There shouldn't be any RegCreateKey anymore for HKLM\SOFTWARE\<product name>\... or HKCU\SOFTWARE\<product name>\.... And, of course, no registry keys should be created.

In any case, the order still needs to be adjusted.
The current implementation in gpg4win-5.0.2-beta2 is still (neither the order in the description nor on the settings page):

Seems to work in principle with gpg4win-5.0.2-beta2 and vsd-4.0.0-beta1203.
I'll wait for a new vsd beta release (with some fixes) for further testing.

with Gpg4win-5.0.2-beta2:

The missing signature indication can also be seen now in the customer mails sent via kmail (ted:INBOX, e.g. 18.02. 12:52). This was fine before.

Looks good to me on gpg4win-5.0.2-beta2 @ win11.
Tested import on 5 normal starts and 5 gdb starts.

The basic fix for the msg box looks good to me on gpg4win-5.0.2-beta2 @ win11.
There's only no signature shown anymore, not even for the formerly working case 1.
Note: I also tested those mails sent to an exchange server with the same result as via IMAP.

Looks like the "read config from registry" patch that was upstreamed wasn't tested properly.

It seemed that the reporter (also) claimed that a git repo could be weak/vulnerable when X.509 signature (with a relevant curve key) is used to validate the commit.

For the record (to show we don't hide a problem), I add some information.

It should be solved by the upstream (libtool, gnulib, and possibly autoconf/automake). The solution would be refactoring AC_PROG_LD and AC_LIB_PROG_LD factoring out common things like handling of use of GNU LD.

Works with Gpg4win-5.0.2-beta2

Fixed.

Here's a full log of a gdb run, which segfaults on start:

full debugview log with a crash on import after trusting the root cert:

Please always attach the full Debugview log. Sometimes (like here) I really want to know everything that was logged since the start.

Fixed. This regression was caused by changes made for T8056: Support config options RSAKeySizes and PGPKeyType for Kf6.

Implemented in mimetreeparser master: https://invent.kde.org/pim/mimetreeparser/-/merge_requests/92

The reporter informed us that the possible DoS has CVE number assigned:
CVE-2025-69913

In T8029#212310, @werner wrote:

My actual plan is to rework the imp[ort/export of secret keys to gpg-agent. Right now gpg-agent has knowledge of OpenPGP for import/export. This is not good and the required conversion should be moved to a helper tools for easier testing and to have this out of the gpg-agent process. For Kyber we right now don't use any conversion mut store the secret keys in gpg-agent's native format. Thus the passphrase is not necessary. We need to figure out why we have this problem here.

@werner said the reading order should be like on the page https://gnupg.com/vsd/kleopatra-settings.html:

Tested with Gpg4win 5.0.2 (Beta):
Registry settings SOFTWARE\Gpg4win\Kleopatra\<config group>\<config entry>
works (I used [CertificateCreationWizard] EMAIL_placeholder for testing)

This is not "Unbreak now" because we have not released the software yet. Unbreak now should be used for bugs in deployed software but not during development.

Note: This was fine on gpg4win-5.0.1

Regarding some broken "reg create" on some filepath: split into T8141: Kleopatra: Many wrong registry keys created in HKCU\Software\Gpg4Win

I rechecked the keyboxd locking of pubring.db. On crash via gdb the file was unlocked before, so this doesn't seem to be the problem:

Ok in Gpg4win 5.0.2. (Beta), in German: