Especially when an LDAP is configured, keys should be automatically refreshed in short intervals (5 days? Configurable?) to notify users about revoked keys or signatures from a trusted key.
Keys that are close to their expiration dates should be prioritized.
Maybe users want to configure for what mail domains a lookup on a configured LDAP should be done.
Tue, Sep 2
Fri, Aug 29
Thu, Aug 28
I think it is safe to say that we will not implement pgp/inline encryption with attachments.
Wed, Aug 27
The problem here is that we don't have the sha-2 fingerprint in our SQL tables. Thus we would not only need to do a full table search but also parse the actual blob to compute the sha-2 fingerprint.
I have done testing using my QES certificate with all combinations of the two options.
Mon, Aug 25
Thanks for reporting/requesting.
Sat, Aug 23
Thu, Aug 21
Well, I will re-use this as a feature request to add this feature. Workaround is to list the key with --with-keygrip and back up the ~/.gnupg/private-keys-v1.d/<keygrip>.key files.
Wed, Aug 13
Mon, Aug 11
Thu, Aug 7
Aug 4 2025
Looks good to me on gpg4win-5.0.0-beta357 @ win10 for the following migrations (as stated in the description):
- gpg4win 4.3.1 -> gpg4win 5.0
- gpg4win 4.4.1 -> gpg4win 5.0
Pushed the changes in {gniibe/synch-spawn} branch.
It consists of three commits:
Aug 1 2025
There is a new --keyserver-option update-before-send which is enabled by default.
Jul 22 2025
Done for gpg4win 5 and backported for VSD 3.4 (provided that the gpg4win-4-branch will be used for VSD 3.4).
Jul 18 2025
Jul 17 2025
Deselect email and select again (email gets decrypted again): attachments are back.
Jul 16 2025
Several releases since the last commit and no specific bug reports. We can close this task.
Add gpd5x tag to ensure testing with Gpg4win.
Fixed with new GPGRT_PROCESS_STDIO_NUL flag.
Jul 15 2025
Pushed the changes:
- Inheriting HANDLEs has not been working accurately
- Before the fix, all HANDLEs were inherited
- Only specified HANDLEs are inherited by: rE0b01950237ab: w32:spawn: Fix inheriting HANDLEs.
- HANDLEs by w32_open_null were leaked
T7723 fix by rE311fb769d1dd: w32:spawn: New flag GPGRT_PROCESS_STDIO_NUL.
Before implementing this feature, it's better to fix T7723: gpgrt:w32: Fix for inheriting stdin/stdout/stderr with "NUL", and do some clean up.
If we will fix gpgconf using GPGRT_PROCESS_STDIO_NUL, we will need to fix gpg-connect-agent to see if it's NUL or not.
Jul 11 2025
Here is an experimental change to support the feature.
I'm testing the following patch with experimental change of libgpg-error.
Jul 9 2025
Jul 8 2025
Jul 7 2025
Jul 3 2025
Can't you just use file descriptors everywhere and use _get_osfhandle once you need a HANDLE? That is what I am used to seeing in Windows code in Gnulib (although I do not touch it much).
Jul 2 2025
Regarding 64bit handles https://learn.microsoft.com/en-us/windows/win32/winprog64/interprocess-communication
tells us:
This seems to be a good opportunity to replace paperkey with a new tool to take advantage of the smaller ECC keys which allow us to re-generate most stuff.
Jun 30 2025
Ingo tested this and it worked.
Jun 26 2025
Jun 25 2025
But we have the same problems on Unix as described by T7699. (funny, the other bug mentioned above has 76 reversed)
Jun 23 2025
Jun 18 2025
We decided in T7579: Kleopatra: improve menu items to remove this action. Users will instead have to mark certificates they want to update and use the Update Certificates action in the "Certificates" menu.
After several gpg4win-5 betas we can set this task to resolved.
I claim this resolved given several gpg4win-5 betas.
I claim this resolved given that we had several gpg4win-5 betas and no reported problems were related to this.
The actual project we had in mind for this was more or less canceled and thus I re-prioritize this task.
This was released with 2.5.7.
Jun 17 2025
Jun 2 2025
We do this now also for gpg-wks-server. Further gpg-wks-client now sends the current language to the server so that the server can get back to the user with a proper translated text (if configured).
May 30 2025
Alright. We use utf-8 in our template files and switch to QP encoding when needed.
May 28 2025
Just as a reminder, knowledge transfer, because this is easily overlooked in testing but at least one customer would have gotten very annoyed if we had ever deployed an "Update all certificates" function which "added" new certificates. Even with the update of a single cert, we had a "funny" issue, like if you had expired certificates from anywhere and not from WKD (which old keyrings have a lot, maybe with many uids). Suddenly an update would pull in new keys which come from WKD but maybe there they all only have one UID. Because for keyservers the identifier was the fingerprint and for WKD the identifier was the userid.
Or even worse, you explicitly threw out the OpenPGP keys from WKD because you wanted to use only S/MIME, then such a function may not search on any OpenPGP Sources.
When I worked at Kleopatra we didn't want such a feature in GnuPG. Our strategy was to update keys when they are used, about to be used or close to expiry. The whole locate-external-key thing.
I think the feature we had to update in the certificate details is good. But I recommend especially keeping the S/MIME / OpenPGP difference in mind. I would also call it "Search updated certificates" with a tooltip that it might also find "new" certificates for the user. And then an option to disable this either for S/MIME or for OpenPGP.
May 27 2025
Tools / Refresh OpenPGP certificates runs gpg --refresh-keys. I don't think that this command knows anything about WKD.
May 26 2025
May 22 2025
Please solve this the same as our solution in T7630: add a button in the results window to open a new window with all the imported certificates.
Fixed in most cases.
Edge cases will be examined further.
May 16 2025
In T5993#201111, @werner wrote: For example Poppler uses GnuPG comment packets to lower its own attack surface by leaving all OpenPGP handling to gpg. The patch (or at least the version we noticed in Fedora and Debian) entirely breaks this use.
(The commits had a wrong bug id in their message)
It might be useful to have samples of compressed keys: