Merge branch 'STABLE-BRANCH-2-4' into master

2025-02-07 17:33:02 +01:00 · 2023-07-04 17:37:54 +02:00 · 2023-07-04 17:37:54 +02:00 · 334f5d95c8
commit 334f5d95c8
parent b5efb52d43 2378ccf97c
89 changed files with 3260 additions and 1400 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -18,8 +18,8 @@
 ## Process this file with automake to produce Makefile.in
-# To include the wixlibs for building an MSI installer in a release use
+# We want to also build the wixlib for use by GnuPG Desktop
-#   make release WITH_MSI=1
+WITH_MSI=1
 # Location of the released tarball archives.  This is prefixed by
 # the variable RELEASE_ARCHIVE in ~/.gnupg-autogen.rc.  For example:
--- a/66
+++ b/66
@ -2,9 +2,75 @@ Noteworthy changes in version 2.5.0 (unreleased)
 ------------------------------------------------
  Changes also found in 2.4.3:
  * gpg: Set default expiration date to 3 years.  [T2701]
  * gpg: Add --list-filter properties "key_expires" and
     "key_expires_d".  [T6529]
  * gpg: Emit status line and proper diagnostics for write errors.
    [T6528]
  * gpg: Make progress work for large files on Windows.  [T6534]
  * gpg: New option --no-compress as alias for -z0.
  * gpgsm: Print PROGRESS status lines.  Add new --input-size-hint.
    [T6534]
  * gpgsm: Support SENDCERT_SKI for --call-dirmngr.  [rG701a8b30f0]
  * gpgsm: Major rewrite of the PKCS#12 parser.  [T6536]
  * gpgtar: New option --no-compress.
  * dirmngr: Extend the AD_QUERY command.  [rG207c99567c]
  * dirmngr: Disable the HTTP redirect rewriting.  [T6477]
  * dirmngr: New option --compatibility-flags.  [rGbf04b07327]
  * dirmngr: New option --ignore-crl-extensions.  [T6545]
  * wkd: Use export-clean for gpg-wks-client's --mirror and --create
    commands.  [rG2c7f7a5a27]
  * wkd: Make --add-revocs the default in gpg-wks-client.  New option
    --no-add-revocs.  [rG10c937ee68]
  * scd: Make signing work for Nexus cards.  [rGb83d86b988]
  * scd: Fix authentication with Administration Key for PIV.
    [rG25b59cf6ce]
  Changes also found in 2.4.2:
  * gpg: Print a warning if no more encryption subkeys are left over
    after changing the expiration date.  [rGef2c3d50fa]
  * gpg: Fix searching for the ADSK key when adding an ADSK.  [T6504]
  * gpgsm: Speed up key listings on Windows.  [rG08ff55bd44]
  * gpgsm: Reduce the number of "failed to open policy file"
    diagnostics.  [rG68613a6a9d]
  * agent: Make updating of private key files more robust and track
    display S/N.  [T6135]
  * keyboxd: Avoid longish delays on Windows when listing keys.
    [rG6944aefa3c]
  * gpgtar: Emit extra status lines to help GPGME.  [T6497]
  * w32: Avoid using the VirtualStore.  [T6403]
 Release dates of 2.4 versions
 -----------------------------
 Version 2.4.3 (2023-07-04) https://dev.gnupg.org/T6509
 Version 2.4.2 (2023-05-30) https://dev.gnupg.org/T6506
 Version 2.4.1 (2023-04-28) https://dev.gnupg.org/T6454
 Version 2.4.0 (2022-12-16) https://dev.gnupg.org/T6302
--- a/agent/call-daemon.c
+++ b/agent/call-daemon.c
@ -153,6 +153,8 @@ wait_child_thread (void *arg)
                      name, WSTOPSIG (wstatus));
          goto again;
        }
      assuan_set_flag (g->primary_ctx, ASSUAN_NO_WAITPID, 1);
    }
 #endif /*!HAVE_W32_SYSTEM*/
@ -166,8 +168,6 @@ wait_child_thread (void *arg)
    }
  else
    {
      assuan_set_flag (g->primary_ctx, ASSUAN_NO_WAITPID, 1);
      for (sl = g->local_list; sl; sl = sl->next_local)
        {
          sl->invalid = 1;
--- a/build-aux/speedo.mk
+++ b/build-aux/speedo.mk
@ -1543,10 +1543,8 @@ sign-installer:
 	 if [ -f "$${msifile}" ]; then \
 	   $(call MKSWDB_commands,$${msifile},$${reldate},"wixlib_"); \
 	 fi; \
-	 echo "speedo: /*" ;\
+	 echo "speedo: /* (osslsigncode verify disabled) */" ;\
-	 echo "speedo:  * Verification result" ;\
+	 echo osslsigncode verify $${exefile} \
 	 echo "speedo:  */" ;\
         osslsigncode verify $${exefile} \
 	)
--- a/common/iobuf.c
+++ b/common/iobuf.c
@ -505,7 +505,8 @@ file_filter (void *opaque, int control, iobuf_t chain, byte * buf,
 	      if (ec != ERROR_BROKEN_PIPE)
 		{
 		  rc = gpg_error_from_errno (ec);
-		  log_error ("%s: read error: ec=%d\n", a->fname, ec);
+		  log_error ("%s: read error: %s (ec=%d)\n",
                             a->fname, gpg_strerror (rc), ec);
 		}
 	    }
 	  else if (!nread)
@ -573,9 +574,10 @@ file_filter (void *opaque, int control, iobuf_t chain, byte * buf,
 	    {
 	      if (size && !WriteFile (f, p, nbytes, &n, NULL))
 		{
-		  int ec = (int) GetLastError ();
+		  int ec = gnupg_w32_set_errno (-1);
-		  rc = gpg_error_from_errno (ec);
+		  rc = gpg_error_from_syserror ();
-		  log_error ("%s: write error: ec=%d\n", a->fname, ec);
+		  log_error ("%s: write error: %s (ec=%d)\n",
                             a->fname, gpg_strerror (rc), ec);
 		  break;
 		}
 	      p += n;
@ -634,7 +636,8 @@ file_filter (void *opaque, int control, iobuf_t chain, byte * buf,
          if (ec != ERROR_BROKEN_PIPE)
            {
              rc = gpg_error_from_errno (ec);
-              log_error ("%s: read error: ec=%d\n", a->fname, ec);
+              log_error ("%s: read error: %s (ec=%d)\n",
                         a->fname, gpg_strerror (rc), ec);
            }
          a->npeeked = 0;
        }
@ -883,7 +886,8 @@ sock_filter (void *opaque, int control, iobuf_t chain, byte * buf,
 	      if (n == SOCKET_ERROR)
 		{
 		  int ec = (int) WSAGetLastError ();
-		  rc = gpg_error_from_errno (ec);
+		  gnupg_w32_set_errno (ec);
 		  rc = gpg_error_from_syserror ();
 		  log_error ("socket write error: ec=%d\n", ec);
 		  break;
 		}
@ -2606,13 +2610,10 @@ iobuf_set_limit (iobuf_t a, off_t nlimit)
 }
-
+/* Return the length of the file behind A.  If there is no file, return 0. */
-off_t
+uint64_t
-iobuf_get_filelength (iobuf_t a, int *overflow)
+iobuf_get_filelength (iobuf_t a)
 {
  if (overflow)
    *overflow = 0;
  /* Hmmm: file_filter may have already been removed */
  for ( ; a->chain; a = a->chain )
    ;
@ -2625,56 +2626,18 @@ iobuf_get_filelength (iobuf_t a, int *overflow)
    gnupg_fd_t fp = b->fp;
 #if defined(HAVE_W32_SYSTEM)
-    ulong size;
+    LARGE_INTEGER exsize;
    static int (* __stdcall get_file_size_ex) (void *handle,
 					       LARGE_INTEGER *r_size);
    static int get_file_size_ex_initialized;
-    if (!get_file_size_ex_initialized)
+    if (GetFileSizeEx (fp, &exsize))
-      {
+      return exsize.QuadPart;
 	void *handle;
 	handle = dlopen ("kernel32.dll", RTLD_LAZY);
 	if (handle)
 	  {
 	    get_file_size_ex = dlsym (handle, "GetFileSizeEx");
 	    if (!get_file_size_ex)
 	      dlclose (handle);
 	  }
 	get_file_size_ex_initialized = 1;
      }
    if (get_file_size_ex)
      {
 	/* This is a newer system with GetFileSizeEx; we use this
 	   then because it seem that GetFileSize won't return a
 	   proper error in case a file is larger than 4GB. */
 	LARGE_INTEGER exsize;
 	if (get_file_size_ex (fp, &exsize))
 	  {
 	    if (!exsize.u.HighPart)
 	      return exsize.u.LowPart;
 	    if (overflow)
 	      *overflow = 1;
 	    return 0;
 	  }
      }
    else
      {
 	if ((size=GetFileSize (fp, NULL)) != 0xffffffff)
 	  return size;
      }
    log_error ("GetFileSize for handle %p failed: %s\n",
 	       fp, w32_strerror (-1));
 #else /*!HAVE_W32_SYSTEM*/
-    {
+    struct stat st;
      struct stat st;
-      if ( !fstat (fp, &st) )
+    if ( !fstat (fp, &st) )
-        return st.st_size;
+      return st.st_size;
-      log_error("fstat() failed: %s\n", strerror(errno) );
+    log_error("fstat() failed: %s\n", strerror(errno) );
    }
 #endif /*!HAVE_W32_SYSTEM*/
  }
--- a/common/iobuf.h
+++ b/common/iobuf.h
@ -584,12 +584,8 @@ size_t iobuf_temp_to_buffer (iobuf_t a, byte * buffer, size_t buflen);
 size_t iobuf_copy (iobuf_t dest, iobuf_t source);
 /* Return the size of any underlying file.  This only works with
-   file_filter based pipelines.
+   file_filter based pipelines.  */
-
+uint64_t iobuf_get_filelength (iobuf_t a);
   On Win32, it is sometimes not possible to determine the size of
   files larger than 4GB.  In this case, *OVERFLOW (if not NULL) is
   set to 1.  Otherwise, *OVERFLOW is set to 0.  */
 off_t iobuf_get_filelength (iobuf_t a, int *overflow);
 #define IOBUF_FILELENGTH_LIMIT 0xffffffff
 /* Return the file descriptor designating the underlying file.  This
--- a/common/ksba-io-support.c
+++ b/common/ksba-io-support.c
@ -1,6 +1,6 @@
 /* kska-io-support.c - Supporting functions for ksba reader and writer
 * Copyright (C) 2001-2005, 2007, 2010-2011, 2017  Werner Koch
- * Copyright (C) 2006  g10 Code GmbH
+ * Copyright (C) 2006, 2023  g10 Code GmbH
 *
 * This file is part of GnuPG.
 *
@ -26,6 +26,7 @@
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <https://www.gnu.org/licenses/>.
 * SPDX-License-Identifier: (LGPL-3.0-or-later OR GPL-2.0-or-later)
 */
 #include <config.h>
@ -96,6 +97,15 @@ struct writer_cb_parm_s
  char *pem_name;      /* Malloced.  */
  struct {
    gnupg_ksba_progress_cb_t cb;
    ctrl_t ctrl;
    u32 last_time;		/* last time reported */
    uint64_t last;		/* last amount reported */
    uint64_t current;	        /* current amount */
    uint64_t total;	        /* total amount */
  } progress;
  int wrote_begin;
  int did_finish;
@ -110,6 +120,7 @@ struct writer_cb_parm_s
 /* Context for this module's functions.  */
 struct gnupg_ksba_io_s {
  int is_writer;  /* True if this context refers a writer object.  */
  union {
    struct reader_cb_parm_s rparm;
    struct writer_cb_parm_s wparm;
@ -527,6 +538,33 @@ simple_reader_cb (void *cb_value, char *buffer, size_t count, size_t *nread)
 /* Call the progress callback if its time.  We do this very 2 seconds
 * or if FORCE is set.  However, we also require that at least 64KiB
 * have been written to avoid unnecessary progress lines for small
 * files.  */
 static gpg_error_t
 update_write_progress (struct writer_cb_parm_s *parm, size_t count, int force)
 {
  gpg_error_t err = 0;
  u32 timestamp;
  parm->progress.current += count;
  if (parm->progress.current >= (64*1024))
    {
      timestamp = make_timestamp ();
      if (force || (timestamp - parm->progress.last_time > 1))
        {
          parm->progress.last = parm->progress.current;
          parm->progress.last_time = timestamp;
          err = parm->progress.cb (parm->progress.ctrl,
                                   parm->progress.current,
                                   parm->progress.total);
        }
    }
  return err;
 }
 static int
 base64_writer_cb (void *cb_value, const void *buffer, size_t count)
 {
@ -535,6 +573,8 @@ base64_writer_cb (void *cb_value, const void *buffer, size_t count)
  int i, c, idx, quad_count;
  const unsigned char *p;
  estream_t stream = parm->stream;
  int rc;
  size_t nleft;
  if (!count)
    return 0;
@ -557,7 +597,7 @@ base64_writer_cb (void *cb_value, const void *buffer, size_t count)
  for (i=0; i < idx; i++)
    radbuf[i] = parm->base64.radbuf[i];
-  for (p=buffer; count; p++, count--)
+  for (p=buffer, nleft = count; nleft; p++, nleft--)
    {
      radbuf[idx++] = *p;
      if (idx > 2)
@ -583,7 +623,11 @@ base64_writer_cb (void *cb_value, const void *buffer, size_t count)
  parm->base64.idx = idx;
  parm->base64.quad_count = quad_count;
-  return es_ferror (stream)? gpg_error_from_syserror () : 0;
+  rc = es_ferror (stream)? gpg_error_from_syserror () : 0;
  /* Note that we use the unencoded count for the progress.  */
  if (!rc && parm->progress.cb)
    rc = update_write_progress (parm, count, 0);
  return rc;
 }
@ -594,13 +638,16 @@ plain_writer_cb (void *cb_value, const void *buffer, size_t count)
 {
  struct writer_cb_parm_s *parm = cb_value;
  estream_t stream = parm->stream;
  int rc;
  if (!count)
    return 0;
  es_write (stream, buffer, count, NULL);
-
+  rc = es_ferror (stream)? gpg_error_from_syserror () : 0;
-  return es_ferror (stream)? gpg_error_from_syserror () : 0;
+  if (!rc && parm->progress.cb)
    rc = update_write_progress (parm, count, 0);
  return rc;
 }
@ -610,6 +657,7 @@ base64_finish_write (struct writer_cb_parm_s *parm)
  unsigned char *radbuf;
  int c, idx, quad_count;
  estream_t stream = parm->stream;
  int rc;
  if (!parm->wrote_begin)
    return 0; /* Nothing written or we are not called in base-64 mode. */
@ -656,7 +704,10 @@ base64_finish_write (struct writer_cb_parm_s *parm)
      es_fputs ("-----\n", stream);
    }
-  return es_ferror (stream)? gpg_error_from_syserror () : 0;
+  rc = es_ferror (stream)? gpg_error_from_syserror () : 0;
  if (!rc && parm->progress.cb)
    rc = update_write_progress (parm, 0, 1);
  return rc;
 }
@ -788,6 +839,7 @@ gnupg_ksba_create_writer (gnupg_ksba_io_t *ctx, unsigned int flags,
  *ctx = xtrycalloc (1, sizeof **ctx);
  if (!*ctx)
    return gpg_error_from_syserror ();
  (*ctx)->is_writer = 1;
  rc = ksba_writer_new (&w);
  if (rc)
@ -865,3 +917,37 @@ gnupg_ksba_destroy_writer (gnupg_ksba_io_t ctx)
  xfree (ctx->u.wparm.pem_name);
  xfree (ctx);
 }
 /* Set a callback to the writer object.  CTRL will be bassed to the
 * callback.  */
 void
 gnupg_ksba_set_progress_cb (gnupg_ksba_io_t ctx,
                            gnupg_ksba_progress_cb_t cb, ctrl_t ctrl)
 {
  struct writer_cb_parm_s *parm;
  if (!ctx || !ctx->is_writer)
    return; /* Currently only supported for writer objects.  */
  parm = &ctx->u.wparm;
  parm->progress.cb = cb;
  parm->progress.ctrl = ctrl;
  parm->progress.last_time = 0;
  parm->progress.last = 0;
  parm->progress.current = 0;
  parm->progress.total = 0;
 }
 /* Update the total count for the progress thingy.  */
 void
 gnupg_ksba_set_total (gnupg_ksba_io_t ctx, uint64_t total)
 {
  struct writer_cb_parm_s *parm;
  if (!ctx || !ctx->is_writer)
    return; /* Currently only supported for writer objects.  */
  parm = &ctx->u.wparm;
  parm->progress.total = total;
 }
--- a/common/ksba-io-support.h
+++ b/common/ksba-io-support.h
@ -25,6 +25,7 @@
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <https://www.gnu.org/licenses/>.
 * SPDX-License-Identifier: (LGPL-3.0-or-later OR GPL-2.0-or-later)
 */
 #ifndef GNUPG_KSBA_IO_SUPPORT_H
@ -42,6 +43,10 @@
 /* Context object.  */
 typedef struct gnupg_ksba_io_s *gnupg_ksba_io_t;
 /* Progress callback type.  */
 typedef gpg_error_t (*gnupg_ksba_progress_cb_t)(ctrl_t ctrl,
                                                uint64_t current,
                                                uint64_t total);
 gpg_error_t gnupg_ksba_create_reader (gnupg_ksba_io_t *ctx,
@ -57,10 +62,13 @@ gpg_error_t gnupg_ksba_create_writer (gnupg_ksba_io_t *ctx,
                                      const char *pem_name,
                                      estream_t stream,
                                      ksba_writer_t *r_writer);
 gpg_error_t gnupg_ksba_finish_writer (gnupg_ksba_io_t ctx);
 void gnupg_ksba_destroy_writer (gnupg_ksba_io_t ctx);
 void gnupg_ksba_set_progress_cb (gnupg_ksba_io_t ctx,
                                 gnupg_ksba_progress_cb_t cb, ctrl_t ctrl);
 void gnupg_ksba_set_total (gnupg_ksba_io_t ctx, uint64_t total);
--- a/common/name-value.c
+++ b/common/name-value.c
@ -616,7 +616,7 @@ nve_next_value (nve_t entry, const char *name)
 /* Return the string for the first entry in NVC with NAME.  If an
 * entry with NAME is missing in NVC or its value is the empty string
- * NULL is returned.  Note that the The returned string is a pointer
+ * NULL is returned.  Note that the the returned string is a pointer
 * into NVC.  */
 const char *
 nvc_get_string (nvc_t nvc, const char *name)
--- a/common/stringhelp.c
+++ b/common/stringhelp.c
@ -1689,10 +1689,16 @@ format_text (const char *text_in, int target_cols, int max_cols)
 }
-/* Substitute environment variables in STRING and return a new string.
+/* Substitute variables in STRING and return a new string.  GETVAL is
- * On error the function returns NULL.  */
+ * a function which maps NAME to its value; that value is a string
 * which may not change during the execution time of this function.
 * If GETVAL returns NULL substitute_vars returns NULL and the caller
 * may inspect ERRNO for the reason.  In all other error cases this
 * function also returns NULL.  Caller must free the returned string.  */
 char *
-substitute_envvars (const char *string)
+substitute_vars (const char *string,
                 const char *(*getval)(void *cookie, const char *name),
                 void *cookie)
 {
  char *line, *p, *pend;
  const char *value;
@ -1743,19 +1749,22 @@ substitute_envvars (const char *string)
        {
          int save = *pend;
          *pend = 0;
-          value = getenv (p+2);
+          value = getval (cookie, p+2);
          *pend++ = save;
        }
      else
        {
          int save = *pend;
          *pend = 0;
-          value = getenv (p+1);
+          value = getval (cookie, p+1);
          *pend = save;
        }
      if (!value)
-        value = "";
+        {
          xfree (result);
          return NULL;
        }
      valuelen = strlen (value);
      if (valuelen <= pend - p)
        {
@ -1791,3 +1800,26 @@ substitute_envvars (const char *string)
 leave:
  return result;
 }
 /* Helper for substitute_envvars.  */
 static const char *
 subst_getenv (void *cookie, const char *name)
 {
  const char *s;
  (void)cookie;
  s = getenv (name);
  return s? s : "";
 }
 /* Substitute environment variables in STRING and return a new string.
 * On error the function returns NULL.  */
 char *
 substitute_envvars (const char *string)
 {
  return substitute_vars (string, subst_getenv, NULL);
 }
--- a/common/stringhelp.h
+++ b/common/stringhelp.h
@ -169,7 +169,10 @@ int compare_version_strings (const char *my_version, const char *req_version);
 /* Format a string so that it fits within about TARGET_COLS columns.  */
 char *format_text (const char *text, int target_cols, int max_cols);
-/* Substitute environmen variabales in STRING.  */
+/* Substitute variables in STRING.  */
 char *substitute_vars (const char *string,
                       const char *(*getval)(void *cookie, const char *name),
                       void *cookie);
 char *substitute_envvars (const char *string);
--- a/common/sysutils.c
+++ b/common/sysutils.c
@ -327,9 +327,10 @@ map_w32_to_errno (DWORD w32_err)
 #endif /*HAVE_W32_SYSTEM*/
-/* Set ERRNO from the Windows error.  EC may be -1 to use the last error.  */
+/* Set ERRNO from the Windows error.  EC may be -1 to use the last
 * error.  Returns the Windows error code.  */
 #ifdef HAVE_W32_SYSTEM
-void
+int
 gnupg_w32_set_errno (int ec)
 {
  /* FIXME: Replace by gpgrt_w32_set_errno.  */
--- a/common/sysutils.h
+++ b/common/sysutils.h
@ -111,7 +111,7 @@ int gnupg_inotify_has_name (int fd, const char *name);
 #ifdef HAVE_W32_SYSTEM
-void gnupg_w32_set_errno (int ec);
+int gnupg_w32_set_errno (int ec);
 void *w32_get_user_sid (void);
 #include "../common/w32help.h"
--- a/common/tlv.c
+++ b/common/tlv.c
@ -150,13 +150,16 @@ find_tlv_unchecked (const unsigned char *buffer, size_t length,
 /* ASN.1 BER parser: Parse BUFFER of length SIZE and return the tag
-   and the length part from the TLV triplet.  Update BUFFER and SIZE
+ * and the length part from the TLV triplet.  Update BUFFER and SIZE
-   on success. */
+ * on success.  Note that this function does not check that the value
 * fits into the provided buffer; this allows to work on the TL part
 * of a TLV. */
 gpg_error_t
 parse_ber_header (unsigned char const **buffer, size_t *size,
                  int *r_class, int *r_tag,
                  int *r_constructed, int *r_ndef,
-                  size_t *r_length, size_t *r_nhdr){
+                  size_t *r_length, size_t *r_nhdr)
 {
  int c;
  unsigned long tag;
  const unsigned char *buf = *buffer;
--- a/dirmngr/crlcache.c
+++ b/dirmngr/crlcache.c
@ -2356,11 +2356,21 @@ crl_cache_insert (ctrl_t ctrl, const char *url, ksba_reader_t reader)
  for (idx=0; !(err=ksba_crl_get_extension (crl, idx, &oid, &critical,
                                              NULL, NULL)); idx++)
    {
      strlist_t sl;
      if (!critical
          || !strcmp (oid, oidstr_authorityKeyIdentifier)
          || !strcmp (oid, oidstr_crlNumber) )
        continue;
      for (sl=opt.ignored_crl_extensions;
           sl && strcmp (sl->d, oid); sl = sl->next)
        ;
      if (sl)
        continue;  /* Is in ignored list.  */
      log_error (_("unknown critical CRL extension %s\n"), oid);
      log_info ("(CRL='%s')\n", url);
      if (!err2)
        err2 = gpg_error (GPG_ERR_INV_CRL);
      invalidate_crl |= INVCRL_UNKNOWN_EXTN;
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@ -147,6 +147,7 @@ enum cmd_and_opt_values {
  oHTTPWrapperProgram,
  oIgnoreCert,
  oIgnoreCertExtension,
  oIgnoreCRLExtension,
  oUseTor,
  oNoUseTor,
  oKeyServer,
@ -159,6 +160,7 @@ enum cmd_and_opt_values {
  oConnectQuickTimeout,
  oListenBacklog,
  oFakeCRL,
  oCompatibilityFlags,
  aTest
 };
@ -223,6 +225,7 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_n (oDisableCheckOwnSocket, "disable-check-own-socket", "@"),
  ARGPARSE_s_s (oIgnoreCert,"ignore-cert", "@"),
  ARGPARSE_s_s (oIgnoreCertExtension,"ignore-cert-extension", "@"),
  ARGPARSE_s_s (oIgnoreCRLExtension,"ignore-crl-extension", "@"),
  ARGPARSE_header ("Network", N_("Network related options")),
@ -297,6 +300,7 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_s (oSocketName, "socket-name", "@"),  /* Only for debugging.  */
  ARGPARSE_s_n (oDebugCacheExpiredCerts, "debug-cache-expired-certs", "@"),
  ARGPARSE_s_s (oCompatibilityFlags, "compatibility-flags", "@"),
  ARGPARSE_header (NULL, ""),  /* Stop the header group.  */
@ -329,6 +333,14 @@ static struct debug_flags_s debug_flags [] =
    { 77, NULL } /* 77 := Do not exit on "help" or "?".  */
  };
 /* The list of compatibility flags.  */
 static struct compatibility_flags_s compatibility_flags [] =
  {
    { COMPAT_RESTRICT_HTTP_REDIR, "restrict-http-redir" },
    { 0, NULL }
  };
 #define DEFAULT_MAX_REPLIES 10
 #define DEFAULT_LDAP_TIMEOUT 15  /* seconds */
@ -699,6 +711,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
          opt.ignored_certs = tmp;
        }
      FREE_STRLIST (opt.ignored_cert_extensions);
      FREE_STRLIST (opt.ignored_crl_extensions);
      http_register_tls_ca (NULL);
      FREE_STRLIST (hkp_cacert_filenames);
      FREE_STRLIST (opt.keyserver);
@ -715,6 +728,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
      opt.debug_cache_expired_certs = 0;
      xfree (opt.fake_crl);
      opt.fake_crl = NULL;
      opt.compat_flags = 0;
      return 1;
    }
@ -811,6 +825,10 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
      add_to_strlist (&opt.ignored_cert_extensions, pargs->r.ret_str);
      break;
    case oIgnoreCRLExtension:
      add_to_strlist (&opt.ignored_crl_extensions, pargs->r.ret_str);
      break;
    case oUseTor:
      tor_mode = TOR_MODE_FORCE;
      break;
@ -882,6 +900,15 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
      opt.fake_crl = *pargs->r.ret_str? xstrdup (pargs->r.ret_str) : NULL;
      break;
    case oCompatibilityFlags:
      if (parse_compatibility_flags (pargs->r.ret_str, &opt.compat_flags,
                                     compatibility_flags))
        {
          pargs->r_opt = ARGPARSE_INVALID_ARG;
          pargs->err = ARGPARSE_PRINT_WARNING;
        }
      break;
    default:
      return 0; /* Not handled. */
    }
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@ -132,6 +132,11 @@ struct
     OID per string.  */
  strlist_t ignored_cert_extensions;
  /* A list of CRL extension OIDs which are ignored so that one can
   * claim that a critical extension has been handled.  One OID per
   * string.  */
  strlist_t ignored_crl_extensions;
  /* Allow expired certificates in the cache.  */
  int debug_cache_expired_certs;
@ -154,6 +159,9 @@ struct
                                       current after nextUpdate. */
  strlist_t keyserver;              /* List of default keyservers.  */
  /* Compatibility flags (COMPAT_FLAG_xxxx).  */
  unsigned int compat_flags;
 } opt;
@ -182,6 +190,18 @@ struct
 #define DBG_EXTPROG (opt.debug & DBG_EXTPROG_VALUE)
 #define DBG_KEEPTMP (opt.debug & DBG_KEEPTMP_VALUE)
 /* Compatibility flags */
 /* Since version 2.2.12 dirmngr restricted HTTP redirection in an
 * attempt to mitigate certain CSRF attacks.  It turned out that this
 * breaks too many WKD deployments and that the attack scenario is not
 * due to gnupg's redirecting but due to insecure configured systems.
 * Thus from 2.4.3 on we disable this restriction but allow to use the
 * old behaviour by using this compatibility flag.  For details see
 * https://dev.gnupg.org/T6477.  */
 #define COMPAT_RESTRICT_HTTP_REDIR   1
 /* A simple list of certificate references.  FIXME: Better use
   certlist_t also for references (Store NULL at .cert) */
 struct cert_ref_s
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@ -3741,10 +3741,11 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
      http_release_parsed_uri (locuri);
      return err;
    }
-  else if (same_host_p (origuri, locuri))
+  else if (!info->restrict_redir || same_host_p (origuri, locuri))
    {
-      /* The host is the same or on an exception list and thus we can
+      /* Take the syntactically correct location or if restrict_redir
-       * take the location verbatim.  */
+       * is set the host is the same or on an exception list and thus
       * we can take the location verbatim.  */
      http_release_parsed_uri (origuri);
      http_release_parsed_uri (locuri);
      newurl = xtrystrdup (location);
@ -3754,7 +3755,7 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
          return err;
        }
    }
-  else
+  else /* Strictly rectricted redirection which we used in the past.  */
    {
      /* We take only the host and port from the URL given in the
       * Location.  This limits the effects of redirection attacks by
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@ -117,6 +117,7 @@ struct http_redir_info_s
  unsigned int silent:1;         /* No diagnostics.                        */
  unsigned int allow_downgrade:1;/* Allow a downgrade from https to http.  */
  unsigned int trust_location:1; /* Trust the received Location header.    */
  unsigned int restrict_redir:1; /* Use legacy restricted redirection.     */
 };
 typedef struct http_redir_info_s http_redir_info_t;
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@ -1242,8 +1242,9 @@ send_request (ctrl_t ctrl, const char *request, const char *hostportstr,
  redirinfo.orig_url   = request;
  redirinfo.orig_onion = uri->onion;
  redirinfo.allow_downgrade = 1;
-  /* FIXME: I am not sure whey we allow a downgrade for hkp requests.
+  /* FIXME: I am not sure why we allow a downgrade for hkp requests.
-   * Needs at least an explanation here..  */
+   * Needs at least an explanation here.  */
  redirinfo.restrict_redir = !!(opt.compat_flags & COMPAT_RESTRICT_HTTP_REDIR);
 once_more:
  err = http_session_new (&session, httphost,
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@ -88,6 +88,7 @@ ks_http_fetch (ctrl_t ctrl, const char *url, unsigned int flags,
  redirinfo.orig_onion = uri->onion;
  redirinfo.orig_https = uri->use_tls;
  redirinfo.allow_downgrade = !!(flags & KS_HTTP_FETCH_ALLOW_DOWNGRADE);
  redirinfo.restrict_redir = !!(opt.compat_flags & COMPAT_RESTRICT_HTTP_REDIR);
  /* By default we only use the system provided certificates with this
   * fetch command.  */
--- a/dirmngr/ks-engine-ldap.c
+++ b/dirmngr/ks-engine-ldap.c
@ -26,6 +26,13 @@
 #include <unistd.h>
 #include <stdlib.h>
 #include <npth.h>
 #ifdef HAVE_W32_SYSTEM
 # ifndef WINVER
 #  define WINVER 0x0500  /* Same as in common/sysutils.c */
 # endif
 # include <winsock2.h>
 # include <sddl.h>
 #endif
 #include "dirmngr.h"
@ -73,6 +80,9 @@ struct ks_engine_ldap_local_s
  int more_pages;       /* More pages announced by server.      */
 };
 /*-- prototypes --*/
 static char *map_rid_to_dn (ctrl_t ctrl, const char *rid);
 static char *basedn_from_rootdse (ctrl_t ctrl, parsed_uri_t uri);
@ -150,6 +160,114 @@ my_ldap_value_free (char **vals)
 }
 /* Print a description of supported variables.  */
 void
 ks_ldap_help_variables (ctrl_t ctrl)
 {
  const char data[] =
    "Supported variables in LDAP filter expressions:\n"
    "\n"
    "domain           - The defaultNamingContext.\n"
    "domain_admins    - Group of domain admins.\n"
    "domain_users     - Group with all user accounts.\n"
    "domain_guests    - Group with the builtin gues account.\n"
    "domain_computers - Group with all clients and servers.\n"
    "cert_publishers  - Group with all cert issuing computers.\n"
    "protected_users  - Group of users with extra protection.\n"
    "key_admins       - Group for delegated access to msdsKeyCredentialLink.\n"
    "enterprise_key_admins     - Similar to key_admins.\n"
    "domain_domain_controllers - Group with all domain controllers.\n"
    "sid_domain       - SubAuthority numbers.\n";
  ks_print_help (ctrl, data);
 }
 /* Helper function for substitute_vars.  */
 static const char *
 getval_for_filter (void *cookie, const char *name)
 {
  ctrl_t ctrl = cookie;
  const char *result = NULL;
  if (!strcmp (name, "sid_domain"))
    {
 #ifdef HAVE_W32_SYSTEM
      PSID mysid;
      static char *sidstr;
      char *s, *s0;
      int i;
      if (!sidstr)
        {
          mysid = w32_get_user_sid ();
          if (!mysid)
            {
              gpg_err_set_errno (ENOENT);
              goto leave;
            }
          if (!ConvertSidToStringSid (mysid, &sidstr))
            {
              gpg_err_set_errno (EINVAL);
              goto leave;
            }
          /* Example for SIDSTR:
           * S-1-5-21-3636969917-2569447256-918939550-1127 */
          for (s0=NULL,s=sidstr,i=0; (s=strchr (s, '-')); i++)
            {
              s++;
              if (i == 3)
                s0 = s;
              else if (i==6)
                {
                  s[-1] = 0;
                  break;
                }
            }
          if (!s0)
            {
              log_error ("oops: invalid SID received from OS");
              gpg_err_set_errno (EINVAL);
              LocalFree (sidstr);
              goto leave;
            }
          sidstr = s0;  /* (We never release SIDSTR thus no memmove.)  */
        }
      result = sidstr;
 #else
      gpg_err_set_errno (ENOSYS);
      goto leave;
 #endif
    }
  else if (!strcmp (name, "domain"))
    result = basedn_from_rootdse (ctrl, NULL);
  else if (!strcmp (name, "domain_admins"))
    result = map_rid_to_dn (ctrl, "512");
  else if (!strcmp (name, "domain_users"))
    result = map_rid_to_dn (ctrl, "513");
  else if (!strcmp (name, "domain_guests"))
    result = map_rid_to_dn (ctrl, "514");
  else if (!strcmp (name, "domain_computers"))
    result = map_rid_to_dn (ctrl, "515");
  else if (!strcmp (name, "domain_domain_controllers"))
    result = map_rid_to_dn (ctrl, "516");
  else if (!strcmp (name, "cert_publishers"))
    result = map_rid_to_dn (ctrl, "517");
  else if (!strcmp (name, "protected_users"))
    result = map_rid_to_dn (ctrl, "525");
  else if (!strcmp (name, "key_admins"))
    result = map_rid_to_dn (ctrl, "526");
  else if (!strcmp (name, "enterprise_key_admins"))
    result = map_rid_to_dn (ctrl, "527");
  else
    result = "";  /* Unknown variables are empty.  */
 leave:
  return result;
 }
 /* Print a help output for the schemata supported by this module. */
 gpg_error_t
@ -1396,6 +1514,63 @@ fetch_rootdse (ctrl_t ctrl, parsed_uri_t uri)
 }
 /* Return the DN for the given RID.  This is used with the Active
 * Directory.  */
 static char *
 map_rid_to_dn (ctrl_t ctrl, const char *rid)
 {
  gpg_error_t err;
  char *result = NULL;
  estream_t infp = NULL;
  uri_item_t puri;  /* The broken down URI.  */
  nvc_t nvc = NULL;
  char *filter = NULL;
  const char *s;
  char *attr[2] = {"dn", NULL};
  err = ks_action_parse_uri ("ldap:///", &puri);
  if (err)
    return NULL;
  filter = strconcat ("(objectSid=S-1-5-21-$sid_domain-", rid, ")", NULL);
  if (!filter)
    goto leave;
  err = ks_ldap_query (ctrl, puri->parsed_uri, KS_GET_FLAG_SUBST,
                       filter, attr, NULL, &infp);
  if (err)
    {
      log_error ("ldap: AD query '%s' failed: %s\n", filter,gpg_strerror (err));
      goto leave;
    }
  if ((err = nvc_parse (&nvc, NULL, infp)))
    {
      log_error ("ldap: parsing the result failed: %s\n",gpg_strerror (err));
      goto leave;
    }
  if (!(s = nvc_get_string (nvc, "Dn:")))
    {
      err = gpg_error (GPG_ERR_NOT_FOUND);
      log_error ("ldap: mapping rid '%s'failed: %s\n", rid, gpg_strerror (err));
      goto leave;
    }
  result = xtrystrdup (s);
  if (!result)
    {
      err = gpg_error_from_syserror ();
      log_error ("ldap: strdup failed: %s\n", gpg_strerror (err));
      goto leave;
    }
 leave:
  es_fclose (infp);
  release_uri_item_list (puri);
  xfree (filter);
  nvc_release (nvc);
  return result;
 }
 /* Return the baseDN for URI which might have already been cached for
 * this session.  */
 static char *
@ -2824,6 +2999,7 @@ ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags,
  LDAP *ldap_conn = NULL;
  char *basedn = NULL;
  estream_t fp = NULL;
  char *filter_arg_buffer = NULL;
  char *filter = NULL;
  int scope = LDAP_SCOPE_SUBTREE;
  LDAPMessage *message = NULL;
@ -2839,6 +3015,20 @@ ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags,
  if ((!filter_arg || !*filter_arg) && (ks_get_flags & KS_GET_FLAG_ROOTDSE))
    filter_arg = "^&base&(objectclass=*)";
  if ((ks_get_flags & KS_GET_FLAG_SUBST)
      && filter_arg && strchr (filter_arg, '$'))
    {
      filter_arg_buffer = substitute_vars (filter_arg, getval_for_filter, ctrl);
      if (!filter_arg_buffer)
        {
          err = gpg_error_from_syserror ();
          log_error ("substituting filter variables failed: %s\n",
                     gpg_strerror (err));
          goto leave;
        }
      filter_arg = filter_arg_buffer;
    }
  err = ks_ldap_prepare_my_state (ctrl, ks_get_flags, &first_mode, &next_mode);
  if (err)
    goto leave;
@ -3048,6 +3238,7 @@ ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags,
    ldap_unbind (ldap_conn);
  xfree (filter);
  xfree (filter_arg_buffer);
  return err;
 }
--- a/dirmngr/ks-engine.h
+++ b/dirmngr/ks-engine.h
@ -29,6 +29,7 @@
 #define KS_GET_FLAG_NEXT      4
 #define KS_GET_FLAG_ONLY_AD   8  /* Do this only if we have an AD.  */
 #define KS_GET_FLAG_ROOTDSE  16  /* Get the rootDSE.  */
 #define KS_GET_FLAG_SUBST    32  /* Substiture variables.  */
 /*-- ks-action.c --*/
@ -70,6 +71,7 @@ gpg_error_t ks_kdns_help (ctrl_t ctrl, parsed_uri_t uri);
 gpg_error_t ks_kdns_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp);
 /*-- ks-engine-ldap.c --*/
 void ks_ldap_help_variables (ctrl_t ctrl);
 gpg_error_t ks_ldap_help (ctrl_t ctrl, parsed_uri_t uri);
 void ks_ldap_free_state (struct ks_engine_ldap_local_s *state);
 gpg_error_t ks_ldap_search (ctrl_t ctrl, parsed_uri_t uri, const char *pattern,
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@ -32,6 +32,13 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <errno.h>
 #ifdef HAVE_W32_SYSTEM
 # ifndef WINVER
 #  define WINVER 0x0500  /* Same as in common/sysutils.c */
 # endif
 # include <winsock2.h>
 # include <sddl.h>
 #endif
 #include "dirmngr.h"
 #include <assuan.h>
@ -2701,15 +2708,21 @@ cmd_ks_put (assuan_context_t ctx, char *line)
 static const char hlp_ad_query[] =
-  "AD_QUERY [--first|--next] [--] <filter_expression> \n"
+  "AD_QUERY [--first|--next] [--] <filter> \n"
  "\n"
  "Query properties from a Windows Active Directory.\n"
-  "Our extended filter syntax may be used for the filter\n"
+  "Options:\n"
-  "expression; see gnupg/dirmngr/ldap-misc.c.  There are\n"
+  "\n"
-  "a couple of other options available:\n\n"
+  "  --rootdse        - Query the root using serverless binding,\n"
-  "  --rootdse - Query the root using serverless binding,\n"
+  "  --subst          - Substitute variables in the filter\n"
  "  --attr=<attribs> - Comma delimited list of attributes\n"
  "                     to return.\n"
  "  --help           - List supported variables\n"
  "\n"
  "Extended filter syntax is allowed:\n"
  "   ^[<base>][&<scope>]&[<filter>]\n"
  "Usual escaping rules apply.  An ampersand in <base> must\n"
  "doubled.  <scope> may be \"base\", \"one\", or \"sub\"."
  ;
 static gpg_error_t
 cmd_ad_query (assuan_context_t ctx, char *line)
@ -2723,6 +2736,7 @@ cmd_ad_query (assuan_context_t ctx, char *line)
  char **opt_attr = NULL;
  const char *s;
  gnupg_isotime_t opt_newer;
  int opt_help = 0;
  *opt_newer = 0;
@ -2733,6 +2747,10 @@ cmd_ad_query (assuan_context_t ctx, char *line)
    flags |= KS_GET_FLAG_NEXT;
  if (has_option (line, "--rootdse"))
    flags |= KS_GET_FLAG_ROOTDSE;
  if (has_option (line, "--subst"))
    flags |= KS_GET_FLAG_SUBST;
  if (has_option (line, "--help"))
    opt_help = 1;
  if ((s = option_value (line, "--newer"))
      && !string2isotime (opt_newer, s))
    {
@ -2756,6 +2774,13 @@ cmd_ad_query (assuan_context_t ctx, char *line)
  line = skip_options (line);
  filter = line;
  if (opt_help)
    {
      ks_ldap_help_variables (ctrl);
      err = 0;
      goto leave;
    }
  if ((flags & KS_GET_FLAG_NEXT))
    {
      if (*filter || (flags & ~KS_GET_FLAG_NEXT))
@ -2907,14 +2932,39 @@ cmd_getinfo (assuan_context_t ctx, char *line)
        {
          const char *s = getenv (line);
          if (!s)
-            err = set_error (GPG_ERR_NOT_FOUND, "No such envvar");
+            {
-          else
+              err = set_error (GPG_ERR_NOT_FOUND, "No such envvar");
-            err = assuan_send_data (ctx, s, strlen (s));
+              goto leave;
            }
          err = assuan_send_data (ctx, s, strlen (s));
        }
    }
 #ifdef HAVE_W32_SYSTEM
  else if (!strcmp (line, "sid"))
    {
      PSID mysid;
      char *sidstr;
      mysid = w32_get_user_sid ();
      if (!mysid)
        {
          err = set_error (GPG_ERR_NOT_FOUND, "Error getting my SID");
          goto leave;
        }
      if (!ConvertSidToStringSid (mysid, &sidstr))
        {
          err = set_error (GPG_ERR_BUG, "Error converting SID to a string");
          goto leave;
        }
      err = assuan_send_data (ctx, sidstr, strlen (sidstr));
      LocalFree (sidstr);
    }
 #endif /*HAVE_W32_SYSTEM*/
  else
    err = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT");
 leave:
  return leave_cmd (ctx, err);
 }
--- a/dirmngr/t-http-basic.c
+++ b/dirmngr/t-http-basic.c
@ -165,6 +165,7 @@ test_http_prepare_redirect (void)
      ri.silent = 1;
      ri.redirects_left = 1;
      ri.orig_url = tests[tidx].url;
      ri.restrict_redir = 1; /* This is what we used to test here.  */
      err = http_prepare_redirect (&ri, 301, tests[tidx].location, &newurl);
      if (err && newurl)
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@ -167,6 +167,14 @@ Append all logging output to @var{file}.  This is very helpful in
 seeing what the agent actually does.  Use @file{socket://} to log to
 socket.
@item --compatibility-flags @var{flags}
@opindex compatibility-flags
 Set compatibility flags to work around certain problems or to emulate
 bugs.  The @var{flags} are given as a comma separated list of flag
 names and are OR-ed together.  The special flag "none" clears the list
 and allows to start over with an empty list.  To get a list of
 available flags the sole word "help" can be used.
@item --debug-level @var{level}
@opindex debug-level
 Select the debug level for investigating problems.  @var{level} may be a
@ -590,6 +598,15 @@ won't be rejected due to an unknown critical extension.  Use this
 option with care because extensions are usually flagged as critical
 for a reason.
@item --ignore-crl-extension @var{oid}
@opindex ignore-crl-extension
 Add @var{oid} to the list of ignored CRL extensions.  The @var{oid} is
 expected to be in dotted decimal form.  Critical flagged CRL
 extensions matching one of the OIDs in the list are treated as if they
 are actually handled and thus the certificate won't be rejected due to
 an unknown critical extension.  Use this option with care because
 extensions are usually flagged as critical for a reason.
@item --ignore-cert @var{fpr}|@var{file}
@opindex ignore-cert
 Entirely ignore certificates with the fingerprint @var{fpr}.  As an
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@ -1675,24 +1675,29 @@ prevent the creation of a @file{~/.gnupg} homedir.
@item -z @var{n}
@itemx --compress-level @var{n}
@itemx --bzip2-compress-level @var{n}
@itemx --no-compress
@opindex compress-level
@opindex bzip2-compress-level
@opindex no-compress
 Set compression level to @var{n} for the ZIP and ZLIB compression
 algorithms. The default is to use the default compression level of zlib
 (normally 6). @option{--bzip2-compress-level} sets the compression level
 for the BZIP2 compression algorithm (defaulting to 6 as well). This is a
 different option from @option{--compress-level} since BZIP2 uses a
 significant amount of memory for each additional compression level.
-@option{-z} sets both. A value of 0 for @var{n} disables compression.
+
-A value of -1 forces compression using the default level.
+Option @option{-z} sets both. A value of 0 for @var{n} disables
 compression.  A value of -1 forces compression using the default
 level.  Option @option{--no-compress} is identical to @option{-z0}.
 Except for the @option{--store} command compression is always used
 unless @command{gpg} detects that the input is already compressed.  To
-inhibit the use of compression use @option{-z0}; to force compression
+inhibit the use of compression use @option{-z0} or
-use @option{-z-1} or option @option{z} with another compression level
+@option{--no-compress}; to force compression use @option{-z-1} or
-than the default as indicated by -1.  Note that this overriding of the
+option @option{z} with another compression level than the default as
-default deection works only with @option{z} and not with the long
+indicated by -1.  Note that this overriding of the default deection
-variant of this option.
+works only with @option{z} and not with the long variant of this
 option.
@item --bzip2-decompress-lowmem
@ -2671,6 +2676,12 @@ The available properties are:
  created.  The second is the same but given as an ISO string,
  e.g. "2016-08-17". (drop-subkey)
  @item key_expires
  @itemx key_expires_d
  The expiration time of a public key or subkey or 0 if it does not
  expire.  The second is the same but given as an ISO date string or
  an empty string e.g. "2038-01-19".
  @item fpr
  The hexified fingerprint of the current subkey or primary key.
  (drop-subkey)
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@ -554,6 +554,13 @@ Assume the input data is plain base-64 encoded.
@opindex assume-binary
 Assume the input data is binary encoded.
@item --input-size-hint @var{n}
@opindex input-size-hint
 This option can be used to tell GPGSM the size of the input data in
 bytes.  @var{n} must be a positive base-10 number.  It is used by the
@option{--status-fd} line ``PROGRESS'' to provide a value for
 ``total'' if that is not available by other means.
@anchor{option --p12-charset}
@item --p12-charset @var{name}
@opindex p12-charset
@ -1721,6 +1728,9 @@ If @var{value} is true or @var{value} is not given all network access
 is disabled for this session.  This is the same as the command line
 option @option{--disable-dirmngr}.
@item input-size-hint
 This is the same as the @option{--input-size-hint} command line option.
@end table
@mansect see also
--- a/doc/tools.texi
+++ b/doc/tools.texi
@ -2049,6 +2049,12 @@ default is to take the directory name from the input filename.  If no
 input filename is known a directory named @file{GPGARCH} is used.
 This option is deprecated in favor of option @option{--directory}.
@item --no-compress
@opindex no-compress
 This option tells gpg to disable compression (i.e. using option -z0).
 It is useful for archiving only large files which are are already
 compressed (e.g. a set of videos).
@item --gpg @var{gpgcmd}
@opindex gpg
 Use the specified command @var{gpgcmd} instead of @command{gpg}.
--- a/doc/wks.texi
+++ b/doc/wks.texi
@ -216,12 +216,14 @@ addrspec, e.g. "postel@@isi.edu") per line.  Empty lines and lines
 starting with a '#' are ignored.
@item --add-revocs
@itemx --no-add-revocs
@opindex add-revocs
@opindex no-add-revocs
 If enabled append revocation certificates for the same addrspec as
 used in the WKD to the key.  Modern gpg version are able to import and
 apply them for existing keys.  Note that when used with the
@option{--mirror} command the revocation are searched in the local
-keyring and not in an LDAP directory.
+keyring and not in an LDAP directory.  The default is @option{--add-revocs}.
@item --verbose
@opindex verbose
--- a/g10/build-packet.c
+++ b/g10/build-packet.c
@ -991,12 +991,20 @@ do_plaintext( IOBUF out, int ctb, PKT_plaintext *pt )
        if (nbytes == (size_t)(-1)
            && (iobuf_error (out) || iobuf_error (pt->buf)))
            return iobuf_error (out)? iobuf_error (out):iobuf_error (pt->buf);
        /* Always get the error to catch write errors because
         * iobuf_copy does not reliable return (-1) in that case.  */
        rc = iobuf_error (out);
        if(ctb_new_format_p (ctb) && !pt->len)
          /* Turn off partial body length mode.  */
          iobuf_set_partial_body_length_mode (out, 0);
-        if( pt->len && nbytes != pt->len )
+        if (pt->len && nbytes != pt->len)
-          log_error("do_plaintext(): wrote %lu bytes but expected %lu bytes\n",
+          {
-                    (ulong)nbytes, (ulong)pt->len );
+            log_error ("do_plaintext(): wrote %lu bytes"
                       " but expected %lu bytes\n",
                       (ulong)nbytes, (ulong)pt->len );
            if (!rc) /* Just in case no error was set  */
              rc = gpg_error (GPG_ERR_EIO);
          }
      }
    return rc;
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@ -559,12 +559,12 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
  if ( !iobuf_is_pipe_filename (filename) && *filename && !opt.textmode )
    {
-      off_t tmpsize;
+      uint64_t tmpsize;
      int overflow;
-      if ( !(tmpsize = iobuf_get_filelength(inp, &overflow))
+      tmpsize = iobuf_get_filelength(inp);
-           && !overflow && opt.verbose)
+      if (!tmpsize && opt.verbose)
        log_info(_("WARNING: '%s' is an empty file\n"), filename );
      /* We can't encode the length of very large files because
         OpenPGP uses only 32 bit for file sizes.  So if the
         size of a file is larger than 2^32 minus some bytes for
@ -903,11 +903,10 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
  if (filename && *filename
      && !iobuf_is_pipe_filename (filename) && !opt.textmode )
    {
-      off_t tmpsize;
+      uint64_t tmpsize;
      int overflow;
-      if ( !(tmpsize = iobuf_get_filelength(inp, &overflow))
+      tmpsize = iobuf_get_filelength (inp);
-           && !overflow && opt.verbose)
+      if (!tmpsize && opt.verbose)
        log_info(_("WARNING: '%s' is an empty file\n"), filename );
      /* We can't encode the length of very large files because
         OpenPGP uses only 32 bit for file sizes.  So if the size
--- a/g10/filter.h
+++ b/g10/filter.h
@ -155,9 +155,9 @@ typedef struct {
 typedef struct {
    char *what;		        /* description */
    u32 last_time;		/* last time reported */
-    unsigned long last;		/* last amount reported */
+    uint64_t last;		/* last amount reported */
-    unsigned long offset;	/* current amount */
+    uint64_t offset;	        /* current amount */
-    unsigned long total;	/* total amount */
+    uint64_t total;	        /* total amount */
    int  refcount;
 } progress_filter_context_t;
--- a/g10/gpg.c
+++ b/g10/gpg.c
@ -259,6 +259,7 @@ enum cmd_and_opt_values
    oCipherAlgo,
    oDigestAlgo,
    oCertDigestAlgo,
    oNoCompress,
    oCompressAlgo,
    oCompressLevel,
    oBZ2CompressLevel,
@ -697,6 +698,7 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_n (oLockOnce,     "lock-once", "@"),
  ARGPARSE_s_n (oLockMultiple, "lock-multiple", "@"),
  ARGPARSE_s_n (oLockNever,    "lock-never", "@"),
  ARGPARSE_s_n (oNoCompress,   "no-compress", "@"),
  ARGPARSE_s_s (oCompressAlgo,"compress-algo", "@"),
  ARGPARSE_s_s (oCompressAlgo, "compression-algo", "@"), /* Alias */
  ARGPARSE_s_n (oBZ2DecompressLowmem, "bzip2-decompress-lowmem", "@"),
@ -3238,6 +3240,11 @@ main (int argc, char **argv)
 	    opt.compress_level = opt.bz2_compress_level = pargs.r.ret_int;
            opt.explicit_compress_option = 1;
 	    break;
 	  case oNoCompress:
 	    /* --no-compress is the same as  -z0 */
 	    opt.compress_level = opt.bz2_compress_level = 0;
            opt.explicit_compress_option = 1;
 	    break;
 	  case oCompressLevel: opt.compress_level = pargs.r.ret_int; break;
 	  case oBZ2CompressLevel: opt.bz2_compress_level = pargs.r.ret_int; break;
 	  case oBZ2DecompressLowmem: opt.bz2_decompress_lowmem=1; break;
@ -3499,7 +3506,13 @@ main (int argc, char **argv)
 	  case oAllowFreeformUID: opt.allow_freeform_uid = 1; break;
 	  case oNoAllowFreeformUID: opt.allow_freeform_uid = 0; break;
 	  case oNoLiteral: opt.no_literal = 1; break;
-	  case oSetFilesize: opt.set_filesize = pargs.r.ret_ulong; break;
+
 	  case oSetFilesize:
            /* There are restricts on the value (e.g. < 2^32); you
             * need to check the entire code to understand this.  */
            opt.set_filesize = pargs.r.ret_ulong;
            break;
 	  case oFastListMode: opt.fast_list_mode = 1; break;
 	  case oFixedListMode: /* Dummy */ break;
          case oLegacyListMode: opt.legacy_list_mode = 1; break;
--- a/g10/import.c
+++ b/g10/import.c
@ -1564,6 +1564,20 @@ impex_filter_getval (void *cookie, const char *propname)
        {
          result = dateonlystr_from_pk (pk);
        }
      else if (!strcmp (propname, "key_expires"))
        {
          snprintf (numbuf, sizeof numbuf, "%lu", (ulong)pk->expiredate);
          result = numbuf;
        }
      else if (!strcmp (propname, "key_expires_d"))
        {
          static char exdatestr[MK_DATESTR_SIZE];
          if (pk->expiredate)
            result = mk_datestr (exdatestr, sizeof exdatestr, pk->expiredate);
          else
            result = "";
        }
      else if (!strcmp (propname, "expired"))
        {
          result = pk->has_expired? "1":"0";
--- a/g10/keygen.c
+++ b/g10/keygen.c
@ -56,7 +56,7 @@
 /* When generating keys using the streamlined key generation dialog,
   use this as a default expiration interval.  */
-const char *default_expiration_interval = "2y";
+const char *default_expiration_interval = "3y";
 /* Flag bits used during key generation.  */
 #define KEYGEN_FLAG_NO_PROTECTION 1
--- a/g10/photoid.c
+++ b/g10/photoid.c
@ -164,12 +164,11 @@ generate_photo_id (ctrl_t ctrl, PKT_public_key *pk,const char *photo_name)
 {
  PKT_user_id *uid;
  int error=1,i;
-  unsigned int len;
+  uint64_t len;
  char *filename;
  byte *photo=NULL;
  byte header[16];
  IOBUF file;
  int overflow;
  header[0]=0x10; /* little side of photo header length */
  header[1]=0;    /* big side of photo header length */
@ -237,11 +236,18 @@ generate_photo_id (ctrl_t ctrl, PKT_public_key *pk,const char *photo_name)
 	}
-      len=iobuf_get_filelength(file, &overflow);
+      len = iobuf_get_filelength(file);
-      if(len>6144 || overflow)
+      if(len>6144)
 	{
-	  tty_printf( _("This JPEG is really large (%d bytes) !\n"),len);
+          /* We silently skip JPEGs larger than 1MiB because we have a
-	  if(!cpr_get_answer_is_yes("photoid.jpeg.size",
+           * 2MiB limit on the user ID packets and we need some limit
           * anyway because the returned u64 is larger than the u32 or
           * OpenPGP.  Note that the diagnostic may print a wrong
           * value if the value is really large; we don't fix this to
           * avoid a string change.  */
 	  tty_printf( _("This JPEG is really large (%d bytes) !\n"), (int)len);
 	  if(len > 1024*1024
             || !cpr_get_answer_is_yes("photoid.jpeg.size",
 			    _("Are you sure you want to use it? (y/N) ")))
 	  {
 	    iobuf_close(file);
--- a/g10/progress.c
+++ b/g10/progress.c
@ -72,13 +72,11 @@ release_progress_context (progress_filter_context_t *pfx)
 static void
-write_status_progress (const char *what,
+write_status_progress (const char *what, uint64_t current, uint64_t total)
                       unsigned long current, unsigned long total_arg)
 {
  char buffer[60];
  char units[] = "BKMGTPEZY?";
  int unitidx = 0;
  uint64_t total = total_arg;
  /* Although we use an unsigned long for the values, 32 bit
   * applications using GPGME will use an "int" and thus are limited
@ -91,7 +89,10 @@ write_status_progress (const char *what,
   * to display how many percent of the operation has been done and
   * thus scaling CURRENT and TOTAL down before they get to large,
   * should not have a noticeable effect except for rounding
-   * imprecision. */
+   * imprecision.
