I checked FIPS 186-4 (and FIPS 186-5-draft). It is Appendix A 1.3.

I've just had an issue probably related to this.
Outlook was showing an error message like the following: "Empty messages cannot be encrypted" (I am translating, so the exact message may differ)

Works for Kleopatra.

Done. I have also tried to make this dialog as accessible as possible as prototype for other form-like dialogs. The error reporting could still be improved by specifying what exactly is wrong instead of simply saying what could be wrong, but QValidator is too limited for this.

Seems we can close this bug.

We have not seen this problem anymore in recent versions. Thus closing.

We have a solulion for this bug. For further improvements we will use T5882.

• Fixed in 2.3
• assert replaced by a fatal error message

Printing a note as we do in --edit-key is a good idea.

Passing fds etc adds complex extra code to gpg-agent. This was not the original design goal, although we violated this anyway by have some OpenPGP specific code there. This needs more thinking. Due to our internal use of OCB we can't make it FIPS compliant without large changes.

I have not yet tested OpenSSH 9 and thus the patch to master is here just as a test. Please better use gnupg 2.3 (stable) instead of 2.2 (LTS) because it is unlikely that we will backport all this new ssh stuff.

Thanks, good explanation!
It is hard to find a word for exact description.
Thus just keep the original verb and add 比特 to confirm 位 is binary bits.

In computer, binary representation is used (generally), binary digits 0110 1110 (hex value 6e, 110) is rounded up to 1000 0000 (hex value 80, 128), when only one significant binary digit (bit) is required.
https://en.wikipedia.org/wiki/Rounding

Thanks for your explanation.

Patches applied and pushed. For the common/t-ssh-utils, I applied my fix for the use case with key on command line when FIPS mode is enabled (MD5 error is OK, in this case).

For anyone stumbling across this issue I created a docker image containing gpg with the patch above applied: https://github.com/smlx/gnupg-piv-agent

I was pointed by Daiki to the following patch in Fedora binutils, which allows listing the fdo packaging metadata, but it does not list any other unknown objects and unfortunately fails hard:

We once figured that we should use this for gpgme, where we use a helper to close handles. We have not yet found the time to do this and frankly "never change a running system" ;-) We also still support Windows XP SP3 with GnuPG for users with air-gaped machines. Not sure whether this is still justified, though.

The reason for this is probably that we expect that several UIDs are added and running a check-trustdb for eachleads to some extra waiting time.

I just copied the value of 0xcafe2a8e and the name .note.fdo.integrity from Daiki's implementation. No other reason.