Also setting fixed for VSD 3.4 assuming that gpg4win-tools will be updated for VSD 3.4. (There are no branches in gpg4win-tools.)

Immutability should now be respected for all settings on the GpgOL config page. Additionally, the "autoencryptUntrusted" option was sometimes enabled even if "autoresolved" was unchecked.

I tried but couldn't reproduce it any more. Therefore setting it to invalid.

Before making subtickets for each application: I wonder if it is not all Kleopatra anyway? Isn't the security approval dialog basically Kleopatra?

The equivalent for invalid S/MIME certificates are not-certified *PGP certificates.
(Valid/invalid are not ideal as technical terms as they have a broad general meaning, too. I hope my usage here is correct ;-) It is what I gathered from an explanation given by Werner.)

feedback of @mmontkowski needed

Invalid certs (as stated in the status column in Kleopatra) are mainly S/MIME certs (e.g. with missing root cert, CRL check failed, etc). I haven't seen invalid pgp certs yet (might be e.g. very old ones with missing self signature).

Invalid and expired are different cases.

Not a good idea. Because then the user will open it with the browser and the browser loads all kind of additional data including drive-by malware. If HTML *mail* is shown by a MUA no links should be followed to keep information and the fact that it was read confidential.

With signing only, the retry option is not offered and directly either hangs or shows the "Invalid CRL object" / "Unknown error" error.
Is this intentional?

In vsd 3.3.6 the option is now greyed out.

Moving smime encrypted/signed mails with attachments both works with drag&drop and via context menu on gpg4win-5.0.2-beta2 @ win11 with IMAP, so I'm setting this to resolved.

gpgol.log (call trace + data)

On gpg4win-5.0.2-beta-2 @ win11 i can reproduce for signed only mails (smime and pgp):

• drag&drop does work
• move via context menu
  • works for selected mails
  • does not work for unselected mails

I can't resend the mail though.

Luckily I tested T5374: GpgOL: Can't move a signed mail in Outlook from In-Mail folder to any other folder afterwards and found out, that with my current settings in gpg4win-5.0.2-beta2 @ win11 I can reproduce this every time by sending signed only mails (pgp and smime does not matter).
Regarding my settings, I only activated the security dialog:

I have no idea how to reproduce this, there is no pattern. It could as well be, that some server side thing is involved, which is not under our control.
Either I'm lucky and it just happens while the logs are enabled, or I'll try some auto loop with appium one day.

I can't reproduce this on gpg4win-5.0.2-beta2 and vsd-3.3.4.

There is already a hint in the "1st steps" web page and already a ticket to add a hint on incompatible Add-Ons in the documentation.

We need tests to reproduce this.

We need a test $GNUPGHOME with different secret keys to test this scenario:

• expired key
• 2 usable keys (not expired)

Marcus suggestion: offer the HTML mail content as attachment.

The missing signature was a problem on my end. The customer mail (to ted / exchange server) works fine if the cert is in the keyring. The testmails (via outlook imap) are fine, too. I still need a better test setup for mails to our exchange accounts, but this is enough to rule out a problem in gpgol. I adjust my former message accordingly.

Hmm ich sehe weiterhin die Signatur.

The missing signature indication can also be seen now in the customer mails sent via kmail (ted:INBOX, e.g. 18.02. 12:52). This was fine before.

The basic fix for the msg box looks good to me on gpg4win-5.0.2-beta2 @ win11.
There's only no signature shown anymore, not even for the formerly working case 1.
Note: I also tested those mails sent to an exchange server with the same result as via IMAP.

The new German tool tip is shown in Gpg4win 5.0.2 (Beta)

As the migration to keyboxd will happen not too far in the future, we'll close this ticket.
Keylisting should meanwhile already be faster due to other changes.

Note for mails with 2 attachments, where the warning is displayed: Those mails can't be moved in Outlook/GpgOL

Regarding 8. encrypted/signed vcard attachment:

This ticket is now obsolete, as we will force the setting of autoencryptUntrusted=0 via the registry in Ticket T8090