FWIW: Okay, gmime is still a wrapper around gpgme. After decryption it has the ability to get the used session key from the gpgme result structure. Thus, I have been on the wrong trail. The actual problem is not gpgme but more GnuPG's use of Libgcrypt or an actual regression in Libgcrypt. Well, Friday 13th.

This has been specified in 1997 by PGP 5 for a good reason. We talked often enough about this and it does not help to repeat your ideas over and over again. RFC9580 specifies a different protocol than OpenPGP as specified by RFC2440 and RFC4880 but alas grabbed the name OpenPGP for this.

I can't speak for gpgmpp but for gpgme. And the gpgme manual says:

Has now been backported to be released with 2.2.53

Yeah sure.

keys.openpgp.org has two problems: a) it is a centralized service due to the requirement to confirm mail addresses. b) For non-confirmed keys it returns broken OpenPGP keys (ie. without a user id and thus without important information). For these reasons and the general problems with the keyserver-(networks) there is no more default.

Shall we change log_* functions also emit message to console, when file/socket is specified?

Any hints where to find the actual crypto code which uses libgcrypt?

I'm surprised that nobody did detect these problems during the long beta phase...

Please do not use the portable installation - it is dangerous to use it. We will eventually remove this option.

I also updated the software page. Thanks for the hint.

Done. See T7449

Noteworthy changes in version 0.11.1 (2026-02-12)

Won't fix for vsd3x

According to the ML @gniibe tried to replicate the problem without success.

Is that on a 32 bit machine or 64? The latter would be a problem for 32 bit with 32 bit time-t I'd say: we won't fix it.

At least for an expired data signature I would suggest to have an info button to further expliah this. Maybe to a FAQ or KB article. The case is too rare that we should not discuss endlessly the pros and cons of expiring signatures. I hope that Kleo does not provide an option to crerate such a signature.

Your fix is okay.

AFAICS all conditions are protected by isascii(3) which

Physical experiment feature support should better not be widely used.

Although it is technicall possible to use all combinations, we should limit in the menu them to those as listed above. Too many algorithms pose an interop problem. Thus we provide brainpool because it is required in Germany and the two IETF curves for the general internet (for those who are playing mitigation against against physical experiments).

With the recent changes to the build system the current version numbers for the Beta versions of the MSI packages are 4.0.90.<somenumber> for VSD, 5.0.90.xxx for GPD and Gpg4win. Thus we override the standard micro version with 90 to indicate beta versions. Obviously this will require to de-install a MSI beta version before installing the regular version. But we are somewhat constraint by the Windows versioning scheme.

Will go into 1.12.1

Thanks. Will go int the next version.

Take care: Too many attributes (color, font) are bad style.

Oh yeah, the mentioned patch is bogus because it assumes that fgets has already set the eof flag while reading the last line. This seems not to be the case.

AI scraper DoS --- sorry, we had to shut it down.