The error

gpg: decryption failed: Bad session key

is only logged if the sanity check "algo given in decrypted session key is a valid OpenPGP algo" passes even though a wrong password was given (which happens with a chance of 11:256). If the sanity check detects a bad algo then gpg logs

gpg: decryption of the symmetrically encrypted session key failed: Checksum error

If AEAD is used, then other logging will happen.

I tend to avoid such changes to keep the translations valid. But for master this is okay.

The links for the Windows installer as given in the mail was wrong. The corrected links are

I confirmed that the patch above works with newer Gnuk (>= 1.2.16).

For the record the Task for the fingerprint copy was T5776

I tend to disagree. The fingerprint is a very long and cryptic looking thing. Most users of Kleopatra will never share their fingerprint as they tend to work on a TOFU model, just accepting a given key and using it. For another bunch of users the long keyid, which we show, is more then enough security. And for the VS-NfD case with very high security where users compare a full fingerprint it is accessibile enough.

With newer Gnuk Token, following patch should work:

diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
index 05e1f3977..439052f8c 100644
--- a/scd/app-openpgp.c
+++ b/scd/app-openpgp.c
@@ -5490,6 +5490,11 @@ do_auth (app_t app, ctrl_t ctrl, const char *keyidstr,
           exmode = 1;    /* Use extended length.  */
           le_value = app->app_local->keyattr[2].rsa.n_bits / 8;
         }
+      else if (app->app_local->cardcap.cmd_chaining && indatalen > 254)
+        {
+          exmode = -254; /* Command chaining with max. 254 bytes.  */
+          le_value = 0;
+        }
       else if (indatalen > 255)
         {
           if (!app->app_local->cardcap.ext_lc_le)