Instead of using gpg --quick-set-expire with the * wildcard for the subkeys to update, the subkeys to update are now listed explicitly. This way the last three options from my comment could be implemented, i.e.

• Subkeys without explicit expiration are not updated. Note: This doesn't work for already expired subkeys because gpgme has no way to know whether an expired subkey has an explicit expiration set because gpg --list-colon always prints an expiration date for subkeys of expired keys.
• Not yet expired subkeys with explicit expiration are updated.
• Expired subkeys which expired at the same time (+/- 10 seconds) as the primary key are updated.
• All other expired subkeys are not updated.

There are pros and cons for both key generation versions. I can't remember whether or why I decided that --quick-gen-key should behave different. Maybe because the creation of the subkey was added a bit later or because a new internal API is used here.

I had two arguments about using gpg_op_createkey, first it was only available on "recent" gnupg versions. That is obsolete now.
Secondly it required you to add each subkey one after another. With rentering the passphasre. This could lead to error behaviors are was just confusing. But otherwise I am all for it. But I think changing this now is a bit too invasive.

works

Starting to understand KIO architecture a bit better. We can easily add more protocols if we want to. For now I have just added the file plugin. I tested with moving.

Adding @werner @aheinecke to get their feedback especially on the options at the end of the previous comment.

@Angel thanks for the valuable feedback

I will review the issue. A likely outcome will be to follow your suggestion but to add an option for the old behaviour to avoid further security discussions.

Option #1 is good from a descriptional POV, but in most cases both the main key and the subkeys will be expired, so it would end up not updating any subkey.

The user tried to sneak in an ad link and he has thus been banned. Here is his probably AI generated comment for documentation:

That comment was used to sneak in an ad. For documentation here is the comment w/o the link:
The changes made to the code have improved the workflow when verifying detached signature [redacted] without a corresponding signed file from Kleopatra's UI, which should make the process more intuitive for users. It is possible that users who experienced this issue in the past may express their satisfaction with the fix in the comments, while others may provide feedback on the usability of the updated workflow.

I don't see a reason backing off the original commit. A fix for macOS is now available (rCfa21ddc158b5) and will be in the next release. No reason for other changes.

I see the point of use of int.
For backward compatibility, the semantics of 0 should remain as default timeout (let kernel decide == 120 sec, usually), -1 would be meaning immediately (only success when local).

Thank you for your report. Good catch.

The fix is in 2.4.1.
It's not perfect fix, but it catches the problem when it's not encrypted secret key.

The code for the file Job etc. is definetly in there. I think it somehow tries to intospect supported protocols maybe even through dbus and this fails then. My current expectation is that we need to identify where this happens and then to hardcode some supported jobs / workers etc.

Yes most definetly I am looking it at next

works, Gpg4win-4.1.1-beta295

fixed

This is basically working as intended by gpg --quick-set-expire. With a first call of gpg --quick-set-expire the validity of the primary key is extended. With a second call of gpg --quick-set-expire with third option * gpg is asked to update the expiration time "of all non-revoked and not yet expired subkeys".

the option works

Closing. A small change in Kleopatra (T6472) should help to avoid using this hack in common cases.

Setting priority to high because this should be fixed before the next release.

I have checked that we now switch back to openpgp (if necessary) after every use of ReaderStatus::startSimpleTransaction and ReaderStatus::startTransaction. The only uses of those functions outside of subclasses of CardCommand are by PGPCardWidget for which switching back to openpgp isn't needed.

Why can't we keep the signed int? Do we ever need such a long timeout. We could for example define -1 as use default timeout.

assuan_sock_connect_byname may be extended to change the third argument (now int reserved) to unsigned int timeout.
It's a kind of API change, but ABI wise, the impact is minimum.

in gpg.conf

This has been fixed for gnupg24 and gpg4win.

!ebo: Did you set a log-file into gpg.conf or common.conf ?