Please try with the latest GnuPG version (2.2.17) - it is unlikely that we can give support for an old version with Ubuntu's own set of patches. It is also advisable to post to the gnupg-users ML because over there you have hundreds of Ubuntu users.

See https://minerva.crocs.fi.muni.cz/ for a description of the timing attack.

See also apt-get show libpam-poldi

Also in another terminal?

Do you have

GPG_TTY=$(tty)
export GPG_TTY

if you run

You should always run gpg with --verbose if you run into an unknown error. It shows more information; in your case info about the requested pinentry. The strace does not show this. You probably have no permission to launch the X version opf the pinentry because the xauth does not work. As a quick test use ssh -X root@localhost instead.

Please provide a full description of what you did. What command line did you use, have you su-ed or logged in regular.? What is the output of "gpgcof --list-dirs" ?

Do not use this legacy debug stuff. Use --debug CATEGORY. For example

It is not just about being annoying but for security reasons. It would be too easy for other applications *think webbrowser or Acrobat) to take a screenshot and pop up a modified version of that screenshot with data entries to act as a MitM.

Can you check which dirmngr version you are running

gpg-connect-agent --dirmngr 'getinfo version' /bye

It does not work either. Your problem is the use of a wildcard DNS for archlinux32.org:

The test above was with gpg master but I got the same result with current 2.2:

Thanks. Here is a dirmngr log:

Does your ngix configuration mean that there is no fallback to standard http?

The message has not been encrypted to you. Ask the sender to encrypt to you.

There is no need to use the new CTB format for a packet with tag 3. OpenPGP implementations need to support all packet header encodings. We do not plan to make this configurable.

Agreed.

Given that 1.5 already had that problem, I would suggest to ignore that bug for the 1.6 release. We can work on that later.

You mean the default key is expired?

This seems to be closely related to T4319 and due to to some, ahem, interesting configuration.

BTW: I have the problem that I want to know the keys of all cards. "getinfo card_list" along with --demand can be used for this. gpg-card works this way. It does not work if plug in addtional cards becuase card_list shows only the cards for which a SERIALNO command has been used. A new feature to scan the buses for all readers and cards would be quite useful.

Thanks for the detailed implemention plan. For the include-historic et al things it might be better to make use of the filter-syntax. I am not sure what is bets but that get clearer during coding. First step will be to add a parser and to silence 2.2 about this. I can imagine to later backport some basic functionality to 2.2

Thanks for the sample certs. I noticed the posts but had not the time to look into them.

Sorry, we don't use or support PIP. Please ask whoever packaged that for PIP.

The Python doc build system we implemented the last year is a complete mess - I had so much trouble the last time I did a release :-(.