Merge branch 'STABLE-BRANCH-2-4'

--
Resolved conflicts:
	NEWS
	common/exechelp-w32.c
	configure.ac

.git-blame-ignore-revs

@@ -1,2 +1,4 @@
 # indent: Modernize mem2str.
 6a80d6f9206eae2c867c45daa5cd3e7d6c6ad114
+# doc: Fix spelling errors found by lintian.
+2ed1f68b48db7b5503045386de0500fddf70077e

Makefile.am

@@ -247,8 +247,8 @@ release:
          mkopt=""; \
 	 if [ -n "$$CUSTOM_SWDB" ]; then \
             mkopt="CUSTOM_SWB=1"; \
-	    x=$$(grep '^OVERRIDE_TARBALLS=' \
+	    x=$$(grep '^[[:blank:]]*OVERRIDE_TARBALLS[[:blank:]]*=' \
-                 $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
+                 $$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs);\
 	    if [ -f "$$x/swdb.lst" ]; then \
 	      echo "/* Copying swdb.lst from the overrides directory */"; \
               cp "$$x/swdb.lst" . ; \
@@ -275,13 +275,15 @@ release:
 sign-release:
 	 +(set -e; \
 	  test $$(pwd | sed 's,.*/,,') = dist || cd dist; \
-	  x=$$(grep '^RELEASE_ARCHIVE=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
+	  x=$$(grep '^[[:blank:]]*RELEASE_ARCHIVE[[:blank:]]*=' \
+                    $$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs);\
           if [ -z "$$x" ]; then \
              echo "error: RELEASE_ARCHIVE missing in ~/.gnupg-autogen.rc">&2; \
              exit 2;\
           fi;\
           myarchive="$$x/$(RELEASE_ARCHIVE_SUFFIX)";\
-	  x=$$(grep '^RELEASE_SIGNKEY=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
+	  x=$$(grep '^[[:blank:]]*RELEASE_SIGNKEY[[:blank:]]*=' \
+                     $$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs);\
           if [ -z "$$x" ]; then \
              echo "error: RELEASE_SIGNKEY missing in ~/.gnupg-autogen.rc">&2; \
              exit 2;\

NEWS

@@ -1,6 +1,51 @@
 Noteworthy changes in version 2.5.0 (unreleased)
 ------------------------------------------------
 
+  Changes also found in 2.4.5:
+
+Noteworthy changes in version 2.4.5 (2024-03-07)
+------------------------------------------------
+
+  * gpg,gpgv: New option --assert-pubkey-algo.  [T6946]
+
+  * gpg: Emit status lines for errors in the compression layer.
+    [T6977]
+
+  * gpg: Fix invocation with --trusted-keys and --no-options.  [T7025]
+
+  * gpgsm: Allow for a longer salt in PKCS#12 files.  [T6757]
+
+  * gpgtar: Make --status-fd=2 work on Windows.  [T6961]
+
+  * scd: Support for the ACR-122U NFC reader.  [rG1682ca9f01]
+
+  * scd: Suport D-TRUST ECC cards.  [T7000,T7001]
+
+  * scd: Allow auto detaching of kernel drivers; can be disabled with
+    the new compatibility-flag ccid-no-auto-detach.  [rGa1ea3b13e0]
+
+  * scd: Allow setting a PIN length of 6 also with a reset code for
+    openpgp cards.  [T6843]
+
+  * agent: Allow GET_PASSPHRASE in restricted mode.  [rGadf4db6e20]
+
+  * dirmngr: Trust system's root CAs for checking CRL issuers.
+    [T6963]
+
+  * dirmngr: Fix regression in 2.4.4 in fetching keys via hkps.
+    [T6997]
+
+  * gpg-wks-client: Make option --mirror work properly w/o specifying
+    domains.  [rG37cc255e49]
+
+  * g13,gpg-wks-client: Allow command style options as in "g13 mount
+    foo".  [rGa09157ccb2]
+
+  * Allow tilde expansion for the foo-program options.  [T7017]
+
+  * Make the getswdb.sh tool usable outside the GnuPG tree.
+
+
   Changes also found in 2.4.4:
 
   * gpg: Do not keep an unprotected smartcard backup key on disk.  See
@@ -178,6 +223,7 @@ Noteworthy changes in version 2.5.0 (unreleased)
 Release dates of 2.4 versions
 -----------------------------
 
+Version 2.4.5 (2024-03-07) https://dev.gnupg.org/T6960
 Version 2.4.4 (2024-01-25) https://dev.gnupg.org/T6578
 Version 2.4.3 (2023-07-04) https://dev.gnupg.org/T6509
 Version 2.4.2 (2023-05-30) https://dev.gnupg.org/T6506
@@ -1392,7 +1438,7 @@ Noteworthy changes in version 2.3.0 (2021-04-07)
   Changes also found in 2.2.12:
 
   * tools: New commands --install-key and --remove-key for
-    gpg-wks-client.  This allows to prepare a Web Key Directory on a
+    gpg-wks-client.  This allows one to prepare a Web Key Directory on a
     local file system for later upload to a web server.
 
   * gpg: New --list-option "show-only-fpr-mbox".  This makes the use
@@ -1436,7 +1482,7 @@ Noteworthy changes in version 2.3.0 (2021-04-07)
     query.
 
   * gpg: Do not store the TOFU trust model in the trustdb.  This
-    allows to enable or disable a TOFO model without triggering a
+    allows one to enable or disable a TOFO model without triggering a
     trustdb rebuild.  [#4134]
 
   * scd: Fix cases of "Bad PIN" after using "forcesig".  [#4177]
@@ -1855,7 +1901,7 @@ Noteworthy changes in version 2.1.23 (2017-08-09)
     to your gpg.conf.
 
   * agent: Option --no-grab is now the default.  The new option --grab
-    allows to revert this.
+    allows one to revert this.
 
   * gpg: New import option "show-only".
 
@@ -2985,7 +3031,7 @@ Noteworthy changes in version 2.1.0 (2014-11-06)
  * gpg: Allow use of Brainpool curves.
 
  * gpg: Accepts a space separated fingerprint as user ID.  This
-   allows to copy and paste the fingerprint from the key listing.
+   allows one to copy and paste the fingerprint from the key listing.
 
  * gpg: The hash algorithm is now printed for signature records in key
    listings.
@@ -3765,7 +3811,7 @@ Noteworthy changes in version 1.9.10 (2004-07-22)
 
  * Fixed a serious bug in the checking of trusted root certificates.
 
- * New configure option --enable-agent-pnly allows to build and
+ * New configure option --enable-agent-only allows one to build and
    install just the agent.
 
  * Fixed a problem with the log file handling.
@@ -4160,7 +4206,7 @@ Noteworthy changes in version 1.1.92 (2002-09-11)
       extension specified with --load-extension are checked, along
       with their enclosing directories.
 
-    * The configure option --with-static-rnd=auto allows to build gpg
+    * The configure option --with-static-rnd=auto allows one to build gpg
       with all available entropy gathering modules included.  At
       runtime the best usable one will be selected from the list
       linux, egd, unix.  This is also the default for systems lacking
@@ -4543,7 +4589,7 @@ Noteworthy changes in version 1.0.2 (2000-07-12)
     * New command --export-secret-subkeys which outputs the
       the _primary_ key with it's secret parts deleted.  This is
       useful for automated decryption/signature creation as it
-      allows to keep the real secret primary key offline and
+      allows one to keep the real secret primary key offline and
       thereby protecting the key certificates and allowing to
       create revocations for the subkeys.  See the FAQ for a
       procedure to install such secret keys.

agent/agent.h

@@ -86,8 +86,8 @@ struct
   /* Enable pinentry debugging (--debug 1024 should also be used).  */
   int debug_pinentry;
 
-  /* Filename of the program to start as pinentry.  */
+  /* Filename of the program to start as pinentry (malloced).  */
-  const char *pinentry_program;
+  char *pinentry_program;
 
   /* Filename of the program to handle daemon tasks.  */
   const char *daemon_program[DAEMON_MAX_TYPE];

agent/command.c

@@ -1988,9 +1988,6 @@ cmd_get_passphrase (assuan_context_t ctx, char *line)
   struct pin_entry_info_s *pi2 = NULL;
   int is_generated;
 
-  if (ctrl->restricted)
-    return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
-
   opt_data = has_option (line, "--data");
   opt_check = has_option (line, "--check");
   opt_no_ask = has_option (line, "--no-ask");
@@ -2039,7 +2036,9 @@ cmd_get_passphrase (assuan_context_t ctx, char *line)
   if (!desc)
     return set_error (GPG_ERR_ASS_PARAMETER, "no description given");
 
-  if (!strcmp (cacheid, "X"))
+  /* The only limitation in restricted mode is that we don't consider
+   * the cache.  */
+  if (ctrl->restricted || !strcmp (cacheid, "X"))
     cacheid = NULL;
   if (!strcmp (errtext, "X"))
     errtext = NULL;
@@ -2121,7 +2120,7 @@ cmd_get_passphrase (assuan_context_t ctx, char *line)
           entry_errtext = NULL;
           is_generated = !!(pi->status & PINENTRY_STATUS_PASSWORD_GENERATED);
 
-          /* We don't allow an empty passpharse in this mode.  */
+          /* We don't allow an empty passphrase in this mode.  */
           if (!is_generated
               && check_passphrase_constraints (ctrl, pi->pin,
                                                pi->constraints_flags,

agent/gpg-agent.c

@@ -876,6 +876,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
       opt.debug = 0;
       opt.no_grab = 1;
       opt.debug_pinentry = 0;
+      xfree (opt.pinentry_program);
       opt.pinentry_program = NULL;
       opt.pinentry_touch_file = NULL;
       xfree (opt.pinentry_invisible_char);
@@ -936,7 +937,10 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
     case oNoGrab: opt.no_grab |= 1; break;
     case oGrab: opt.no_grab |= 2; break;
 
-    case oPinentryProgram: opt.pinentry_program = pargs->r.ret_str; break;
+    case oPinentryProgram:
+      xfree (opt.pinentry_program);
+      opt.pinentry_program = make_filename_try (pargs->r.ret_str, NULL);
+      break;
     case oPinentryTouchFile: opt.pinentry_touch_file = pargs->r.ret_str; break;
     case oPinentryInvisibleChar:
       xfree (opt.pinentry_invisible_char);

build-aux/getswdb.sh

@@ -28,15 +28,24 @@ cvtver () {
 usage()
 {
     cat <<EOF
-Usage: $(basename $0) [OPTIONS]
+Usage: $(basename $0) [OPTIONS] [packages]
 Get the online version of the GnuPG software version database
+and optionally download packages and verify their signatures.
+
 Options:
+    --info             Print only infos about packages
     --skip-download    Assume download has already been done.
     --skip-verify      Do not check signatures
     --skip-selfcheck   Do not check GnuPG version
+                       (default if not used in the GnuPG tree)
     --find-sha1sum     Print the name of the sha1sum utility
     --find-sha256sum   Print the name of the sha256sum utility
     --help             Print this help.
+
+Example:
+
+  getswdb.sh gnupg24 gpgme libksba libassuan
+
 EOF
     exit $1
 }
@@ -49,6 +58,9 @@ skip_verify=no
 skip_selfcheck=no
 find_sha1sum=no
 find_sha256sum=no
+info_mode=no
+packages=
+die=no
 while test $# -gt 0; do
     case "$1" in
 	# Set up `optarg'.
@@ -79,13 +91,20 @@ while test $# -gt 0; do
         --find-sha256sum)
             find_sha256sum=yes
             ;;
-	*)
+        --info)
+            info_mode=yes
+            ;;
+	--*)
 	    usage 1 1>&2
 	    ;;
+        *)
+            packages="$packages $1"
+            ;;
     esac
     shift
 done
 
+
 # Mac OSX has only a shasum and not sha1sum
 if [ ${find_sha1sum} = yes ]; then
     for i in sha1sum shasum ; do
@@ -114,16 +133,37 @@ if [ ${find_sha256sum} = yes ]; then
 fi
 
 
+if [ $skip_verify = no ]; then
+  if [ ! -f "$distsigkey" ]; then
+     distsigkey="/usr/local/share/gnupg/distsigkey.gpg"
+     if [ ! -f "$distsigkey" ]; then
+       distsigkey="/usr/share/gnupg/distsigkey.gpg"
+       if [ ! -f "$distsigkey" ]; then
+         echo "no keyring with release keys found!" >&2
+         exit 1
+       fi
+     fi
+     echo "using release keys from $distsigkey" >&2
+     skip_selfcheck=yes
+  fi
+fi
+
+
 # Get GnuPG version from VERSION file.  For a GIT checkout this means
 # that ./autogen.sh must have been run first.  For a regular tarball
 # VERSION is always available.
-if [ ! -f "$srcdir/../VERSION" ]; then
+if [ $skip_selfcheck = no ]; then
+  if [ ! -f "$srcdir/../VERSION" ]; then
     echo "VERSION file missing - run autogen.sh first." >&2
     exit 1
+   fi
+  version=$(cat "$srcdir/../VERSION")
+else
+  version="0.0.0"
 fi
-version=$(cat "$srcdir/../VERSION")
 version_num=$(echo "$version" | cvtver)
 
+
 if [ $skip_verify = no ]; then
   if ! $GPGV --version >/dev/null 2>/dev/null ; then
     echo "command \"gpgv\" is not installed" >&2
@@ -164,10 +204,10 @@ else
   fi
 fi
 if [ $skip_verify = no ]; then
-  if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
+  if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst 2>/dev/null; then
     echo "list of software versions is not valid!" >&2
     exit 1
- fi
+  fi
 fi
 
