Before making subtickets for each application: I wonder if it is not all Kleopatra anyway? Isn't the security approval dialog basically Kleopatra?

The equivalent for invalid S/MIME certificates are not-certified *PGP certificates.
(Valid/invalid are not ideal as technical terms as they have a broad general meaning, too. I hope my usage here is correct ;-) It is what I gathered from an explanation given by Werner.)

Invalid certs (as stated in the status column in Kleopatra) are mainly S/MIME certs (e.g. with missing root cert, CRL check failed, etc). I haven't seen invalid pgp certs yet (might be e.g. very old ones with missing self signature).

Invalid and expired are different cases.

Issue 1) should be implemented as already described (on error -> dialog to retry with "always trust" flag)

@ebo and me talked about this and T6701: GpgOL: Use GPGME_ENCRYPT_ALWAYS_TRUST. We think, it's best to have a short meeting to discuss further changes.

Ticket for the hang on file encryption: T8187: Kleopatra: File encryption with invalid S/MIME certificate hangs indefinitely

According to Werner, that should be:

Maybe those smime certs will do:

It needs to be clarified which kind of errors should be handled and which kind of S/MIME certificates should be allowed to be used for encryption:

• Valid certificates where the CRL check (or OCSP check?) fails
• Invalid certificates (e.g. because of incomplete chain/missing CA)
• Expired certificates

Do we have a test certificate for this? The certificate in T6702#176845 is expired.

To clarify, the state in Kleopatra Ingo described a year ago has changed, with T7579: Kleopatra: improve menu items the refresh option in the Tools menu was removed. Both actions to update certificates - in the context menu and in the details - are/work the same.

Removing kleopatra tag since Kleopatra already does what's requested.

Pushed the change of gpgme: rM8b89678aed6d: Fix passphrase cancel handling.

It is clearly not implemented for S/MIME: rKLEOPATRA9eed4a45ed93 but it should be.

I consider again about Ben's change. It could be simply support of the detection of the cancel situation where gpgme should return GPG_ERR_CANCELED (not related to single cancellation vs. whole cancellation).

I can't remember why Ben introduced the new status. OTOH, I wish that the Qt-Pinentry also emits a button_info line for closing the window. Normal users don't notice the difference but if you have a lot of private keys and you get a mail which has only hidden recipients the full_canceled is pretty useful. Also for other tasks like allow-mark-trusted: On Windows with the qt-pinentry I am always cursing about this but on my box I only need to close the pinentry window to get a fully_canceled

Follow up for Q1 is T8166: Kleopatra: Add "Save Secret Team Key" button to success message after creation of "Team Key"

FYI: We had a VSD support case today where the user complained that they thought the Admin PIN would work because of the tooltip text but it was not accepted. They needed to give the PUK, which is consistent with the state given in this ticket.

So this is all done, then. As for the open issue there is T7565: Kleopatra: Add tooltips in sign/encrypt window if an encryption type is greyed out

Looks almost good to me on gpg4win-5.0.2-beta2 @ win11.

I've made the above ticket for Q2. Regarding Q3 we leave it as is, if customers should complain we could then consider changing that.
Regarding Q1: we should talk about that next week. But I'll close this ticket.

Looks good to me on gpg4win-5.0.2-beta2 @ win11.

@ikloecker said (paraphrased by me):

Looks good to me on gpg4win-5.0.2-beta2 @ win11:

Looks good to me on gpg4win-5.0.2-beta2 @ win11:

Looks good to me on gpg4win-5.0.2-beta2 @ win11:

Looks good to me on gpg4win-5.0.2-beta2 @ win11:

Looks good to me on gpg4win-5.0.2-beta2 @ win11:

Tested with Gpg4win-5.0.2-beta2

config file: Sorry, I got confused, it has to be %APPDATA%\GnuPG VS-Desktop\kleopatrarc in this case (VS-Desktop-4.0.90.1203-Beta), of course. And this one works.
Registry entry SOFTWARE\GnuPG VS-Desktop\Kleopatra\CMS\SaveCSRAsPEM does not work, though. But this is a separate issue, seems all Registry entries do not work in that build.

• config file: According to T7717: Location of qt-application config files %APPDATA%/Gpg4win/kleopatrarc should work.
• registry: According to T5707: Kleopatra: Use windows registry additionally to config files this should be SOFTWARE\Gpg4win\Kleopatra\CMS\SaveCSRAsPEM now

Works with VS-Desktop-4.0.90.1203-Beta when putting this in C:\Program Files\GnuPG VS-Desktop\share\kleopatrarc
CSR is then saved as .pem file with ascii-armored content.

Also backported for VSD 3.4.

Now also available in Gpg4win 5.

Ready for testing in VSD 3.3

What about always using PEM for all generated CSRs? As far as I can see, gpgsm command line always uses PEM when generating CSRs.

I haven't tested it, but it looks good