I do not have a mind to really analyze this today, but when the checkbox in the logging options for "include data" is not set, there should be not so much as an IP address or fingerprint mentioned in the logs. This was important to me, and if you find that there are issues with that, it would be a different bug also.
Sep 15 2022
We have tested this a lot of course. But I will have to analyze your logs. Thanks.
In T6111#160993, @ikloecker wrote: Please give this a try on Windows.
:)
Sep 14 2022
I agree. We have to get rid of auto check trustdb and such stuff. I always found that impossible to program around because it either takes a long time (check-trustdb) or it might return invalid results (no check).
The solution for this is keyboxd.
Real Passphrase is "test"
The workaround is easy: Change the passphrase, export, import and then set a longer passphrase again.
In T6014#163086, @ikloecker wrote: In T6014#163083, @aheinecke wrote: I think it is problematic that the WKD errors are shown to the user at all. Doing some random searches gives an error each time something can't be accessed.
Can you give an example other than the Syntax error issue? So far, I haven't seen any errors when doing random searches with ASCII-only "email addresses". I simply get zero results, but I don't see error messages, e.g. if the host cannot be found.
Sep 9 2022
I think it is problematic that the WKD errors are shown to the user at all. Doing some random searches gives an error each time something can't be accessed.
There is probably an umlaut or special character in <domain> or <user> which makes the URL invalid. If I search for "test@ä.de" I also get Syntax error in URI.
--import [files] Import the certificates from the PEM or binary encoded files as well as from signed-only messages. This command may also be used to import a secret key from a PKCS#12 file.
Mh, this has not changed anything for me. With GnuPG 2.3.8-beta32 I get either Invalid Object or no error at all. With this certificate
That would make sense on a Linux desktop. But my main use case for this is Windows. I have the feeling that more Linux users have a decent MUA.
If we had a MUA with good MIME Support then we would not need this feature at all. If a user has Outlook for example that could be used with GpgOL but not everyone has that. I know that some users decrypt such messages already with Kleopatra and then open the Output in Thunderbird. But again, if they had Thunderbird, they could use that with included PGP/MIME support.
Windows 10 has a default Mail app, but if you open a file with that it does not show it but asks you to configure an account.
Instead of using KDE for MIME parsing, and as I would also only do simple parsing we could use the mimeparser from gpgol. This also has the advantage that we do not open new attack surfaces as we already have that code in use. The mimedataprovider can already be compiled on Linux and used with a FILE, I did this to allow fuzzing for it. And the API implements the GpgME::DataProvider interface https://dev.gnupg.org/source/gpgol/browse/master/src/mimedataprovider.h and then just offers simple functions to access the parsed content.
For Gpg4win we will soon release a 4.0.4 Version that will contain the latest Kleopatra updates and GnuPG 2.3.x, but the 3.1.x series of Gpg4win is something that we only release in binary form as part of our Product GnuPG VS-Desktop.
The reason for this is that for VS-NfD there are some responsibilities for the supplier, and so the VS-NfD user needs a responsible supplier. We do not promise that for Gpg4win, which is the free community version anyone can download. If we would provide Gpg4win-3.1.24 also in binary form we would make it harder for us to argue that VS-NfD users have to purchase GnuPG VS-Desktop with the required support.
Sep 8 2022
Sep 7 2022
Sep 6 2022
@ikloecker yes as mentioned in my response the current hints are only for symmetric.
Well it is good that we have it now and we should not remove it. But when asked I would probably have said that this dialog / page should be removed altogether. I would bet that if we did a user survey this dialog is not used at all. Or very very rarely.
I can confirm the fix.
I was looking for this when writing the update NEWS for the latest release and noticed that this has not been pushed yet. I really think that it would be nice to have that. Especially for Smartcard use cases.
Ok. That is about the Invalid Crypto Engine. But this does not explain why a .p12 export via Kleopatra leads to this error when we export a valid certificate. The same thing I do with Kleopatra on the Command Line works:
Added now
Sep 5 2022
I think there was a misunderstanding here. We already set .pinentry.constraints.hint.long and .pinentry.constraints.hint.short in GnuPG-VSD but firstly they are only about symmetric.
And the issue for which @ebo opened this ticket is in my opinion that you have to fail first before you see the hint.
I agree that this will be less important when T5836 is done. But on the other end, someone personalized a smartcard for you. Ideally when inserting the smartcard it will fetch the public key from LDAP but if that is not configured or available you will have the same case of a smartcard that creates the secret key stubs and then importing the public key. As I think that in the case of exactly one key imported a keylisting through the agent of this one key won't be that expensive we should fix this as a minor issue.
Tested and this works.
Tested and this works.
This is now in
Sep 2 2022
Another point where this is very problematic are S/MIME certificates for signing and encryption. While the certificate line edit and the certificate combo box filter the usage, Groups are problematic. If you want to create an encryption group and include one "signing only" certificate the whole group is no longer visible for example in Outlook when encrypting. Both me and Eva thought that S/MIME Groups did not work at all in Outlook because of this.
Sep 1 2022
Ok. So I never assumed that you had actually 100 gpgol_enc_number.dat files lying around.
Aug 31 2022
Thanks a lot. Due to your log I have tried with a long username and umlauts and a dot in my username. My test name was Längül!ödiföäada.dad which is the longest that Windows allows. But it still works for me. Even if I create one or two gpgol_enc.dat files in %TEMP% it still works:
The fix did not work, the hangs occurred later in testing again. After further debugging we found the issue to be that we did not close the handles we inherited to the child.
Aug 30 2022
After internal discussion this will be moved to Wontfix.
Strange, I have not received one. Did it bounce somewhere maybe because of size? Encryption should compress this though.
Aug 29 2022
Please, last chance to add a log with included file names (Include data checkbox) before the next release. Me and a colleague reviewed the function and don't find an issue with it. Otherwise I will only add a MessageBox error in that case for the next release.
Aug 26 2022
Not for this release. This needs changes in GPGME and we should check and parse the KEY-ATTR-INFO directly. My Yubikey 5.4 returns this, too. I think Ingo should implement this properly and well tested.
As discussed with Werner we want to have it for the next release as Yubikey is very important for us.
Fully done in my opinion.
This is in for so long we can mark it as resolved. I had tested it on Windows.