 #
@@ -188,3 +228,73 @@ if [ $skip_selfcheck = no ]; then
       exit 1
   fi
 fi
+
+
+# Download a package and check its signature.
+download_pkg () {
+    local url="$1"
+    local file="${url##*/}"
+
+    if ! $WGET -q -O -  "$url" >"${file}.tmp" ; then
+      echo "download of $file failed." >&2
+      [ -f "${file}.tmp" ] && rm "${file}.tmp"
+      return 1
+    fi
+    if [ $skip_verify = no ]; then
+        if ! $WGET -q -O - "${url}.sig" >"${file}.tmpsig" ; then
+            echo "download of $file.sig failed." >&2
+            [ -f "${file}.tmpsig" ] && rm "${file}.tmpsig"
+            return 1
+        fi
+        if ! $GPGV -q --keyring "$distsigkey" \
+             "${file}.tmpsig" "${file}.tmp" 2>/dev/null;  then
+           echo "signature of $file is not valid!" >&2
+           return 1
+        fi
+        mv "${file}.tmpsig" "${file}.sig"
+    else
+        [ -f "${file}.sig" ] && rm "${file}.sig"
+    fi
+    mv "${file}.tmp" "${file}"
+    return 0
+}
+
+
+
+baseurl=$(awk '$1=="gpgorg_base" {print $2; exit 0}' swdb.lst)
+for p in $packages; do
+    pver=$(awk '$1=="'"$p"'_ver" {print $2}' swdb.lst)
+    if [ -z "$pver" ]; then
+        echo "package '$p' not found" >&2
+        die=yes
+    else
+        pdir=$(awk '$1=="'"$p"'_dir" {print $2":"$3":"$4}' swdb.lst)
+        if [ -n "$pdir" ]; then
+            psuf=$(echo "$pdir" | cut -d: -f3)
+            pname=$(echo "$pdir" | cut -d: -f2)
+            pdir=$(echo "$pdir" | cut -d: -f1)
+        else
+            psuf=
+            pdir="$p"
+            pname="$p"
+        fi
+        if [ -z "$psuf" ]; then
+            psuf=$(awk 'BEGIN {suf="bz2"};
+                    $1=="'"$p"'_sha1_gz" {suf="gz"; exit 0};
+                    $1=="'"$p"'_sha1_xz" {suf"xz"; exit 0};
+                    END {print suf}' swdb.lst)
+        fi
+        pfullname="$pname-$pver.tar.$psuf"
+        if [ $info_mode = yes ]; then
+            echo "$baseurl/$pdir/$pfullname"
+        else
+            echo "downloading $pfullname"
+            download_pkg "$baseurl/$pdir/$pfullname" || die=yes
+        fi
+    fi
+done
+if [ $die = yes ]; then
+    echo "errors found!" >&2
+    exit 1
+fi
+exit 0

build-aux/speedo.mk

@@ -51,10 +51,13 @@
 # # This is greped by the Makefile.
 # RELEASE_ARCHIVE=foo@somehost:tarball-archive
 #
-# # The key used to sign the released sources.
+# # The key used to sign the GnuPG sources.
 # # This is greped by the Makefile.
 # RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA
 #
+# # The key used to sign the VERSION files of some MSI installers.
+# VERSION_SIGNKEY=02F38DFF731FF97CB039A1DA549E695E905BA208
+#
 # # For signing Windows binaries we need to employ a Windows machine.
 # # We connect to this machine via ssh and take the connection
 # # parameters via .ssh/config. For example a VM could be specified
@@ -74,6 +77,9 @@
 # # This is greped by the Makefile.
 # AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"
 #
+# # The URL for the timestamping service
+# AUTHENTICODE_TSURL=http://rfc3161timestamp.globalsign.com/advanced
+#
 # # To use osslsigncode the follwing entries are required and
 # # an empty string must be given for AUTHENTICODE_SIGNHOST.
 # # They are greped by the Makefile.
@@ -238,10 +244,11 @@ PATCHELF := $(shell patchelf --version 2>/dev/null >/dev/null || echo "echo plea
 
 # Read signing information from ~/.gnupg-autogen.rc
 define READ_AUTOGEN_template
-$(1) = $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2)
+$(1) = $$(shell grep '^[[:blank:]]*$(1)[[:blank:]]*=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs)
 endef
 $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST))
 $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL))
+$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TSURL))
 $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY))
 $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS))
 $(eval $(call READ_AUTOGEN_template,OSSLSIGNCODE))
@@ -1350,7 +1357,7 @@ define AUTHENTICODE_sign
      scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
      ssh "$(AUTHENTICODE_SIGNHOST)" '$(AUTHENTICODE_TOOL)' sign \
         /a /n '"g10 Code GmbH"' \
-        /tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
+        /tr '$(AUTHENTICODE_TSURL)' /td sha256 \
         /fd sha256 /du https://gnupg.org a.exe ;\
      scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\
      echo "speedo: signed file is '$(2)'" ;\
@@ -1361,13 +1368,13 @@ define AUTHENTICODE_sign
        -pkcs11module $(SCUTEMODULE) \
        -certs $(AUTHENTICODE_CERTS) \
        -h sha256 -n GnuPG -i https://gnupg.org \
-       -ts http://rfc3161timestamp.globalsign.com/advanced \
+       -ts $(AUTHENTICODE_TSURL) \
        -in $(1) -out $(2).tmp ; mv $(2).tmp $(2) ; \
    elif [ -e "$(AUTHENTICODE_KEY)" ]; then \
      echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\
      osslsigncode sign -certs $(AUTHENTICODE_CERTS) \
        -pkcs12 $(AUTHENTICODE_KEY) -askpass \
-       -ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
+       -ts "$(AUTHENTICODE_TSURL)" \
        -h sha256 -n GnuPG -i https://gnupg.org \
        -in $(1) -out $(2) ;\
    else \

build-aux/speedo/w32/wixlib.wxs

@@ -61,9 +61,12 @@ and then manually edited:
       <Component Id="cmp74961776CCC7B203F500FE261DC12F92" Directory="dirAA72FFDDFA224FB221D53750596B0142" Guid="FBA2569C-554D-4C06-88FC-0FD6541B5B4B">
         <File Id="filB82A767EB9971018C006215A9FDE77EF" KeyPath="yes" Source="$(var.SourceDir)\bin\gpg-connect-agent.exe"/>
       </Component>
-      <Component Id="cmp74961776CCC7B203F500FE261DC12F94" Directory="dirAA72FFDDFA224FB221D53750596B0144" Guid="FBA2569C-554D-4C06-88FC-0FD6541B5B4C">
+      <Component Id="cmp74961776CCC7B203F500FE261DC12F94" Directory="dirAA72FFDDFA224FB221D53750596B0142" Guid="FBA2569C-554D-4C06-88FC-0FD6541B5B4C">
         <File Id="filB82A767EB9971018C006215A9FDE77F1" KeyPath="yes" Source="$(var.SourceDir)\bin\gpg-card.exe"/>
       </Component>
+      <Component Id="cmp74961776CCC7B203F500FE261DC12F95" Directory="dirAA72FFDDFA224FB221D53750596B0142" Guid="3134BF55-46AF-4B76-A535-DC1EDDB0DBFD">
+        <File Id="filB82A767EB9971018C006215A9FDE77F2" KeyPath="yes" Source="$(var.SourceDir)\libexec\keyboxd.exe"/>
+      </Component>
       <Component Id="cmp6C1FB70721B208E33DB24296B93AB93F" Directory="dirAA72FFDDFA224FB221D53750596B0142" Guid="FE29D2AA-3151-4421-B8C0-355F69F267A1">
         <File Id="fil563D2C0464DCE7ECADE6E15C0FC65821" KeyPath="yes" Source="$(var.SourceDir)\libexec\gpg-preset-passphrase.exe"/>
       </Component>

common/compliance.c

@@ -41,7 +41,7 @@ static int initialized;
 static int module;
 
 /* This value is used by DSA and RSA checks in addition to the hard
- * coded length checks.  It allows to increase the required key length
+ * coded length checks.  It allows one to increase the required key length
  * using a confue file.  */
 static unsigned int min_compliant_rsa_length;
 

common/exechelp-w32.c

@@ -437,6 +437,7 @@ check_syscall_func (void)
     }
 }
 
+
 static void
 pre_syscall (void)
 {
@@ -444,6 +445,7 @@ pre_syscall (void)
     pre_syscall_func ();
 }
 
+
 static void
 post_syscall (void)
 {
@@ -579,7 +581,7 @@ spawn_detached (const char *pgmname, char *cmdline,
                           cr_flags,      /* Creation flags.  */
                           NULL,          /* Environment.  */
                           NULL,          /* Use current drive/directory.  */
-                          (STARTUPINFOW *)&si,           /* Startup information. */
+                          (STARTUPINFOW *)&si,    /* Startup information. */
                           &pi            /* Returns process information.  */
                           );
   if (!ret)

common/status.h

@@ -54,6 +54,7 @@ enum
     STATUS_NEED_PASSPHRASE,
     STATUS_VALIDSIG,
     STATUS_ASSERT_SIGNER,
+    STATUS_ASSERT_PUBKEY_ALGO,
     STATUS_SIG_ID,
     STATUS_ENC_TO,
     STATUS_NODATA,

common/t-support.h

@@ -31,6 +31,8 @@
 #ifndef GNUPG_COMMON_T_SUPPORT_H
 #define GNUPG_COMMON_T_SUPPORT_H 1
 
+#ifndef LEAN_T_SUPPORT
+
 #ifdef GCRYPT_VERSION
 #error The regression tests should not include with gcrypt.h
 #endif
@@ -45,11 +47,6 @@
 # define getenv(a)  (NULL)
 #endif
 
-#ifndef DIM
-# define DIM(v)		     (sizeof(v)/sizeof((v)[0]))
-# define DIMof(type,member)   DIM(((type *)0)->member)
-#endif
-
 
 /* Replacement prototypes. */
 void *gcry_xmalloc (size_t n);
@@ -65,6 +62,12 @@ void  gcry_free (void *a);
 #define xstrdup(a)    gcry_xstrdup ( (a) )
 #define xfree(a)      gcry_free ( (a) )
 
+#endif /* LEAN_T_SUPPORT */
+
+#ifndef DIM
+# define DIM(v)		     (sizeof(v)/sizeof((v)[0]))
+# define DIMof(type,member)   DIM(((type *)0)->member)
+#endif
 
 /* Macros to print the result of a test.  */
 #define pass()  do { ; } while(0)

common/tlv.c

@@ -152,7 +152,7 @@ find_tlv_unchecked (const unsigned char *buffer, size_t length,
 /* ASN.1 BER parser: Parse BUFFER of length SIZE and return the tag
  * and the length part from the TLV triplet.  Update BUFFER and SIZE
  * on success.  Note that this function does not check that the value
- * fits into the provided buffer; this allows to work on the TL part
+ * fits into the provided buffer; this allows one to work on the TL part
  * of a TLV. */
 gpg_error_t
 parse_ber_header (unsigned char const **buffer, size_t *size,

dirmngr/crlcache.c

@@ -2086,6 +2086,7 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl,
 
             err = validate_cert_chain (ctrl, crlissuer_cert, NULL,
                                        (VALIDATE_FLAG_TRUST_CONFIG
+                                        | VALIDATE_FLAG_TRUST_SYSTEM
                                         | VALIDATE_FLAG_CRL
                                         | VALIDATE_FLAG_RECURSIVE),
                                        r_trust_anchor);

dirmngr/dirmngr_ldap.c

@@ -107,7 +107,7 @@ static gpgrt_opt_t opts[] = {
                                " a record oriented format"},
   { oProxy,    "proxy",     2,
                 "|NAME|ignore host part and connect through NAME"},
-  { oStartTLS, "starttls",  0, "use STARTLS for the conenction"},
+  { oStartTLS, "starttls",  0, "use STARTLS for the connection"},
   { oLdapTLS,  "ldaptls",   0, "use a TLS for the connection"},
   { oNtds,     "ntds",      0, "authenticate using AD"},
   { oARecOnly, "areconly",  0, "do only an A record lookup"},

dirmngr/http.c

@@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server)
  * NULL, decode the string and use this as input from teh server.  On
  * success the final output token is stored at PROXY->OUTTOKEN and
  * OUTTOKLEN.  IF the authentication succeeded OUTTOKLEN is zero. */
-#ifdef USE_TLS
 static gpg_error_t
 proxy_get_token (proxy_info_t proxy, const char *inputstring)
 {
@@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring)
 
 #endif /*!HAVE_W32_SYSTEM*/
 }
-#endif /*USE_TLS*/
 
 
 /* Use the CONNECT method to proxy our TLS stream.  */
-#ifdef USE_TLS
 static gpg_error_t
 run_proxy_connect (http_t hd, proxy_info_t proxy,
                    const char *httphost, const char *server,
@@ -2556,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
    * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
    */
   auth_basic = !!proxy->uri->auth;
+  hd->keep_alive = !auth_basic; /* We may need to send more requests.  */
 
   /* For basic authentication we need to send just one request.  */
   if (auth_basic
@@ -2577,16 +2575,15 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
                          httphost ? httphost : server,
                          port,
                          authhdr ? authhdr : "",
-                         auth_basic? "" : "Connection: keep-alive\r\n");
+                         hd->keep_alive? "Connection: keep-alive\r\n" : "");
   if (!request)
     {
       err = gpg_error_from_syserror ();
       goto leave;
     }
-  hd->keep_alive = !auth_basic; /* We may need to send more requests.  */
 
   if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
-    log_debug_with_string (request, "http.c:proxy:request:");
+    log_debug_string (request, "http.c:proxy:request:");
 
   if (!hd->fp_write)
     {
@@ -2610,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
   if (err)
     goto leave;
 
-  {
-    unsigned long count = 0;
-
-    while (es_getc (hd->fp_read) != EOF)
-      count++;
-    if (opt_debug)
-      log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n",
-                 count);
-  }
-
   /* Reset state.  */
   es_clearerr (hd->fp_read);
   ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1;
@@ -2730,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
     }
 
  leave:
+  if (hd->keep_alive)
+    {
+      es_fclose (hd->fp_write);
+      hd->fp_write = NULL;
+      /* The close has released the cookie and thus we better set it
+       * to NULL.  */
+      hd->write_cookie = NULL;
+    }
   /* Restore flags, destroy stream, reset state.  */
   hd->flags = saved_flags;
   es_fclose (hd->fp_read);
@@ -2743,7 +2738,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
   xfree (tmpstr);
   return err;
 }
-#endif /*USE_TLS*/
 
 
 /* Make a request string using a standard proxy.  On success the
@@ -2882,7 +2876,7 @@ send_request (ctrl_t ctrl,
 
   if (proxy && proxy->is_http_proxy)
     {
-      use_http_proxy = 1;  /* We want to use a proxy for the conenction.  */
+      use_http_proxy = 1;  /* We want to use a proxy for the connection.  */
       err = connect_server (ctrl,
                             *proxy->uri->host ? proxy->uri->host : "localhost",
                             proxy->uri->port ? proxy->uri->port : 80,
@@ -2903,7 +2897,6 @@ send_request (ctrl_t ctrl,
       goto leave;
     }
 
-#if USE_TLS
   if (use_http_proxy && hd->uri->use_tls)
     {
       err = run_proxy_connect (hd, proxy, httphost, server, port);
@@ -2915,7 +2908,6 @@ send_request (ctrl_t ctrl,
        * clear the flag to indicate this.  */
       use_http_proxy = 0;
     }
-#endif	/* USE_TLS */
 
 #if HTTP_USE_NTBTLS
   err = run_ntbtls_handshake (hd);
@@ -4411,7 +4403,7 @@ same_host_p (parsed_uri_t a, parsed_uri_t b)
     }
 
   /* Also consider hosts the same if they differ only in a subdomain;
-   * in both direction.  This allows to have redirection between the
+   * in both direction.  This allows one to have redirection between the
    * WKD advanced and direct lookup methods. */
   for (i=0; i < DIM (subdomains); i++)
     {

dirmngr/ks-engine-ldap.c

@@ -607,7 +607,7 @@ interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search,
  * including whether to use TLS and the username and password (see
  * ldap_parse_uri for a description of the various fields).  Be
  * default a PGP keyserver is assumed; if GENERIC is true a generic
- * ldap conenction is instead established.
+ * ldap connection is instead established.
  *
  * Returns: The ldap connection handle in *LDAP_CONNP, R_BASEDN is set
  * to the base DN for the PGP key space, several flags will be stored

dirmngr/server.c

@@ -3325,7 +3325,7 @@ dirmngr_status_help (ctrl_t ctrl, const char *text)
 
 
 /* Print a help status line using a printf like format.  The function
- * splits text at LFs.  With CTRL beeing NULL, the function behaves
+ * splits text at LFs.  With CTRL being NULL, the function behaves
  * like log_info.  */
 gpg_error_t
 dirmngr_status_helpf (ctrl_t ctrl, const char *format, ...)

doc/DETAILS

@@ -532,6 +532,12 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
     --assert-signer is used.  The fingerprint is printed with
     uppercase hex digits.
 
+*** ASSERT_PUBKEY_ALGO <fingerprint> <state> <algostr>
+    This is emitted when option --assert-pubkey-algo is used and the
+    signing algorithms is accepted according to that list if state is
+    1 or denied if state is 0.  The fingerprint is printed with
+    uppercase hex digits.
+
 *** SIG_ID  <radix64_string>  <sig_creation_date>  <sig-timestamp>
     This is emitted only for signatures of class 0 or 1 which have
     been verified okay.  The string is a signature id and may be used

doc/dirmngr.texi

@@ -172,7 +172,7 @@ socket.
 Set compatibility flags to work around certain problems or to emulate
 bugs.  The @var{flags} are given as a comma separated list of flag
 names and are OR-ed together.  The special flag "none" clears the list
-and allows to start over with an empty list.  To get a list of
+and allows one to start over with an empty list.  To get a list of
 available flags the sole word "help" can be used.
 
 @item --faked-system-time @var{epoch}

doc/gpg-agent.texi

@@ -302,7 +302,7 @@ debugging.
 @item --steal-socket
 @opindex steal-socket
 In @option{--daemon} mode, gpg-agent detects an already running
-gpg-agent and does not allow to start a new instance. This option can
+gpg-agent and does not allow one to start a new instance. This option can
 be used to override this check: the new gpg-agent process will try to
 take over the communication sockets from the already running process
 and start anyway.  This option should in general not be used.
@@ -643,7 +643,7 @@ gpg-agent as a replacement for PuTTY's Pageant, the option
 In this mode of operation, the agent does not only implement the
 gpg-agent protocol, but also the agent protocol used by OpenSSH
 (through a separate socket or via Named Pipes) or the protocol used by
-PuTTY.  Consequently, this allows to use the gpg-agent as a drop-in
+PuTTY.  Consequently, this allows one to use the gpg-agent as a drop-in
 replacement for the ssh-agent.
 
 SSH keys, which are to be used through the agent, need to be added to
@@ -693,7 +693,7 @@ The order in which keys are presented to ssh are:
 @item Negative Use-for-ssh values
       If a key file has the attribute "Use-for-ssh" and its value is
       negative, these keys are presented first to ssh.  The negative
-      values are capped at -999 with -999 beeing lower ranked than -1.
+      values are capped at -999 with -999 being lower ranked than -1.
       These values can be used to prefer on-disk keys over keys taken
       from active cards.
 

doc/gpg-card.texi

@@ -226,7 +226,7 @@ OpenPGP or X.509 keys.
 @item LOGIN [--clear] [< @var{file}]
 @opindex login
 Set the login data object of OpenPGP cards.  If @var{file} is given
-the data is is read from that file.  This allows to store binary data
+the data is is read from that file.  This allows one to store binary data
 in the login field.  The option @option{--clear} deletes the login
 data object.
 

doc/gpg.texi

@@ -716,7 +716,7 @@ inserted smartcard, the special string ``card'' can be used for
 will figure them out and creates an OpenPGP key consisting of the
 usual primary key and one subkey.  This works only with certain
 smartcards.  Note that the interactive @option{--full-gen-key} command
-allows to do the same but with greater flexibility in the selection of
+allows one to do the same but with greater flexibility in the selection of
 the smartcard keys.
 
 Note that it is possible to create a primary key and a subkey using
@@ -1290,19 +1290,22 @@ are usually found in the option file.
 
 @item --default-key @var{name}
 @opindex default-key
-Use @var{name} as the default key to sign with. If this option is not
+Use @var{name} as the default key to sign with.  It is suggested to
-used, the default key is the first key found in the secret keyring.
+use a fingerprint or at least a long keyID for @var{name}.  If this
-Note that @option{-u} or @option{--local-user} overrides this option.
+option is not used, the default key is the first key found in the
-This option may be given multiple times.  In this case, the last key
+secret keyring.  Note that @option{-u} or @option{--local-user}
-for which a secret key is available is used.  If there is no secret
+overrides this option.  This option may be given multiple times.  In
-key available for any of the specified values, GnuPG will not emit an
+this case, the last key for which a secret key is available is used.
-error message but continue as if this option wasn't given.
+If there is no secret key available for any of the specified values,
+GnuPG will not emit an error message but continue as if this option
+wasn't given.
+
 
 @item --default-recipient @var{name}
 @opindex default-recipient
 Use @var{name} as default recipient if option @option{--recipient} is
 not used and don't ask if this is a valid one. @var{name} must be
-non-empty.
+non-empty and it is suggested to use a fingerprint for @var{name}.
 
 @item --default-recipient-self
 @opindex default-recipient-self
@@ -1773,7 +1776,9 @@ useful if you don't want to keep your secret keys (or one of them)
 online but still want to be able to check the validity of a given
 recipient's or signator's key.  If the given key is not locally
 available but an LDAP keyserver is configured the missing key is
-imported from that server.
+imported from that server.  The value "none" is explicitly allowed to
+distinguish between the use of any trusted-key option and no use of
+this option at all (e.g. due to the @option{--no-options} option).
 
 @item --add-desig-revoker [sensitive:]@var{fingerprint}
 @opindex add-desig-revoker
@@ -1914,6 +1919,29 @@ is guaranteed to return with an exit code of 0 if and only if a
 signature has been encountered, is valid, and the key matches one of
 the fingerprints given by this option.
 
+@item --assert-pubkey-algo @var{algolist}
+@opindex assert-pubkey-algo
+During data signature verification this options checks whether the
+used public key algorithm matches the algorithms given by
+@var{algolist}.  This option can be given multiple times to
+concatenate more algorithms to the list; the delimiter of the list are
+either commas or spaces.
+
+The algorithm names given in the list may either be verbatim names
+like "ed25519" with an optional leading single equal sign, or being
+prefixed with ">", ">=", "<=", or "<".  That prefix operator is
+applied to the number part of the algorithm name; for example 2048 in
+"rsa2048" or 384 in "brainpoolP384r1".  If the the leading non-digits
+in the name matches, the prefix operator is used to compare the number
+part, a trailing suffix is ignored in this case.  For example an
+algorithm list ">rsa3000, >=brainpool384r1, =ed25519" allows RSA
+signatures with more that 3000 bits, Brainpool curves 384 and 512,
+and the ed25519 algorithm.
+
+With this option gpg (and also gpgv) is guaranteed to return with an
+exit code of 0 if and only if all valid signatures on data are made
+using a matching algorithm from the given list.
+
 
 @item --auto-key-locate @var{mechanisms}
 @itemx --no-auto-key-locate
@@ -1947,20 +1975,20 @@ list.  The default is "local,wkd".
 
   @item ntds
   Locate the key using the Active Directory (Windows only).  This
-  method also allows to search by fingerprint using the command
+  method also allows one to search by fingerprint using the command
   @option{--locate-external-key}.  Note that this mechanism is
   actually a shortcut for the mechanism @samp{keyserver} but using
   "ldap:///" as the keyserver.
 
   @item keyserver
-  Locate a key using a keyserver.  This method also allows to search
+  Locate a key using a keyserver.  This method also allows one to search
   by fingerprint using the command @option{--locate-external-key} if
   any of the configured keyservers is an LDAP server.
 
   @item keyserver-URL
   In addition, a keyserver URL as used in the @command{dirmngr}
   configuration may be used here to query that particular keyserver.
-  This method also allows to search by fingerprint using the command
+  This method also allows one to search by fingerprint using the command
   @option{--locate-external-key} if the URL specifies an LDAP server.
 
   @item local
@@ -2336,19 +2364,21 @@ the key in this file is fully valid.
 @opindex encrypt-to
 Same as @option{--recipient} but this one is intended for use in the
 options file and may be used with your own user-id as an
-"encrypt-to-self". These keys are only used when there are other
+"encrypt-to-self".  It is suggested to use a fingerprint or at least a
-recipients given either by use of @option{--recipient} or by the asked
+long keyID for @var{name}.  These keys are only used when there are
-user id.  No trust checking is performed for these user ids and even
+other recipients given either by use of @option{--recipient} or by the
-disabled keys can be used.
+asked user id.  No trust checking is performed for these user ids and
+even disabled keys can be used.
 
 @item --hidden-encrypt-to @var{name}
 @opindex hidden-encrypt-to
-Same as @option{--hidden-recipient} but this one is intended for use in the
+Same as @option{--hidden-recipient} but this one is intended for use
-options file and may be used with your own user-id as a hidden
+in the options file and may be used with your own user-id as a hidden
-"encrypt-to-self". These keys are only used when there are other
+"encrypt-to-self".  It is suggested to use a fingerprint or at least a
-recipients given either by use of @option{--recipient} or by the asked user id.
+long keyID for @var{name}.  These keys are only used when there are
-No trust checking is performed for these user ids and even disabled
+other recipients given either by use of @option{--recipient} or by the
-keys can be used.
+asked user id.  No trust checking is performed for these user ids and
+even disabled keys can be used.
 
 @item --no-encrypt-to
 @opindex no-encrypt-to
@@ -2899,24 +2929,6 @@ done with @code{--with-colons}.
 
 @table @gnupgtabopt
 
-@item -t, --textmode
-@itemx --no-textmode
-@opindex textmode
-Treat input files as text and store them in the OpenPGP canonical text
-form with standard "CRLF" line endings. This also sets the necessary
-flags to inform the recipient that the encrypted or signed data is text
-and may need its line endings converted back to whatever the local
-system uses. This option is useful when communicating between two
-platforms that have different line ending conventions (UNIX-like to Mac,
-Mac to Windows, etc). @option{--no-textmode} disables this option, and
-is the default.
-
-@item --force-v3-sigs
-@itemx --no-force-v3-sigs
-@item --force-v4-certs
-@itemx --no-force-v4-certs
-These options are obsolete and have no effect since GnuPG 2.1.
-
 @item --force-ocb
 @itemx --force-aead
 @opindex force-ocb
@@ -3151,7 +3163,7 @@ Prompt before overwriting any files.
 Set compatibility flags to work around problems due to non-compliant
 keys or data.  The @var{flags} are given as a comma separated
 list of flag names and are OR-ed together.  The special flag "none"
-clears the list and allows to start over with an empty list.  To get a
+clears the list and allows one to start over with an empty list.  To get a
 list of available flags the sole word "help" can be used.
 
 @item --debug-level @var{level}
@@ -3207,7 +3219,7 @@ and may thus be changed or removed at any time without notice.
 
 @item --debug-allow-large-chunks
 @opindex debug-allow-large-chunks
-To facilitate software tests and experiments this option allows to
+To facilitate software tests and experiments this option allows one to
 specify a limit of up to 4 EiB (@code{--chunk-size 62}).
 
 @item --debug-ignore-expiration
@@ -3378,9 +3390,23 @@ to display the message. This option overrides @option{--set-filename}.
 @itemx --no-use-embedded-filename
 @opindex use-embedded-filename
 Try to create a file with a name as embedded in the data. This can be
-a dangerous option as it enables overwriting files.  Defaults to no.
+a dangerous option as it enables overwriting files by giving the
+sender control on how to store files.  Defaults to no.
 Note that the option @option{--output} overrides this option.
 
+A better approach than using this option is to decrypt to a temporary
+filename and then rename that file to the embedded file name after
+checking that the embedded filename is harmless.  When using the
+@option{--status-fd} option gpg tells the filename as part of the
+PLAINTEXT status message.  If the filename is important, the use of
+@command{gpgtar} is another option because gpgtar will never overwrite
+a file but decrypt the files to a new directory.
+
+Note also that unless a modern version 5 signature is used the
+embedded filename is not part of the signed data.
+
+
+
 @item --cipher-algo @var{name}
 @opindex cipher-algo
 Use @var{name} as cipher algorithm. Running the program with the
@@ -3646,7 +3672,7 @@ not need to be listed explicitly.
 @opindex allow-weak-key-signatures
 To avoid a minor risk of collision attacks on third-party key
 signatures made using SHA-1, those key signatures are considered
-invalid.  This options allows to override this restriction.
+invalid.  This options allows one to override this restriction.
 
