This has been resolved with rOb05416e7bc41

If you encounter this error message when running gpgconf --list-options gpg:

gpgconf: Option gpgconf-gpg.conf, needed by backend GnuPG, is not absolute

please simply create an empty file /etc/gnupg/gpg.conf or wherever your global configuration files are expected ("gpgconf --list-dirs sysconfdir" shows it). Bug fixed with commit rG9f37d3e6f307a9

This can be closed now that we have the system wide gnupg configuration.

Thanks for your answers. If you see another problem with kleopatra, please test the latest Kleopatra version which we will release the next days.

The code has been reworked to also support the updated schema which also stores the fingerprints and a parsed down mail address. See gnupg/doc/ldap/ . These changes are in master and 2.2.26. Sorry for taking so long to fix that.

I agree to the sexp change - but it should not be backported to 1.8

For printing SEXP, it would be good to have this change:

rG47c1c329ed82: agent,ecc: Use of opaque MPI for ECC, fixup 'd'. does the fixup when reading keys.

I describe about rC6f8b1d4cb798: ecc: Consistently handle parameters as unsigned value..

Reading compressed point (in keys) is supported (except for NIST P-224). When curve point is represented in compressed format, it is correctly interpreted now. So, for example, I think that with 1.9.0, gpgsm can handle certificate which uses compressed format in its curve point representation.

1. I created another handful of key pairs and tested around. However, I could not recreate the problem now. I can store the secret key in Kleopatra, but the file differs from the backup key. It seems to be a stub indeed. And even if I want to perform an operation directly in Kleopatra, the smartcard is requested.

Yes, bug is also in 1.8 branch.

Why do you think you can still export more than a stub key?

The listing shows that the private keys are stored on a card ("sec>", "ssb>"). Why do you think you can still export more than a stub key? If I export a test key (just the primary key in this case) and run "gpg --show-keys" on the exported file I get the expected "sec>" marker. Looking with --list-packets at it we get:

The exact commands given and the output. Adding -v is always helpful.

Hi, I'm the user that reported this bug.

do_sign() calls find_fid_by_keyref() which does a switch_application(). So, I think the SigG application should already be active. But, yes, please have a look at it.

I'm also getting this same error with GPG4Win 3.1.14.

Description and translation domain were swapped in 2.2.

On Thu, 7 Jan 2021 09:56, bernhard (Bernhard Reiter) said:

We need to switch to the SigG application. Shall I look at it?

Do we need to backport to 1.8?

Do we really need this for 1.9?

What is the state of this bug? Reading is implemented - do we really need writing (maybe to support certain smartcards)?

It is possible to disable the mlock thingy and if that is not wanted the application should be modified to be suid(root) during Libgcrypt initialization - this is actually how we handle this in GnuPG. Or maybe I don't understand the bug described here. It seems to be more of a support question.

For security and auditing reasons a Libgcrypt SO may not be "unloaded".

gcry_ecc_get_algo_keylen has been added with commit a658c9ccc2c741f40b0b5cdbcd184cfb9a841d17 but documentation is missing.

The user reported to

Generating a CSR for the standard NetKey card signing key works now, but generating a CSR for the SigG NetKey card key fails (T5219).

Please describe exactly what you did so that we can replicate this.

Thanks. I added the OIDs and the missing curves. To go into 1.9

D520 is accepted by me.
If you will have another fixes, please go ahead.
Or else, I'll commit the change to master of GnuPG.

I wrote https://github.com/rupor-github/win-gpg-agent to simplify usage on Windows until this issue is resolved - it handles various edge cases on Windows.

Okay. Now since configure.ac is already touching CFLAGS, it seemed like a good place to add that additional option here. All this is guarded by a test for GCC, and since clang mimics that behaviour, it works for them as well.