, these tests can be very useful.
Aug 2 2024
Status is testing for 2.4, no backport yet for 2.2, so there it stays in the backlog column
Jul 4 2024
Jul 1 2024
Jun 27 2024
Asking for a change in gpgme would need more time... So, I decided to change the gpg-agent side.
gpg-agent part was done in: rGb3f1f2cd192b: agent: Handle SCD DEVINFO --watch command in a special way.
Jun 25 2024
scdaemon part was done in: rG36d8cffc6cd2: scd: Finish DEVINFO --watch command on input close.
Jun 24 2024
Maybe we can support this directly in gpgme's assuan API.
Did some experiments and I concluded (for now) that a new command for gpg-agent would not be needed.
Instead, it might be better to do the following in GPGME.
Jun 17 2024
Jun 13 2024
Jun 9 2024
I confirmed that this is present in version 2.2.40 on Debian as well.
Jun 6 2024
May 31 2024
Thanks for your answer, @werner
Do not use the pcscd but the integrated CCID driver. This is actually the default for Unix. Or are you on Windows?
Hello all. I think I am affected by this problem (I get asked for the YubiKey PIV PIN every time I make a git commit).
Is there a known workaround?
May 29 2024
Backported to 2.4 and relevant parts also to 2.2
May 28 2024
In T7129#186556, @werner wrote: In [PATCH GnuPG 12/15] sm: Avoid use of uninitialized variable I can't see where ERR was not initialized.
All except the above mentioned applied to master - will be backported to 2.4
In [PATCH GnuPG 12/15] sm: Avoid use of uninitialized variable I can't see where ERR was not initialized.
Fair enough. This is more theoretical and could happen only on huge reads. Using ssize_t for the read() return value is the safe option, but it really does not make sense to adhere to it in cases where the reads must be smaller.
I do not understand why there should be an integer overflow: