Thanks for the report. Fix will be in the next release.

In Wald someone reports that this also appears to happen when decrypting. https://wald.intevation.org/forum/message.php?msg_id=6377 Probably run-threaded will help to flush this out.

NEWS are:

If you specify a pool of keyservers dirmngr selects a keyserver on its won from the pool. This is so that it can use its own heuristics to detect whether a keyserver is dead and then retry another one. Now the default is a pool and your specified keyserver.ubuntu.com is also a pool (of two servers). So if your DNS resolver does not tell us the IP addresses, we can't do anything about it.

In your second run you added the options after the argument (4E2C6E8793298290) so they won't have an effect. Anyway, I can't see anything from the output. My way to debug that would be to run gpg under strace:

hm, adding: --with-tar=tar to my invocation of ./configure appears to leave gpg-zip with:

I have a warning already in my working copy.

i don't see any active use of it in all of debian: https://codesearch.debian.net/search?q=gpg-zip

Let me also note that gpg-zip was not installed since 2006 due a conflict with gpg1.

gpg-zip is deprecated because we have replaced it by gpgtar. Given that you have a workaround for Debian I tend to close this bug as WONTFIX.

I don't think this answered my question -- i'm asking how adding --no-keyring affects gpgme_op_decrypt_verify -- it seems like verification would fail if no keyring is used, no?

gpgme_op_decrypt_verify can always be used instead of gpgme_op_decrypt. This is an obvious requirement because the signature and the fact that there is a signature is only known after the decryption step. The newer GPGME_DECRYPT_VERIFY of the gpgme_op_decrypt_ext function is basically an alias for gpgme_op_decrypt_verify.
For both functions gpgme employs "gpg --decrypt".

I'm fine with this change, but i do note that some people expect --decrypt to mean "decrypt and verify, if possible". In particular, gpg(1) says about --decrypt:

Released: https://lists.gnupg.org/pipermail/gnupg-announce/2018q4/000432.html

• gpgsm: Fix CRL loading when intermediate certicates are not yet trusted.
• gpgsm: Fix an error message about the digest algo. [T4219]
• gpg: Fix a wrong warning due to new sign usage check introduced​ with 2.2.9. [T4014]
• gpg: Print the "data source" even for an unsuccessful keyserver query. ​
• gpg: Do not store the TOFU trust model in the trustdb. This allows to enable or disable a TOFU model without triggering a trustdb rebuild. [T4134]
• scd: Fix cases of "Bad PIN" after using "forcesig". [T4177]
• agent: Fix possible hang in the ssh handler. [T4221]
• dirmngr: Tack the unmodified mail address to a WKD request. See commit a2bd4a64e5b057f291a60a9499f881dd47745e2f for details.
• dirmngr: Tweak diagnostic about missing LDAP server file.
• dirmngr: In verbose mode print the OCSP responder id.
• dirmngr: Fix parsing of the LDAP port. [T4230]
• wks: Add option --directory/-C to the server. Always build the​ server on Unix systems.
• wks: Add option --with-colons to the client. Support sites which​ use the policy file instead of the submission-address file.
• Fix EBADF when gpg et al. are called by broken CGI scripts.
• Fix some minor memory leaks and bugs.

Looking at the GPGME code the ERROR stati don't matter because they are only used to return a better error code in case an operation failed. The specific ones are not even recognized.

No info received.

No more complaints thus time to close.

Please put

I ran gpgconf --kill gpg-agent and then the suggested command for i in {1..10}; do gpg -v --no-tty --verbose -o - encrypted.gpg 2>mylog.$i > /dev/null & done. (I was already running with --verbose, does -v add something else?)