Tested both with the policies key and with the normal key and with HKLM fallback. Works as expected. There was also an issue where the error handling in case setting the HTML body failed did no longer work, probably since the verification preview changes. This was fixed with 76b43345cdd3e932dae7b677e5c021ca52191f8e

I just wanted to add one more note that i just found out that the tests --disable-hwf or gcry_control GCRYCTL_DISABLE_HWF have no effect in case the global_init() is called from constructor.

In T5598#151696, @aheinecke wrote:

I compiled the Appimage with the scripts in Gpg4win and it runs Kleopatra and works :-)

I compiled the Appimage with the scripts in Gpg4win and it runs Kleopatra and works :-)

Also applied to gpgme.

Since there is no problem with libgpg-error 1.43, I applied it to other libraries: npth, libassuan, libksba, and ntbtls.

I'll fix regressions: failures of pubkey and pkcs1v2.

Friendly ping @werner

Yes, keep the internal SHA-3.

We will have rnd-getentropy.c

Blowfish is not part of OpenPGP and according to its creator not the best cipher. Sorry to say no. You may nevertheless be interested in the recent discussion threads on PQC on the cryptography ML.

Applied and pushed symmetric algo for basic.

Let me clean up rndlinux.c for current use case, at first.

I decided to use 3.3.0 disabling pthread feature.

Any news here? Is this issue going to be fixed or not? It's really annoying.

Thank you for merging the important parts of the patches and implementing similar stuff for DSA. You are right that DSA is supported in the 140-3 specs so it is fine to keep it enabled with the keylength constraints.

Applied parts except part 2.
The part 3 are modified version, so that memory can be released correctly.

Closing. In case the audit will request more, we can re-open this task.

I think we can close this. In January we will have an external audit (BITV) which hopefully will confirm our tests. They auditor will also provide a list of things to improve (if any).

Implicit indicators mean that we need to go through the all algorithms and verify that they work if they have approved key sizes/parameters and do not work when they do not.

Yes, no, maybe. :-) Thanks for asking!

Firstly, applied uncontroversial part in rC976673425784: doc: Reference the new FIPS 140-3

I use unsigned long instead of nfds_t, so that a user doesn't need to include <poll.h> when he doesn't use poll/ppoll API.

Don't apply tests/gpg/t-support.h, it's only for testing this patch.
When test, before running 'make check' please do:

Update to include the change of tests.
Also include a change for tests/gpg/t-support.h to run tests under artificial environment.

I have been using pgpdump for a long time, but it is out of date with regards to ECC. I have looked at its source code but would rather spend my time on my own code.

Please no new levels. And also consider the problems with global config files, conditionals and values taking from the registry. We can't simply do everything in the GUI - it would get too complex and we end up supporting the supportive config dialogs. Maybe a syntax checking editor would eventually be better.

OpenPGP folks now the algo number by heart ;-)

Fixed and tested on Linux. Thanks.

How would you handle a combination of X509 Certificates and PGP Certificates in that case? Wouldn't that require two files?

I suppose you have rebooted the PC after installing GnuPG 2.3.32. Just to make sure. And double check that there is only one dirmngr.exe with version 2.2.32 installed on your system.

I was planning to export the certificates in the usual textual formats (.asc, .pem) with the information about the groups added as armor headers for OpenPGP and explanatory text for CMS. This would allow the certificates to be imported with any software supporting OpenPGP or X.509 certificates. When importing certificates Kleopatra simply looks for the additional group information and adds/updates the groups (probably after asking the user).

Has been merged into master.