diff --git a/autotests/keyresolvercoretest.cpp b/autotests/keyresolvercoretest.cpp
index a92f4ed24..33a354098 100644
--- a/autotests/keyresolvercoretest.cpp
+++ b/autotests/keyresolvercoretest.cpp
@@ -1,620 +1,639 @@
 /*
     autotests/keyresolvercoretest.cpp
 
     This file is part of libkleopatra's test suite.
     SPDX-FileCopyrightText: 2021 g10 Code GmbH
     SPDX-FileContributor: Ingo Klöcker <dev@ingo-kloecker.de>
 
     SPDX-License-Identifier: GPL-2.0-or-later
 */
 
+#include <Libkleo/Formatting>
 #include <Libkleo/KeyCache>
 #include <Libkleo/KeyResolverCore>
 
 #include <QObject>
 #include <QTest>
 
 #include <gpgme++/key.h>
 
 #include <memory>
 
 using namespace Kleo;
 using namespace GpgME;
 
 namespace QTest
 {
 template <>
 inline bool qCompare(GpgME::UserID::Validity const &t1, GpgME::UserID::Validity const &t2, const char *actual, const char *expected,
                     const char *file, int line)
 {
     return qCompare(int(t1), int(t2), actual, expected, file, line);
 }
 
 template <>
 inline bool qCompare(int const &t1, KeyResolverCore::SolutionFlags const &t2, const char *actual, const char *expected,
                     const char *file, int line)
 {
     return qCompare(int(t1), int(t2), actual, expected, file, line);
 }
+
+template <>
+inline char *toString(const GpgME::Protocol &t)
+{
+    return qstrdup(Formatting::displayName(t).toLocal8Bit().constData());
+}
+
+template <>
+inline bool qCompare(GpgME::Protocol const &t1, GpgME::Protocol const &t2, const char *actual, const char *expected,
+                    const char *file, int line)
+{
+    return compare_helper(t1 == t2, "Compared values are not the same",
+                          toString(t1), toString(t2), actual, expected, file, line);
+}
 }
 
 class KeyResolverCoreTest: public QObject
 {
     Q_OBJECT
 private Q_SLOTS:
     void init()
     {
         mGnupgHome = QTest::qExtractTestData("/fixtures/keyresolvercoretest");
         qputenv("GNUPGHOME", mGnupgHome->path().toLocal8Bit());
 
         // hold a reference to the key cache to avoid rebuilding while the test is running
         mKeyCache = KeyCache::instance();
     }
 
     void cleanup()
     {
         // verify that nobody else holds a reference to the key cache
         QVERIFY(mKeyCache.use_count() == 1);
         mKeyCache.reset();
 
         mGnupgHome.reset();
     }
 
     void test_verify_test_keys()
     {
         {
             const Key openpgp = testKey("sender-mixed@example.net", OpenPGP);
             QVERIFY(openpgp.hasSecret() && openpgp.canEncrypt() && openpgp.canSign());
             QCOMPARE(openpgp.userID(0).validity(), UserID::Ultimate);
             const Key smime = testKey("sender-mixed@example.net", CMS);
             QVERIFY(smime.hasSecret() && smime.canEncrypt() && smime.canSign());
             QCOMPARE(smime.userID(0).validity(), UserID::Full);
         }
         {
             const Key openpgp = testKey("sender-openpgp@example.net", OpenPGP);
             QVERIFY(openpgp.hasSecret() && openpgp.canEncrypt() && openpgp.canSign());
             QCOMPARE(openpgp.userID(0).validity(), UserID::Ultimate);
         }
         {
             const Key smime = testKey("sender-smime@example.net", CMS);
             QVERIFY(smime.hasSecret() && smime.canEncrypt() && smime.canSign());
             QCOMPARE(smime.userID(0).validity(), UserID::Full);
         }
         {
             const Key openpgp = testKey("prefer-openpgp@example.net", OpenPGP);
             QVERIFY(openpgp.canEncrypt());
             QCOMPARE(openpgp.userID(0).validity(), UserID::Ultimate);
             const Key smime = testKey("prefer-openpgp@example.net", CMS);
             QVERIFY(smime.canEncrypt());
             QCOMPARE(smime.userID(0).validity(), UserID::Full);
         }
         {
             const Key openpgp = testKey("full-validity@example.net", OpenPGP);
             QVERIFY(openpgp.canEncrypt());
             QCOMPARE(openpgp.userID(0).validity(), UserID::Full);
             const Key smime = testKey("full-validity@example.net", CMS);
             QVERIFY(smime.canEncrypt());
             QCOMPARE(smime.userID(0).validity(), UserID::Full);
         }
         {
             const Key openpgp = testKey("prefer-smime@example.net", OpenPGP);
             QVERIFY(openpgp.canEncrypt());
             QCOMPARE(openpgp.userID(0).validity(), UserID::Marginal);
             const Key smime = testKey("prefer-smime@example.net", CMS);
             QVERIFY(smime.canEncrypt());
             QCOMPARE(smime.userID(0).validity(), UserID::Full);
         }
     }
 
     void test_openpgp_is_used_if_openpgp_only_and_smime_only_are_both_possible()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setAllowMixedProtocols(false);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::OpenPGPOnly);
         QCOMPARE(result.solution.protocol, OpenPGP);
         QCOMPARE(result.solution.signingKeys.size(), 1);
         QCOMPARE(result.solution.signingKeys[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(result.solution.encryptionKeys.size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net")[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(result.alternative.protocol, CMS);
         QCOMPARE(result.alternative.signingKeys.size(), 1);
         QCOMPARE(result.alternative.signingKeys[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", CMS).primaryFingerprint());
         QCOMPARE(result.alternative.encryptionKeys.size(), 1);
         QCOMPARE(result.alternative.encryptionKeys.value("sender-mixed@example.net").size(), 1);
         QCOMPARE(result.alternative.encryptionKeys.value("sender-mixed@example.net")[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", CMS).primaryFingerprint());
     }
 
     void test_openpgp_is_used_if_openpgp_only_and_smime_only_are_both_possible_with_preference_for_openpgp()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setAllowMixedProtocols(false);
         resolver.setPreferredProtocol(OpenPGP);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::OpenPGPOnly);
         QCOMPARE(result.solution.protocol, OpenPGP);
         QCOMPARE(result.solution.signingKeys.size(), 1);
         QCOMPARE(result.solution.signingKeys[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(result.solution.encryptionKeys.size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net")[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(result.alternative.protocol, CMS);
         QCOMPARE(result.alternative.signingKeys.size(), 1);
         QCOMPARE(result.alternative.signingKeys[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", CMS).primaryFingerprint());
         QCOMPARE(result.alternative.encryptionKeys.size(), 1);
         QCOMPARE(result.alternative.encryptionKeys.value("sender-mixed@example.net").size(), 1);
         QCOMPARE(result.alternative.encryptionKeys.value("sender-mixed@example.net")[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", CMS).primaryFingerprint());
     }
 
     void test_smime_is_used_if_openpgp_only_and_smime_only_are_both_possible_with_preference_for_smime()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setAllowMixedProtocols(false);
         resolver.setPreferredProtocol(CMS);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::CMSOnly);
         QCOMPARE(result.solution.protocol, CMS);
         QCOMPARE(result.solution.signingKeys.size(), 1);
         QCOMPARE(result.solution.signingKeys[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", CMS).primaryFingerprint());
         QCOMPARE(result.solution.encryptionKeys.size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net")[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", CMS).primaryFingerprint());
         QCOMPARE(result.alternative.protocol, OpenPGP);
         QCOMPARE(result.alternative.signingKeys.size(), 1);
         QCOMPARE(result.alternative.signingKeys[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(result.alternative.encryptionKeys.size(), 1);
         QCOMPARE(result.alternative.encryptionKeys.value("sender-mixed@example.net").size(), 1);
         QCOMPARE(result.alternative.encryptionKeys.value("sender-mixed@example.net")[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
     }
 
     void test_in_mixed_mode_openpgp_is_used_if_openpgp_only_and_smime_only_are_both_possible()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::OpenPGPOnly);
-        QCOMPARE(result.solution.protocol, UnknownProtocol);
+        QCOMPARE(result.solution.protocol, OpenPGP);
         QCOMPARE(result.solution.signingKeys.size(), 1);
         QCOMPARE(result.solution.signingKeys[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(result.solution.encryptionKeys.size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net")[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         // no alternative solution is proposed
         QCOMPARE(result.alternative.protocol, UnknownProtocol);
         QCOMPARE(result.alternative.encryptionKeys.size(), 0);
     }
 
     void test_in_mixed_mode_openpgp_is_used_if_openpgp_only_and_smime_only_are_both_possible_with_preference_for_openpgp()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setPreferredProtocol(OpenPGP);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::OpenPGPOnly);
-        QCOMPARE(result.solution.protocol, UnknownProtocol);
+        QCOMPARE(result.solution.protocol, OpenPGP);
         QCOMPARE(result.solution.signingKeys.size(), 1);
         QCOMPARE(result.solution.signingKeys[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(result.solution.encryptionKeys.size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net")[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", OpenPGP).primaryFingerprint());
         // no alternative solution is proposed
         QCOMPARE(result.alternative.protocol, UnknownProtocol);
         QCOMPARE(result.alternative.encryptionKeys.size(), 0);
     }
 
     void test_in_mixed_mode_smime_is_used_if_openpgp_only_and_smime_only_are_both_possible_with_preference_for_smime()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setPreferredProtocol(CMS);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::CMSOnly);
-        QCOMPARE(result.solution.protocol, UnknownProtocol);
+        QCOMPARE(result.solution.protocol, CMS);
         QCOMPARE(result.solution.signingKeys.size(), 1);
         QCOMPARE(result.solution.signingKeys[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", CMS).primaryFingerprint());
         QCOMPARE(result.solution.encryptionKeys.size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net")[0].primaryFingerprint(),
                  testKey("sender-mixed@example.net", CMS).primaryFingerprint());
         // no alternative solution is proposed
         QCOMPARE(result.alternative.protocol, UnknownProtocol);
         QCOMPARE(result.alternative.encryptionKeys.size(), 0);
     }
 
     void test_in_mixed_mode_keys_with_higher_validity_are_preferred_if_both_protocols_are_needed()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ false);
         resolver.setRecipients({"sender-openpgp@example.net", "sender-smime@example.net", "prefer-openpgp@example.net", "prefer-smime@example.net"});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::MixedProtocols);
         QCOMPARE(result.solution.protocol, UnknownProtocol);
         QCOMPARE(result.solution.encryptionKeys.size(), 4);
         QVERIFY(result.solution.encryptionKeys.contains("sender-openpgp@example.net"));
         QVERIFY(result.solution.encryptionKeys.contains("sender-smime@example.net"));
         QCOMPARE(result.solution.encryptionKeys.value("prefer-openpgp@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("prefer-openpgp@example.net")[0].primaryFingerprint(),
                  testKey("prefer-openpgp@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(result.solution.encryptionKeys.value("prefer-smime@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("prefer-smime@example.net")[0].primaryFingerprint(),
                  testKey("prefer-smime@example.net", CMS).primaryFingerprint());
         // no alternative solution is proposed
         QCOMPARE(result.alternative.protocol, UnknownProtocol);
         QCOMPARE(result.alternative.encryptionKeys.size(), 0);
     }
 
     void test_reports_unresolved_addresses_if_both_protocols_are_allowed_but_no_keys_are_found_for_an_address()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ false);
         resolver.setRecipients({"unknown@example.net"});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::SomeUnresolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::OpenPGPOnly);
+        QCOMPARE(result.solution.protocol, OpenPGP);
         QCOMPARE(result.solution.encryptionKeys.value("unknown@example.net").size(), 0);
     }
 
     void test_reports_unresolved_addresses_if_openpgp_is_requested_and_no_openpgp_keys_are_found_for_an_address()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ false, OpenPGP);
         resolver.setRecipients({"sender-openpgp@example.net", "sender-smime@example.net"});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::SomeUnresolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::OpenPGPOnly);
+        QCOMPARE(result.solution.protocol, OpenPGP);
         QCOMPARE(result.solution.encryptionKeys.size(), 2);
         QCOMPARE(result.solution.encryptionKeys.value("sender-openpgp@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-smime@example.net").size(), 0);
         QCOMPARE(result.alternative.encryptionKeys.size(), 0);
     }
 
     void test_reports_unresolved_addresses_if_smime_is_requested_and_no_smime_keys_are_found_for_an_address()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ false, CMS);
         resolver.setRecipients({"sender-openpgp@example.net", "sender-smime@example.net"});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::SomeUnresolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::CMSOnly);
+        QCOMPARE(result.solution.protocol, CMS);
         QCOMPARE(result.solution.encryptionKeys.size(), 2);
         QCOMPARE(result.solution.encryptionKeys.value("sender-openpgp@example.net").size(), 0);
         QCOMPARE(result.solution.encryptionKeys.value("sender-smime@example.net").size(), 1);
         QCOMPARE(result.alternative.encryptionKeys.size(), 0);
     }
 
     void test_reports_unresolved_addresses_if_mixed_protocols_are_not_allowed_but_needed()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ false);
         resolver.setAllowMixedProtocols(false);
         resolver.setRecipients({"sender-openpgp@example.net", "sender-smime@example.net"});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::SomeUnresolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::OpenPGPOnly);
+        QCOMPARE(result.solution.protocol, OpenPGP);
         QCOMPARE(result.solution.encryptionKeys.size(), 2);
         QCOMPARE(result.solution.encryptionKeys.value("sender-openpgp@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-smime@example.net").size(), 0);
         QCOMPARE(result.alternative.encryptionKeys.size(), 2);
         QCOMPARE(result.alternative.encryptionKeys.value("sender-openpgp@example.net").size(), 0);
         QCOMPARE(result.alternative.encryptionKeys.value("sender-smime@example.net").size(), 1);
     }
 
     void test_openpgp_overrides_are_used_if_both_protocols_are_allowed()
     {
         const QString override = testKey("prefer-openpgp@example.net", OpenPGP).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setAllowMixedProtocols(false);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setRecipients({"full-validity@example.net"});
         resolver.setOverrideKeys({{OpenPGP, {{QStringLiteral("Needs to be normalized <full-validity@example.net>"), {override}}}}});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::OpenPGPOnly);
         QCOMPARE(result.solution.encryptionKeys.value("full-validity@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("full-validity@example.net")[0].primaryFingerprint(), override);
         QCOMPARE(result.alternative.encryptionKeys.value("full-validity@example.net").size(), 1);
         QCOMPARE(result.alternative.encryptionKeys.value("full-validity@example.net")[0].primaryFingerprint(),
                  testKey("full-validity@example.net", CMS).primaryFingerprint());
     }
 
     void test_openpgp_overrides_are_used_if_openpgp_only_is_requested()
     {
         const QString override = testKey("prefer-openpgp@example.net", OpenPGP).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true, OpenPGP);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setRecipients({"full-validity@example.net"});
         resolver.setOverrideKeys({{OpenPGP, {{QStringLiteral("Needs to be normalized <full-validity@example.net>"), {override}}}}});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::OpenPGPOnly);
         QCOMPARE(result.solution.encryptionKeys.value("full-validity@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("full-validity@example.net")[0].primaryFingerprint(), override);
         QCOMPARE(result.alternative.encryptionKeys.size(), 0);
     }
 
     void test_openpgp_overrides_are_ignored_if_smime_only_is_requested()
     {
         const QString override = testKey("prefer-openpgp@example.net", OpenPGP).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true, CMS);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setRecipients({"full-validity@example.net"});
         resolver.setOverrideKeys({{OpenPGP, {{QStringLiteral("Needs to be normalized <full-validity@example.net>"), {override}}}}});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::CMSOnly);
         QCOMPARE(result.solution.encryptionKeys.value("full-validity@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("full-validity@example.net")[0].primaryFingerprint(),
                  testKey("full-validity@example.net", CMS).primaryFingerprint());
         QCOMPARE(result.alternative.encryptionKeys.size(), 0);
     }
 
     void test_smime_overrides_are_used_if_both_protocols_are_allowed_and_smime_is_preferred()
     {
         const QString override = testKey("prefer-smime@example.net", CMS).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setAllowMixedProtocols(false);
         resolver.setPreferredProtocol(CMS);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setRecipients({"full-validity@example.net"});
         resolver.setOverrideKeys({{CMS, {{QStringLiteral("Needs to be normalized <full-validity@example.net>"), {override}}}}});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::CMSOnly);
         QCOMPARE(result.solution.encryptionKeys.value("full-validity@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("full-validity@example.net")[0].primaryFingerprint(), override);
         QCOMPARE(result.alternative.encryptionKeys.value("full-validity@example.net").size(), 1);
         QCOMPARE(result.alternative.encryptionKeys.value("full-validity@example.net")[0].primaryFingerprint(),
                  testKey("full-validity@example.net", OpenPGP).primaryFingerprint());
     }
 
     void test_smime_overrides_are_used_if_smime_only_is_requested()
     {
         const QString override = testKey("prefer-smime@example.net", CMS).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true, CMS);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setRecipients({"full-validity@example.net"});
         resolver.setOverrideKeys({{CMS, {{QStringLiteral("Needs to be normalized <full-validity@example.net>"), {override}}}}});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::CMSOnly);
         QCOMPARE(result.solution.encryptionKeys.value("full-validity@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("full-validity@example.net")[0].primaryFingerprint(), override);
         QCOMPARE(result.alternative.encryptionKeys.size(), 0);
     }
 
     void test_smime_overrides_are_ignored_if_openpgp_only_is_requested()
     {
         const QString override = testKey("prefer-smime@example.net", CMS).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true, OpenPGP);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setRecipients({"full-validity@example.net"});
         resolver.setOverrideKeys({{CMS, {{QStringLiteral("Needs to be normalized <full-validity@example.net>"), {override}}}}});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::OpenPGPOnly);
         QCOMPARE(result.solution.encryptionKeys.value("full-validity@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("full-validity@example.net")[0].primaryFingerprint(),
                  testKey("full-validity@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(result.alternative.encryptionKeys.size(), 0);
     }
 
     void test_overrides_for_wrong_protocol_are_ignored()
     {
         const QString override1 = testKey("full-validity@example.net", CMS).primaryFingerprint();
         const QString override2 = testKey("full-validity@example.net", OpenPGP).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setRecipients({"sender-openpgp@example.net", "sender-smime@example.net"});
         resolver.setOverrideKeys({{OpenPGP, {{QStringLiteral("Needs to be normalized <sender-openpgp@example.net>"), {override1}}}}});
         resolver.setOverrideKeys({{CMS, {{QStringLiteral("Needs to be normalized <sender-smime@example.net>"), {override2}}}}});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::MixedProtocols);
         QCOMPARE(result.solution.encryptionKeys.value("sender-openpgp@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-openpgp@example.net")[0].primaryFingerprint(),
                  testKey("sender-openpgp@example.net", OpenPGP).primaryFingerprint());
         QCOMPARE(result.solution.encryptionKeys.value("sender-smime@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-smime@example.net")[0].primaryFingerprint(),
                  testKey("sender-smime@example.net", CMS).primaryFingerprint());
     }
 
     void test_openpgp_only_common_overrides_are_used_for_openpgp()
     {
         const QString override = testKey("prefer-openpgp@example.net", OpenPGP).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setRecipients({"sender-openpgp@example.net"});
         resolver.setOverrideKeys({{UnknownProtocol, {{QStringLiteral("Needs to be normalized <sender-openpgp@example.net>"), {override}}}}});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::OpenPGPOnly);
         QCOMPARE(result.solution.encryptionKeys.value("sender-openpgp@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-openpgp@example.net")[0].primaryFingerprint(), override);
     }
 
     void test_smime_only_common_overrides_are_used_for_smime()
     {
         const QString override = testKey("prefer-smime@example.net", CMS).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setRecipients({"sender-smime@example.net"});
         resolver.setOverrideKeys({{UnknownProtocol, {{QStringLiteral("Needs to be normalized <sender-smime@example.net>"), {override}}}}});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::CMSOnly);
         QCOMPARE(result.solution.encryptionKeys.value("sender-smime@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-smime@example.net")[0].primaryFingerprint(), override);
     }
 
     void test_mixed_protocol_common_overrides_override_protocol_specific_resolution()
     {
         const QString override1 = testKey("prefer-openpgp@example.net", OpenPGP).primaryFingerprint();
         const QString override2 = testKey("prefer-smime@example.net", CMS).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setOverrideKeys({{UnknownProtocol, {{QStringLiteral("sender-mixed@example.net"), {override1, override2}}}}});
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::MixedProtocols);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net").size(), 2);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net")[0].primaryFingerprint(), override1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-mixed@example.net")[1].primaryFingerprint(), override2);
     }
 
     void test_common_overrides_override_protocol_specific_overrides()
     {
         const QString override1 = testKey("full-validity@example.net", OpenPGP).primaryFingerprint();
         const QString override2 = testKey("full-validity@example.net", CMS).primaryFingerprint();
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ true);
         resolver.setSender(QStringLiteral("sender-mixed@example.net"));
         resolver.setRecipients({"sender-openpgp@example.net", "sender-smime@example.net"});
         resolver.setOverrideKeys({
             {OpenPGP, {
                 {QStringLiteral("sender-openpgp@example.net"), {testKey("prefer-openpgp@example.net", OpenPGP).primaryFingerprint()}}
             }},
             {CMS, {
                 {QStringLiteral("sender-smime@example.net"), {testKey("prefer-smime@example.net", CMS).primaryFingerprint()}}
             }},
             {UnknownProtocol, {
                 {QStringLiteral("sender-openpgp@example.net"), {override1}},
                 {QStringLiteral("sender-smime@example.net"), {override2}}
             }}
         });
 
         const auto result = resolver.resolve();
 
         QCOMPARE(result.flags & KeyResolverCore::ResolvedMask, KeyResolverCore::AllResolved);
         QCOMPARE(result.flags & KeyResolverCore::ProtocolsMask, KeyResolverCore::MixedProtocols);
         QCOMPARE(result.solution.encryptionKeys.value("sender-openpgp@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-openpgp@example.net")[0].primaryFingerprint(), override1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-smime@example.net").size(), 1);
         QCOMPARE(result.solution.encryptionKeys.value("sender-smime@example.net")[0].primaryFingerprint(), override2);
     }
 
     void test_reports_failure_if_openpgp_is_requested_but_common_overrides_require_smime()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ false, OpenPGP);
         resolver.setRecipients({"sender-mixed@example.net"});
         resolver.setOverrideKeys({{UnknownProtocol, {
             {QStringLiteral("sender-mixed@example.net"), {testKey("prefer-smime@example.net", CMS).primaryFingerprint()}}
         }}});
 
         const auto result = resolver.resolve();
 
         QVERIFY(result.flags & KeyResolverCore::Error);
     }
 
     void test_reports_failure_if_smime_is_requested_but_common_overrides_require_openpgp()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ false, CMS);
         resolver.setRecipients({"sender-mixed@example.net"});
         resolver.setOverrideKeys({{UnknownProtocol, {
             {QStringLiteral("sender-mixed@example.net"), {testKey("prefer-openpgp@example.net", OpenPGP).primaryFingerprint()}}
         }}});
 
         const auto result = resolver.resolve();
 
         QVERIFY(result.flags & KeyResolverCore::Error);
     }
 
     void test_reports_failure_if_mixed_protocols_are_not_allowed_but_required_by_common_overrides()
     {
         KeyResolverCore resolver(/*encrypt=*/ true, /*sign=*/ false);
         resolver.setAllowMixedProtocols(false);
         resolver.setRecipients({"sender-mixed@example.net"});
         resolver.setOverrideKeys({{UnknownProtocol, {
             {QStringLiteral("sender-mixed@example.net"), {
                 testKey("prefer-openpgp@example.net", OpenPGP).primaryFingerprint(),
                 testKey("prefer-smime@example.net", CMS).primaryFingerprint()
             }}
         }}});
 
         const auto result = resolver.resolve();
 
         QVERIFY(result.flags & KeyResolverCore::Error);
     }
 
 private:
     Key testKey(const char *email, Protocol protocol = UnknownProtocol)
     {
         const std::vector<Key> keys = KeyCache::instance()->findByEMailAddress(email);
         for (const auto &key: keys) {
             if (protocol == UnknownProtocol || key.protocol() == protocol) {
                 return key;
             }
         }
         return Key();
     }
 
 private:
     QSharedPointer<QTemporaryDir> mGnupgHome;
     std::shared_ptr<const KeyCache> mKeyCache;
 };
 
 QTEST_MAIN(KeyResolverCoreTest)
 #include "keyresolvercoretest.moc"
diff --git a/src/kleo/keyresolver.cpp b/src/kleo/keyresolver.cpp
index 81dd0820f..3c62554e7 100644
--- a/src/kleo/keyresolver.cpp
+++ b/src/kleo/keyresolver.cpp
@@ -1,169 +1,162 @@
 /*  -*- c++ -*-
     keyresolver.cpp
 
     This file is part of libkleopatra, the KDE keymanagement library
     SPDX-FileCopyrightText: 2004 Klarälvdalens Datakonsult AB
     SPDX-FileCopyrightText: 2018 Intevation GmbH
     SPDX-FileCopyrightText: 2021 g10 Code GmbH
     SPDX-FileContributor: Ingo Klöcker <dev@ingo-kloecker.de>
 
     Based on kpgp.cpp
     SPDX-FileCopyrightText: 2001, 2002 the KPGP authors
     See file libkdenetwork/AUTHORS.kpgp for details
 
     SPDX-License-Identifier: GPL-2.0-or-later
 */
 
 #include "keyresolver.h"
 
 #include "keyresolvercore.h"
 
 #include "models/keycache.h"
 #include "ui/newkeyapprovaldialog.h"
 #include "utils/formatting.h"
 
 #include <gpgme++/key.h>
 
 #include "libkleo_debug.h"
 
 using namespace Kleo;
 using namespace GpgME;
 
 class KeyResolver::Private
 {
 public:
     Private(KeyResolver* qq, bool enc, bool sig, Protocol fmt, bool allowMixed)
         : q(qq)
         , mCore(enc, sig, fmt)
         , mFormat(fmt)
         , mEncrypt(enc)
         , mSign(sig)
         , mAllowMixed(allowMixed)
         , mCache(KeyCache::instance())
         , mDialogWindowFlags(Qt::WindowFlags())
         , mPreferredProtocol(UnknownProtocol)
     {
         mCore.setAllowMixedProtocols(allowMixed);
     }
 
     ~Private() = default;
 
     void showApprovalDialog(KeyResolverCore::Result result, QWidget *parent);
     void dialogAccepted();
 
     KeyResolver *const q;
     KeyResolverCore mCore;
     Solution mResult;
 
     Protocol mFormat;
     bool mEncrypt;
     bool mSign;
     bool mAllowMixed;
     // The cache is needed as a member variable to avoid rebuilding
     // it between calls if we are the only user.
     std::shared_ptr<const KeyCache> mCache;
     std::unique_ptr<NewKeyApprovalDialog> mDialog;
     Qt::WindowFlags mDialogWindowFlags;
     Protocol mPreferredProtocol;
 };
 
 void KeyResolver::Private::showApprovalDialog(KeyResolverCore::Result result, QWidget *parent)
 {
     const QString sender = mCore.normalizedSender();
     mDialog = std::make_unique<NewKeyApprovalDialog>(mEncrypt,
                                                      mSign,
                                                      sender,
                                                      std::move(result.solution),
                                                      std::move(result.alternative),
                                                      mAllowMixed,
                                                      mFormat,
                                                      parent,
                                                      mDialogWindowFlags);
     connect (mDialog.get(), &QDialog::accepted, q, [this] () {
         dialogAccepted();
     });
     connect (mDialog.get(), &QDialog::rejected, q, [this] () {
         Q_EMIT q->keysResolved(false, false);
     });
     mDialog->open();
 }
 
 void KeyResolver::Private::dialogAccepted()
 {
     mResult = mDialog->result();
     Q_EMIT q->keysResolved(true, false);
 }
 
 void KeyResolver::start(bool showApproval, QWidget *parentWidget)
 {
     qCDebug(LIBKLEO_LOG) << "Starting ";
     if (!d->mSign && !d->mEncrypt) {
         // nothing to do
         return Q_EMIT keysResolved(true, true);
     }
     const auto result = d->mCore.resolve();
     const bool success = (result.flags & KeyResolverCore::AllResolved);
     if (success && !showApproval) {
         d->mResult = std::move(result.solution);
-        // update protocol hint of solution if solution is single-protocol solution
-        const auto protocolsHint = result.flags & KeyResolverCore::ProtocolsMask;
-        if (protocolsHint == KeyResolverCore::OpenPGPOnly) {
-            d->mResult.protocol = OpenPGP;
-        } else if (protocolsHint == KeyResolverCore::CMSOnly) {
-            d->mResult.protocol = CMS;
-        }
         Q_EMIT keysResolved(true, false);
         return;
     } else if (success) {
         qCDebug(LIBKLEO_LOG) << "No need for the user showing approval anyway.";
     }
 
     d->showApprovalDialog(std::move(result), parentWidget);
 }
 
 KeyResolver::KeyResolver(bool encrypt, bool sign, Protocol fmt, bool allowMixed)
     : d(new Private(this, encrypt, sign, fmt, allowMixed))
 {
 }
 
 Kleo::KeyResolver::~KeyResolver() = default;
 
 void KeyResolver::setRecipients(const QStringList &addresses)
 {
     d->mCore.setRecipients(addresses);
 }
 
 void KeyResolver::setSender(const QString &address)
 {
     d->mCore.setSender(address);
 }
 
 void KeyResolver::setOverrideKeys(const QMap<Protocol, QMap<QString, QStringList> > &overrides)
 {
     d->mCore.setOverrideKeys(overrides);
 }
 
 void KeyResolver::setSigningKeys(const QStringList &fingerprints)
 {
     d->mCore.setSigningKeys(fingerprints);
 }
 
 KeyResolver::Solution KeyResolver::result() const
 {
     return d->mResult;
 }
 
 void KeyResolver::setDialogWindowFlags(Qt::WindowFlags flags)
 {
     d->mDialogWindowFlags = flags;
 }
 
 void KeyResolver::setPreferredProtocol(Protocol proto)
 {
     d->mCore.setPreferredProtocol(proto);
 }
 
 void KeyResolver::setMinimumValidity(int validity)
 {
     d->mCore.setMinimumValidity(validity);
 }
diff --git a/src/kleo/keyresolvercore.cpp b/src/kleo/keyresolvercore.cpp
index b22b66c18..87fcf84dd 100644
--- a/src/kleo/keyresolvercore.cpp
+++ b/src/kleo/keyresolvercore.cpp
@@ -1,676 +1,672 @@
 /*  -*- c++ -*-
     kleo/keyresolvercore.cpp
 
     This file is part of libkleopatra, the KDE keymanagement library
     SPDX-FileCopyrightText: 2004 Klarälvdalens Datakonsult AB
     SPDX-FileCopyrightText: 2018 Intevation GmbH
     SPDX-FileCopyrightText: 2021 g10 Code GmbH
     SPDX-FileContributor: Ingo Klöcker <dev@ingo-kloecker.de>
 
     Based on kpgp.cpp
     SPDX-FileCopyrightText: 2001, 2002 the KPGP authors
     See file libkdenetwork/AUTHORS.kpgp for details
 
     SPDX-License-Identifier: GPL-2.0-or-later
 */
 
 #include "keyresolvercore.h"
 
 #include "models/keycache.h"
 #include "utils/formatting.h"
 
 #include <gpgme++/key.h>
 
 #include "libkleo_debug.h"
 
 using namespace Kleo;
 using namespace GpgME;
 
 namespace {
 
 static inline bool ValidEncryptionKey(const Key &key)
 {
     if (key.isNull() || key.isRevoked() || key.isExpired() ||
         key.isDisabled() || !key.canEncrypt()) {
         return false;
     }
     return true;
 }
 
 static inline bool ValidSigningKey(const Key &key)
 {
     if (key.isNull() || key.isRevoked() || key.isExpired() ||
         key.isDisabled() || !key.canSign() || !key.hasSecret()) {
         return false;
     }
     return true;
 }
 
 static int keyValidity(const Key &key, const QString &address)
 {
     // returns the validity of the UID matching the address or, if no UID matches, the maximal validity of all UIDs
     int overallValidity = UserID::Validity::Unknown;
     for (const auto &uid: key.userIDs()) {
         if (QString::fromStdString(uid.addrSpec()).toLower() == address.toLower()) {
             return uid.validity();
         }
         overallValidity = std::max(overallValidity, static_cast<int>(uid.validity()));
     }
     return overallValidity;
 }
 
 static int minimumValidity(const std::vector<Key> &keys, const QString &address)
 {
     const int minValidity = std::accumulate(keys.cbegin(), keys.cend(), UserID::Ultimate + 1,
                                             [address] (int validity, const Key &key) {
                                                 return std::min<int>(validity, keyValidity(key, address));
                                             });
     return minValidity <= UserID::Ultimate ? static_cast<UserID::Validity>(minValidity) : UserID::Unknown;
 }
 
 bool allKeysHaveProtocol(const std::vector<Key> &keys, Protocol protocol)
 {
     return std::all_of(keys.cbegin(), keys.cend(), [protocol] (const Key &key) { return key.protocol() == protocol; });
 }
 
 bool anyKeyHasProtocol(const std::vector<Key> &keys, Protocol protocol)
 {
     return std::any_of(std::begin(keys), std::end(keys), [protocol] (const Key &key) { return key.protocol() == protocol; });
 }
 
 } // namespace
 
 class KeyResolverCore::Private
 {
 public:
     Private(KeyResolverCore* qq, bool enc, bool sig, Protocol fmt)
         : q(qq)
         , mFormat(fmt)
         , mEncrypt(enc)
         , mSign(sig)
         , mCache(KeyCache::instance())
         , mPreferredProtocol(UnknownProtocol)
         , mMinimumValidity(UserID::Marginal)
         , mCompliance(Formatting::complianceMode())
     {
     }
 
     ~Private() = default;
 
     bool isAcceptableSigningKey(const Key &key);
     bool isAcceptableEncryptionKey(const Key &key, const QString &address = QString());
     void setSender(const QString &address);
     void addRecipients(const QStringList &addresses);
     void setOverrideKeys(const QMap<Protocol, QMap<QString, QStringList>> &overrides);
     void resolveOverrides();
     void resolveSign(Protocol proto);
     void setSigningKeys(const QStringList &fingerprints);
     std::vector<Key> resolveRecipient(const QString &address, Protocol protocol);
     void resolveEnc(Protocol proto);
     void mergeEncryptionKeys();
     QStringList unresolvedRecipients(GpgME::Protocol protocol) const;
     Result resolve();
 
     KeyResolverCore *const q;
     QString mSender;
     QStringList mRecipients;
     QMap<Protocol, std::vector<Key>> mSigKeys;
     QMap<QString, QMap<Protocol, std::vector<Key>>> mEncKeys;
     QMap<QString, QMap<Protocol, QStringList>> mOverrides;
 
