Okay. So the product prefix has been added intentionally to the version.

The below change makes the function report a general error if gpgconf didn't write any output on stdout:

diff --git a/src/engine-gpgconf.c b/src/engine-gpgconf.c
index 28f91158..21211366 100644
--- a/src/engine-gpgconf.c
+++ b/src/engine-gpgconf.c
@@ -1245,6 +1245,13 @@ gpgconf_query_swdb (void *engine,
         }
     }

Well, the debug output

org.kde.pim.kleopatra: No update for: "Gpg4win-3.1.15"

and, even more clearly,

GPGME 20211019T134123 07DC        _gpgme_io_spawn: check: path=0x031deff0 argv[ 0] = C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
GPGME 20211019T134123 07DC        _gpgme_io_spawn: check: path=0x031deff0 argv[ 1] = --query-swdb
GPGME 20211019T134123 07DC        _gpgme_io_spawn: check: path=0x031deff0 argv[ 2] = gpg4win
GPGME 20211019T134123 07DC        _gpgme_io_spawn: check: path=0x031deff0 argv[ 3] = Gpg4win-3.1.15

reveals that Kleopatra via gpgme ran the command

gpgconf --query-swdb gpg4win Gpg4win-3.1.15

i.e. that current is "Gpg4win-3.1.15".

I tried to reproduce this. Experimentally, I added P15CardWidget::searchPGPFpr() to OpenPGPKeyCardWidget, commented out the code that checks for an LDAP keyserver and called the function with a fixed fingerprint.

Yes, the text can be selected (with the mouse) and then be copied to the clipboard.

Kleopatra runs

gpgconf --query-swdb gpg4win 3.1.15

i.e. with the current version. Here, on Linux, I get

gpg4win:3.1.15:u::0:20211012T161328:20211019T103252:3.1.16:20210611T000000:0::

as result. The u in field 2 indicates that an update is available. The (current) code should work as far as I could see by a quick glance.

gnupg_bindir() uses unix_rootdir() falling back to the builtin configure time path if unix_rootdir() returns NULL. So, there is no difference.

Dialog showing the list of available smartcard readers:

In the global kleopatrarc add the following config entry to enable the symmetric encryption only option by default:

[FileOperations]
symmetric-encryption-only=true

I'm pretty sure that the first 3 messages are always decrypted with the first key because the passphrase of the first key is still cached. I don't think you can tell gpg to only use a specific key for decryption. The only way to make sure that gpg does not try to use the first key for decryption is to remove the private key of the first key. Alternatively, clear the cache after using the first key, but gpg might still ask the user for the passphrase of the first key.

The information is shown on the primary tab of the About dialog. Displaying the information in the Libraries tab requires bleeding edge KDE frameworks because the possibility to show custom information on this tab has been added very recently.

No, the error is harmless. I guess it shouldn't be printed (except when debugging).

Wouldn't it be safer to use gpgv for verifying the signature than to add a code path to gpg to circumvent the hard de-vs compliance check?

Sure.

Removing an intermediate cert from your local system doesn't help because any correctly configured server will send you all necessary intermediate certs together with the server cert. You'd have to remove the expired root certificate instead (see Workaround 1 on https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/). The problem is that this will break certificate verification for any servers that still use the old intermediate cert, e.g. keyserver.ubuntu.com.

Works for me:

$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4-unknown
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

The usual procedure for downgrading is

1. Uninstall the currently installed version
2. Install the older version

Thanks. This fixes the invalid packet errors when using --list-packets or when trying to decrypt the file without secret key.

Works if one puts

rootdir = $APPDIR/usr

in the gpgconf.ctl file.

Patch has been applied to Kleopatra. See T5619: Kleopatra does not create the UI-Server socket in the socketdir.

Somehow this looks like a bug in gettext or our usage of it. It seems as if the last characters of strings appended to translated texts are sometimes doubled as if the string was built twice, once with 1 or 2 more characters and then overwritten with a slightly shorter string. Very strange.