
Windows: Encrypted mails
Closed, ResolvedPublic

Description

We need support for sending and receiving encrypted emails.
This also includes Kleopatra to manage keys.

Details

Ticket Type
Task

Event Timeline

mollekopf assigned this task to knauss.
mollekopf raised the priority of this task from to 60.
mollekopf raised the priority of this task from 60 to Unbreak Now!.
mollekopf updated the task description. (Show Details)
mollekopf added projects: KDE PIM, Restricted Project.
mollekopf changed Ticket Type from Task to Task.
mollekopf subscribed.
knauss moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Aug 6 2015, 1:34 PM
knauss subscribed.
  • kmail -> settings -> identity -> crypto -> select key
  • starting kleopatra -> selftest complains about too old gpgsm (SMIME) -> and too old gpgconf

GPG:

  • can create a gpg keypair
  • can search for gpgkeys (mail@sandroknauss.de)
  • cannot import them
  • can select keys for encrypt/sign
  • can create encrypted and signed emails
  • can read the self-created mails
  • can import gpg keys via GPA and use them in kmail afterwards

SMIME:

  • could not create SMIME keypair

With the full gpg4win, which includes kleopatra, I can search and import gpg keys.

I think the following apps are missing: gpgsm, gpg-agent, pinentry, gnupg2

knauss moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Aug 6 2015, 3:44 PM

With the version 2015-08-10-12-19 and gpg4win 2.2.0 more works but not everything:

bugs:

  • can't import new certificates (gpg); it always says no certificate imported:
    • settings: add a keyserver (pool.sks-keyserver.net)
    • open "Search for certificate" and search for "knauss@kolabsys.com"
    • see one matching key
    • import that key
    • see a dialog that the key is imported
  • can't see the newly created smime certificate
mollekopf moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Aug 11 2015, 2:04 PM

Note that importing a gpg certificate from a server crashes on linux. Importing from a file works on windows and linux.

It was not possible to change the ownertrust using kleopatra.

After changing the ownertrust using gpg2:

$ gpg2 --edit-key {recipient email address}

trust
5 (select 5 if you ultimately trust the key)
save

KMail was able to verify a signature, but not decrypt a message. So signature verification is working once the key is trusted using openpgp. Decryption is not working.

All of this was tested using gpg4win-vanilla 2.2.0 which contains the same libassuan and gcrypt version as we use in emerge.

To decrypt something using gpg2:

Export secret key:

gpg2 --list-secret-keys
gpg2 --export-secret-keys -a "Christian Mollekopf<cmollekopf@gmail.com>" > cmollekopf.private.key

Import secret key on windows:

gpg2 --allow-secret-key-import --import cmollekopf.private.key

Configure pinentry to be used in C:\Users\kolab\AppData\Roaming\gnupg\gpg-agent.conf:

pinentry-program C:\Program Files (x86)\GNU\GnuPG\pinentry.exe

Start gpg-agent:

gpg-agent.exe --daemon

I had to start it twice until I've seen "set GPG_AGENT_INFO=C:\Users\kolab\AppData\Roaming\gnupg\S.gpg-agent;4756;1" in the output.

Then decrypt the file:

gpg2.exe --decrypt C:\Users\kolab\Desktop\encrypted.pgp

Encrypted.pgp contains a copy-paste out of the MIME message of the encrypted part (including begin/end signatures).

This will trigger a password dialog and the decryption then succeeds.

And with all of that working decryption in kmail works as well.

Well, I never had problems with kmail encrypting/decrypting emails. I think the main issue is the ownertrust/permission issue. Because if gpg detects that the permissions are too open and/or the ownertrust is not correct, then gpg-agent is not started automatically and gnupg complains about that and does nothing.

In my tests the permission/ownertrust was set up correctly if I restarted windows and relogged into linux to give gpg-agent the possibility to start. As far as I know it is only triggered by login.
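As an added example (not code from this task or from KMail/Kleopatra), a small Python check for the ownertrust problem discussed in the two comments above: it parses the colon-separated listing that `gpg2 --list-keys --with-colons` prints and flags keys whose validity is not full or ultimate, the state in which gpg2 asks whether to use the key anyway and a non-interactive caller such as a mail client gets a failure instead. The listing, key IDs and user IDs are constructed placeholders; the field positions follow GnuPG's documented colon format.

```python
# Report OpenPGP keys whose validity would block encryption from a mail client.
# Parses the colon-separated listing printed by `gpg2 --list-keys --with-colons`
# (fields: 1 record type, 2 validity, 5 key ID, 9 ownertrust, 10 user ID).
# The sample listing is constructed for this example; key IDs are placeholders.

# GnuPG single-letter validity / ownertrust codes.
TRUST_NAMES = {"-": "unknown", "q": "undefined", "n": "never", "m": "marginal",
               "f": "full", "u": "ultimate", "e": "expired", "r": "revoked"}
USABLE = {"f", "u"}  # validity at which gpg2 encrypts without a "use anyway?" prompt

SAMPLE_LISTING = """\
tru::1:1439290000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1439280000:::u:::scESC:
uid:u::::1439280000::0000000000000000000000000000000000000000::Alice Example <alice@example.com>:
sub:u:2048:1:FEDCBA9876543210:1439280000::::::e:
pub:-:2048:1:1122334455667788:1439280000:::-:::scESC:
uid:-::::1439280000::1111111111111111111111111111111111111111::Bob Example <bob@example.com>:
sub:-:2048:1:8877665544332211:1439280000::::::e:
"""

def parse_keys(listing):
    """Return one dict per primary key: keyid, validity, ownertrust, uids."""
    keys, current = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = {"keyid": fields[4], "validity": fields[1],
                       "ownertrust": fields[8], "uids": []}
            keys.append(current)
        elif fields[0] == "uid" and current is not None:
            current["uids"].append(fields[9])
    return keys

def unusable_keys(listing):
    """Keys that need `gpg2 --edit-key <id>`, trust, save before KMail can encrypt to them."""
    return [k for k in parse_keys(listing) if k["validity"] not in USABLE]

def report(listing):
    """One readable line per key, marking those whose ownertrust still has to be set."""
    out = []
    for k in parse_keys(listing):
        state = "ok" if k["validity"] in USABLE else "NEEDS TRUST"
        out.append("%s %s validity=%s ownertrust=%s %s" % (
            k["keyid"], k["uids"][0] if k["uids"] else "<no uid>",
            TRUST_NAMES.get(k["validity"], k["validity"]),
            TRUST_NAMES.get(k["ownertrust"], k["ownertrust"]), state))
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING)))
```

Feeding it the real output of `gpg2 --list-keys --with-colons` instead of SAMPLE_LISTING shows which recipient keys still need the trust/save step from the earlier comment.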

petersen added a project: Restricted Project. Aug 18 2015, 9:47 AM
petersen moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

smime:

  • you need to create a PKCS12 for import into kleopatra

http://serverfault.com/questions/103263/can-i-create-my-own-s-mime-certificate-for-email-encryption

  • that PKCS12 can be imported via kleopatra, but the trusted issuer is not set to ultimate after import

Marking it as trusted can be done by manually editing the file ~/.gnupg/trustlist.txt (there are instructions on the top) or by putting a line "allow-mark-trusted" into ~/.gnupg/gpg-agent.conf and giving gpg-agent a HUP. With allow-mark-trusted active, gpg-agent will ask you whether you trust that root certificate and insert it for you into the trustlist.txt.

https://lists.gnupg.org/pipermail/gnupg-users/2009-February/035754.html

  • the documentation for kleopatra also mentions these things:

https://docs.kde.org/stable4/en/kdepim/kleopatra/menucertificates.html

Until now I did not get my self-signed certificate shown as trust ultimate :(

What about the tests inside kdepim, especially messageviewer/rendertest? This one tests smime and gpg encrypted/signed messages.

In T678#9584, @knauss wrote:

What about the tests inside kdepim, especially messageviewer/rendertest? This one tests smime and gpg encrypted/signed messages.

Never got them to run anywhere (also not linux).

With "disable-crl-checks" in .gnupg/gpgsm.conf I managed to use my self-signed certificate and encrypt/decrypt an email on linux.
disable-crl-checks is only necessary because the certificate I created has no crl list (crlDP: [none] in the dump).

And what is the problem on windows with setting this parameter?

The rendertests I use on linux a lot, and they actually make sure that the encrypted/signed mails are displayed correctly. At least I was using them before we switched to docker based testing. So I know they are working.

The test just got stuck for me.

smime on windows is also working once the "Never consult a CRL" option is activated in Kleopatra (which is the disable-crl-checks option in the config file). With that it's possible to select the certificate, and to encrypt/decrypt and sign a message.

Importing the keys directly trusted the root certificate and imported it into the trustlist.txt.

mollekopf moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Aug 21 2015, 10:44 AM
petersen moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board. Aug 31 2015, 6:09 PM