     Protocol mFormat;
     QStringList mFatalErrors;
     bool mEncrypt;
     bool mSign;
     // The cache is needed as a member variable to avoid rebuilding
     // it between calls if we are the only user.
     std::shared_ptr<const KeyCache> mCache;
     bool mAllowMixed = true;
     Protocol mPreferredProtocol;
     int mMinimumValidity;
     QString mCompliance;
 };
 
 bool KeyResolverCore::Private::isAcceptableSigningKey(const Key &key)
 {
     if (!ValidSigningKey(key)) {
         return false;
     }
     if (mCompliance == QLatin1String("de-vs")) {
         if (!Formatting::isKeyDeVs(key)) {
             qCDebug(LIBKLEO_LOG) << "Rejected sig key" << key.primaryFingerprint()
                                     << "because it is not de-vs compliant.";
             return false;
         }
     }
     return true;
 }
 
 bool KeyResolverCore::Private::isAcceptableEncryptionKey(const Key &key, const QString &address)
 {
     if (!ValidEncryptionKey(key)) {
         return false;
     }
 
     if (mCompliance == QLatin1String("de-vs")) {
         if (!Formatting::isKeyDeVs(key)) {
             qCDebug(LIBKLEO_LOG) << "Rejected enc key" << key.primaryFingerprint()
                                     << "because it is not de-vs compliant.";
             return false;
         }
     }
 
     if (address.isEmpty()) {
         return true;
     }
     for (const auto &uid: key.userIDs()) {
         if (uid.addrSpec() == address.toStdString()) {
             if (uid.validity() >= mMinimumValidity) {
                 return true;
             }
         }
     }
     return false;
 }
 
 void KeyResolverCore::Private::setSender(const QString &address)
 {
     const auto normalized = UserID::addrSpecFromString (address.toUtf8().constData());
     if (normalized.empty()) {
         // should not happen bug in the caller, non localized
         // error for bug reporting.
         mFatalErrors << QStringLiteral("The sender address '%1' could not be extracted").arg(address);
         return;
     }
     const auto normStr = QString::fromUtf8(normalized.c_str());
     if (mSign) {
         mSender = normStr;
     }
     addRecipients({address});
 }
 
 void KeyResolverCore::Private::addRecipients(const QStringList &addresses)
 {
     if (!mEncrypt) {
         return;
     }
 
     // Internally we work with normalized addresses. Normalization
     // matches the gnupg one.
     for (const auto &addr: addresses) {
         // PGP Uids are defined to be UTF-8 (RFC 4880 §5.11)
         const auto normalized = UserID::addrSpecFromString (addr.toUtf8().constData());
         if (normalized.empty()) {
             // should not happen bug in the caller, non localized
             // error for bug reporting.
             mFatalErrors << QStringLiteral("The mail address for '%1' could not be extracted").arg(addr);
             continue;
         }
         const QString normStr = QString::fromUtf8(normalized.c_str());
 
         mRecipients << normStr;
 
         // Initially add empty lists of keys for both protocols
         mEncKeys[normStr] = {{CMS, {}}, {OpenPGP, {}}};
     }
 }
 
 void KeyResolverCore::Private::setOverrideKeys(const QMap<Protocol, QMap<QString, QStringList>> &overrides)
 {
     for (auto protocolIt = overrides.cbegin(); protocolIt != overrides.cend(); ++protocolIt) {
         const Protocol &protocol = protocolIt.key();
         const auto &addressFingerprintMap = protocolIt.value();
         for (auto addressIt = addressFingerprintMap.cbegin(); addressIt != addressFingerprintMap.cend(); ++addressIt) {
             const QString &address = addressIt.key();
             const QStringList &fingerprints = addressIt.value();
             const QString normalizedAddress = QString::fromUtf8(UserID::addrSpecFromString(address.toUtf8().constData()).c_str());
             mOverrides[normalizedAddress][protocol] = fingerprints;
         }
     }
 }
 
 namespace
 {
 std::vector<Key> resolveOverride(const QString &address, Protocol protocol, const QStringList &fingerprints)
 {
     std::vector<Key> keys;
     for (const auto &fprOrId: fingerprints) {
         const Key key = KeyCache::instance()->findByKeyIDOrFingerprint(fprOrId.toUtf8().constData());
         if (key.isNull()) {
             // FIXME: Report to caller
             qCDebug (LIBKLEO_LOG) << "Failed to find override key for:" << address << "fpr:" << fprOrId;
             continue;
         }
         if (protocol != UnknownProtocol && key.protocol() != protocol) {
             qCDebug(LIBKLEO_LOG) << "Ignoring key" << Formatting::summaryLine(key) << "given as" << Formatting::displayName(protocol) << "override for"
                                  << address;
             continue;
         }
         qCDebug(LIBKLEO_LOG) << "Using key" << Formatting::summaryLine(key) << "as" << Formatting::displayName(protocol) << "override for" << address;
         keys.push_back(key);
     }
     return keys;
 }
 }
 
 void KeyResolverCore::Private::resolveOverrides()
 {
     if (!mEncrypt) {
         // No encryption we are done.
         return;
     }
     for (auto addressIt = mOverrides.cbegin(); addressIt != mOverrides.cend(); ++addressIt) {
         const QString &address = addressIt.key();
         const auto &protocolFingerprintsMap = addressIt.value();
 
         if (!mRecipients.contains(address)) {
             qCDebug(LIBKLEO_LOG) << "Overrides provided for an address that is "
                 "neither sender nor recipient. Address:" << address;
             continue;
         }
 
         const QStringList commonOverride = protocolFingerprintsMap.value(UnknownProtocol);
         if (!commonOverride.empty()) {
             mEncKeys[address][UnknownProtocol] = resolveOverride(address, UnknownProtocol, commonOverride);
             if (protocolFingerprintsMap.contains(OpenPGP)) {
                 qCDebug(LIBKLEO_LOG) << "Ignoring OpenPGP-specific override for" << address << "in favor of common override";
             }
             if (protocolFingerprintsMap.contains(CMS)) {
                 qCDebug(LIBKLEO_LOG) << "Ignoring S/MIME-specific override for" << address << "in favor of common override";
             }
         } else {
             if (mFormat != CMS) {
                 mEncKeys[address][OpenPGP] = resolveOverride(address, OpenPGP, protocolFingerprintsMap.value(OpenPGP));
             }
             if (mFormat != OpenPGP) {
                 mEncKeys[address][CMS] = resolveOverride(address, CMS, protocolFingerprintsMap.value(CMS));
             }
         }
     }
 }
 
 void KeyResolverCore::Private::resolveSign(Protocol proto)
 {
     if (mSigKeys.contains(proto)) {
         // Explicitly set
         return;
     }
     const auto keys = mCache->findBestByMailBox(mSender.toUtf8().constData(),
                                                 proto, true, false);
     for (const auto &key: keys) {
         if (key.isNull()) {
             continue;
         }
         if (!isAcceptableSigningKey(key)) {
             qCDebug(LIBKLEO_LOG) << "Unacceptable signing key" << key.primaryFingerprint()
                                     << "for" << mSender;
             return;
         }
     }
 
     if (!keys.empty() && !keys[0].isNull()) {
         mSigKeys.insert(proto, keys);
     }
 }
 
 void KeyResolverCore::Private::setSigningKeys(const QStringList &fingerprints)
 {
     if (mSign) {
         for (const auto &fpr: fingerprints) {
             const auto key = mCache->findByKeyIDOrFingerprint(fpr.toUtf8().constData());
             if (key.isNull()) {
                 qCDebug(LIBKLEO_LOG) << "Failed to find signing key with fingerprint" << fpr;
                 continue;
             }
             auto list = mSigKeys.value(key.protocol());
             list.push_back(key);
             mSigKeys.insert(key.protocol(), list);
         }
     }
 }
 
 std::vector<Key> KeyResolverCore::Private::resolveRecipient(const QString &address, Protocol protocol)
 {
     const auto keys = mCache->findBestByMailBox(address.toUtf8().constData(), protocol, false, true);
     if (keys.empty() || keys[0].isNull()) {
         qCDebug(LIBKLEO_LOG) << "Failed to find any" << Formatting::displayName(protocol) << "key for: " << address;
         return {};
     }
     if (keys.size() == 1) {
         if (!isAcceptableEncryptionKey(keys[0], address)) {
             qCDebug(LIBKLEO_LOG) << "key for:" << address << keys[0].primaryFingerprint()
                                     << "has not enough validity";
             return {};
         }
     } else {
         // If we have one unacceptable group key we reject the
         // whole group to avoid the situation where one key is
         // skipped or the operation fails.
         //
         // We are in Autoresolve land here. In the GUI we
         // will also show unacceptable group keys so that the
         // user can see which key is not acceptable.
         bool unacceptable = false;
         for (const auto &key: keys) {
             if (!isAcceptableEncryptionKey(key)) {
                 qCDebug(LIBKLEO_LOG) << "group key for:" << address << keys[0].primaryFingerprint()
                                         << "has not enough validity";
                 unacceptable = true;
                 break;
             }
         }
         if (unacceptable) {
             return {};
         }
     }
     for (const auto &k: keys) {
         qCDebug(LIBKLEO_LOG) << "Resolved encrypt to" << address << "with key" << k.primaryFingerprint();
     }
     return keys;
 }
 
 // Try to find matching keys in the provided protocol for the unresolved addresses
 void KeyResolverCore::Private::resolveEnc(Protocol proto)
 {
     for (auto it = mEncKeys.begin(); it != mEncKeys.end(); ++it) {
         const QString &address = it.key();
         auto &protocolKeysMap = it.value();
         if (!protocolKeysMap[proto].empty()) {
             // already resolved for current protocol (by override)
             continue;
         }
         const std::vector<Key> &commonOverride = protocolKeysMap[UnknownProtocol];
         if (!commonOverride.empty()) {
             // there is a common override; use it for current protocol if possible
             if (allKeysHaveProtocol(commonOverride, proto)) {
                 protocolKeysMap[proto] = commonOverride;
                 continue;
             } else {
                 qCDebug(LIBKLEO_LOG) << "Common override for" << address << "is unusable for" << Formatting::displayName(proto);
                 continue;
             }
         }
         protocolKeysMap[proto] = resolveRecipient(address, proto);
     }
 }
 
 auto getBestEncryptionKeys(const QMap<QString, QMap<Protocol, std::vector<Key>>> &encryptionKeys, Protocol preferredProtocol)
 {
     QMap<QString, std::vector<Key>> result;
 
     for (auto it = encryptionKeys.begin(); it != encryptionKeys.end(); ++it) {
         const QString &address = it.key();
         auto &protocolKeysMap = it.value();
         const std::vector<Key> &overrideKeys = protocolKeysMap[UnknownProtocol];
         if (!overrideKeys.empty()) {
             result.insert(address, overrideKeys);
             continue;
         }
         const std::vector<Key> &keysOpenPGP = protocolKeysMap[OpenPGP];
         const std::vector<Key> &keysCMS = protocolKeysMap[CMS];
         if (keysOpenPGP.empty() && keysCMS.empty()) {
             result.insert(address, {});
         } else if (!keysOpenPGP.empty() && keysCMS.empty()) {
             result.insert(address, keysOpenPGP);
         } else if (keysOpenPGP.empty() && !keysCMS.empty()) {
             result.insert(address, keysCMS);
         } else {
             // check whether OpenPGP keys or S/MIME keys have higher validity
             const int validityPGP = minimumValidity(keysOpenPGP, address);
             const int validityCMS = minimumValidity(keysCMS, address);
             if ((validityCMS > validityPGP) || (validityCMS == validityPGP && preferredProtocol == CMS)) {
                 result.insert(address, keysCMS);
             } else {
                 result.insert(address, keysOpenPGP);
             }
         }
     }
 
     return result;
 }
 
 QStringList KeyResolverCore::Private::unresolvedRecipients(GpgME::Protocol protocol) const
 {
     QStringList result;
     result.reserve(mEncKeys.size());
     for (auto it = mEncKeys.begin(); it != mEncKeys.end(); ++it) {
         const auto &protocolKeysMap = it.value();
         if (protocolKeysMap.value(protocol).empty()) {
             result.push_back(it.key());
         }
     }
     return result;
 }
 
 namespace
 {
 bool hasUnresolvedRecipients(const QMap<QString, QMap<Protocol, std::vector<Key>>> &encryptionKeys, Protocol protocol)
 {
     return std::any_of(std::cbegin(encryptionKeys), std::cend(encryptionKeys),
                        [protocol] (const auto &protocolKeysMap) {
                            return protocolKeysMap.value(protocol).empty();
                        });
 }
 
 bool anyCommonOverrideHasKeyOfType(const QMap<QString, QMap<Protocol, std::vector<Key>>> &encryptionKeys, Protocol protocol)
 {
     return std::any_of(std::cbegin(encryptionKeys), std::cend(encryptionKeys),
                        [protocol] (const auto &protocolKeysMap) {
                            return anyKeyHasProtocol(protocolKeysMap.value(UnknownProtocol), protocol);
                        });
 }
 
 auto keysForProtocol(const QMap<QString, QMap<Protocol, std::vector<Key>>> &encryptionKeys, Protocol protocol)
 {
     QMap<QString, std::vector<Key>> keys;
     for (auto it = std::begin(encryptionKeys), end = std::end(encryptionKeys); it != end; ++it) {
         const QString &address = it.key();
         const auto &protocolKeysMap = it.value();
         keys.insert(address, protocolKeysMap.value(protocol));
     }
     return keys;
 }
 
 template<typename T>
 auto concatenate(std::vector<T> v1, const std::vector<T> &v2)
 {
     v1.reserve(v1.size() + v2.size());
     v1.insert(std::end(v1), std::begin(v2), std::end(v2));
     return v1;
 }
 
 }
 
 KeyResolverCore::Result KeyResolverCore::Private::resolve()
 {
     qCDebug(LIBKLEO_LOG) << "Starting ";
     if (!mSign && !mEncrypt) {
         // nothing to do
         return {AllResolved, {}, {}};
     }
 
     // First resolve through overrides
     resolveOverrides();
 
     // check protocols needed for overrides
     const bool commonOverridesNeedOpenPGP = anyCommonOverrideHasKeyOfType(mEncKeys, OpenPGP);
     const bool commonOverridesNeedCMS = anyCommonOverrideHasKeyOfType(mEncKeys, CMS);
     if ((mFormat == OpenPGP && commonOverridesNeedCMS)
             || (mFormat == CMS && commonOverridesNeedOpenPGP)
             || (!mAllowMixed && commonOverridesNeedOpenPGP && commonOverridesNeedCMS)) {
         // invalid protocol requirements -> clear intermediate result and abort resolution
         mEncKeys.clear();
         return {Error, {}, {}};
     }
 
     // Then look for signing / encryption keys
     if (mFormat == OpenPGP || mFormat == UnknownProtocol) {
         resolveSign(OpenPGP);
         resolveEnc(OpenPGP);
     }
     const bool pgpOnly = (!mEncrypt || !hasUnresolvedRecipients(mEncKeys, OpenPGP)) && (!mSign || mSigKeys.contains(OpenPGP));
 
     if (mFormat == OpenPGP) {
         return {
             SolutionFlags((pgpOnly ? AllResolved : SomeUnresolved) | OpenPGPOnly),
             {OpenPGP, mSigKeys.value(OpenPGP), keysForProtocol(mEncKeys, OpenPGP)},
             {}
         };
     }
 
     if (mFormat == CMS || mFormat == UnknownProtocol) {
         resolveSign(CMS);
         resolveEnc(CMS);
     }
     const bool cmsOnly = (!mEncrypt || !hasUnresolvedRecipients(mEncKeys, CMS)) && (!mSign || mSigKeys.contains(CMS));
 
     if (mFormat == CMS) {
         return {
             SolutionFlags((cmsOnly ? AllResolved : SomeUnresolved) | CMSOnly),
             {CMS, mSigKeys.value(CMS), keysForProtocol(mEncKeys, CMS)},
             {}
         };
     }
 
     // check if single-protocol solution has been found
     if (cmsOnly && (!pgpOnly || mPreferredProtocol == CMS)) {
         if (!mAllowMixed) {
             return {
                 SolutionFlags(AllResolved | CMSOnly),
                 {CMS, mSigKeys.value(CMS), keysForProtocol(mEncKeys, CMS)},
                 {OpenPGP, mSigKeys.value(OpenPGP), keysForProtocol(mEncKeys, OpenPGP)}
             };
         } else {
-            // keys marked as mixed (UnknownProtocol) as hint that OpenPGP keys are also allowed in key approval
             return {
                 SolutionFlags(AllResolved | CMSOnly),
-                {UnknownProtocol, mSigKeys.value(CMS), keysForProtocol(mEncKeys, CMS)},
+                {CMS, mSigKeys.value(CMS), keysForProtocol(mEncKeys, CMS)},
                 {}
             };
         }
     }
     if (pgpOnly) {
         if (!mAllowMixed) {
             return {
                 SolutionFlags(AllResolved | OpenPGPOnly),
                 {OpenPGP, mSigKeys.value(OpenPGP), keysForProtocol(mEncKeys, OpenPGP)},
                 {CMS, mSigKeys.value(CMS), keysForProtocol(mEncKeys, CMS)}
             };
         } else {
-            // keys marked as mixed (UnknownProtocol) as hint that S/MIME keys are also allowed in key approval
             return {
                 SolutionFlags(AllResolved | OpenPGPOnly),
-                {UnknownProtocol, mSigKeys.value(OpenPGP), keysForProtocol(mEncKeys, OpenPGP)},
+                {OpenPGP, mSigKeys.value(OpenPGP), keysForProtocol(mEncKeys, OpenPGP)},
                 {}
             };
         }
     }
 
     if (!mAllowMixed) {
         // return incomplete single-protocol solution
         if (mPreferredProtocol == CMS) {
             return {
                 SolutionFlags(SomeUnresolved | CMSOnly),
                 {CMS, mSigKeys.value(CMS), keysForProtocol(mEncKeys, CMS)},
                 {OpenPGP, mSigKeys.value(OpenPGP), keysForProtocol(mEncKeys, OpenPGP)}
             };
         } else {
             return {
                 SolutionFlags(SomeUnresolved | OpenPGPOnly),
                 {OpenPGP, mSigKeys.value(OpenPGP), keysForProtocol(mEncKeys, OpenPGP)},
                 {CMS, mSigKeys.value(CMS), keysForProtocol(mEncKeys, CMS)}
             };
         }
     }
 
     const auto bestEncryptionKeys = getBestEncryptionKeys(mEncKeys, mPreferredProtocol);
     const bool allAddressesAreResolved = std::all_of(std::begin(bestEncryptionKeys), std::end(bestEncryptionKeys),
                                                      [] (const auto &keys) { return !keys.empty(); });
     if (allAddressesAreResolved) {
         return {
             SolutionFlags(AllResolved | MixedProtocols),
             {UnknownProtocol, concatenate(mSigKeys.value(OpenPGP), mSigKeys.value(CMS)), bestEncryptionKeys},
             {}
         };
     }
 
     const bool allKeysAreOpenPGP = std::all_of(std::begin(bestEncryptionKeys), std::end(bestEncryptionKeys),
                                                [] (const auto &keys) { return allKeysHaveProtocol(keys, OpenPGP); });
     if (allKeysAreOpenPGP) {
-        // keys marked as mixed (UnknownProtocol) as hint that S/MIME keys are also allowed in key approval
         return {
             SolutionFlags(SomeUnresolved | OpenPGPOnly),
-            {UnknownProtocol, mSigKeys.value(OpenPGP), bestEncryptionKeys},
+            {OpenPGP, mSigKeys.value(OpenPGP), bestEncryptionKeys},
             {}
         };
     }
 
     const bool allKeysAreCMS = std::all_of(std::begin(bestEncryptionKeys), std::end(bestEncryptionKeys),
                                            [] (const auto &keys) { return allKeysHaveProtocol(keys, CMS); });
     if (allKeysAreCMS) {
-        // keys marked as mixed (UnknownProtocol) as hint that S/MIME keys are also allowed in key approval
         return {
             SolutionFlags(SomeUnresolved | CMSOnly),
-            {UnknownProtocol, mSigKeys.value(CMS), bestEncryptionKeys},
+            {CMS, mSigKeys.value(CMS), bestEncryptionKeys},
             {}
         };
     }
 
     return {
         SolutionFlags(SomeUnresolved | MixedProtocols),
         {UnknownProtocol, concatenate(mSigKeys.value(OpenPGP), mSigKeys.value(CMS)), bestEncryptionKeys},
         {}
     };
 }
 
 KeyResolverCore::KeyResolverCore(bool encrypt, bool sign, Protocol fmt)
     : d(new Private(this, encrypt, sign, fmt))
 {
 }
 
 KeyResolverCore::~KeyResolverCore() = default;
 
 void KeyResolverCore::setSender(const QString &address)
 {
     d->setSender(address);
 }
 
 QString KeyResolverCore::normalizedSender() const
 {
     return d->mSender;
 }
 
 void KeyResolverCore::setRecipients(const QStringList &addresses)
 {
     d->addRecipients(addresses);
 }
 
 void KeyResolverCore::setSigningKeys(const QStringList &fingerprints)
 {
     d->setSigningKeys(fingerprints);
 }
 
 void KeyResolverCore::setOverrideKeys(const QMap<Protocol, QMap<QString, QStringList>> &overrides)
 {
     d->setOverrideKeys(overrides);
 }
 
 void KeyResolverCore::setAllowMixedProtocols(bool allowMixed)
 {
     d->mAllowMixed = allowMixed;
 }
 
 void KeyResolverCore::setPreferredProtocol(Protocol proto)
 {
     d->mPreferredProtocol = proto;
 }
 
 void KeyResolverCore::setMinimumValidity(int validity)
 {
     d->mMinimumValidity = validity;
 }
 
 KeyResolverCore::Result KeyResolverCore::resolve()
 {
     return d->resolve();
 }
diff --git a/src/ui/newkeyapprovaldialog.cpp b/src/ui/newkeyapprovaldialog.cpp
index a19df4969..64119d9b5 100644
--- a/src/ui/newkeyapprovaldialog.cpp
+++ b/src/ui/newkeyapprovaldialog.cpp
@@ -1,870 +1,870 @@
 /*  -*- c++ -*-
     newkeyapprovaldialog.cpp
 
     This file is part of libkleopatra, the KDE keymanagement library
     SPDX-FileCopyrightText: 2018 Intevation GmbH
 
     SPDX-License-Identifier: GPL-2.0-or-later
 */
 
 #include "newkeyapprovaldialog.h"
 #include "kleo/defaultkeyfilter.h"
 #include "keyselectioncombo.h"
 #include "progressdialog.h"
 #include "utils/formatting.h"
 
 #include "libkleo_debug.h"
 
 #include <QApplication>
 #include <QButtonGroup>
 #include <QDesktopWidget>
 #include <QDialogButtonBox>
 #include <QGroupBox>
 #include <QLabel>
 #include <QMap>
 #include <QPushButton>
 #include <QRadioButton>
 #include <QScrollArea>
 #include <QToolTip>
 #include <QVBoxLayout>
 
 #include <QGpgME/DefaultKeyGenerationJob>
 #include <QGpgME/CryptoConfig>
 #include <QGpgME/Protocol>
 #include <gpgme++/keygenerationresult.h>
 #include <gpgme++/key.h>
 