   * Update 2023-06-13: We now use uint64_t but to keep the API stable
   * we still do the scaling.
   */
  if (!total && opt.input_size_hint)
    total = opt.input_size_hint;
@ -121,7 +122,7 @@ write_status_progress (const char *what,
    unitidx = 9;
  snprintf (buffer, sizeof buffer, "%.20s ? %lu %lu %c%s",
-            what? what : "?", current, (unsigned long)total,
+            what? what : "?", (unsigned long)current, (unsigned long)total,
            units[unitidx],
            unitidx? "iB" : "");
  write_status_text (STATUS_PROGRESS, buffer);
@ -181,7 +182,7 @@ progress_filter (void *opaque, int control,
 void
 handle_progress (progress_filter_context_t *pfx, IOBUF inp, const char *name)
 {
-  off_t filesize = 0;
+  uint64_t filesize = 0;
  if (!pfx)
    return;
@ -190,7 +191,7 @@ handle_progress (progress_filter_context_t *pfx, IOBUF inp, const char *name)
  log_assert (is_status_enabled ());
  if ( !iobuf_is_pipe_filename (name) && *name )
-    filesize = iobuf_get_filelength (inp, NULL);
+    filesize = iobuf_get_filelength (inp);
  else if (opt.set_filesize)
    filesize = opt.set_filesize;
--- a/g10/sign.c
+++ b/g10/sign.c
@ -823,11 +823,10 @@ write_plaintext_packet (iobuf_t out, iobuf_t inp,
  /* Try to calculate the length of the data. */
  if ( !iobuf_is_pipe_filename (fname) && *fname)
    {
-      off_t tmpsize;
+      uint64_t tmpsize;
      int overflow;
-      if (!(tmpsize = iobuf_get_filelength (inp, &overflow))
+      tmpsize = iobuf_get_filelength (inp);
-          && !overflow && opt.verbose)
+      if (!tmpsize && opt.verbose)
        log_info (_("WARNING: '%s' is an empty file\n"), fname);
      /* We can't encode the length of very large files because
--- a/kbx/kbxserver.c
+++ b/kbx/kbxserver.c
@ -946,9 +946,15 @@ kbxd_start_command_handler (ctrl_t ctrl, gnupg_fd_t fd, unsigned int session_id)
    }
  else
    {
      /* The fd-passing does not work reliable on Windows, and even it
       * it is not used by gpg and gpgsm the current libassuan slows
       * down things if it is allowed for the server.*/
      rc = assuan_init_socket_server (ctx, fd,
                                      (ASSUAN_SOCKET_SERVER_ACCEPTED
-                                       |ASSUAN_SOCKET_SERVER_FDPASSING));
+#ifndef HAVE_W32_SYSTEM
                                       |ASSUAN_SOCKET_SERVER_FDPASSING
 #endif
                                       ));
    }
  if (rc)
--- a/po/ca.po
+++ b/po/ca.po
@ -784,11 +784,6 @@ msgstr ""
 msgid "Wrong"
 msgstr ""
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "error en la lectura de «%s»: %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -4116,6 +4111,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "No podeu canviar la data de caducitat de les claus v3\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 # Photo ID com abans.  ivb
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
@ -8289,6 +8288,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "no es pot crear el directori «%s»: %s\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "error en la lectura de «%s»: %s\n"
 # No em passe! ;)  ivb
 #, fuzzy, c-format
 msgid "can't hash '%s': %s\n"
--- a/po/cs.po
+++ b/po/cs.po
@ -4,7 +4,7 @@
 # Magda Procházková <magda@math.muni.cz> 2001,
 # Roman Pavlik <rp@tns.cz> 2001, 2002, 2003, 2004, 2005.
 # Petr Pisar <petr.pisar@atlas.cz>, 2009, 2010, 2011, 2013, 2014, 2015, 2016.
-# Petr Pisar <petr.pisar@atlas.cz>, 2017, 2018, 2019, 2020, 2021, 2022.
+# Petr Pisar <petr.pisar@atlas.cz>, 2017, 2018, 2019, 2020, 2021, 2022, 2023.
 #
 # A "%%0A" is used by Pinentry to insert a line break. The double percent
 # sign is actually needed because it is also a printf format string. If you
@ -26,6 +26,7 @@
 # kvalifikovaný certifikát/podpis
 #
 # action → způsob užití (klíče)
 # additional decryption subkey → dodatečný dešifrovací klíč
 # administrator → správce
 # cache → keš
 # compliance rules → pravidla normy
@ -38,9 +39,9 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: gnupg2 2.3.8\n"
+"Project-Id-Version: gnupg2 2.4.2\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"PO-Revision-Date: 2022-11-13 14:21+01:00\n"
+"PO-Revision-Date: 2023-06-03 15:45+02:00\n"
 "Last-Translator: Petr Pisar <petr.pisar@atlas.cz>\n"
 "Language-Team: Czech <gnupg-i18n@gnupg.org>\n"
 "Language: cs\n"
@ -153,11 +154,10 @@ msgstr "Heslo:"
 msgid "does not match - try again"
 msgstr "neshodují se – zkuste to znovu"
 #, fuzzy
 #| msgid "Passphrase"
 msgid "Passphrases match."
-msgstr "Heslo"
+msgstr "Heslo se shoduje."
 # TODO: Pluralize
 #. TRANSLATORS: The string is appended to an error message in
 #. the pinentry.  The %s is the actual error message, the
 #. two %d give the current and maximum number of tries.
@ -423,7 +423,7 @@ msgid "enable putty support"
 msgstr "zapnout podporu pro PuTTY"
 msgid "enable Win32-OpenSSH support"
-msgstr "zapnout podporu pro Win32-OpenSSH"
+msgstr "zapnout podporu Win32-OpenSSH"
 msgid "Options controlling the security"
 msgstr "Volby ovlivňující bezpečnost"
@ -761,10 +761,6 @@ msgstr "V pořádku"
 msgid "Wrong"
 msgstr "Špatně"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "chyba při přejmenování „%s“ na „%s“: %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr "Poznámka: Toto heslo nikdy nebylo změněno.%0AProsím, nyní jej změňte."
@ -1435,7 +1431,7 @@ msgstr "vyžadováno"
 #, c-format
 msgid "Please try command \"%s\" if the listing does not look correct\n"
-msgstr ""
+msgstr "Pokud výpis nevypadá v pořádku, zkuste příkaz „%s“\n"
 msgid "Error: Only plain ASCII is currently allowed.\n"
 msgstr "Chyba: V současné verzi je povolenou pouze plain ASCII.\n"
@ -1701,7 +1697,7 @@ msgid "change the User Interaction Flag"
 msgstr "změní příznak interakce uživatele (UIF)"
 msgid "switch to the OpenPGP app"
-msgstr ""
+msgstr "přepne do aplikace OpenPGP"
 msgid "gpg/card> "
 msgstr "gpg/karta> "
@ -1829,7 +1825,7 @@ msgstr "chyba při vytváření hesla: %s\n"
 #, c-format
 msgid "can't use a SKESK packet due to the S2K mode\n"
-msgstr "v režimu S2K nelze použít symetrický ESK paket\n"
+msgstr "v režimu S2K nelze použít SKESK paket\n"
 #, c-format
 msgid "using cipher %s.%s\n"
@ -1899,18 +1895,14 @@ msgstr "odstranit nepoužitelné části z klíče při exportu"
 msgid "remove as much as possible from key during export"
 msgstr "odstranit při exportu z klíče vše, co lze"
 #, fuzzy
 #| msgid "generate a revocation certificate"
 msgid "export only revocation certificates"
-msgstr "vytvořit revokační certifikát"
+msgstr "exportovat pouze revokační certifikáty"
 msgid "use the GnuPG key backup format"
 msgstr "použít záložní formát klíče GnuPG"
 #, fuzzy
 #| msgid "exporting secret keys not allowed\n"
 msgid "export secret keys using the GnuPG format"
-msgstr "exportování tajného klíče není povoleno\n"
+msgstr "exportovat tajné klíče do formátu GnuPG"
 msgid " - skipped"
 msgstr " – přeskočeno"
@ -2346,10 +2338,8 @@ msgstr "ukazovat odvolané a prošlé ID uživatelů při výpisu klíčů"
 msgid "show revoked and expired subkeys in key listings"
 msgstr "ukazovat odvolané a prošlé podklíče při výpisu klíčů"
 #, fuzzy
 #| msgid "show expiration dates during signature listings"
 msgid "show signatures with invalid algorithms during signature listings"
-msgstr "ukazovat data expirace během výpisu podpisů"
+msgstr "ukazovat podpisy s neplatnými algoritmy během výpisu podpisů"
 msgid "show the keyring name in key listings"
 msgstr "ukazovat název souboru s klíči při výpisu klíčů"
@ -2357,10 +2347,8 @@ msgstr "ukazovat název souboru s klíči při výpisu klíčů"
 msgid "show expiration dates during signature listings"
 msgstr "ukazovat data expirace během výpisu podpisů"
 #, fuzzy
 #| msgid "list preferences (expert)"
 msgid "show preferences"
-msgstr "vypsat seznam předvoleb (pro experty)"
+msgstr "vypsat předvolby"
 #, c-format
 msgid "unknown TOFU policy '%s'\n"
@ -2968,7 +2956,7 @@ msgstr "klíč %s: chyba při odesílání dat agentovi: %s\n"
 #, c-format
 msgid "key %s: card reference is overridden by key material\n"
-msgstr ""
+msgstr "klíč %s: odkaz na kartu je přebit hodnotou klíče\n"
 #. TRANSLATORS: For a smartcard, each private key on host has a
 #. * reference (stub) to a smartcard and actual private key data
@ -3485,10 +3473,8 @@ msgstr "smazat vybrané podklíče"
 msgid "add a revocation key"
 msgstr "přidat revokační klíč"
 #, fuzzy
 #| msgid "Data decryption succeeded"
 msgid "add an additional decryption subkey"
-msgstr "Dešifrování dat uspělo"
+msgstr "přidat dodatečný dešifrovací podklíč"
 msgid "delete signatures from the selected user IDs"
 msgstr "smazat podpisy z vybraných uživatelských ID"
@ -3551,11 +3537,10 @@ msgstr "Tajný klíč je dostupný.\n"
 msgid "Secret subkeys are available.\n"
 msgstr "Tajné podklíče jsou dostupné.\n"
 #, fuzzy
 #| msgid "Note: Only the secret part of the shown subkey will be deleted.\n"
 msgid ""
 "Note: the local copy of the secret key will only be deleted with \"save\".\n"
-msgstr "Poznámka: Smazána bude pouze tajná část zobrazeného podklíče.\n"
+msgstr ""
 "Poznámka: Místní kopie tajného klíče bude smazána až s příkazem „save“.\n"
 msgid "Need the secret key to do this.\n"
 msgstr "Pro provedení této operace je potřeba tajný klíč.\n"
@ -3665,11 +3650,9 @@ msgstr "Uložit změny? (a/N) "
 msgid "Quit without saving? (y/N) "
 msgstr "Ukončit bez uložení? (a/N) "
-# The first argument is a "key" or "subkey"
+#, c-format
 #, fuzzy, c-format
 #| msgid "deleting secret %s failed: %s\n"
 msgid "deleting copy of secret key failed: %s\n"
-msgstr "smazání tajného %s se nezdařilo: %s\n"
+msgstr "smazání kopie tajného klíče se nezdařilo: %s\n"
 #, c-format
 msgid "Key not changed so no update needed.\n"
@ -3809,6 +3792,10 @@ msgstr "POZOR: Vašemu šifrovacímu podklíči brzy vyprší platnost.\n"
 msgid "You may want to change its expiration date too.\n"
 msgstr "Dobu platnosti také můžete změnit.\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr "POZOR: Nezbyl žádný platný šifrovací podklíč.\n"
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -3904,17 +3891,15 @@ msgid ""
 msgstr "Jste si jistí, že tento klíč chcete pověřit odvoláním? (a/N) "
 msgid "Enter the fingerprint of the additional decryption subkey: "
-msgstr ""
+msgstr "Zadejte otisk dodatečného dešifrovacího podklíče: "
-#, fuzzy, c-format
+#, c-format
 #| msgid "(unless you specify the key by fingerprint)\n"
 msgid "Did you specify the fingerprint of a subkey?\n"
-msgstr "(dokud neurčíte klíč jeho otiskem)\n"
+msgstr "Zadali jste otisk podklíče?\n"
-#, fuzzy, c-format
+#, c-format
 #| msgid "Subkey %s is already revoked.\n"
 msgid "key \"%s\" is already on this keyblock\n"
-msgstr "Podklíč %s je již odvolán.\n"
+msgstr "klíč „%s“ je již v tomto bloku klíče.\n"
 msgid ""
 "Are you sure you want to change the expiration time for multiple subkeys? (y/"
@ -7831,6 +7816,10 @@ msgstr "prosím, zjistěte příčinu a soubor ručně smažte\n"
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "vytvoření dočasného kešového dir souboru „%s“ selhalo: %s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "chyba při přejmenování „%s“ na „%s“: %s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "nelze vypočítat haš „%s“: %s\n"
@ -8991,9 +8980,6 @@ msgstr "Příkazy pro správu Yubikey"
 msgid "manage the command history"
 msgstr "spravuje historii příkazů"
 #~ msgid "continuing verification anyway due to option %s\n"
 #~ msgstr "přesto se pokračuje v ověřování kvůli volbě %s\n"
 #~ msgid "selected AEAD algorithm is invalid\n"
 #~ msgstr "vybraný algoritmus AEAD je neplatný\n"
@ -9003,6 +8989,9 @@ msgstr "spravuje historii příkazů"
 #~ msgid "AEAD algorithm '%s' may not be used in %s mode\n"
 #~ msgstr "AEAD algoritmus „%s“ se nesmí používat v režimu %s\n"
 #~ msgid "continuing verification anyway due to option %s\n"
 #~ msgstr "přesto se pokračuje v ověřování kvůli volbě %s\n"
 #~ msgid "error writing to temporary file: %s\n"
 #~ msgstr "chyba při zápisu do dočasného souboru: %s\n"
--- a/po/da.po
+++ b/po/da.po
@ -835,11 +835,6 @@ msgstr "Korrekt"
 msgid "Wrong"
 msgstr "Forkert"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "fejl ved læsning af »%s«: %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr "Bemærk: Denne adgangsfrase er aldrig blevet ændret.%0AÆndr den nu."
@ -4129,6 +4124,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "Du kan ikke ændre udløbsdatoen for en v3-nøgle\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8372,6 +8371,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "kunne ikke oprette midlertidig fil »%s«: %s\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "fejl ved læsning af »%s«: %s\n"
 #, fuzzy, c-format
 #| msgid "can't access `%s': %s\n"
 msgid "can't hash '%s': %s\n"
--- a/po/de.po
+++ b/po/de.po
@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg-2.4.1\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"PO-Revision-Date: 2023-03-21 09:31+0100\n"
+"PO-Revision-Date: 2023-05-30 13:46+0200\n"
 "Last-Translator: Werner Koch <wk@gnupg.org>\n"
 "Language-Team: German\n"
 "Language: de\n"
@ -745,10 +745,6 @@ msgstr "Korrekt"
 msgid "Wrong"
 msgstr "Falsch"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "Fehler beim Umbenennen von `%s` nach `%s': %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -3834,6 +3830,11 @@ msgstr "WARNUNG: Ihr Unterschlüssel zum Verschlüsseln wird bald verfallen.\n"
 msgid "You may want to change its expiration date too.\n"
 msgstr "Bitte erwägen Sie, dessen Verfallsdatum auch zu ändern.\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 "WARNUNG: Es sind keine Unterschlüssel zum Verschlüsseln mehr vorhanden.\n"
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -7934,6 +7935,10 @@ msgstr ""
 "Die temporäre Zwischenspeicherverzeichnisdatei `%s' konnte nicht erzeugt "
 "werden: %s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "Fehler beim Umbenennen von `%s` nach `%s': %s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "Hashwert von `%s' kann nicht gebildet werden: %s\n"
--- a/po/el.po
+++ b/po/el.po
@ -751,11 +751,6 @@ msgstr ""
 msgid "Wrong"
 msgstr ""
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "σφάλμα κατά την ανάγνωση του `%s': %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -4013,6 +4008,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "Δεν μπορείτε να αλλάξετε την ημερομηνία λήξης σε ένα v3 κλειδί\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8127,6 +8126,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "αδυναμία δημιουργίας καταλόγου `%s': %s\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "σφάλμα κατά την ανάγνωση του `%s': %s\n"
 #, fuzzy, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "αδυναμία κλεισίματος του `%s': %s\n"
--- a/po/eo.po
+++ b/po/eo.po
@ -750,11 +750,6 @@ msgstr ""
 msgid "Wrong"
 msgstr ""
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "eraro dum legado de '%s': %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -3986,6 +3981,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "Vi ne povas ŝanĝi la daton de eksvalidiĝo de v3-ŝlosilo\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8038,6 +8037,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "%s: ne povas krei dosierujon: %s\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "eraro dum legado de '%s': %s\n"
 #, fuzzy, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "ne povas fermi '%s': %s\n"
--- a/po/es.po
+++ b/po/es.po
@ -788,10 +788,6 @@ msgstr "Correcto"
 msgid "Wrong"
 msgstr "Incorrecto"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "error al renombrar '%s' a '%s': %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -3886,6 +3882,11 @@ msgstr "AVISO: Tu subclave de cifrado caduca pronto.\n"
 msgid "You may want to change its expiration date too.\n"
 msgstr "Puede que también quieras cambiar su fecha de caducidad.\n"
 #, fuzzy, c-format
 #| msgid "WARNING: Your encryption subkey expires soon.\n"
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr "AVISO: Tu subclave de cifrado caduca pronto.\n"
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -7954,6 +7955,10 @@ msgstr "chequea el problema y borra este archivo manualmente\n"
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "no se puede crear el fichero de cache '%s': %s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "error al renombrar '%s' a '%s': %s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "no se puede hacer el hash de '%s': %s\n"
--- a/po/et.po
+++ b/po/et.po
@ -748,11 +748,6 @@ msgstr ""
 msgid "Wrong"
 msgstr ""
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "viga `%s' lugemisel: %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -3985,6 +3980,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "v3 võtme aegumise aega ei saa muuta.\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8044,6 +8043,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "kataloogi `%s' ei õnnestu luua: %s\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "viga `%s' lugemisel: %s\n"
 #, fuzzy, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "`%s' ei õnnestu sulgeda: %s\n"
--- a/po/fi.po
+++ b/po/fi.po
@ -765,11 +765,6 @@ msgstr ""
 msgid "Wrong"
 msgstr ""
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "virhe luettaessa tiedostoa \"%s\": %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -4009,6 +4004,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "Et voi muuttaa v3-avainten vanhentumispäivää\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8110,6 +8109,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "hakemiston \"%s\" luominen ei onnistu: %s\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "virhe luettaessa tiedostoa \"%s\": %s\n"
 #, fuzzy, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "tiedostoa \"%s\" ei voi sulkea: %s\n"
--- a/po/fr.po
+++ b/po/fr.po
@ -789,10 +789,6 @@ msgstr "Exact"
 msgid "Wrong"
 msgstr "Faux"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "erreur en renommant « %s » en « %s » : %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -4015,6 +4011,11 @@ msgstr "Attention : votre sous-clef de chiffrement expire bientôt.\n"
 msgid "You may want to change its expiration date too.\n"
 msgstr "Vous pourriez modifier aussi sa date d’expiration.\n"
 #, fuzzy, c-format
 #| msgid "WARNING: Your encryption subkey expires soon.\n"
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr "Attention : votre sous-clef de chiffrement expire bientôt.\n"
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8258,6 +8259,10 @@ msgstr "veuillez vérifier la raison et effacer vous-même ce fichier\n"
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "impossible de créer le répertoire de cache temporaire « %s » : %s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "erreur en renommant « %s » en « %s » : %s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "impossible de hacher « %s » : %s\n"
--- a/po/gl.po
+++ b/po/gl.po
@ -753,11 +753,6 @@ msgstr ""
 msgid "Wrong"
 msgstr ""
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "erro lendo `%s': %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -4009,6 +4004,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "Non pode cambia-la data de expiración dunha chave v3\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8118,6 +8117,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "non se pode crea-lo directorio `%s': %s\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "erro lendo `%s': %s\n"
 #, fuzzy, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "non se pode pechar `%s': %s\n"
--- a/po/hu.po
+++ b/po/hu.po
@ -748,11 +748,6 @@ msgstr ""
 msgid "Wrong"
 msgstr ""
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "Hiba \"%s\" olvasásakor: %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -3986,6 +3981,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "Nem változtathatja meg egy v3 kulcs lejárati dátumát!\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8071,6 +8070,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "Nem tudom a \"%s\" könyvtárat létrehozni: %s.\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "Hiba \"%s\" olvasásakor: %s\n"
 #, fuzzy, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "Nem tudom bezárni a(z) \"%s\" állományt: %s.\n"
--- a/po/id.po
+++ b/po/id.po
@ -753,11 +753,6 @@ msgstr ""
 msgid "Wrong"
 msgstr ""
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "kesalahan membaca `%s': %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -3992,6 +3987,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "Anda tidak dapat merubah batas waktu kunci v3\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8070,6 +8069,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "tidak dapat membuat direktori `%s': %s\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "kesalahan membaca `%s': %s\n"
 #, fuzzy, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "tidak dapat menutup `%s': %s\n"
--- a/po/it.po
+++ b/po/it.po
@ -737,10 +737,6 @@ msgstr "Corretto"
 msgid "Wrong"
 msgstr "Sbagliato"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "errore durante la ridenominazione di '%s' in '%s': %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -3826,6 +3822,11 @@ msgstr "AVVISO: la sottochiave di crittografia scade a breve.\n"
 msgid "You may want to change its expiration date too.\n"
 msgstr "Si consiglia di modificare anche la sua data di scadenza.\n"
 #, fuzzy, c-format
 #| msgid "WARNING: Your encryption subkey expires soon.\n"
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr "AVVISO: la sottochiave di crittografia scade a breve.\n"
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -7883,6 +7884,10 @@ msgstr "si prega di controllare il motivo ed eliminare manualmente quel file\n"
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "impossibile creare il file dir della cache temporanea '%s': %s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "errore durante la ridenominazione di '%s' in '%s': %s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "impossibile eseguire l'hashing '%s': %s\n"
--- a/po/ja.po
+++ b/po/ja.po
@ -727,10 +727,6 @@ msgstr "正しい"
 msgid "Wrong"
 msgstr "誤り"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "'%s'から'%s'へ名前変更のエラー: %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr "注意: パスフレーズは変更されていません。%0A今、変更してください。"
@ -7588,6 +7584,10 @@ msgstr "理由を確認し、手動でそのファイルを削除してくださ
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "一時キャッシュ・ディレクトリ・ファイル'%s'が作成できません: %s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "'%s'から'%s'へ名前変更のエラー: %s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "'%s'をハッシュできません: %s\n"
--- a/po/nb.po
+++ b/po/nb.po
@ -749,10 +749,6 @@ msgstr "Riktig"
 msgid "Wrong"
 msgstr "Feil"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "klarte ikke å gi «%s» det nye navnet «%s»: %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -3849,6 +3845,11 @@ msgstr "ADVARSEL: Undernøkkel for kryptering utløper snart.\n"
 msgid "You may want to change its expiration date too.\n"
 msgstr "Du bør vurdere å endre utløpsdato samtidig.\n"
 #, fuzzy, c-format
 #| msgid "WARNING: Your encryption subkey expires soon.\n"
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr "ADVARSEL: Undernøkkel for kryptering utløper snart.\n"
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -7873,6 +7874,10 @@ msgstr "kontroller årsaken og slett fila manuelt\n"
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "klarte ikke å lage midlertidig hurtiglagermappe-fil «%s»: %s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "klarte ikke å gi «%s» det nye navnet «%s»: %s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "klarte ikke å summere «%s»: %s\n"
--- a/po/pl.po
+++ b/po/pl.po
@ -744,10 +744,6 @@ msgstr "Akceptuj"
 msgid "Wrong"
 msgstr "Odrzuć"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "błąd zmiany nazwy ,,%s'' na ,,%s'': %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr "Uwaga: To hasło nie było nigdy zmieniane.%0AProszę zmienić je teraz."
@ -3862,6 +3858,11 @@ msgstr "OSTRZEŻENIE: podklucz do szyfrowania wkrótce wygaśnie.\n"
 msgid "You may want to change its expiration date too.\n"
 msgstr "Może warto także zmienić jego datę ważności.\n"
 #, fuzzy, c-format
 #| msgid "WARNING: Your encryption subkey expires soon.\n"
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr "OSTRZEŻENIE: podklucz do szyfrowania wkrótce wygaśnie.\n"
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -7982,6 +7983,10 @@ msgstr ""
 "nie udało się utworzyć pliku tymczasowego katalogu pamięci podręcznej ,,"
 "%s'': %s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "błąd zmiany nazwy ,,%s'' na ,,%s'': %s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "nie można policzyć skrótu ,,%s'': %s\n"
--- a/po/pt.po
+++ b/po/pt.po
@ -752,11 +752,6 @@ msgstr ""
 msgid "Wrong"
 msgstr ""
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "erro na leitura de `%s': %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -3996,6 +3991,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "Você não pode modificar a data de validade de uma chave v3\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8067,6 +8066,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "%s: impossível criar directoria: %s\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "erro na leitura de `%s': %s\n"
 #, fuzzy, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "impossível fechar `%s': %s\n"
--- a/po/ro.po
+++ b/po/ro.po
@ -762,11 +762,6 @@ msgstr ""
 msgid "Wrong"
 msgstr ""
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "eroare la citire `%s': %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -4044,6 +4039,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "Nu puteţi schimba data de expirare a unei chei v3\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8193,6 +8192,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "nu pot crea directorul `%s': %s\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "eroare la citire `%s': %s\n"
 #, fuzzy, c-format
 #| msgid "can't access `%s': %s\n"
 msgid "can't hash '%s': %s\n"
--- a/po/ru.po
+++ b/po/ru.po
@ -754,10 +754,6 @@ msgstr "Подтверждаю"
 msgid "Wrong"
 msgstr "Неверно"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "ошибка переименования '%s' в '%s': %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -3866,6 +3862,11 @@ msgstr "Внимание: Срок действия Вашего подключ
 msgid "You may want to change its expiration date too.\n"
 msgstr "Возможно, надо поменять также срок действия.\n"
 #, fuzzy, c-format
 #| msgid "WARNING: Your encryption subkey expires soon.\n"
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr "Внимание: Срок действия Вашего подключа для шифрования истекает.\n"
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -7942,6 +7943,10 @@ msgstr "выясните причину и удалите этот файл вр
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "невозможно создание временного файла '%s': %s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "ошибка переименования '%s' в '%s': %s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "невозможно получить хеш '%s': %s\n"
--- a/po/sk.po
+++ b/po/sk.po
@ -753,11 +753,6 @@ msgstr ""
 msgid "Wrong"
 msgstr ""
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "chyba pri čítaní `%s': %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -4012,6 +4007,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "Nemôžete zmeniť dobu platnosti kľúča verzie 3\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8101,6 +8100,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "nemôžem vytvoriť adresár `%s': %s\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "chyba pri čítaní `%s': %s\n"
 #, fuzzy, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "nemôžem zavrieť `%s': %s\n"
--- a/po/sv.po
+++ b/po/sv.po
@ -851,11 +851,6 @@ msgstr "Korrekt"
 msgid "Wrong"
 msgstr "Fel"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "fel vid läsning av \"%s\": %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -4194,6 +4189,10 @@ msgstr ""
 msgid "You may want to change its expiration date too.\n"
 msgstr "Du kan inte ändra giltighetsdatum för en v3-nyckel\n"
 #, c-format
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr ""
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8506,6 +8505,11 @@ msgstr ""
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "misslyckades med att skapa temporärfilen \"%s\": %s\n"
 #, fuzzy, c-format
 #| msgid "error reading `%s': %s\n"
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "fel vid läsning av \"%s\": %s\n"
 #, fuzzy, c-format
 #| msgid "can't access `%s': %s\n"
 msgid "can't hash '%s': %s\n"
--- a/po/tr.po
+++ b/po/tr.po
@ -1,12 +1,12 @@
 # Turkish translations for GnuPG messages.
 # Nilgün Belma Bugüner <nilgun@belgeler.gen.tr>, 2001-2008,
-# Emir SARI <emir_sari@icloud.com>, 2022
+# Emir SARI <emir_sari@icloud.com>, 2022, 2023
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: gnupg 2.3.4\n"
+"Project-Id-Version: gnupg 2.4.0\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"PO-Revision-Date: 2022-04-23 15:00+0300\n"
+"PO-Revision-Date: 2023-05-30 23:45+0300\n"
 "Last-Translator: Emir SARI <emir_sari@icloud.com>\n"
 "Language-Team: Turkish\n"
 "Language: tr\n"
@ -14,7 +14,6 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 "X-Generator: KBabel 1.11.4\n"
 #, c-format
 msgid "failed to acquire the pinentry lock: %s\n"
@ -124,10 +123,8 @@ msgstr "Anahtar Parolası:"
 msgid "does not match - try again"
 msgstr "eşleşmiyor - yeniden deneyin"
 #, fuzzy
 #| msgid "Passphrase Entry"
 msgid "Passphrases match."
-msgstr "Anahtar Parolası Girişi"
+msgstr "Anahtar parolaları eşleşiyor."
 #. TRANSLATORS: The string is appended to an error message in
 #. the pinentry.  The %s is the actual error message, the
@ -325,7 +322,7 @@ msgstr "Yine de bunu kullan"
 #, c-format
 msgid "Please enter the passphrase to%0Aprotect your new key"
-msgstr "Yeni anahtarınızı korumak için lütfen%0Aanahtar parolanızı girin"
+msgstr "Yeni anahtarınızı korumak için lütfen anahtar%0Aparolanızı girin"
 msgid "Please enter the new passphrase"
 msgstr "Lütfen yeni anahtar parolasını girin"
@ -393,10 +390,8 @@ msgstr "|ALGO|ssh parmak izlerini göstermek için ALGO kullan"
 msgid "enable putty support"
 msgstr "putty desteğini etkinleştir"
 #, fuzzy
 #| msgid "enable putty support"
 msgid "enable Win32-OpenSSH support"
-msgstr "putty desteğini etkinleştir"
+msgstr "Win32-OpenSSH desteğini etkinleştir"
 msgid "Options controlling the security"
 msgstr "Güvenliği denetleyen seçenekler"
@ -736,10 +731,6 @@ msgstr "Doğru"
 msgid "Wrong"
 msgstr "Yanlış"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "'%s > '%s' olarak yeniden adlandırırken hata: %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -763,22 +754,19 @@ msgid "Please insert the card with serial number"
 msgstr "Lütfen seri numarayı içeren kartı takın"
 # Check
-#, fuzzy, c-format
+#, c-format
 #| msgid ""
 #| "An ssh process requested the use of key%%0A  %s%%0A  (%s)%%0ADo you want "
 #| "to allow this?"
 msgid "Requested the use of key%%0A  %s%%0A  %s%%0ADo you want to allow this?"
 msgstr ""
-"Bir ssh işlemi,%%0A  %s%%A  (%s)%%0Aanahtarının kullanımı için istekte "
+"%%0A  %s%%0A  %s%%0Aanahtarının kullanımı için istekte bulunuldu. Buna izin "
-"bulundu. Buna izin vermek istiyor musunuz?"
+"vermek istiyor musunuz?"
 #, c-format
 msgid ""
 "Do you really want to delete the key identified by keygrip%%0A  %s%%0A  %%C"
 "%%0A?"
 msgstr ""
-"Anahtar maşası tarafından tanımlanan şu anahtarı silmek istediğnizden emin "
+"%%0A  %s%%0A  %%C%%0A anahtar maşası tarafından tanımlanan anahtarı silmek "
-"misiniz:%%0A  %s%%0A  %%C%%0A?"
+"istediğnizden emin misiniz?"
