Sounds like the animation causes/relies on a deferred destruction. Do we/KF6 delete the popup manually?

I had this again yesterday. I don't think that scdaemon is involved. gpg-agent.log has this

2025-03-05 15:54:29 gpg-agent[1248] socket file removed - retrying binding
2025-03-05 15:54:29 gpg-agent[1248] Der Socket kann nicht an `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.gpg-agent' gebunden werden: Unknown error
2025-03-05 15:54:29 gpg-agent[1248] system error code: 0 (0x0)
2025-03-05 15:54:29 gpg-agent[1248] secmem usage: 0/32768 bytes in 0 blocks
2025-03-05 15:55:17 gpg-agent[2088] socket file removed - retrying binding
2025-03-05 15:55:17 gpg-agent[2088] Es wird auf Socket `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.gpg-agent' gehört
2025-03-05 15:55:17 gpg-agent[2088] socket file removed - retrying binding
2025-03-05 15:55:17 gpg-agent[2088] Es wird auf Socket `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.gpg-agent.extra' gehört
2025-03-05 15:55:17 gpg-agent[2088] socket file removed - retrying binding
2025-03-05 15:55:17 gpg-agent[2088] Es wird auf Socket `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.gpg-agent.browser' gehört
2025-03-05 15:55:17 gpg-agent[2088] socket file removed - retrying binding
2025-03-05 15:55:17 gpg-agent[2088] Es wird auf Socket `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.gpg-agent.ssh' gehört
2025-03-05 15:55:17 gpg-agent[2088] gpg-agent (GnuPG) 2.5.5-beta11 started

and scdaemon logged

2025-03-05 15:55:19 scdaemon[4100] Es wird auf Socket `C:\\Users\\g10code\\AppData\\Local\\gnupg\\S.scdaemon' gehört
2025-03-05 15:55:19 scdaemon[4100] Handhabungsroutine für fd -1 gestartet
2025-03-05 15:55:19 scdaemon[4100] DBG: chan_0x00000000000002d0 -> OK GNU Privacy Guard's Smartcard server ready, process 4100

i.e. there wasn't any scdaemon running before the second gpg-agent started successfully.

Thanks for the report! That's indeed a regression introduced by the changes for T7527: Keyring/keybox denial of service. Commenting/Removing line https://dev.gnupg.org/source/gnupg/browse/master/g10/getkey.c$343 seems to fix the regression, but (very likely) this would reintroduce the issues reported in T7527: Keyring/keybox denial of service.

The formatted display of the symmetric passphrase is configurable: gpg-agent.conf option pinentry-formatted-passphrase

Not reproducible on Linux (with KF 6.11): When clicking the drop down triangle the popup briefly flashes (opens and immediately closes) before the error window is shown. Maybe the bug was fixed in the meantime. Needs to be checked.

a) and b) are both entirely gpg's responsibility. I'm using --status-fd 2 --command-fd 2 to see which messages would be passed to/parsed by gpgme.

$ gpg --version
gpg (GnuPG) 2.4.8-beta10

Tobias: Maybe add the patch versioned for kwidgetsaddons-6.9.0 for now so that it can be evaluated early.

You could probably check that Kleopatra/gpgme calls gpg with the import option "only-pubkeys". For a real world test you'd have to upload a secret key to WKD.

The certificate can also be downloaded from https://www.bsi.bund.de/DE/Service-Navi/Kontakt/smime.html

Remarks:

• This works now on Windows and with the AppImage. This was achieved by customizing the internal application name of Kleopatra: kleopatra-vsd for GnuPG VS-Desktop, kleopatra-gpd for GnuPG Desktop, kleopatra for everything else.
• As a side effect the different flavors of Kleopatra now use different names for the main config file and for the state file, i.e. Gpg4win uses kleopatrarc and kleopatrastaterc, GnuPG VS-Desktop will use kleopatra-vsdrc and kleopatra-vsdstaterc, and GnuPG Desktop will use kleopatra-gpdrc and kleopatra-gpdstaterc.
• The internal application name is also used for config entries retrieved from the registry. That means that for VSD and GPD different registry paths are used in future releases.
• Testing on Windows requires T7040: Make it possible to install GnuPG VSD and GPD in parallel.

Some remarks:

• All Kleopatras use GNUPGHOME/kleopatra for the config files, but they use different names for the main config file and for the state file, i.e. Gpg4win uses kleopatrarc and kleopatrastaterc, GnuPG VS-Desktop will use kleopatra-vsdrc and kleopatra-vsdstaterc, and GnuPG Desktop will use kleopatra-gpdrc and kleopatra-gpdstaterc. That's a side effect of the changes for T7528: Make it possible to run Kleopatra VSD and Kleopatra GPD in parallel where the internal application name is set to kleopatra, kleopatra-vsd or kleopatra-gpd for the different flavors.
• The Kleopatra configuration files are not migrated to the new location. (The group configuration should already have been migrated.)

By the way, this also works for different GNUPGHOME. Tested with a gpgconf.ctl file with content gnupg = gnupg-gpd next to gpgconf.exe.

Kleopatra now writes/reads all config files to/from GNUPGHOME/kleopatra.

Logs of a recent hang

This is very similar to T5780 except that it concerns a different operation and thus a different window. The fix is likely the same as for T5780.

We do support "Decrypt & Verify" for multiple files (including the presentation of the status) so that it would be easy to do the same for all files in a folder (question is if this should even be recursive). Digging into the history I found that the desktop file was added shortly before Kleopatra 2.0.0-rc1, but that there wasn't any code for iterating a folder, i.e. this can never have worked.

Details should be the first action (since it's likely the most often used action by people who don't know about double-click). And I'd move the "destructive actions" to the bottom. And there are way to many separators.

In T7502#198141, @ebo wrote:

Reminder: we have to keep in mind the workflow of the import of secret subkeys. Do we need different behavior conditional on "is primary key present" or not?

Okay. We now replace the standard Breeze icon of kleopatra with the red head for vsd and with a new blue head for gpd. The replacements are used for the About action and in the About dialog, but kwin (X11) insists on using the standard icon as window icon. And the system tray also shows the standard symbolic Breeze icon instead of the replacements. strace shows that the replacement icons embedded in the AppImage are loaded. No idea why kwin and the system tray still use the standard icons.

Kleopatra with Breeze style:

In T7515#198012, @alexk wrote:

Regarding the suggest list I would change the following:
but keep:

• Enable/Disable Certificate

I did a quick test with a test user running a Wayland session and the AppImage works now.