 @item --override-compliance-check
 This was a temporary introduced option and has no more effect.
@@ -3891,6 +3917,25 @@ all on Windows.
 
 @table @gnupgtabopt
 
+@item -t, --textmode
+@itemx --no-textmode
+@opindex textmode
+Treat input files as text and store them in the OpenPGP canonical text
+form with standard "CRLF" line endings. This also sets the necessary
+flags to inform the recipient that the encrypted or signed data is text
+and may need its line endings converted back to whatever the local
+system uses. This option was useful when communicating between two
+platforms with different line ending conventions (UNIX-like to Mac,
+Mac to Windows, etc). @option{--no-textmode} disables this option, and
+is the default.  Note that this is a legacy option which should not
+anymore be used by any modern software.
+
+@item --force-v3-sigs
+@itemx --no-force-v3-sigs
+@item --force-v4-certs
+@itemx --no-force-v4-certs
+These options are obsolete and have no effect since GnuPG 2.1.
+
 @item --show-photos
 @itemx --no-show-photos
 @opindex show-photos
@@ -4111,7 +4156,7 @@ Operation is further controlled by a few environment variables:
 
   @item GNUPG_EXEC_DEBUG_FLAGS
   @efindex GNUPG_EXEC_DEBUG_FLAGS
-  This variable allows to enable diagnostics for process management.
+  This variable allows one to enable diagnostics for process management.
   A numeric decimal value is expected.  Bit 0 enables general
   diagnostics, bit 1 enables certain warnings on Windows.
 

doc/gpgsm.texi

@@ -767,7 +767,7 @@ is given as fingerprint or keygrip.
 Set compatibility flags to work around problems due to non-compliant
 certificates or data.  The @var{flags} are given as a comma separated
 list of flag names and are OR-ed together.  The special flag "none"
-clears the list and allows to start over with an empty list.  To get a
+clears the list and allows one to start over with an empty list.  To get a
 list of available flags the sole word "help" can be used.
 
 @item --debug-level @var{level}

doc/gpgv.texi

@@ -140,6 +140,10 @@ This option enables a mode in which filenames of the form
 @file{-&n}, where n is a non-negative decimal number,
 refer to the file descriptor n and not to a file with that name.
 
+@item --assert-pubkey-algo @var{algolist}
+@opindex assert-pubkey-algo
+This option works in the same way as described for @command{gpg}.
+
 @end table
 
 @mansect return value
@@ -198,4 +202,3 @@ the allowed keys, using a legacy format.
 @mansect see also
 @command{gpg}(1)
 @include see-also-note.texi
-

doc/scdaemon.texi

@@ -309,7 +309,7 @@ with lower priority should be used by default.
 
 @item --application-priority @var{namelist}
 @opindex application-priority
-This option allows to change the order in which applications of a card
+This option allows one to change the order in which applications of a card
 a tried if no specific application was requested.  @var{namelist} is a
 space or comma delimited list of application names.  Unknown names are
 simply skipped.  Applications not mentioned in the list are put in the

doc/tools.texi

@@ -400,7 +400,7 @@ expected in the current GnuPG home directory.  This command is usually
 not required because GnuPG is able to detect and remove stale lock
 files.  Before using the command make sure that the file protected by
 the lock file is actually not in use.  The lock command may be used to
-lock an accidently removed lock file.  Note that the commands have no
+lock an accidentally removed lock file.  Note that the commands have no
 effect on Windows because the mere existence of a lock file does not
 mean that the lock is active.
 

doc/wks.texi

@@ -136,6 +136,8 @@ The command @option{--print-wkd-url} prints the URLs used to fetch the
 key for the given user-ids from WKD.  The meanwhile preferred format
 with sub-domains is used here.
 
+All commands may also be given without the two leading dashes.
+
 @mansect options
 @noindent
 @command{gpg-wks-client} understands these options:

g10/Makefile.am

@@ -183,7 +183,7 @@ gpgv_LDFLAGS =
 
 
 t_common_ldadd =
-module_tests = t-rmd160 t-keydb t-keydb-get-keyblock t-stutter
+module_tests = t-rmd160 t-keydb t-keydb-get-keyblock t-stutter t-keyid
 t_rmd160_SOURCES = t-rmd160.c rmd160.c
 t_rmd160_LDADD = $(t_common_ldadd)
 t_keydb_SOURCES = t-keydb.c test-stubs.c $(common_source)
@@ -200,6 +200,10 @@ t_stutter_SOURCES = t-stutter.c test-stubs.c \
 t_stutter_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) \
 	      $(LIBASSUAN_LIBS) $(NPTH_LIBS) $(GPG_ERROR_LIBS) $(NETLIBS) \
 	      $(LIBICONV) $(t_common_ldadd)
+t_keyid_SOURCES = t-keyid.c test-stubs.c $(common_source)
+t_keyid_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) \
+              $(LIBASSUAN_LIBS) $(NPTH_LIBS) $(GPG_ERROR_LIBS) $(NETLIBS) \
+	      $(LIBICONV) $(t_common_ldadd)
 
 
 $(PROGRAMS): $(needed_libs) ../common/libgpgrl.a

g10/build-packet.c

@@ -306,7 +306,9 @@ gpg_mpi_write (iobuf_t out, gcry_mpi_t a, unsigned int *r_nwritten)
       p = gcry_mpi_get_opaque (a, &nbits);
       if (p)
         {
-          /* Strip leading zero bits.  */
+          /* First get nbits back to full bytes.  */
+          nbits = ((nbits + 7) / 8) * 8;
+          /* Then strip leading zero bits.  */
           for (; nbits >= 8 && !*p; p++, nbits -= 8)
             ;
           if (nbits >= 8 && !(*p & 0x80))

g10/compress-bz2.c

@@ -53,7 +53,11 @@ init_compress( compress_filter_context_t *zfx, bz_stream *bzs )
     }
 
   if((rc=BZ2_bzCompressInit(bzs,level,0,0))!=BZ_OK)
-    log_fatal("bz2lib problem: %d\n",rc);
+    {
+      log_error ("bz2lib problem: %d\n",rc);
+      write_status_error ("bzip2.init", gpg_error (GPG_ERR_INTERNAL));
+      g10_exit (2);
+    }
 
   zfx->outbufsize = 8192;
   zfx->outbuf = xmalloc( zfx->outbufsize );
@@ -80,7 +84,11 @@ do_compress(compress_filter_context_t *zfx, bz_stream *bzs, int flush, IOBUF a)
       if( zrc == BZ_STREAM_END && flush == BZ_FINISH )
 	;
       else if( zrc != BZ_RUN_OK && zrc != BZ_FINISH_OK )
-	log_fatal("bz2lib deflate problem: rc=%d\n", zrc );
+        {
+          log_error ("bz2lib deflate problem: rc=%d\n", zrc );
+          write_status_error ("bzip2.deflate", gpg_error (GPG_ERR_INTERNAL));
+          g10_exit (2);
+        }
 
       n = zfx->outbufsize - bzs->avail_out;
       if( DBG_FILTER )
@@ -91,7 +99,7 @@ do_compress(compress_filter_context_t *zfx, bz_stream *bzs, int flush, IOBUF a)
 