 msgid "Delete key"
 msgstr "Anahtarı sil"
@ -1419,7 +1407,7 @@ msgstr "zorlandı"
 #, c-format
 msgid "Please try command \"%s\" if the listing does not look correct\n"
-msgstr ""
+msgstr "Listeleme doğru görünmüyorsa lütfen \"%s\" komutunu deneyin\n"
 msgid "Error: Only plain ASCII is currently allowed.\n"
 msgstr "Hata: Şimdilik yalnızca US-ASCII mümkün.\n"
@ -1516,7 +1504,7 @@ msgstr "%u bite yuvarlandı\n"
 #, c-format
 msgid "%s keysizes must be in the range %u-%u\n"
-msgstr "%s anahtar uzunlukları %u-%u eriminde olmalı\n"
+msgstr "%s anahtar uzunlukları %u-%u eriminde olmalıdır\n"
 msgid "Changing card key attribute for: "
 msgstr "Şunun için anahtar özniteliği değiştiriliyor: "
@ -1531,7 +1519,7 @@ msgid "Authentication key\n"
 msgstr "Kimlik doğrulama anahtarı\n"
 msgid "Please select what kind of key you want:\n"
-msgstr "Lütfen istediğiniz anahtar türünü seçiniz:\n"
+msgstr "Lütfen istediğiniz anahtar türünü seçin:\n"
 #, c-format
 msgid "   (%d) RSA\n"
@ -1574,7 +1562,7 @@ msgid "Note: keys are already stored on the card!\n"
 msgstr "Not: Anahtarlar halihazırda kart üzerinde depolanıyor!\n"
 msgid "Replace existing keys? (y/N) "
-msgstr "Mevcut anahtarlar başkalarıyla değiştirilsin mi? (e/H) "
+msgstr "Var olan anahtarlar başkalarıyla değiştirilsin mi? (e/H) "
 #, c-format
 msgid ""
@ -1587,7 +1575,7 @@ msgstr ""
 "Bunları --change-pin komutunu kullanarak değiştirmelisiniz\n"
 msgid "Please select the type of key to generate:\n"
-msgstr "Lütfen üretilecek anahtar türünü seçiniz:\n"
+msgstr "Lütfen üretilecek anahtar türünü seçin:\n"
 msgid "   (1) Signature key\n"
 msgstr "   (1) İmzalama anahtarı\n"
@ -1599,7 +1587,7 @@ msgid "   (3) Authentication key\n"
 msgstr "   (3) Kimlik doğrulama anahtarı\n"
 msgid "Please select where to store the key:\n"
-msgstr "Lütfen anahtarın depolanacağı yeri seçiniz:\n"
+msgstr "Lütfen anahtarın depolanacağı yeri seçin:\n"
 #, c-format
 msgid "KEYTOCARD failed: %s\n"
@ -1684,7 +1672,7 @@ msgid "change the User Interaction Flag"
 msgstr "Kullanıcı etkileşim bayrağını değiştir"
 msgid "switch to the OpenPGP app"
-msgstr ""
+msgstr "OpenPGP uygulamasına geç"
 msgid "gpg/card> "
 msgstr "gpg/card> "
@ -1803,10 +1791,9 @@ msgstr "UYARI: %s anahtarı, %s kipinde şifreleme için uygun değil\n"
 msgid "error creating passphrase: %s\n"
 msgstr "anahtar parolası oluşturulurken hata: %s\n"
-#, fuzzy, c-format
+#, c-format
 #| msgid "can't use a symmetric ESK packet due to the S2K mode\n"
 msgid "can't use a SKESK packet due to the S2K mode\n"
-msgstr "S2K kipi sayesinde bir simetrik ESK paketi kullanılamıyor\n"
+msgstr "S2K kipi nedeniyle bir SKESK paketi kullanılamıyor\n"
 #, c-format
 msgid "using cipher %s.%s\n"
@ -1877,18 +1864,14 @@ msgstr "dışa aktarım sırasında anahtardan kullanışsız parçaları kaldı
 msgid "remove as much as possible from key during export"
 msgstr "dışa aktarım sırasında anahtardan olabildiğince çok şey kaldır"
 #, fuzzy
 #| msgid "generate a revocation certificate"
 msgid "export only revocation certificates"
-msgstr "bir yürürlükten kaldırma sertifikası üret"
+msgstr "yalnızca yürürlükten kaldırma sertifikalarını dışa aktar"
 msgid "use the GnuPG key backup format"
 msgstr "GnuPG yedekleme biçimini kullan"
 #, fuzzy
 #| msgid "exporting secret keys not allowed\n"
 msgid "export secret keys using the GnuPG format"
-msgstr "gizli anahtarların dışa aktarımına izin verilmez\n"
+msgstr "GnuPG biçimini kullanan gizli anahtarları dışa aktar"
 msgid " - skipped"
 msgstr " - atlandı"
@ -2319,10 +2302,8 @@ msgstr ""
 "anahtar listelerinde yürürlükten kaldırılmış ve zaman aşımına uğramış "
 "yardımcı anahtarlar göster"
 #, fuzzy
 #| msgid "show expiration dates during signature listings"
 msgid "show signatures with invalid algorithms during signature listings"
-msgstr "imza listelemesi sırasında zaman aşımı tarihleri göster"
+msgstr "imza listelemesi sırasında geçersiz algoritmalı imzaları göster"
 msgid "show the keyring name in key listings"
 msgstr "anahtar zinciri adını anahtar listelerinde göster"
@ -2330,10 +2311,8 @@ msgstr "anahtar zinciri adını anahtar listelerinde göster"
 msgid "show expiration dates during signature listings"
 msgstr "imza listelemesi sırasında zaman aşımı tarihleri göster"
 #, fuzzy
 #| msgid "list preferences (expert)"
 msgid "show preferences"
-msgstr "tercihleri listele (uzman)"
+msgstr "tercihleri göster"
 #, c-format
 msgid "unknown TOFU policy '%s'\n"
@ -2503,23 +2482,23 @@ msgstr "seçili sertifikalama özet algoritması geçersiz\n"
 #, c-format
 msgid "completes-needed must be greater than 0\n"
-msgstr "\"completes-needed\" 0'dan büyük olmalı\n"
+msgstr "\"completes-needed\" 0'dan büyük olmalıdır\n"
 #, c-format
 msgid "marginals-needed must be greater than 1\n"
-msgstr "\"marginals-needed\" 1'den büyük olmalı\n"
+msgstr "\"marginals-needed\" 1'den büyük olmalıdır\n"
 #, c-format
 msgid "max-cert-depth must be in the range from 1 to 255\n"
-msgstr "\"max-cert-depth\" 1-255 arasında olmalı\n"
+msgstr "\"max-cert-depth\" 1-255 arasında olmalıdır\n"
 #, c-format
 msgid "invalid default-cert-level; must be 0, 1, 2, or 3\n"
-msgstr "öntanımlı sertifika düzeyi geçersiz; 0, 1, 2 veya 3 olmalı\n"
+msgstr "öntanımlı sertifika düzeyi geçersiz; 0, 1, 2 veya 3 olmalıdır\n"
 #, c-format
 msgid "invalid min-cert-level; must be 1, 2, or 3\n"
-msgstr "asgari sertifika düzeyi geçersiz; 1, 2 veya 3 olmalı\n"
+msgstr "en küçük sertifika düzeyi geçersiz; 1, 2 veya 3 olmalıdır\n"
 #, c-format
 msgid "Note: simple S2K mode (0) is strongly discouraged\n"
@ -2527,7 +2506,7 @@ msgstr "Not: Basit S2K kipi (0) kesinlikle tavsiye edilmez\n"
 #, c-format
 msgid "invalid S2K mode; must be 0, 1 or 3\n"
-msgstr "geçersiz S2K kipi; 0, 1 veya 3 olmalı\n"
+msgstr "geçersiz S2K kipi; 0, 1 veya 3 olmalıdır\n"
 #, c-format
 msgid "invalid default preferences\n"
@ -2944,6 +2923,7 @@ msgstr "%s anahtarı: Aracıya gönderirken hata: %s\n"
 #, c-format
 msgid "key %s: card reference is overridden by key material\n"
 msgstr ""
 "%s anahtarı: Kart başvurusu, anahtar malzemesi tarafından geçersiz kılındı\n"
 #. TRANSLATORS: For a smartcard, each private key on host has a
 #. * reference (stub) to a smartcard and actual private key data
@ -3466,10 +3446,8 @@ msgstr "seçili yardımcı anahtarları sil"
 msgid "add a revocation key"
 msgstr "bir yürürlükten kaldırma anahtarı ekle"
 #, fuzzy
 #| msgid "Data decryption succeeded"
 msgid "add an additional decryption subkey"
-msgstr "Veri şifresi çözülmesi başarılı"
+msgstr "ek bir şifre çözümü alt anahtarı ekle"
 msgid "delete signatures from the selected user IDs"
 msgstr "seçili kullanıcı kimliklerinden imzaları sile"
@ -3536,11 +3514,9 @@ msgstr "Gizli anahtar mevcut.\n"
 msgid "Secret subkeys are available.\n"
 msgstr "Gizli yardımcı anahtarlar mevcut.\n"
 #, fuzzy
 #| msgid "Note: Only the secret part of the shown subkey will be deleted.\n"
 msgid ""
 "Note: the local copy of the secret key will only be deleted with \"save\".\n"
-msgstr "Not: Yalnızca gösterilen yardımcı anahtarın gizli kısmı silinecek.\n"
+msgstr "Not: Gizli anahtarın yerel kopyası yalnızca \"save\" ile silinir.\n"
 msgid "Need the secret key to do this.\n"
 msgstr "Bunu yapmak için gizli anahtar gerekli.\n"
@ -3656,10 +3632,9 @@ msgstr "Değişiklikler kaydedilsin mi? (e/H) "
 msgid "Quit without saving? (y/N) "
 msgstr "Kaydetmeden çıkılsın mı? (e/H) "
-#, fuzzy, c-format
+#, c-format
 #| msgid "deleting secret %s failed: %s\n"
 msgid "deleting copy of secret key failed: %s\n"
-msgstr "gizli %s silinmesi başarısız: %s\n"
+msgstr "gizli anahtarın kopyasının silinmesi başarısız: %s\n"
 #, c-format
 msgid "Key not changed so no update needed.\n"
@ -3800,6 +3775,11 @@ msgstr "UYARI: Şifreleme yardımcı anahtarının yakın zamanda süresi dolaca
 msgid "You may want to change its expiration date too.\n"
 msgstr "Son kullanma tarihini de değiştirmek isteyebilirsiniz.\n"
 #, fuzzy, c-format
 #| msgid "WARNING: Your encryption subkey expires soon.\n"
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr "UYARI: Şifreleme yardımcı anahtarının yakın zamanda süresi dolacak.\n"
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -3906,17 +3886,15 @@ msgstr ""
 "misiniz? (e/H) "
 msgid "Enter the fingerprint of the additional decryption subkey: "
-msgstr ""
+msgstr "Ek şifre çözümü alt anahtarının parmak izini gir: "
-#, fuzzy, c-format
+#, c-format
 #| msgid "(unless you specify the key by fingerprint)\n"
 msgid "Did you specify the fingerprint of a subkey?\n"
-msgstr "(anahtar parmak izi ile belirtilmedikçe)\n"
+msgstr "Bir alt anahtarın parmak izini mi belirttiniz?\n"
-#, fuzzy, c-format
+#, c-format
 #| msgid "Subkey %s is already revoked.\n"
 msgid "key \"%s\" is already on this keyblock\n"
-msgstr "%s yardımcı anahtarı zaten yürürlükten kaldırılmış.\n"
+msgstr "\"%s\" anahtarı halihazırda bu anahtar blokunda\n"
 msgid ""
 "Are you sure you want to change the expiration time for multiple subkeys? (y/"
@ -4249,7 +4227,7 @@ msgstr "%u bite yuvarlandı\n"
 #, c-format
 msgid "%s keys may be between %u and %u bits long.\n"
-msgstr "%s anahtarları %u bit ile %u bit arasında olmalı.\n"
+msgstr "%s anahtarları %u bit ile %u bit arasında olmalıdır.\n"
 #, c-format
 msgid "What keysize do you want for the subkey? (%u) "
@ -4303,10 +4281,10 @@ msgid "invalid value\n"
 msgstr "geçersiz değer\n"
 msgid "Key does not expire at all\n"
-msgstr "Anahtar hep geçerli olacak\n"
+msgstr "Anahtarın geçerliliği hiçbir zaman bitmeyecek\n"
 msgid "Signature does not expire at all\n"
-msgstr "İmza hep geçerli olacak\n"
+msgstr "İmzanın geçerliliği hiçbir zaman bitmeyecek\n"
 #, c-format
 msgid "Key expires at %s\n"
@ -5248,7 +5226,7 @@ msgid ""
 "The minimum trust level for this key is: %s\n"
 "\n"
 msgstr ""
-"Bu anahtar için asgari güvence düzeyi: %s\n"
+"Bu anahtar için en düşük güvence düzeyi: %s\n"
 "\n"
 msgid "Your decision? "
@ -6662,7 +6640,7 @@ msgstr "||Lütfen kart kilidini açın"
 #, c-format
 msgid "PIN for CHV%d is too short; minimum length is %d\n"
-msgstr "CHV%d için PIN çok kısa; asgari uzunluk: %d\n"
+msgstr "CHV%d için PIN çok kısa; gereken en kısa uzunluk %d\n"
 #, c-format
 msgid "verify CHV%d failed: %s\n"
@ -6693,7 +6671,7 @@ msgstr "||Lütfen kart için Sıfırlama Kodunu giriniz"
 #, c-format
 msgid "Reset Code is too short; minimum length is %d\n"
-msgstr "Sıfırlama Kodu çok kısa; asgari uzunluk: %d\n"
+msgstr "Sıfırlama Kodu çok kısa; gereken en kısa uzunluk %d\n"
 #. TRANSLATORS: Do not translate the "|*|" prefixes but
 #. keep it at the start of the string.  We need this elsewhere
@ -7782,6 +7760,10 @@ msgstr "lütfen nedenini denetleyin ve o dosyayı el ile silin\n"
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "geçici önbellek dizin dosyası '%s' oluşturulamadı: %s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "'%s > '%s' olarak yeniden adlandırırken hata: %s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "'%s' sağlaması yapılamıyor: %s\n"
@ -8933,22 +8915,3 @@ msgstr "Yubikey yönetim konsolu"
 msgid "manage the command history"
 msgstr "komut geçmişini yönet"
 #~ msgid "continuing verification anyway due to option %s\n"
 #~ msgstr "%s seçeneğinden dolayı doğrulama yine de sürdürülüyor\n"
 #~ msgid "selected AEAD algorithm is invalid\n"
 #~ msgstr "seçili AEAD algoritması geçersiz\n"
 #~ msgid "invalid personal AEAD preferences\n"
 #~ msgstr "geçersiz kişisel AEAD tercihler\n"
 #~ msgid "AEAD algorithm '%s' may not be used in %s mode\n"
 #~ msgstr "'%s' AEAD algoritması, %s kipinde kullanılamayabilir\n"
 #~ msgid "run in supervised mode"
 #~ msgstr "yönetilen kipte çalıştır"
 #~ msgid "forcing symmetric cipher %s (%d) violates recipient preferences\n"
 #~ msgstr ""
 #~ "simetrik şifreleme %s (%d) zorlamak alıcı tercihlerine karşı geliyor\n"
--- a/po/uk.po
+++ b/po/uk.po
@ -754,10 +754,6 @@ msgstr "Підтверджую"
 msgid "Wrong"
 msgstr "Не підтверджую"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "помилка під час спроби перейменування «%s» на «%s»: %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr ""
@ -3905,6 +3901,11 @@ msgstr "УВАГА: строк дії вашого підключа імпорт
 msgid "You may want to change its expiration date too.\n"
 msgstr "Ймовірно, вам варто змінити також і його строк дії.\n"
 #, fuzzy, c-format
 #| msgid "WARNING: Your encryption subkey expires soon.\n"
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr "УВАГА: строк дії вашого підключа імпортування невдовзі завершиться.\n"
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -8052,6 +8053,10 @@ msgstr "будь ласка, перевірте причину і вилучіт
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "не вдалося створити тимчасовий файл каталогу кешу «%s»: %s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "помилка під час спроби перейменування «%s» на «%s»: %s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "не вдалося хешувати «%s»: %s\n"
--- a/po/zh_CN.po
+++ b/po/zh_CN.po
@ -717,10 +717,6 @@ msgstr "正确"
 msgid "Wrong"
 msgstr "错误"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "将‘%s’重命名为‘%s’时出现错误：%s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr "注意：此密码从未被修改过。%0A请立即修改。"
@ -3692,6 +3688,11 @@ msgstr "警告： 您的加密用子密钥将在不久后过期。\n"
 msgid "You may want to change its expiration date too.\n"
 msgstr "您可能也想要变更它的过期日期。\n"
 #, fuzzy, c-format
 #| msgid "WARNING: Your encryption subkey expires soon.\n"
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr "警告： 您的加密用子密钥将在不久后过期。\n"
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -7528,6 +7529,10 @@ msgstr "请检查理由并手动删除那个文件\n"
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "创建临时缓存目录文件‘%s’时失败：%s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "将‘%s’重命名为‘%s’时出现错误：%s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "无法取‘%s’的散列：%s\n"
--- a/po/zh_TW.po
+++ b/po/zh_TW.po
@ -753,10 +753,6 @@ msgstr "正確"
 msgid "Wrong"
 msgstr "錯了"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "把 '%s' 重新命名成 '%s' 時出錯: %s\n"
 #, c-format
 msgid "Note: This passphrase has never been changed.%0APlease change it now."
 msgstr "請注意: 密語從未變更過.%0A請現在就變更."
@ -3882,6 +3878,11 @@ msgstr "警告: 你的加密子鑰很快將到期.\n"
 msgid "You may want to change its expiration date too.\n"
 msgstr "你可能也會想變更其使用期限.\n"
 #, fuzzy, c-format
 #| msgid "WARNING: Your encryption subkey expires soon.\n"
 msgid "WARNING: No valid encryption subkey left over.\n"
 msgstr "警告: 你的加密子鑰很快將到期.\n"
 msgid ""
 "WARNING: This is a PGP2-style key.  Adding a photo ID may cause some "
 "versions\n"
@ -7871,6 +7872,10 @@ msgstr "請檢查其原因並手動刪除該檔案\n"
 msgid "failed to create temporary cache dir file '%s': %s\n"
 msgstr "建立暫存快取目錄檔案 '%s' 失敗: %s\n"
 #, c-format
 msgid "error renaming '%s' to '%s': %s\n"
 msgstr "把 '%s' 重新命名成 '%s' 時出錯: %s\n"
 #, c-format
 msgid "can't hash '%s': %s\n"
 msgstr "無法計算 '%s' 的雜湊: %s\n"
--- a/scd/app-p15.c
+++ b/scd/app-p15.c
@ -87,7 +87,8 @@ typedef enum
    CARD_PRODUCT_UNKNOWN,
    CARD_PRODUCT_RSCS,     /* Rohde&Schwarz Cybersecurity       */
    CARD_PRODUCT_DTRUST,   /* D-Trust GmbH (bundesdruckerei.de) */
-    CARD_PRODUCT_GENUA     /* GeNUA mbH                         */
+    CARD_PRODUCT_GENUA,    /* GeNUA mbH                         */
    CARD_PRODUCT_NEXUS     /* Technology Nexus                  */
  }
 card_product_t;
@ -550,6 +551,7 @@ cardproduct2str (card_product_t cardproduct)
    case CARD_PRODUCT_RSCS:    return "R&S";
    case CARD_PRODUCT_DTRUST:  return "D-Trust";
    case CARD_PRODUCT_GENUA:   return "GeNUA";
    case CARD_PRODUCT_NEXUS:   return "Nexus";
    }
  return "";
 }
@ -3605,14 +3607,20 @@ read_p15_info (app_t app)
  release_lists (app);
-  if (IS_CARDOS_5 (app)
+  /* Set a product type from the manufacturer_id.  */
-      && app->app_local->manufacturer_id
+  if (IS_CARDOS_5 (app) && app->app_local->manufacturer_id)
      && !ascii_strcasecmp (app->app_local->manufacturer_id, "GeNUA mbH"))
    {
-      if (!app->app_local->card_product)
+      const char *manu = app->app_local->manufacturer_id;
      if (app->app_local->card_product)
        ; /* Already set.  */
      else if (!ascii_strcasecmp (manu, "GeNUA mbH"))
        app->app_local->card_product = CARD_PRODUCT_GENUA;
      else if (!ascii_strcasecmp (manu, "Technology Nexus"))
        app->app_local->card_product = CARD_PRODUCT_NEXUS;
    }
  /* Read the ODF so that we know the location of all directory
     files. */
  /* Fixme: We might need to get a non-standard ODF FID from TokenInfo. */
@ -5079,9 +5087,7 @@ get_dispserialno (app_t app, prkdf_object_t prkdf)
      if (serial && (n=strlen (serial)) > 8)
        memmove (serial, serial + n - 8, 9);
    }
-  else if (IS_CARDOS_5 (app) && app->app_local->manufacturer_id
+  else if (app->app_local->card_product == CARD_PRODUCT_NEXUS
           && !ascii_strcasecmp (app->app_local->manufacturer_id,
                                 "Technology Nexus")
           && APP_CARD(app)->serialno && APP_CARD(app)->serialnolen == 4+9
           && !memcmp (APP_CARD(app)->serialno, "\xff\x00\x00\xff", 4)
           && !any_control_or_space_mem (APP_CARD(app)->serialno + 4, 9))
@ -5615,11 +5621,12 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
          err = gpg_error_from_syserror ();
          goto leave;
        }
-      if (app->app_local->card_type == CARD_TYPE_BELPIC)
+      if (app->app_local->card_type == CARD_TYPE_BELPIC
          || app->app_local->card_product == CARD_PRODUCT_NEXUS)
        {
-          /* This card wants only the plain hash w/o any prefix.  */
+          /* The default for these cards is to use a plain hash.  We
-          /* FIXME: We may want to remove this code because it is unlikely
+           * assume that due to the used certificate the correct hash
-           * that such cards are still in use.  */
+           * algo is used.  */
          memcpy (frame, indata, indatalen);
          framelen = indatalen;
        }
--- a/sm/Makefile.am
+++ b/sm/Makefile.am
@ -77,8 +77,8 @@ gpgsm_LDFLAGS =
 gpgsm_DEPENDENCIES = $(resource_objs)
-module_tests =
+module_tests = t-minip12
-module_maint_tests = t-minip12
+module_maint_tests =
 t_common_src =
 t_common_ldadd = $(libcommon) $(LIBGCRYPT_LIBS) $(KSBA_LIBS) \
--- a/sm/call-dirmngr.c
+++ b/sm/call-dirmngr.c
@ -1001,16 +1001,17 @@ static gpg_error_t
 run_command_inq_cb (void *opaque, const char *line)
 {
  struct run_command_parm_s *parm = opaque;
  gpg_error_t err;
  const char *s;
  int rc = 0;
  ksba_cert_t cert = NULL;
  ksba_sexp_t ski = NULL;
  const unsigned char *der;
  size_t derlen, n;
  if ((s = has_leading_keyword (line, "SENDCERT")))
-    { /* send the given certificate */
+    {
-      int err;
+      /* Send the given certificate.  */
      ksba_cert_t cert;
      const unsigned char *der;
      size_t derlen;
      line = s;
      if (!*line)
        return gpg_error (GPG_ERR_ASS_PARAMETER);
@ -1029,11 +1030,36 @@ run_command_inq_cb (void *opaque, const char *line)
            rc = gpg_error (GPG_ERR_INV_CERT_OBJ);
          else
            rc = assuan_send_data (parm->ctx, der, derlen);
-          ksba_cert_release (cert);
+        }
    }
  else if ((s = has_leading_keyword (line, "SENDCERT_SKI")))
    {
      /* Send a certificate where a sourceKeyIdentifier is included. */
      line = s;
      ski = make_simple_sexp_from_hexstr (line, &n);
      line += n;
      while (*line == ' ')
        line++;
      err = gpgsm_find_cert (parm->ctrl, line, ski, &cert,
                             FIND_CERT_ALLOW_AMBIG|FIND_CERT_WITH_EPHEM);
      if (err)
        {
          log_error ("certificate not found: %s\n", gpg_strerror (err));
          rc = gpg_error (GPG_ERR_NOT_FOUND);
        }
      else
        {
          der = ksba_cert_get_image (cert, &derlen);
          if (!der)
            rc = gpg_error (GPG_ERR_INV_CERT_OBJ);
          else
            rc = assuan_send_data (parm->ctx, der, derlen);
        }
    }
  else if ((s = has_leading_keyword (line, "PRINTINFO")))
-    { /* Simply show the message given in the argument. */
+    {
      /* Simply show the message given in the argument. */
      line = s;
      log_info ("dirmngr: %s\n", line);
    }
@ -1043,7 +1069,6 @@ run_command_inq_cb (void *opaque, const char *line)
         root certificate.  */
      char fpr[41];
      struct rootca_flags_s rootca_flags;
      int n;
      line = s;
@ -1067,6 +1092,8 @@ run_command_inq_cb (void *opaque, const char *line)
      rc = gpg_error (GPG_ERR_ASS_UNKNOWN_INQUIRE);
    }
  ksba_cert_release (cert);
  xfree (ski);
  return rc;
 }
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@ -1107,6 +1107,10 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
      goto leave;
    }
  gnupg_ksba_set_progress_cb (b64writer, gpgsm_progress_cb, ctrl);
  if (ctrl->input_size_hint)
    gnupg_ksba_set_total (b64writer, ctrl->input_size_hint);
  rc = ksba_cms_new (&cms);
  if (rc)
    goto leave;
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@ -653,6 +653,10 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
      goto leave;
    }
  gnupg_ksba_set_progress_cb (b64writer, gpgsm_progress_cb, ctrl);
  if (ctrl->input_size_hint)
    gnupg_ksba_set_total (b64writer, ctrl->input_size_hint);
  err = ksba_cms_new (&cms);
  if (err)
    {
@ -828,7 +832,7 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
      err = ksba_cms_build (cms, &stopreason);
      if (err)
        {
-          log_debug ("ksba_cms_build failed: %s\n", gpg_strerror (err));
+          log_error ("creating CMS object failed: %s\n", gpg_strerror (err));
          rc = err;
          goto leave;
        }
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@ -139,6 +139,7 @@ enum cmd_and_opt_values {
  oAssumeArmor,
  oAssumeBase64,
  oAssumeBinary,
  oInputSizeHint,
  oBase64,
  oNoArmor,
@ -326,6 +327,7 @@ static gpgrt_opt_t opts[] = {
                N_("assume input is in base-64 format")),
  ARGPARSE_s_n (oAssumeBinary, "assume-binary",
                N_("assume input is in binary format")),
  ARGPARSE_s_s (oInputSizeHint, "input-size-hint", "@"),
  ARGPARSE_header ("Output", N_("Options controlling the output")),
@ -802,7 +804,7 @@ set_debug (void)
  /* minip12.c may be used outside of GnuPG, thus we don't have the
   * opt structure over there.  */
-  p12_set_verbosity (opt.verbose);
+  p12_set_verbosity (opt.verbose, opt.debug);
 }
@ -1188,6 +1190,10 @@ main ( int argc, char **argv)
          ctrl.is_base64 = 0;
          break;
        case oInputSizeHint:
          ctrl.input_size_hint = string_to_u64 (pargs.r.ret_str);
          break;
        case oDisableCRLChecks:
          opt.no_crl_check = 1;
          break;
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@ -250,6 +250,11 @@ struct server_control_s
  int is_pem;         /* Is in PEM format */
  int is_base64;      /* is in plain base-64 format */
  /* If > 0 a hint with the expected number of input data bytes.  This
   * is not necessary an exact number but intended to be used for
   * progress info and to decide on how to allocate buffers.  */
  uint64_t input_size_hint;
  int create_base64;  /* Create base64 encoded output */
  int create_pem;     /* create PEM output */
  const char *pem_name; /* PEM name to use */
@ -316,6 +321,7 @@ gpg_error_t gpgsm_status_with_err_code (ctrl_t ctrl, int no, const char *text,
                                        gpg_err_code_t ec);
 gpg_error_t gpgsm_status_with_error (ctrl_t ctrl, int no, const char *text,
                                     gpg_error_t err);
 gpg_error_t gpgsm_progress_cb (ctrl_t ctrl, uint64_t current, uint64_t total);
 gpg_error_t gpgsm_proxy_pinentry_notify (ctrl_t ctrl,
                                         const unsigned char *line);
--- a/sm/minip12.c
+++ b/sm/minip12.c
--- a/sm/minip12.h
+++ b/sm/minip12.h
@ -23,7 +23,7 @@
 #include <gcrypt.h>
-void p12_set_verbosity (int verbose);
+void p12_set_verbosity (int verbose, int debug);
 gcry_mpi_t *p12_parse (const unsigned char *buffer, size_t length,
                       const char *pw,
--- a/sm/server.c
+++ b/sm/server.c
@ -298,6 +298,10 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
            opt.request_origin = i;
        }
    }
  else if (!strcmp (key, "input-size-hint"))
    {
      ctrl->input_size_hint = string_to_u64 (value);
    }
  else
    err = gpg_error (GPG_ERR_UNKNOWN_OPTION);
@ -1506,7 +1510,14 @@ gpgsm_status2 (ctrl_t ctrl, int no, ...)
            }
        }
      putc ('\n', statusfp);
-      fflush (statusfp);
+      if (ferror (statusfp))
        err = gpg_error_from_syserror ();
      else
        {
          fflush (statusfp);
          if (ferror (statusfp))
            err = gpg_error_from_syserror ();
        }
    }
  else
    {
@ -1551,6 +1562,45 @@ gpgsm_status_with_error (ctrl_t ctrl, int no, const char *text,
 }
 /* This callback is used to emit progress status lines.  */
 gpg_error_t
 gpgsm_progress_cb (ctrl_t ctrl, uint64_t current, uint64_t total)
 {
  char buffer[60];
  char units[] = "BKMGTPEZY?";
  int unitidx = 0;
  if (total)
    {
      if (current > total)
        current = total;
      while (total > 1024*1024)
        {
          total /= 1024;
          current /= 1024;
          unitidx++;
        }
    }
  else
    {
      while (current > 1024*1024)
        {
          current /= 1024;
          unitidx++;
        }
    }
  if (unitidx > 9)
    unitidx = 9;
  snprintf (buffer, sizeof buffer, "? %lu %lu %c%s",
            (unsigned long)current, (unsigned long)total,
            units[unitidx], unitidx? "iB" : "");
  return gpgsm_status2 (ctrl, STATUS_PROGRESS, "?", buffer, NULL);
 }
 /* Helper to notify the client about Pinentry events.  Because that
   might disturb some older clients, this is only done when enabled
   via an option.  Returns an gpg error code. */
--- a/sm/sign.c
+++ b/sm/sign.c
@ -687,6 +687,10 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
      goto leave;
    }
  gnupg_ksba_set_progress_cb (b64writer, gpgsm_progress_cb, ctrl);
  if (ctrl->input_size_hint)
    gnupg_ksba_set_total (b64writer, ctrl->input_size_hint);
  err = ksba_cms_new (&cms);
  if (err)
    {
@ -1027,7 +1031,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
      err = ksba_cms_build (cms, &stopreason);
      if (err)
        {
-          log_debug ("ksba_cms_build failed: %s\n", gpg_strerror (err));
+          log_error ("creating CMS object failed: %s\n", gpg_strerror (err));
          rc = err;
          goto leave;
        }
--- a/sm/t-minip12.c
+++ b/sm/t-minip12.c
@ -1,5 +1,5 @@
 /* t-minip12.c - Test driver for minip12.c
- * Copyright (C) 2020 g10 Code GmbH
+ * Copyright (C) 2020, 2023 g10 Code GmbH
 *
 * This file is part of GnuPG.
 *
@ -15,6 +15,7 @@
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <https://www.gnu.org/licenses/>.
 * SPDX-License-Identifier: GPL-3.0-or-later
 */
 #include <config.h>
@ -22,6 +23,8 @@
 #include <stdlib.h>
 #include <sys/stat.h>
 #include <unistd.h>
 #include <stdarg.h>
 #include <ctype.h>
 #include "../common/util.h"
 #include "minip12.h"
@ -31,7 +34,336 @@
 static int verbose;
 static int debug;
 static int any_error;
 static void die (const char *format, ...) GPGRT_ATTR_NR_PRINTF(1,2);
 static void err (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
 static void inf (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
 /* static void dbg (const char *format, ...) GPGRT_ATTR_PRINTF(1,2); */
 static void printresult (const char *format, ...) GPGRT_ATTR_PRINTF(1,2);
 static char *my_xstrconcat (const char *s1, ...) GPGRT_ATTR_SENTINEL(0);
 #define xstrconcat my_xstrconcat
 #define trim_spaces(a) my_trim_spaces ((a))
 #define my_isascii(c) (!((c) & 0x80))
 /* Print diagnostic message and exit with failure. */
 static void
 die (const char *format, ...)
 {
  va_list arg_ptr;
  fflush (stdout);
  fprintf (stderr, "%s: ", PGM);
  va_start (arg_ptr, format);
  vfprintf (stderr, format, arg_ptr);
  va_end (arg_ptr);
  if (!*format || format[strlen(format)-1] != '\n')
    putc ('\n', stderr);
  exit (1);
 }
 /* Print diagnostic message. */
 static void
 err (const char *format, ...)
 {
  va_list arg_ptr;
  any_error = 1;
  fflush (stdout);
  fprintf (stderr, "%s: ", PGM);
  va_start (arg_ptr, format);
  vfprintf (stderr, format, arg_ptr);
  va_end (arg_ptr);
  if (!*format || format[strlen(format)-1] != '\n')
    putc ('\n', stderr);
 }
 /* Print an info message. */
 static void
 inf (const char *format, ...)
 {
  va_list arg_ptr;
  if (verbose)
    {
      fprintf (stderr, "%s: ", PGM);
      va_start (arg_ptr, format);
      vfprintf (stderr, format, arg_ptr);
      va_end (arg_ptr);
      if (!*format || format[strlen(format)-1] != '\n')
        putc ('\n', stderr);
    }
 }
 /* Print a debug message. */
 /* static void */
 /* dbg (const char *format, ...) */
 /* { */
 /*   va_list arg_ptr; */
 /*   if (debug) */
 /*     { */
 /*       fprintf (stderr, "%s: DBG: ", PGM); */
 /*       va_start (arg_ptr, format); */
 /*       vfprintf (stderr, format, arg_ptr); */
 /*       va_end (arg_ptr); */
 /*       if (!*format || format[strlen(format)-1] != '\n') */
 /*         putc ('\n', stderr); */
 /*     } */
 /* } */
 /* Print a result line to stdout.  */
 static void
 printresult (const char *format, ...)
 {
  va_list arg_ptr;
  fflush (stdout);
 #ifdef HAVE_FLOCKFILE
  flockfile (stdout);
 #endif
  va_start (arg_ptr, format);
  vfprintf (stdout, format, arg_ptr);
  if (*format && format[strlen(format)-1] != '\n')
    putc ('\n', stdout);
  va_end (arg_ptr);
  fflush (stdout);
 #ifdef HAVE_FLOCKFILE
  funlockfile (stdout);
 #endif
 }
 /* Helper for xstrconcat and strconcat.  */
 static char *
 do_strconcat (int xmode, const char *s1, va_list arg_ptr)
 {
  const char *argv[48];
  size_t argc;
  size_t needed;
  char *buffer, *p;
  argc = 0;
  argv[argc++] = s1;
  needed = strlen (s1);
  while (((argv[argc] = va_arg (arg_ptr, const char *))))
    {
      needed += strlen (argv[argc]);
      if (argc >= DIM (argv)-1)
        die ("too may args for strconcat\n");
      argc++;
    }
  needed++;
  buffer = xmode? xmalloc (needed) : malloc (needed);
  for (p = buffer, argc=0; argv[argc]; argc++)
    p = stpcpy (p, argv[argc]);
  return buffer;
 }
 /* Concatenate the string S1 with all the following strings up to a
   NULL.  Returns a malloced buffer with the new string or dies on error. */
 static char *
 my_xstrconcat (const char *s1, ...)
 {
  va_list arg_ptr;
  char *result;
  if (!s1)
    result = xstrdup ("");
  else
    {
      va_start (arg_ptr, s1);
      result = do_strconcat (1, s1, arg_ptr);
      va_end (arg_ptr);
    }
  return result;
 }
 static char *
 my_trim_spaces (char *str )
 {
  char *string, *p, *mark;
  string = str;
  for (p=string; *p && isspace (*(unsigned char *)p) ; p++)
    ;
  for (mark=NULL; (*string = *p); string++, p++ )
    if (isspace (*(unsigned char *)p))
      {
        if (!mark)
          mark = string;
      }
    else
      mark = NULL;
  if (mark)
    *mark = '\0';
  return str ;
 }
 /* Prepend FNAME with the srcdir environment variable's value and
 * return an allocated filename.  */
 static char *
 prepend_srcdir (const char *fname)
 {
  static const char *srcdir;
  if (!srcdir && !(srcdir = getenv ("srcdir")))
    return xstrdup (fname);
  else
    return xstrconcat (srcdir, "/", fname, NULL);
 }
 /* (BUFFER,BUFLEN) and return a malloced hexstring.  */
 static char *
 hash_buffer (const void *buffer, size_t buflen)
 {
  unsigned char hash[20];
  char *result;
  int i;
  gcry_md_hash_buffer (GCRY_MD_SHA1, hash, buffer, buflen);
  result = xmalloc (41);
  for (i=0; i < 20; i++)
    snprintf (result + 2*i, 3, "%02x", hash[i]);
  return result;
 }
 /* Read next line but skip over empty and comment lines.  Caller must
   xfree the result.  */
 static char *
 read_textline (FILE *fp, int *lineno)
 {
  char line[4096];
  char *p;
  do
    {
      if (!fgets (line, sizeof line, fp))
        {
          if (feof (fp))
            return NULL;
          die ("error reading input line: %s\n", strerror (errno));
        }
      ++*lineno;
      p = strchr (line, '\n');
      if (!p)
        die ("input line %d not terminated or too long\n", *lineno);
      *p = 0;
      for (p--;p > line && my_isascii (*p) && isspace (*p); p--)
        *p = 0;
    }
  while (!*line || *line == '#');
  return xstrdup (line);
 }
 /* Copy the data after the tag to BUFFER.  BUFFER will be allocated as
   needed.  */
 static void
 copy_data (char **buffer, const char *line, int lineno)
 {
  const char *s;
  xfree (*buffer);
  *buffer = NULL;
  s = strchr (line, ':');
  if (!s)
    {
      err ("syntax error at input line %d", lineno);
      return;
    }
  for (s++; my_isascii (*s) && isspace (*s); s++)
    ;
  *buffer = xstrdup (s);
 }
 static void
 hexdowncase (char *string)
 {
  char *p;
  if (string)
    for (p=string; *p; p++)
      if (my_isascii (*p))
        *p = tolower (*p);
 }
 /* Return the value of the variable VARNAME from ~/.gnupg-autogen.rc
 * or NULL if it does not exists or is empty.  */
 static char *
 value_from_gnupg_autogen_rc (const char *varname)
 {
  const char *home;
  char *fname;
  FILE *fp;
  char *line = NULL;
  char *p;
  int lineno = 0;
  if (!(home = getenv ("HOME")))
    home = "";
  fname = xstrconcat (home, "/.gnupg-autogen.rc", NULL);
  fp = fopen (fname, "r");
  if (!fp)
    goto leave;
  while ((line = read_textline (fp, &lineno)))
