I decided to try a little experiment, using Windows (rather than PGP) style certs and keys. Using Microsoft utilities makecert.exe and pvk2pfx.exe, I created a public/private keypair file called test2.pfx. I imported it into GPG4Win. It asked me a number of questions, including if I trusted the CA (certificate authority) which issued the certificate. The import was performed from within Kleopatra. After again using Kleopatra to delete the imported public/private keypair, and importing the same pfx file again, it no longer asked me if I trusted the CA. It kept the same settings as before. Even after closing Kleopatra and reopening it and repeating the experiment of deleting and re-importing the pfx file, it still seemed to remember my trust setting (trusted or untrusted) for the CA that issued it (which of course is myself). It never asked me again, until I went into the “C:\Users\MyName\AppData\Roaming\gnupg” folder and manually deleted the metadata which described the per-certificate trust settings. Since I didn’t know which file held the metadata in question, I just deleted all the files in the folder (which of course caused me to lose all keys in GPG4Win, including ones I wanted to keep).
Now you guys need to add a feature in the Kleopatra GUI (or in GPG4Win itself if it doesn’t currently support this) to completely expunge all metadata associated with a particular key or certificate when you delete that key or certificate. Not sure if this problem also exists with PGP keys/certs or only when handling Windows keys/certs, but it should be possible to wipe all traces of either a given PGP or a given Windows public or private key from within the GPG4Win system, when you delete that key or certificate from within Kleopatra.
Otherwise it clearly leaks info about what you’ve done in the past with the GPG4Win software. When you delete something, and references to it remain in other files, that’s a potential security hazard. An adversary could potentially use this information to their advantage.
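For anyone who hits the same behaviour, here is an added example (written for this page, not code from the original post or from the GnuPG/Gpg4win project) that removes only the CA trust decision while leaving the keyrings alone: on Windows the "do you trust this CA" answer is recorded by gpg-agent in trustlist.txt inside the gnupg profile folder, one fingerprint per line. It assumes the standard %APPDATA%\gnupg location from the post, takes the CA fingerprint as shown in Kleopatra as a parameter, and the default fingerprint value below is a constructed placeholder.

```powershell
# Added example (not from the original post): remove a single CA trust entry
# from gpg-agent's trustlist.txt instead of wiping the whole gnupg folder.
param(
    # Fingerprint of the CA certificate as shown in Kleopatra (hex, colons optional).
    # The default below is a CONSTRUCTED placeholder, not a real fingerprint.
    [string]$CaFingerprint = "0000000000000000000000000000000000000000",
    # Standard per-user GnuPG home on Windows; override if GNUPGHOME is set.
    [string]$GnupgHome = (Join-Path $env:APPDATA "gnupg")
)

$trustList = Join-Path $GnupgHome "trustlist.txt"
if (-not (Test-Path $trustList)) {
    Write-Host "No trustlist.txt found in $GnupgHome; nothing to do."
    return
}

# 1. Back up the whole profile first, so keyrings are never lost by accident.
$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$backup = "$GnupgHome-backup-$stamp"
Copy-Item -Path $GnupgHome -Destination $backup -Recurse
Write-Host "Backed up profile to $backup"

# 2. Normalise the fingerprint (trustlist.txt stores upper-case hex, optionally
#    colon-separated) so the comparison does not depend on formatting.
$wanted = ($CaFingerprint -replace "[:\s]", "").ToUpperInvariant()

# 3. Keep every line except the ones that record a decision for this CA.
#    A line is "FINGERPRINT [flags]"; a leading "!" marks an explicit
#    "not trusted" decision, and comments start with "#".
$kept    = @()
$removed = 0
foreach ($line in Get-Content $trustList) {
    $trimmed = $line.Trim()
    if ($trimmed -eq "" -or $trimmed.StartsWith("#")) { $kept += $line; continue }
    $fpr = (($trimmed.TrimStart("!") -split "\s+")[0] -replace ":", "").ToUpperInvariant()
    if ($fpr -eq $wanted) { $removed++ } else { $kept += $line }
}
Set-Content -Path $trustList -Value $kept -Encoding ASCII
Write-Host "Removed $removed trust entries for $wanted"

# 4. gpg-agent caches the trust list; ask it to re-read the file.
& gpgconf --reload gpg-agent
```

After this runs, re-importing the same .pfx should prompt for the CA trust decision again, and the backup folder can be deleted once the other keys are confirmed intact.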