 #include <KLocalizedString>
 #include <KMessageBox>
 
 using namespace Kleo;
 using namespace GpgME;
 
 QDebug operator<<(QDebug debug, const GpgME::Key &key)
 {
     if (key.isNull()) {
         debug << "Null";
     } else {
         debug << Formatting::summaryLine(key);
     }
     return debug.maybeSpace();
 }
 
 namespace {
 static std::shared_ptr<KeyFilter> s_defaultFilter= std::shared_ptr<KeyFilter> (new DefaultKeyFilter);
 
 class OpenPGPFilter: public DefaultKeyFilter
 {
 public:
     OpenPGPFilter() : DefaultKeyFilter()
     {
         setIsOpenPGP(DefaultKeyFilter::Set);
         setCanEncrypt(DefaultKeyFilter::Set);
     }
 };
 static std::shared_ptr<KeyFilter> s_pgpFilter = std::shared_ptr<KeyFilter> (new OpenPGPFilter);
 
 class OpenPGPSignFilter: public DefaultKeyFilter
 {
 public:
     OpenPGPSignFilter() : DefaultKeyFilter()
     {
         /* Also list unusable keys to make it transparent why they are unusable */
         setDisabled(DefaultKeyFilter::NotSet);
         setRevoked(DefaultKeyFilter::NotSet);
         setExpired(DefaultKeyFilter::NotSet);
         setCanSign(DefaultKeyFilter::Set);
         setHasSecret(DefaultKeyFilter::Set);
         setIsOpenPGP(DefaultKeyFilter::Set);
     }
 };
 static std::shared_ptr<KeyFilter> s_pgpSignFilter = std::shared_ptr<KeyFilter> (new OpenPGPSignFilter);
 
 class SMIMEFilter: public DefaultKeyFilter
 {
 public:
     SMIMEFilter(): DefaultKeyFilter()
     {
         setIsOpenPGP(DefaultKeyFilter::NotSet);
         setCanEncrypt(DefaultKeyFilter::Set);
     }
 };
 static std::shared_ptr<KeyFilter> s_smimeFilter = std::shared_ptr<KeyFilter> (new SMIMEFilter);
 
 class SMIMESignFilter: public DefaultKeyFilter
 {
 public:
     SMIMESignFilter(): DefaultKeyFilter()
     {
         setDisabled(DefaultKeyFilter::NotSet);
         setRevoked(DefaultKeyFilter::NotSet);
         setExpired(DefaultKeyFilter::NotSet);
         setCanSign(DefaultKeyFilter::Set);
         setIsOpenPGP(DefaultKeyFilter::NotSet);
         setHasSecret(DefaultKeyFilter::Set);
     }
 };
 static std::shared_ptr<KeyFilter> s_smimeSignFilter = std::shared_ptr<KeyFilter> (new SMIMESignFilter);
 
 /* Some decoration and a button to remove the filter for a keyselectioncombo */
 class ComboWidget: public QWidget
 {
     Q_OBJECT
 public:
     explicit ComboWidget(KeySelectionCombo *combo):
         mCombo(combo),
         mFilterBtn(new QPushButton),
         mFromOverride(GpgME::UnknownProtocol)
     {
         auto hLay = new QHBoxLayout(this);
         auto infoBtn = new QPushButton;
         infoBtn->setIcon(QIcon::fromTheme(QStringLiteral("help-contextual")));
         infoBtn->setIconSize(QSize(22,22));
         infoBtn->setFlat(true);
         hLay->addWidget(infoBtn);
         hLay->addWidget(combo, 1);
         hLay->addWidget(mFilterBtn, 0);
 
         connect(infoBtn, &QPushButton::clicked, this, [this, infoBtn] () {
             QToolTip::showText(infoBtn->mapToGlobal(QPoint()) + QPoint(infoBtn->width(), 0),
                     mCombo->currentData(Qt::ToolTipRole).toString(), infoBtn, QRect(), 30000);
         });
 
         // FIXME: This is ugly to enforce but otherwise the
         // icon is broken.
         combo->setMinimumHeight(22);
         mFilterBtn->setMinimumHeight(23);
 
         updateFilterButton();
 
         connect(mFilterBtn, &QPushButton::clicked, this, [this] () {
             const QString curFilter = mCombo->idFilter();
             if (curFilter.isEmpty()) {
                 setIdFilter(mLastIdFilter);
                 mLastIdFilter = QString();
             } else {
                 setIdFilter(QString());
                 mLastIdFilter = curFilter;
             }
         });
     }
 
     void setIdFilter(const QString &id)
     {
         mCombo->setIdFilter(id);
         updateFilterButton();
     }
 
     void updateFilterButton()
     {
         if (mCombo->idFilter().isEmpty()) {
             mFilterBtn->setIcon(QIcon::fromTheme(QStringLiteral("kt-add-filters")));
             mFilterBtn->setToolTip(i18n("Show keys matching the email address"));
         } else {
             mFilterBtn->setIcon(QIcon::fromTheme(QStringLiteral("kt-remove-filters")));
             mFilterBtn->setToolTip(i18n("Show all keys"));
         }
     }
 
     KeySelectionCombo *combo()
     {
         return mCombo;
     }
 
     GpgME::Protocol fromOverride() const
     {
         return mFromOverride;
     }
 
     void setFromOverride(GpgME::Protocol proto)
     {
         mFromOverride = proto;
     }
 
     GpgME::Protocol fixedProtocol() const
     {
         return mFixedProtocol;
     }
 
     void setFixedProtocol(GpgME::Protocol proto)
     {
         mFixedProtocol = proto;
     }
 
 private:
     KeySelectionCombo *mCombo;
     QPushButton *mFilterBtn;
     QString mLastIdFilter;
     GpgME::Protocol mFromOverride;
     GpgME::Protocol mFixedProtocol = GpgME::UnknownProtocol;
 };
 
 static enum GpgME::UserID::Validity keyValidity(const GpgME::Key &key)
 {
     enum GpgME::UserID::Validity validity = GpgME::UserID::Validity::Unknown;
 
     for (const auto &uid: key.userIDs()) {
         if (validity == GpgME::UserID::Validity::Unknown
             || validity > uid.validity()) {
             validity = uid.validity();
         }
     }
 
     return validity;
 }
 
 static bool key_has_addr(const GpgME::Key &key, const QString &addr)
 {
     for (const auto &uid: key.userIDs()) {
         if (QString::fromStdString(uid.addrSpec()).toLower() == addr.toLower()) {
             return true;
         }
     }
     return false;
 }
 
 bool anyKeyHasProtocol(const std::vector<Key> &keys, Protocol protocol)
 {
     return std::any_of(std::begin(keys), std::end(keys), [protocol] (const auto &key) { return key.protocol() == protocol; });
 }
 
 Key findfirstKeyOfType(const std::vector<Key> &keys, Protocol protocol)
 {
     const auto it = std::find_if(std::begin(keys), std::end(keys), [protocol] (const auto &key) { return key.protocol() == protocol; });
     return it != std::end(keys) ? *it : Key();
 }
 
 } // namespace
 
 class NewKeyApprovalDialog::Private
 {
 private:
     enum Action {
         Unset,
         GenerateKey,
         IgnoreKey,
     };
 public:
     Private(NewKeyApprovalDialog *qq,
             bool encrypt,
             bool sign,
             GpgME::Protocol forcedProtocol,
             GpgME::Protocol presetProtocol,
             const QString &sender,
             bool allowMixed)
         : mForcedProtocol{forcedProtocol}
         , mSender{sender}
         , mSign{sign}
         , mEncrypt{encrypt}
         , mAllowMixed{allowMixed}
         , q{qq}
     {
         Q_ASSERT(forcedProtocol == GpgME::UnknownProtocol || presetProtocol == GpgME::UnknownProtocol || presetProtocol == forcedProtocol);
         Q_ASSERT(!allowMixed || (allowMixed && forcedProtocol == GpgME::UnknownProtocol));
 
         // We do the translation here to avoid having the same string multiple times.
         mGenerateTooltip = i18nc("@info:tooltip for a 'Generate new key pair' action "
                                  "in a combobox when a user does not yet have an OpenPGP or S/MIME key.",
                                  "Generate a new key using your E-Mail address.<br/><br/>"
                                  "The key is necessary to decrypt and sign E-Mails. "
                                  "You will be asked for a passphrase to protect this key and the protected key "
                                  "will be stored in your home directory.");
         mMainLay = new QVBoxLayout;
 
         QDialogButtonBox *btnBox = new QDialogButtonBox(QDialogButtonBox::Ok | QDialogButtonBox::Cancel);
         mOkButton = btnBox->button(QDialogButtonBox::Ok);
         QObject::connect (btnBox, &QDialogButtonBox::accepted, q, [this] () {
                 accepted();
             });
         QObject::connect (btnBox, &QDialogButtonBox::rejected, q, &QDialog::reject);
 
         mScrollArea = new QScrollArea;
         mScrollArea->setWidget(new QWidget);
         mScrollLayout = new QVBoxLayout;
         mScrollArea->widget()->setLayout(mScrollLayout);
         mScrollArea->setWidgetResizable(true);
         mScrollArea->setSizeAdjustPolicy(QAbstractScrollArea::AdjustToContentsOnFirstShow);
         mScrollArea->setFrameStyle(QFrame::NoFrame);
         mScrollLayout->setContentsMargins(0, 0, 0, 0);
 
         q->setWindowTitle(i18nc("@title:window", "Security approval"));
 
         auto fmtLayout = new QHBoxLayout;
         mFormatBtns = new QButtonGroup;
         auto pgpBtn = new QRadioButton(i18n("OpenPGP"));
         auto smimeBtn = new QRadioButton(i18n("S/MIME"));
         mFormatBtns->addButton(pgpBtn, 1);
         mFormatBtns->addButton(smimeBtn, 2);
         mFormatBtns->setExclusive(true);
 
         fmtLayout->addStretch(-1);
         fmtLayout->addWidget(pgpBtn);
         fmtLayout->addWidget(smimeBtn);
         mMainLay->addLayout(fmtLayout);
 
         if (mAllowMixed) {
             smimeBtn->setVisible(false);
             pgpBtn->setVisible(false);
         } else if (mForcedProtocol != GpgME::UnknownProtocol) {
             pgpBtn->setChecked(mForcedProtocol == GpgME::OpenPGP);
             smimeBtn->setChecked(mForcedProtocol == GpgME::CMS);
             pgpBtn->setVisible(false);
             smimeBtn->setVisible(false);
         } else {
             pgpBtn->setChecked(presetProtocol == GpgME::OpenPGP);
             smimeBtn->setChecked(presetProtocol == GpgME::CMS);
         }
 
         QObject::connect (mFormatBtns, static_cast<void (QButtonGroup::*)(QAbstractButton *, bool)> (&QButtonGroup::buttonToggled),
                 q, [this](QAbstractButton *, bool) {
             updateWidgetVisibility();
         });
 
         mMainLay->addWidget(mScrollArea);
 
         mComplianceLbl = new QLabel;
         mComplianceLbl->setVisible(false);
 
         auto btnLayout = new QHBoxLayout;
         btnLayout->addWidget(mComplianceLbl);
         btnLayout->addWidget(btnBox);
         mMainLay->addLayout(btnLayout);
 
         q->setLayout(mMainLay);
 
     }
 
     ~Private() = default;
 