    {
      p = strchr (line, '=');
      if (p)
        {
          *p++ = 0;
          trim_spaces (line);
          if (!strcmp (line, varname))
            {
              trim_spaces (p);
              if (*p)
                {
                  memmove (line, p, strlen (p)+1);
                  if (*line == '~' && line[1] == '/')
                    {
                      p = xstrconcat (home, line+1, NULL);
                      xfree (line);
                      line = p;
                    }
                  break; /* found.  */
                }
            }
        }
      xfree (line);
    }
 leave:
  if (fp)
    fclose (fp);
  xfree (fname);
  return line;
 }
 static void
@ -45,13 +377,10 @@ cert_cb (void *opaque, const unsigned char *cert, size_t certlen)
 }
-
+/* Parse one PKCS#12 file.   Returns zero on success.  */
-int
+static int
-main (int argc, char **argv)
+one_file (const char *name, const char *pass)
 {
  int last_argc = -1;
  char const *name = NULL;
  char const *pass = NULL;
  FILE *fp;
  struct stat st;
  unsigned char *buf;
@ -60,63 +389,6 @@ main (int argc, char **argv)
  int badpass;
  char *curve = NULL;
  if (argc)
    { argc--; argv++; }
  while (argc && last_argc != argc )
    {
      last_argc = argc;
      if (!strcmp (*argv, "--"))
        {
          argc--; argv++;
          break;
        }
      else if (!strcmp (*argv, "--help"))
        {
          fputs ("usage: " PGM " <pkcs12file> [<passphrase>]\n"
                 "Options:\n"
                 "  --verbose           print timings etc.\n"
                 "  --debug             flyswatter\n"
                 , stdout);
          exit (0);
        }
      else if (!strcmp (*argv, "--verbose"))
        {
          verbose++;
          argc--; argv++;
        }
      else if (!strcmp (*argv, "--debug"))
        {
          verbose += 2;
          debug++;
          argc--; argv++;
        }
      else if (!strncmp (*argv, "--", 2))
        {
          fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
          exit (1);
        }
    }
  if (argc == 1)
    {
      name = argv[0];
      pass = "";
    }
  else if (argc == 2)
    {
      name = argv[0];
      pass = argv[1];
    }
  else
    {
      fprintf (stderr, "usage: " PGM " <file> [<passphrase>]\n");
      exit (1);
    }
  gcry_control (GCRYCTL_DISABLE_SECMEM, NULL);
  gcry_control (GCRYCTL_INITIALIZATION_FINISHED, NULL);
  fp = fopen (name, "rb");
  if (!fp)
    {
@ -131,8 +403,8 @@ main (int argc, char **argv)
    }
  buflen = st.st_size;
-  buf = gcry_malloc (buflen+1);
+  buf = xmalloc (buflen+1);
-  if (!buf || fread (buf, buflen, 1, fp) != 1)
+  if (fread (buf, buflen, 1, fp) != 1)
    {
      fprintf (stderr, "error reading '%s': %s\n", name, strerror (errno));
      return 1;
@ -160,6 +432,358 @@ main (int argc, char **argv)
            }
        }
    }
  if (badpass)
    log_error ("Bad password given?\n");
  xfree (buf);
  return 0;
 }
 static void
 cert_collect_cb (void *opaque, const unsigned char *cert, size_t certlen)
 {
  char **certstr = opaque;
  char *hash, *save;
  hash = hash_buffer (cert, certlen);
  if (*certstr)
    {
      save = *certstr;
      *certstr = xstrconcat (save, ",", hash, NULL);
      xfree (save);
      xfree (hash);
    }
  else
    *certstr = hash;
 }
 static int
 run_one_test (const char *name, const char *desc, const char *pass,
              const char *certexpected, const char *keyexpected)
 {
  FILE *fp;
  struct stat st;
  unsigned char *buf;
  size_t buflen;
  gcry_mpi_t *result;
  int badpass;
  char *curve = NULL;
  char *resulthash = NULL;
  char *p;
  char *certstr = NULL;
  int ret;
  inf ("testing '%s' (%s)", name , desc? desc:"");
  fp = fopen (name, "rb");
  if (!fp)
    {
      err ("can't open '%s': %s\n", name, strerror (errno));
      printresult ("FAIL: %s - test file not found\n", name);
      return 1;
    }
  if (fstat (fileno (fp), &st))
    {
      err ("can't stat '%s': %s\n", name, strerror (errno));
      printresult ("FAIL: %s - error stating test file\n", name);
      fclose (fp);
      return 1;
    }
  buflen = st.st_size;
  buf = xmalloc (buflen+1);
  if (fread (buf, buflen, 1, fp) != 1)
    {
      err ("error reading '%s': %s\n", name, strerror (errno));
      printresult ("FAIL: %s - error reading test file\n", name);
      fclose (fp);
      xfree (buf);
      return 1;
    }
  fclose (fp);
  result = p12_parse (buf, buflen, pass? pass:"", cert_collect_cb, &certstr,
                      &badpass, &curve);
  if (result)
    {
      int i, rc;
      char *tmpstring;
      unsigned char *tmpbuf;
      char numbuf[20];
      if (curve)
        {
          if (verbose > 1)
            inf ("curve: %s\n", curve);
          tmpstring = xstrconcat ("curve:", curve, "\n", NULL);
        }
      else
        tmpstring = xstrdup ("\n");
      for (i=0; result[i]; i++)
        {
          rc = gcry_mpi_aprint (GCRYMPI_FMT_HEX, &tmpbuf, NULL, result[i]);
          if (rc)
            die ("result %d: [error printing number: %s]\n",
                 i, gpg_strerror (rc));
          else
            {
              if (verbose > 1)
                inf ("result %d: %s\n", i, tmpbuf);
              snprintf (numbuf, sizeof numbuf, "%d:", i);
              p = xstrconcat (tmpstring, numbuf, tmpbuf, "\n", NULL);
              xfree (tmpstring);
              tmpstring = p;
              gcry_free (tmpbuf);
            }
        }
      resulthash = hash_buffer (tmpstring, strlen (tmpstring));
      xfree (tmpstring);
    }
  if (verbose > 1)
    {
      inf ("cert(exp)=%s", certexpected);
      inf ("cert(got)=%s", certstr? certstr:"[null]");
      inf ("key(exp)=%s", keyexpected);
      inf ("key(got)=%s", resulthash? resulthash:"[null]");
    }
  ret = 1;
  if (!result)
    printresult ("FAIL: %s - error from parser\n", name);
  else if (certexpected && !certstr)
    printresult ("FAIL: %s - expected certs but got none\n", name);
  else if (!certexpected && certstr)
    printresult ("FAIL: %s - no certs expected but got one\n", name);
  else if (certexpected && certstr && strcmp (certexpected, certstr))
    printresult ("FAIL: %s - certs not as expected\n", name);
  else if (keyexpected && !resulthash)
    printresult ("FAIL: %s - expected key but got none\n", name);
  else if (!keyexpected && resulthash)
    printresult ("FAIL: %s - key not expected but got one\n", name);
  else if (keyexpected && resulthash && strcmp (keyexpected, resulthash))
    printresult ("FAIL: %s - keys not as expected\n", name);
  else
    {
      printresult ("PASS: %s\n", name);
      ret = 0;
    }
  if (result)
    {
      int i;
      for (i=0; result[i]; i++)
        gcry_mpi_release (result[i]);
      gcry_free (result);
    }
  xfree (certstr);
  xfree (resulthash);
  xfree (curve);
  xfree (buf);
  return ret;
 }
 /* Run a regression test using the Info take from DESCFNAME.  */
 static int
 run_tests_from_file (const char *descfname)
 {
  FILE *fp;
  char *descdir;
  int lineno, ntests;
  char *line;
  char *name = NULL;
  char *desc = NULL;
  char *pass = NULL;
  char *cert = NULL;
  char *key = NULL;
  int ret = 0;
  char *p;
  inf ("Running tests from '%s'", descfname);
  descdir = xstrdup (descfname);
  p = strrchr (descdir, '/');
  if (p)
    *p = 0;
  else
    {
      xfree (descdir);
      descdir = xstrdup (".");
    }
  fp = fopen (descfname, "r");
  if (!fp)
    die ("error opening '%s': %s\n", descfname, strerror (errno));
  lineno = ntests = 0;
  while ((line = read_textline (fp, &lineno)))
    {
      if (!strncmp (line, "Name:", 5))
        {
          if (name)
            ret |= run_one_test (name, desc, pass, cert, key);
          xfree (cert); cert = NULL;
          xfree (desc); desc = NULL;
          xfree (pass); pass = NULL;
          xfree (key);  key = NULL;
          copy_data (&name, line, lineno);
          if (name)
            {
              p = xstrconcat (descdir, "/", name, NULL);
              xfree (name);
              name = p;
            }
        }
      else if (!strncmp (line, "Desc:", 5))
        copy_data (&desc, line, lineno);
      else if (!strncmp (line, "Pass:", 5))
        copy_data (&pass, line, lineno);
      else if (!strncmp (line, "Cert:", 5))
        {
          p = NULL;
          copy_data (&p, line, lineno);
          hexdowncase (p);
          if (p && cert)
            {
              char *save = cert;
              cert = xstrconcat (save, ",", p, NULL);
              xfree (save);
              xfree (p);
            }
          else
            cert = p;
        }
      else if (!strncmp (line, "Key:", 4))
        {
          copy_data (&key, line, lineno);
          hexdowncase (key);
        }
      else
        inf ("%s:%d: unknown tag ignored", descfname, lineno);
      xfree (line);
    }
  if (name)
    ret |= run_one_test (name, desc, pass, cert, key);
  xfree (name);
  xfree (desc);
  xfree (pass);
  xfree (cert);
  xfree (key);
  fclose (fp);
  xfree (descdir);
  return ret;
 }
 int
 main (int argc, char **argv)
 {
  int last_argc = -1;
  char const *name = NULL;
  char const *pass = NULL;
  int ret;
  int no_extra = 0;
  if (argc)
    { argc--; argv++; }
  while (argc && last_argc != argc )
    {
      last_argc = argc;
      if (!strcmp (*argv, "--"))
        {
          argc--; argv++;
          break;
        }
      else if (!strcmp (*argv, "--help"))
        {
          fputs ("usage: " PGM " <pkcs12file> [<passphrase>]\n"
                 "Without <pkcs12file> a regression test is run\n"
                 "Options:\n"
                 "  --no-extra          do not run extra tests\n"
                 "  --verbose           print timings etc.\n"
                 "                      given twice shows more\n"
                 "  --debug             flyswatter\n"
                 , stdout);
          exit (0);
        }
      else if (!strcmp (*argv, "--no-extra"))
        {
          no_extra = 1;
          argc--; argv++;
        }
      else if (!strcmp (*argv, "--verbose"))
        {
          verbose++;
          argc--; argv++;
        }
      else if (!strcmp (*argv, "--debug"))
        {
          verbose += 2;
          debug++;
          argc--; argv++;
        }
      else if (!strncmp (*argv, "--", 2))
        {
          fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
          exit (1);
        }
    }
  if (!argc)
    {
      name = NULL;
      pass = NULL;
    }
  else if (argc == 1)
    {
      name = argv[0];
      pass = "";
    }
  else if (argc == 2)
    {
      name = argv[0];
      pass = argv[1];
    }
  else
    {
      fprintf (stderr, "usage: " PGM " [<file> [<passphrase>]]\n");
      exit (1);
    }
  gcry_control (GCRYCTL_DISABLE_SECMEM, NULL);
  gcry_control (GCRYCTL_INITIALIZATION_FINISHED, NULL);
  if (name)
    {
      p12_set_verbosity (verbose, debug);
      ret = one_file (name, pass);
    }
  else
    {
      char *descfname, *p;
      if (verbose > 1)
        p12_set_verbosity (verbose > 1? (verbose - 1):0, debug);
      descfname = prepend_srcdir ("../tests/cms/samplekeys/Description-p12");
      ret = run_tests_from_file (descfname);
      xfree (descfname);
      /* Check whether we have non-public regression test cases. */
      p = no_extra? NULL:value_from_gnupg_autogen_rc ("GNUPG_EXTRA_TESTS_DIR");
      if (p)
        {
          descfname = xstrconcat  (p, "/pkcs12/Description", NULL);
          xfree (p);
          ret |= run_tests_from_file (descfname);
          xfree (descfname);
        }
    }
  return ret;
 }
--- a/sm/verify.c
+++ b/sm/verify.c
@ -158,6 +158,10 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
        }
    }
  gnupg_ksba_set_progress_cb (b64writer, gpgsm_progress_cb, ctrl);
  if (ctrl->input_size_hint)
    gnupg_ksba_set_total (b64writer, ctrl->input_size_hint);
  rc = ksba_cms_new (&cms);
  if (rc)
    goto leave;
--- a/tests/cms/Makefile.am
+++ b/tests/cms/Makefile.am
@ -86,13 +86,19 @@ TEST_FILES = plain-1.cms.asc \
 testscripts = sm-sign+verify sm-verify
 EXTRA_DIST = $(XTESTS) $(KEYS) $(CERTS) $(TEST_FILES) \
             samplemsgs/README \
 	     samplekeys/Description-p12 \
 	     samplekeys/steed-self-signing-nonthority.pem \
 	     samplekeys/68A638998DFABAC510EA645CE34F9686B2EDF7EA.key \
             samplekeys/32100C27173EF6E9C4E9A25D3D69F86D37A4F939.key \
             samplekeys/cert_g10code_pete1.pem \
             samplekeys/cert_g10code_test1.pem \
             samplekeys/cert_g10code_theo1.pem \
-             samplemsgs/README \
+             samplekeys/ov-user.p12 \
             samplekeys/ov-server.p12 \
             samplekeys/opensc-test.p12 \
             samplekeys/t5793-openssl.pfx \
             samplekeys/t5793-test.pfx \
             samplemsgs/pwri-sample.cbc.p7m \
             samplemsgs/pwri-sample.cbc-2.p7m \
             samplemsgs/pwri-sample.gcm.p7m \
--- a/tests/cms/samplekeys/Description-p12
+++ b/tests/cms/samplekeys/Description-p12
@ -0,0 +1,32 @@
 # Description-p12  - Machine readable description of our P12 test vectors
 Name: ov-user.p12
 Desc: Private test key from www.openvalidation.org
 Pass: start
 Cert: 4753a910e0c8b4caa8663ca0e4273a884eb5397d
 Key:  93be89edd11214ab74280d988a665b6beef876c5
 Name: ov-server.p12
 Desc: Private test key from www.openvalidation.org
 Pass: start
 Cert: 1997fadf6cc1af03e4845c4cba38fb2397315143
 Key:  63b1d7233e75c3a462cb4b8ea3ad285e8ecba91c
 Name: opensc-test.p12
 Desc: PKCS#12 key and certificates taken from OpenSC (RC2+3DES,PKCS#8)
 Pass: password
 Cert: 115abfc3ae554092a57ade74177fedf9459af5d2
 Cert: a0d6d318952c313ff8c33cd3f629647ff1de76b3
 Key:  5a36c61706367ecdb52e8779e3a32bbac1069fa1
 Name: t5793-openssl.pfx
 Desc: self-signed key issued keys
 Pass: test
 Cert: 80348a438e4b803b99e708da0b7fdd0659dedd15
 Key:  c271e44ab4fb19ca1aae71102ea4d7292ccc981d
 Name: t5793-test.pfx
 Desc: QuaVadis format of t5793-openssl
 Pass: test
 Cert: 80348a438e4b803b99e708da0b7fdd0659dedd15
 Key:  c271e44ab4fb19ca1aae71102ea4d7292ccc981d
--- a/tests/cms/samplekeys/README
+++ b/tests/cms/samplekeys/README
@ -1,10 +1,5 @@
 This is a collection of keys we use with the regression tests.
-
+For the *.p12 files see Description-p12
 opensc-tests.p12   PKCS#12 key and certificates taken from OpenSC.
 		   Passphrase is "password"
 ov-user.p12        Private tests keys from www.openvalidation.org.
 ov-server.p12      Passphrase for both is "start"
 ossl-rentec-user.pem  An OpenSSL generated user certificate using a
                      bunch of attributes and DC RDNs.
@ -21,4 +16,3 @@ steed-self-signing-nonthority.pem
                   The STEED Self-Signing Nonthority.
 68A638998DFABAC510EA645CE34F9686B2EDF7EA.key
                   The private Key of The STEED Self-Signing Nonthority.
--- a/tests/cms/samplekeys/t5793-openssl.pfx
+++ b/tests/cms/samplekeys/t5793-openssl.pfx
--- a/tests/cms/samplekeys/t5793-test.pfx
+++ b/tests/cms/samplekeys/t5793-test.pfx
--- a/tools/gpg-wks-client.c
+++ b/tools/gpg-wks-client.c
@ -77,6 +77,7 @@ enum cmd_and_opt_values
    oBlacklist,
    oNoAutostart,
    oAddRevocs,
    oNoAddRevocs,
    oDummy
  };
@ -121,6 +122,7 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_s (oBlacklist, "blacklist", "@"),
  ARGPARSE_s_s (oDirectory, "directory", "@"),
  ARGPARSE_s_n (oAddRevocs, "add-revocs", "add revocation certificates"),
  ARGPARSE_s_n (oNoAddRevocs, "no-add-revocs", "do not add revocation certificates"),
  ARGPARSE_s_s (oFakeSubmissionAddr, "fake-submission-addr", "@"),
@ -158,7 +160,7 @@ static gpg_error_t proc_userid_from_stdin (gpg_error_t (*func)(const char *),
                                           const char *text);
 static gpg_error_t command_supported (char *userid);
 static gpg_error_t command_check (char *userid);
-static gpg_error_t command_send (const char *fingerprint, const char *userid);
+static gpg_error_t command_create (const char *fingerprint, const char *userid);
 static gpg_error_t encrypt_response (estream_t *r_output, estream_t input,
                                     const char *addrspec,
                                     const char *fingerprint);
@ -262,6 +264,9 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts)
        case oAddRevocs:
          opt.add_revocs = 1;
          break;
        case oNoAddRevocs:
          opt.add_revocs = 0;
          break;
 	case aSupported:
 	case aCreate:
@ -304,6 +309,8 @@ main (int argc, char **argv)
  assuan_set_gpg_err_source (GPG_ERR_SOURCE_DEFAULT);
  setup_libassuan_logging (&opt.debug, NULL);
  opt.add_revocs = 1;  /* Default add revocation certs.  */
  /* Parse the command line. */
  pargs.argc  = &argc;
  pargs.argv  = &argv;
@ -397,7 +404,7 @@ main (int argc, char **argv)
    case aCreate:
      if (argc != 2)
        wrong_args ("--create FINGERPRINT USER-ID");
-      err = command_send (argv[0], argv[1]);
+      err = command_create (argv[0], argv[1]);
      if (err)
        log_error ("creating request failed: %s\n", gpg_strerror (err));
      break;
@ -1153,7 +1160,7 @@ command_check (char *userid)
 /* Locate the key by fingerprint and userid and send a publication
 * request.  */
 static gpg_error_t
-command_send (const char *fingerprint, const char *userid)
+command_create (const char *fingerprint, const char *userid)
 {
  gpg_error_t err;
  KEYDB_SEARCH_DESC desc;
--- a/tools/gpgtar-create.c
+++ b/tools/gpgtar-create.c
@ -1283,6 +1283,8 @@ gpgtar_create (char **inpattern, const char *files_from, int null_names,
          ccparray_put (&ccp, "--recipient");
          ccparray_put (&ccp, arg->d);
        }
      if (opt.no_compress)
        ccparray_put (&ccp, "-z0");
      for (arg = opt.gpg_arguments; arg; arg = arg->next)
        ccparray_put (&ccp, arg->d);
--- a/tools/gpgtar.c
+++ b/tools/gpgtar.c
@ -76,6 +76,7 @@ enum cmd_and_opt_values
    oSetFilename,
    oNull,
    oUtf8Strings,
    oNoCompress,
    oBatch,
    oAnswerYes,
@ -121,6 +122,7 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_s (oSetFilename, "set-filename", "@"),
  ARGPARSE_s_n (oOpenPGP, "openpgp", "@"),
  ARGPARSE_s_n (oCMS, "cms", "@"),
  ARGPARSE_s_n (oNoCompress,   "no-compress", "@"),
  ARGPARSE_s_n (oBatch, "batch", "@"),
  ARGPARSE_s_n (oAnswerYes, "yes", "@"),
@ -350,6 +352,7 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts)
        case oFilesFrom: files_from = pargs->r.ret_str; break;
        case oNull: null_names = 1; break;
        case oUtf8Strings: opt.utf8strings = 1; break;
        case oNoCompress:  opt.no_compress = 1; break;
 	case aList:
        case aDecrypt:
--- a/tools/gpgtar.h
+++ b/tools/gpgtar.h
@ -33,6 +33,7 @@ struct
  int quiet;
  int dry_run;
  int utf8strings;
  int no_compress;
  const char *gpg_program;
  strlist_t gpg_arguments;
  const char *outfile;
--- a/tools/wks-util.c
+++ b/tools/wks-util.c
@ -246,7 +246,7 @@ wks_get_key (estream_t *r_key, const char *fingerprint, const char *addrspec,
  ccparray_put (&ccp, "--always-trust");
  if (!binary)
    ccparray_put (&ccp, "--armor");
-  ccparray_put (&ccp, "--export-options=export-minimal");
+  ccparray_put (&ccp, "--export-options=export-clean");
  ccparray_put (&ccp, "--export-filter");
  ccparray_put (&ccp, filterexp);
  ccparray_put (&ccp, "--export");