After recompiling, it works!
Yesterday
I backported the work of Andre for qt6 to master/kf5. It's in the branch work/carl/product-name-kf5
The technical background is that opening the certificate details triggers an update of the certificate and this triggers an update of the drop-down. The drop-down should still keep the currently selected certificate even if it is not offered by default.
Wed, Oct 16
The fix should probably be backported to gnupg 2.2 and 2.4.
The only thing that's a bit ugly is that there's no checkbox in front of "Encrypt for others" because it's mostly superfluous/redundant to the presence or absence of "other" certificates.
I'm wondering if/how we can get rid of the checkbox before "Encrypt for me". Do we even need to distinguish between "for me" and "for others"? It has always felt wrong to me that we have completely different UI for selecting my single (!) key and multiple other keys. What if I want to encrypt to two keys of me? Makes no sense to enter my second key under "Encrypt for others". What if somebody always wants to encrypt everything to two of their keys, e.g. because they use different keys on different devices? But that also applies to the file encryption dialog so maybe that's a different discussion.
In T5957#192598, @ebo wrote: But what I don't understand is: why do we need the buttons? For other encryption actions in Kleo you can choose from all available keys, regardless of their protocol.
I confirm the fix. Using gnupg master the unit test ran 544 times without any failures or suspiciously long run time.
I played a bit with the right pane to make it less wide. Here is how it looks (still WIP)
My last comment makes things look more complicated than they are.
I'd have no objections against making it less prominent.
Instead of the "Protocol" label we could then maybe add a tooltip/info to the buttons with something like "the protocol to be used".
I know, tooltips are not popular with you ;-)
Okay, then we keep the protocol radio buttons for now, but I guess there's no reason not to make it less prominent. I would even argue that the label "Protocol:" isn't really helpful and could be removed.
In T5957#192566, @CarlSchwan wrote: Does the notepad really need to support S/MIME? People might want to use inline PGP with Kleopatra, but S/MIME???
Agree
Good catch, @ikloecker !
I located the bug in GnuPG, and the fix is: rG71840b57f486: common: Fix a race condition in creating socketdir.
Tue, Oct 15
In the second case, gpg emits a FAILURE gpg-exit 33554433 status at the end. I think this makes gpgme consider the operation failed. I think this is a bug in gpg because gpg does not emit a FAILURE status if a wrong symmetric passphrase is entered.
In the first case, gpg emits a CANCELED_BY_USER status. This makes gpgme abort the operation. We may have to wait/watch for BEGIN_DECRYPTION / END_DECRYPTION.
Does the notepad really need to support S/MIME? People might want to use inline PGP with Kleopatra, but S/MIME???
When looking at Carl's first MR I had a few ideas/thoughts:
- Does the notepad really need to support S/MIME? People might want to use inline PGP with Kleopatra, but S/MIME???
- I'm wondering whether we should move the checkboxes to the group box titles and get rid of the group boxes and instead use KSeparators to separate the different sections, i.e.

    [ ] Prove authenticity (sign)
    Sign as:
    ------------------------------
    [ ] Encrypt
    Encrypt for me:
    Encrypt for others:
    ------------------------------
    [ ] Encrypt with password
    Anyone ...
    ------------------------------
    [Sign and Encrypt]
I found one reason for the intermittently failing concurrent initial keylisting. gpgsm sometimes uses the wrong socket file to (try to) connect to gpg-agent.
I don't think gpg/gpgsm tell gpgme "the keyblock used for decryption". They simply log all public keys used for encryption via STATUS_ENC_TO in the order the packets appear in the encrypted file.
There is no such concept of a primary keyblock for a subkey. Using the same subkey for several primary keys is a non-frequent but nevertheless seen use case. Thus this behaviour is not ADSK specific. I would suggest to first search the keyblock used for decryption to get the name of another subkey - only if that is not found search the keyring for that subkey and thus the primary key and its user id.
Mon, Oct 14
In T7334#192524, @werner wrote: For a subkey the user id of its primary should always be shown.
Summarizing out-of-band discussion (please correct where I remember things wrong):
It is not the recipient's business to know which certificate also uses a subkey. For all the user needs to know that it is a subkey which belongs to a primary key. In this regard this is not different from a shared encryption subkey as used by many sites for role addresses. For a subkey the user id of its primary should always be shown.
In case of an unknown encryption subkey we could check if it's the ADSK of a known recipient and then display something like
Unknown ADSK for "Some key with ADSK <with-adsk@example.net>"
instead of
unknown recipient
Thinking about this some more, I don't think we can do anything different from what's done in my patch:
Both subkeys belong to Alice from gpg's point of view
What is wrong in your opinion?
I can reproduce this with gnupg 2.2.45-beta27 (STABLE-BRANCH-2-2 69a8aefa) on openSUSE Tumbleweed.
We have this data already. The problem on kleopatra's side is that in the key cache, we add the ADSK subkey for each key that has it as an ADSK, causing a somewhat broken index and ultimately the problem seen here.
Is this R-flag part of the status logging, i.e. do we need to add handling for this in gpgme?
Sun, Oct 13
Yes. I think that Kleo does not yet fully support the R-flag indicating an ADSK.
Fri, Oct 11
systemd based Linux?
Thu, Oct 10
I have reproduced this with libkleo from our gpg4win/24.05 branch and with gpg (GnuPG) 2.4.6-beta102 (HEAD of STABLE-BRANCH-2-4) and current master of gpgme and all GnuPG libraries. It took just 8 runs until a unittest failed.
gpgme logs for a failed test where the keylisting with gpgsm failed
If the keylisting (of OpenPGP and S/MIME certificates; technically, that's two independent keylistings) fails without giving any results then it makes sense to show an error message instead of the welcome page.
Wed, Oct 9
This is also relevant for VSD 3.3. Backport is not needed, but gpg4win/VSD needs to include current gpgme.
Tue, Oct 8
This is a super old bug report, this is likely fixed with a new version of Kleopatra, so I am closing this. If this happens again in the future, feel free to reopen this bug report.
This is no longer possible. The sign/encrypt button is disabled and an info box is displayed.
No reply for a very long time, so I am closing this ticket. This is likely fixed now. Feel free to reopen if this happens again.
No reply for a very long time, let's close this.
This report is a bit old. I just tested gpg --keyserver https://keys.openpgp.org --search-keys mail@mhammerbacher.de on my laptop and this works fine.
gpg4win 4 has been released with unicode support. Closing.
I created https://invent.kde.org/pim/kleopatra/-/merge_requests/287 for the appstream file.
This is now done and it is much simpler now
Mon, Oct 7
When I last talked about this ticket I had not thought of the fact that we need to have this in some kleowrap wrapper and that currently stdout and stderr are not printed in a process which forwards its call to an already running kleopatra.
I thought about this and any change here has a regression risk and the release is already overdue. If we change this now as a band aid before a release with keyboxd we really need this only for one release.
Regardless of the migration. At least we need to set GNUPGHOME early in Kleopatra's main to the value returned by GpgME so that the qt.conf patch works in KF6.
Andre, didn't we conclude that there's nothing worth migrating except the groups configuration (which is migrated)?
I see no commits that change the behaviour or do the migration. Then this is not fixed. To clarify: for me this issue is about general config files of KDE / Qt, not only about the kleopatragroupsrc, since the kleopatragroupsrc was fixed in the last release already.
In the state I left it for VSD 3.3 (master) qt.conf is only written for Gpg4win. And not for VS-Desktop. So testing with Gpg4win has different results. This was the underlying reason since qt.conf was written with FileWrite and not packaged. I only changed that in Gpg4win master.