     Protocol currentProtocol()
     {
         if (mAllowMixed) {
             return UnknownProtocol;
         } else if (mFormatBtns->checkedId() == 1) {
             return OpenPGP;
         } else if (mFormatBtns->checkedId() == 2) {
             return CMS;
         }
         return UnknownProtocol;
     }
 
     void generateKey(KeySelectionCombo *combo)
     {
         const auto &addr = combo->property("address").toString();
         auto job = new QGpgME::DefaultKeyGenerationJob(q);
         auto progress = new Kleo::ProgressDialog(job, i18n("Generating key for '%1'...", addr) + QStringLiteral("\n\n") +
                                                  i18n("This can take several minutes."), q);
         progress->setWindowFlags(progress->windowFlags() & ~Qt::WindowContextHelpButtonHint);
         progress->setWindowTitle(i18nc("@title:window", "Key generation"));
         progress->setModal(true);
         progress->setAutoClose(true);
         progress->setMinimumDuration(0);
         progress->setValue(0);
 
         mRunningJobs << job;
         connect (job, &QGpgME::DefaultKeyGenerationJob::result, q,
             [this, job, combo] (const GpgME::KeyGenerationResult &result) {
                 handleKeyGenResult(result, job, combo);
             });
         job->start(addr, QString());
         return;
     }
 
     void handleKeyGenResult(const GpgME::KeyGenerationResult &result, QGpgME::Job *job, KeySelectionCombo *combo)
     {
         mLastError = result.error();
         if (!mLastError || mLastError.isCanceled()) {
             combo->setDefaultKey(QString::fromLatin1(result.fingerprint()), GpgME::OpenPGP);
             connect (combo, &KeySelectionCombo::keyListingFinished, q, [this, job] () {
                     mRunningJobs.removeAll(job);
                 });
             combo->refreshKeys();
         } else {
             mRunningJobs.removeAll(job);
         }
     }
 
     void checkAccepted()
     {
         if (mLastError || mLastError.isCanceled()) {
             KMessageBox::error(q, QString::fromLocal8Bit(mLastError.asString()), i18n("Operation Failed"));
             mRunningJobs.clear();
             return;
         }
 
         if (!mRunningJobs.empty()) {
             return;
         }
         /* Save the keys */
         const Protocol protocol = currentProtocol();
 
         mAcceptedResult.encryptionKeys.clear();
         mAcceptedResult.signingKeys.clear();
 
         for (const auto combo: qAsConst(mEncCombos)) {
             const auto &addr = combo->property("address").toString();
             const auto &key = combo->currentKey();
             if (!combo->isVisible()) {
                 continue;
             }
             if (protocol != UnknownProtocol && key.protocol() != protocol) {
                 continue;
             }
             mAcceptedResult.encryptionKeys[addr].push_back(key);
         }
         for (const auto combo: qAsConst(mSigningCombos)) {
             const auto key = combo->currentKey();
             if (!combo->isVisible()) {
                 continue;
             }
             if (protocol != UnknownProtocol && key.protocol() != protocol) {
                 continue;
             }
             mAcceptedResult.signingKeys.push_back(key);
         }
 
         q->accept();
     }
 
     void accepted()
     {
         // We can assume everything was validly resolved, otherwise
         // the OK button would have been disabled.
         // Handle custom items now.
         for (auto combo: qAsConst(mAllCombos)) {
             auto act = combo->currentData(Qt::UserRole).toInt();
             if (act == GenerateKey) {
                 generateKey(combo);
                 // Only generate once
                 return;
             }
         }
         checkAccepted();
     }
 
     void updateWidgetVisibility()
     {
         const Protocol protocol = currentProtocol();
 
         for (auto combo: qAsConst(mSigningCombos)) {
             auto widget = qobject_cast<ComboWidget *>(combo->parentWidget());
             if (!widget) {
                 qCDebug(LIBKLEO_LOG) << "Failed to find signature combo widget";
                 continue;
             }
             widget->setVisible(protocol == UnknownProtocol || widget->fixedProtocol() == protocol);
         }
         for (auto combo: qAsConst(mEncCombos)) {
             auto widget = qobject_cast<ComboWidget *>(combo->parentWidget());
             if (!widget) {
                 qCDebug(LIBKLEO_LOG) << "Failed to find combo widget";
                 continue;
             }
             widget->setVisible(protocol == UnknownProtocol || widget->fixedProtocol() == protocol);
         }
     }
 
     ComboWidget *createSigningCombo(const QString &addr, const GpgME::Key &key, Protocol protocol = UnknownProtocol)
     {
         Q_ASSERT(!key.isNull() || protocol != UnknownProtocol);
         protocol = !key.isNull() ? key.protocol() : protocol;
 
         auto combo = new KeySelectionCombo();
         auto comboWidget = new ComboWidget(combo);
 #ifndef NDEBUG
         combo->setObjectName(QStringLiteral("signing key"));
 #endif
         if (protocol == GpgME::OpenPGP) {
             combo->setKeyFilter(s_pgpSignFilter);
         } else if (protocol == GpgME::CMS) {
             combo->setKeyFilter(s_smimeSignFilter);
         }
         if (key.isNull() || key_has_addr(key, mSender)) {
             comboWidget->setIdFilter(mSender);
         }
         comboWidget->setFixedProtocol(protocol);
         if (!key.isNull()) {
             combo->setDefaultKey(QString::fromLatin1(key.primaryFingerprint()), protocol);
         }
         if (key.isNull() && protocol == OpenPGP) {
             combo->appendCustomItem(QIcon::fromTheme(QStringLiteral("document-new")),
                                     i18n("Generate a new key pair"), GenerateKey,
                                     mGenerateTooltip);
         }
         combo->appendCustomItem(QIcon::fromTheme(QStringLiteral("emblem-unavailable")),
                 i18n("Don't confirm identity and integrity"), IgnoreKey,
                 i18nc("@info:tooltip for not selecting a key for signing.",
                       "The E-Mail will not be cryptographically signed."));
 
         mSigningCombos << combo;
         mAllCombos << combo;
         combo->setProperty("address", addr);
 
         connect(combo, &KeySelectionCombo::currentKeyChanged, q, [this] () {
             updateOkButton();
         });
         connect(combo, QOverload<int>::of(&QComboBox::currentIndexChanged), q, [this] () {
             updateOkButton();
         });
 
         return comboWidget;
     }
 
     void setSigningKeys(std::vector<GpgME::Key> preferredKeys, std::vector<GpgME::Key> alternativeKeys)
     {
         auto group = new QGroupBox(i18nc("Caption for signing key selection", "Confirm identity '%1' as:", mSender));
         group->setAlignment(Qt::AlignLeft);
         auto sigLayout = new QVBoxLayout(group);
 
         const bool mayNeedOpenPGP = mForcedProtocol != CMS;
         const bool mayNeedCMS = mForcedProtocol != OpenPGP;
         if (mayNeedOpenPGP) {
             if (mAllowMixed) {
                 sigLayout->addWidget(new QLabel(Formatting::displayName(OpenPGP)));
             }
             const Key preferredKey = findfirstKeyOfType(preferredKeys, OpenPGP);
             const Key alternativeKey = findfirstKeyOfType(alternativeKeys, OpenPGP);
             if (!preferredKey.isNull()) {
                 qCDebug(LIBKLEO_LOG) << "setSigningKeys - creating signing combo for" << preferredKey;
                 auto comboWidget = createSigningCombo(mSender, preferredKey);
                 sigLayout->addWidget(comboWidget);
             } else if (!alternativeKey.isNull()) {
                 qCDebug(LIBKLEO_LOG) << "setSigningKeys - creating signing combo for" << alternativeKey;
                 auto comboWidget = createSigningCombo(mSender, alternativeKey);
                 sigLayout->addWidget(comboWidget);
             } else {
                 qCDebug(LIBKLEO_LOG) << "setSigningKeys - creating signing combo for OpenPGP key";
                 auto comboWidget = createSigningCombo(mSender, Key(), OpenPGP);
                 sigLayout->addWidget(comboWidget);
             }
         }
         if (mayNeedCMS) {
             if (mAllowMixed) {
                 sigLayout->addWidget(new QLabel(Formatting::displayName(CMS)));
             }
             const Key preferredKey = findfirstKeyOfType(preferredKeys, CMS);
             const Key alternativeKey = findfirstKeyOfType(alternativeKeys, CMS);
             if (!preferredKey.isNull()) {
                 qCDebug(LIBKLEO_LOG) << "setSigningKeys - creating signing combo for" << preferredKey;
                 auto comboWidget = createSigningCombo(mSender, preferredKey);
                 sigLayout->addWidget(comboWidget);
             } else if (!alternativeKey.isNull()) {
                 qCDebug(LIBKLEO_LOG) << "setSigningKeys - creating signing combo for" << alternativeKey;
                 auto comboWidget = createSigningCombo(mSender, alternativeKey);
                 sigLayout->addWidget(comboWidget);
             } else {
                 qCDebug(LIBKLEO_LOG) << "setSigningKeys - creating signing combo for S/MIME key";
                 auto comboWidget = createSigningCombo(mSender, Key(), CMS);
                 sigLayout->addWidget(comboWidget);
             }
         }
 
         mScrollLayout->addWidget(group);
     }
 
     ComboWidget *createEncryptionCombo(const QString &addr, const GpgME::Key &key, Protocol fixedProtocol)
     {
         auto combo = new KeySelectionCombo(false);
         auto comboWidget = new ComboWidget(combo);
 #ifndef NDEBUG
         combo->setObjectName(QStringLiteral("encryption key"));
 #endif
         if (fixedProtocol == GpgME::OpenPGP) {
             combo->setKeyFilter(s_pgpFilter);
         } else if (fixedProtocol == GpgME::CMS) {
             combo->setKeyFilter(s_smimeFilter);
         } else {
             combo->setKeyFilter(s_defaultFilter);
         }
         if (key.isNull() || key_has_addr (key, addr)) {
             comboWidget->setIdFilter(addr);
         }
         comboWidget->setFixedProtocol(fixedProtocol);
         if (!key.isNull()) {
             combo->setDefaultKey(QString::fromLatin1(key.primaryFingerprint()), fixedProtocol);
         }
 
         if (addr == mSender && key.isNull() && fixedProtocol == OpenPGP) {
             combo->appendCustomItem(QIcon::fromTheme(QStringLiteral("document-new")),
                                     i18n("Generate a new key pair"), GenerateKey,
                                     mGenerateTooltip);
         }
 
         combo->appendCustomItem(QIcon::fromTheme(QStringLiteral("emblem-unavailable")),
                 i18n("No key. Recipient will be unable to decrypt."), IgnoreKey,
                 i18nc("@info:tooltip for No Key selected for a specific recipient.",
                         "Do not select a key for this recipient.<br/><br/>"
                         "The recipient will receive the encrypted E-Mail, but it can only "
                         "be decrypted with the other keys selected in this dialog."));
 
         connect(combo, &KeySelectionCombo::currentKeyChanged, q, [this] () {
             updateOkButton();
         });
         connect(combo, QOverload<int>::of(&QComboBox::currentIndexChanged), q, [this] () {
             updateOkButton();
         });
 
         mEncCombos << combo;
         mAllCombos << combo;
         combo->setProperty("address", addr);
         return comboWidget;
     }
 
     void addEncryptionAddr(const QString &addr,
                            Protocol preferredKeysProtocol, const std::vector<GpgME::Key> &preferredKeys,
                            Protocol alternativeKeysProtocol, const std::vector<GpgME::Key> &alternativeKeys,
                            QGridLayout *encGrid)
     {
         if (addr == mSender) {
             const bool mayNeedOpenPGP = mForcedProtocol != CMS;
             const bool mayNeedCMS = mForcedProtocol != OpenPGP;
             if (mayNeedOpenPGP) {
                 if (mAllowMixed) {
                     encGrid->addWidget(new QLabel(Formatting::displayName(OpenPGP)), encGrid->rowCount(), 0);
                 }
                 for (const auto &key : preferredKeys) {
                     if (key.protocol() == OpenPGP) {
                         qCDebug(LIBKLEO_LOG) << "setEncryptionKeys -" << addr << "- creating encryption combo for" << key;
                         auto comboWidget = createEncryptionCombo(addr, key, OpenPGP);
                         encGrid->addWidget(comboWidget, encGrid->rowCount(), 0, 1, 2);
                     }
                 }
                 for (const auto &key : alternativeKeys) {
                     if (key.protocol() == OpenPGP) {
                         qCDebug(LIBKLEO_LOG) << "setEncryptionKeys -" << addr << "- creating encryption combo for" << key;
                         auto comboWidget = createEncryptionCombo(addr, key, OpenPGP);
                         encGrid->addWidget(comboWidget, encGrid->rowCount(), 0, 1, 2);
                     }
                 }
                 if (!anyKeyHasProtocol(preferredKeys, OpenPGP) && !anyKeyHasProtocol(alternativeKeys, OpenPGP)) {
                     qCDebug(LIBKLEO_LOG) << "setEncryptionKeys -" << addr << "- creating encryption combo for OpenPGP key";
                     auto comboWidget = createEncryptionCombo(addr, GpgME::Key(), OpenPGP);
                     encGrid->addWidget(comboWidget, encGrid->rowCount(), 0, 1, 2);
                 }
             }
             if (mayNeedCMS) {
                 if (mAllowMixed) {
                     encGrid->addWidget(new QLabel(Formatting::displayName(CMS)), encGrid->rowCount(), 0);
                 }
                 for (const auto &key : preferredKeys) {
                     if (key.protocol() == CMS) {
                         qCDebug(LIBKLEO_LOG) << "setEncryptionKeys -" << addr << "- creating encryption combo for" << key;
                         auto comboWidget = createEncryptionCombo(addr, key, CMS);
                         encGrid->addWidget(comboWidget, encGrid->rowCount(), 0, 1, 2);
                     }
                 }
                 for (const auto &key : alternativeKeys) {
                     if (key.protocol() == CMS) {
                         qCDebug(LIBKLEO_LOG) << "setEncryptionKeys -" << addr << "- creating encryption combo for" << key;
                         auto comboWidget = createEncryptionCombo(addr, key, CMS);
                         encGrid->addWidget(comboWidget, encGrid->rowCount(), 0, 1, 2);
                     }
                 }
                 if (!anyKeyHasProtocol(preferredKeys, CMS) && !anyKeyHasProtocol(alternativeKeys, CMS)) {
                     qCDebug(LIBKLEO_LOG) << "setEncryptionKeys -" << addr << "- creating encryption combo for S/MIME key";
                     auto comboWidget = createEncryptionCombo(addr, GpgME::Key(), CMS);
                     encGrid->addWidget(comboWidget, encGrid->rowCount(), 0, 1, 2);
                 }
             }
         } else {
             encGrid->addWidget(new QLabel(addr), encGrid->rowCount(), 0);
 
             for (const auto &key : preferredKeys) {
                 qCDebug(LIBKLEO_LOG) << "setEncryptionKeys -" << addr << "- creating encryption combo for" << key;
                 auto comboWidget = createEncryptionCombo(addr, key, preferredKeysProtocol);
                 encGrid->addWidget(comboWidget, encGrid->rowCount(), 0, 1, 2);
             }
             for (const auto &key : alternativeKeys) {
                 qCDebug(LIBKLEO_LOG) << "setEncryptionKeys -" << addr << "- creating encryption combo for" << key;
                 auto comboWidget = createEncryptionCombo(addr, key, alternativeKeysProtocol);
                 encGrid->addWidget(comboWidget, encGrid->rowCount(), 0, 1, 2);
             }
             if (!mAllowMixed) {
                 if (preferredKeys.empty()) {
                     qCDebug(LIBKLEO_LOG) << "setEncryptionKeys -" << addr << "- creating encryption combo for" << Formatting::displayName(preferredKeysProtocol) << "key";
                     auto comboWidget = createEncryptionCombo(addr, GpgME::Key(), preferredKeysProtocol);
                     encGrid->addWidget(comboWidget, encGrid->rowCount(), 0, 1, 2);
                 }
                 if (alternativeKeys.empty() && alternativeKeysProtocol != UnknownProtocol) {
                     qCDebug(LIBKLEO_LOG) << "setEncryptionKeys -" << addr << "- creating encryption combo for" << Formatting::displayName(alternativeKeysProtocol) << "key";
                     auto comboWidget = createEncryptionCombo(addr, GpgME::Key(), alternativeKeysProtocol);
                     encGrid->addWidget(comboWidget, encGrid->rowCount(), 0, 1, 2);
                 }
             } else {
                 if (preferredKeys.empty() && alternativeKeys.empty()) {
                     qCDebug(LIBKLEO_LOG) << "setEncryptionKeys -" << addr << "- creating encryption combo for any key";
                     auto comboWidget = createEncryptionCombo(addr, GpgME::Key(), UnknownProtocol);
                     encGrid->addWidget(comboWidget, encGrid->rowCount(), 0, 1, 2);
                 }
             }
         }
     }
 
     void setEncryptionKeys(Protocol preferredKeysProtocol, const QMap<QString, std::vector<GpgME::Key>> &preferredKeys,
                            Protocol alternativeKeysProtocol, const QMap<QString, std::vector<GpgME::Key>> &alternativeKeys)
     {
         {
             auto group = new QGroupBox(i18nc("Encrypt to self (email address):", "Encrypt to self (%1):", mSender));
             group->setAlignment(Qt::AlignLeft);
             auto encGrid = new QGridLayout(group);
 
             addEncryptionAddr(mSender, preferredKeysProtocol, preferredKeys.value(mSender), alternativeKeysProtocol, alternativeKeys.value(mSender), encGrid);
 
             mScrollLayout->addWidget(group);
         }
 
         auto group = new QGroupBox(i18n("Encrypt to others:"));
         group->setAlignment(Qt::AlignLeft);
         auto encGrid = new QGridLayout;
         group->setLayout(encGrid);
         mScrollLayout->addWidget(group);
 
         for (auto it = std::begin(preferredKeys); it != std::end(preferredKeys); ++it) {
             const auto &address = it.key();
             const auto &keys = it.value();
             if (address != mSender) {
                 addEncryptionAddr(address, preferredKeysProtocol, keys, alternativeKeysProtocol, alternativeKeys.value(address), encGrid);
             }
         }
 
         encGrid->setColumnStretch(1, -1);
         mScrollLayout->addStretch(-1);
     }
 
     void updateOkButton()
     {
         static QString origOkText = mOkButton->text();
         bool isGenerate = false;
         bool isAllIgnored = true;
         // Check if generate is selected.
         for (auto combo: mAllCombos) {
             auto act = combo->currentData(Qt::UserRole).toInt();
             if (act == GenerateKey) {
                 mOkButton->setText(i18n("Generate"));
                 isGenerate = true;
             }
             if (act != IgnoreKey) {
                 isAllIgnored = false;
             }
         }
 
         // If we don't encrypt the ok button is always enabled. But otherwise
         // we only enable it if we encrypt to at least one recipient.
         if (!mEncrypt) {
             mOkButton->setEnabled(true);
         } else {
             mOkButton->setEnabled(!isAllIgnored);
         }
 
         if (!isGenerate) {
             mOkButton->setText(origOkText);
         }
 
         if (Formatting::complianceMode() != QLatin1String("de-vs")) {
             return;
         }
 
         // Handle compliance
         bool de_vs = true;
 
         const Protocol protocol = currentProtocol();
 
         for (const auto combo: qAsConst(mEncCombos)) {
             const auto &key = combo->currentKey();
             if (!combo->isVisible()) {
                 continue;
             }
             if (protocol != UnknownProtocol && key.protocol() != protocol) {
                 continue;
             }
             if (!Formatting::isKeyDeVs(key) || keyValidity(key) < GpgME::UserID::Validity::Full) {
                 de_vs = false;
                 break;
             }
         }
         if (de_vs) {
             for (const auto combo: qAsConst(mSigningCombos)) {
                 const auto key = combo->currentKey();
                 if (!combo->isVisible()) {
                     continue;
                 }
                 if (protocol != UnknownProtocol && key.protocol() != protocol) {
                     continue;
                 }
                 if (!Formatting::isKeyDeVs(key) || keyValidity(key) < GpgME::UserID::Validity::Full) {
                     de_vs = false;
                     break;
                 }
             }
         }
 
         mOkButton->setIcon(QIcon::fromTheme(de_vs
                     ? QStringLiteral("security-high")
                     : QStringLiteral("security-medium")));
         mOkButton->setStyleSheet(QStringLiteral("background-color: ") + (de_vs
                     ? QStringLiteral("#D5FAE2")  // KColorScheme(QPalette::Active, KColorScheme::View).background(KColorScheme::PositiveBackground).color().name()
                     : QStringLiteral("#FAE9EB"))); //KColorScheme(QPalette::Active, KColorScheme::View).background(KColorScheme::NegativeBackground).color().name()));
         mComplianceLbl->setText(de_vs
                 ? i18nc("%1 is a placeholder for the name of a compliance mode. E.g. NATO RESTRICTED compliant or VS-NfD compliant",
                     "%1 communication possible.", Formatting::deVsString())
                 : i18nc("%1 is a placeholder for the name of a compliance mode. E.g. NATO RESTRICTED compliant or VS-NfD compliant",
                     "%1 communication not possible.", Formatting::deVsString()));
         mComplianceLbl->setVisible(true);
     }
 
     GpgME::Protocol mForcedProtocol;
     QList<KeySelectionCombo *> mSigningCombos;
     QList<KeySelectionCombo *> mEncCombos;
     QList<KeySelectionCombo *> mAllCombos;
     QScrollArea *mScrollArea;
     QVBoxLayout *mScrollLayout;
     QPushButton *mOkButton;
     QVBoxLayout *mMainLay;
     QButtonGroup *mFormatBtns;
     QString mSender;
     bool mSign;
     bool mEncrypt;
     bool mAllowMixed;
     NewKeyApprovalDialog *q;
     QList <QGpgME::Job *> mRunningJobs;
     GpgME::Error mLastError;
     QLabel *mComplianceLbl;
     KeyResolver::Solution mAcceptedResult;
     QString mGenerateTooltip;
 };
 
 NewKeyApprovalDialog::NewKeyApprovalDialog(bool encrypt,
                                            bool sign,
                                            const QString &sender,
                                            KeyResolver::Solution preferredSolution,
                                            KeyResolver::Solution alternativeSolution,
                                            bool allowMixed,
                                            GpgME::Protocol forcedProtocol,
                                            QWidget *parent,
                                            Qt::WindowFlags f)
     : QDialog(parent, f)
     , d{std::make_unique<Private>(this, encrypt, sign, forcedProtocol, preferredSolution.protocol, sender, allowMixed)}
 {
     if (sign) {
         d->setSigningKeys(std::move(preferredSolution.signingKeys), std::move(alternativeSolution.signingKeys));
     }
     if (encrypt) {
-        d->setEncryptionKeys(preferredSolution.protocol, std::move(preferredSolution.encryptionKeys),
-                             alternativeSolution.protocol, std::move(alternativeSolution.encryptionKeys));
+        d->setEncryptionKeys(allowMixed ? UnknownProtocol : preferredSolution.protocol, std::move(preferredSolution.encryptionKeys),
+                             allowMixed ? UnknownProtocol : alternativeSolution.protocol, std::move(alternativeSolution.encryptionKeys));
     }
     d->updateWidgetVisibility();
     d->updateOkButton();
 
     const auto size = sizeHint();
     const auto desk = QApplication::desktop()->screenGeometry(this);
     resize(QSize(desk.width() / 3, qMin(size.height(), desk.height() / 2)));
 }
 
 Kleo::NewKeyApprovalDialog::~NewKeyApprovalDialog() = default;
 
 KeyResolver::Solution NewKeyApprovalDialog::result()
 {
     return d->mAcceptedResult;
 }
 
 #include "newkeyapprovaldialog.moc"