       if( (rc=iobuf_write( a, zfx->outbuf, n )) )
 	{
-	  log_debug("bzCompress: iobuf_write failed\n");
+	  log_error ("bzCompress: iobuf_write failed\n");
 	  return rc;
 	}
     }
@@ -106,7 +114,11 @@ init_uncompress( compress_filter_context_t *zfx, bz_stream *bzs )
   int rc;
 
   if((rc=BZ2_bzDecompressInit(bzs,0,opt.bz2_decompress_lowmem))!=BZ_OK)
-    log_fatal("bz2lib problem: %d\n",rc);
+    {
+      log_error ("bz2lib problem: %d\n",rc);
+      write_status_error ("bzip2.init.un", gpg_error (GPG_ERR_INTERNAL));
+      g10_exit (2);
+    }
 
   zfx->inbufsize = 2048;
   zfx->inbuf = xmalloc( zfx->inbufsize );
@@ -159,7 +171,11 @@ do_uncompress( compress_filter_context_t *zfx, bz_stream *bzs,
       if( zrc == BZ_STREAM_END )
 	rc = -1; /* eof */
       else if( zrc != BZ_OK && zrc != BZ_PARAM_ERROR )
-	log_fatal("bz2lib inflate problem: rc=%d\n", zrc );
+        {
+          log_error ("bz2lib inflate problem: rc=%d\n", zrc );
+          write_status_error ("bzip2.inflate", gpg_error (GPG_ERR_BAD_DATA));
+          g10_exit (2);
+        }
       else if (zrc == BZ_OK && eofseen
                && !bzs->avail_in && bzs->avail_out > 0)
         {

g10/compress.c

@@ -73,10 +73,12 @@ init_compress( compress_filter_context_t *zfx, z_stream *zs )
 					    -13, 8, Z_DEFAULT_STRATEGY)
 			    : deflateInit( zs, level )
 			    ) != Z_OK ) {
-	log_fatal("zlib problem: %s\n", zs->msg? zs->msg :
+	log_error ("zlib problem: %s\n", zs->msg? zs->msg :
 			       rc == Z_MEM_ERROR ? "out of core" :
 			       rc == Z_VERSION_ERROR ? "invalid lib version" :
 						       "unknown error" );
+        write_status_error ("zlib.init", gpg_error (GPG_ERR_INTERNAL));
+        g10_exit (2);
     }
 
     zfx->outbufsize = 8192;
@@ -104,9 +106,11 @@ do_compress( compress_filter_context_t *zfx, z_stream *zs, int flush, IOBUF a )
 	    ;
 	else if( zrc != Z_OK ) {
 	    if( zs->msg )
-		log_fatal("zlib deflate problem: %s\n", zs->msg );
+		log_error ("zlib deflate problem: %s\n", zs->msg );
 	    else
-		log_fatal("zlib deflate problem: rc=%d\n", zrc );
+		log_error ("zlib deflate problem: rc=%d\n", zrc );
+            write_status_error ("zlib.deflate", gpg_error (GPG_ERR_INTERNAL));
+            g10_exit (2);
 	}
 	n = zfx->outbufsize - zs->avail_out;
 	if( DBG_FILTER )
@@ -116,7 +120,7 @@ do_compress( compress_filter_context_t *zfx, z_stream *zs, int flush, IOBUF a )
 					       (unsigned)n, zrc );
 
 	if( (rc=iobuf_write( a, zfx->outbuf, n )) ) {
-	    log_debug("deflate: iobuf_write failed\n");
+	    log_error ("deflate: iobuf_write failed\n");
 	    return rc;
 	}
     } while( zs->avail_in || (flush == Z_FINISH && zrc != Z_STREAM_END) );
@@ -140,10 +144,12 @@ init_uncompress( compress_filter_context_t *zfx, z_stream *zs )
      */
     if( (rc = zfx->algo == 1? inflateInit2( zs, -15)
 			    : inflateInit( zs )) != Z_OK ) {
-	log_fatal("zlib problem: %s\n", zs->msg? zs->msg :
+	log_error ("zlib problem: %s\n", zs->msg? zs->msg :
-			       rc == Z_MEM_ERROR ? "out of core" :
+                   rc == Z_MEM_ERROR ? "out of core" :
-			       rc == Z_VERSION_ERROR ? "invalid lib version" :
+                   rc == Z_VERSION_ERROR ? "invalid lib version" :
-						       "unknown error" );
+                                            "unknown error" );
+        write_status_error ("zlib.init.un", gpg_error (GPG_ERR_INTERNAL));
+        g10_exit (2);
     }
 
     zfx->inbufsize = 2048;
@@ -198,9 +204,11 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
 	    rc = -1; /* eof */
 	else if( zrc != Z_OK && zrc != Z_BUF_ERROR ) {
 	    if( zs->msg )
-		log_fatal("zlib inflate problem: %s\n", zs->msg );
+		log_error ("zlib inflate problem: %s\n", zs->msg );
 	    else
-		log_fatal("zlib inflate problem: rc=%d\n", zrc );
+		log_error ("zlib inflate problem: rc=%d\n", zrc );
+            write_status_error ("zlib.inflate", gpg_error (GPG_ERR_BAD_DATA));
+            g10_exit (2);
 	}
     } while (zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR
              && !leave);

g10/export.c

@@ -129,6 +129,8 @@ parse_export_options(char *str,unsigned int *options,int noisy)
        N_("export revocation keys marked as \"sensitive\"")},
       {"export-clean",EXPORT_CLEAN,NULL,
        N_("remove unusable parts from key during export")},
+      {"export-realclean",EXPORT_MINIMAL|EXPORT_REALCLEAN|EXPORT_CLEAN,NULL,
+       NULL},
       {"export-minimal",EXPORT_MINIMAL|EXPORT_CLEAN,NULL,
        N_("remove as much as possible from key during export")},
 
@@ -166,7 +168,7 @@ parse_export_options(char *str,unsigned int *options,int noisy)
     {
       *options |= (EXPORT_LOCAL_SIGS | EXPORT_ATTRIBUTES
                    | EXPORT_SENSITIVE_REVKEYS);
-      *options &= ~(EXPORT_CLEAN | EXPORT_MINIMAL
+      *options &= ~(EXPORT_CLEAN | EXPORT_MINIMAL | EXPORT_REALCLEAN
                     | EXPORT_DANE_FORMAT);
     }
 
@@ -643,7 +645,7 @@ canon_pk_algo (enum gcry_pk_algos algo)
 }
 
 
-/* Take an s-expression wit the public and private key and change the
+/* Take an s-expression with the public and private key and change the
  * parameter array in PK to include the secret parameters.  */
 static gpg_error_t
 secret_key_to_mode1003 (gcry_sexp_t s_key, PKT_public_key *pk)
@@ -2366,8 +2368,7 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret,
       if ((options & EXPORT_CLEAN))
         {
           merge_keys_and_selfsig (ctrl, keyblock);
-          clean_all_uids (ctrl, keyblock, opt.verbose,
+          clean_all_uids (ctrl, keyblock, opt.verbose, options, NULL, NULL);
-                          (options&EXPORT_MINIMAL), NULL, NULL);
           clean_all_subkeys (ctrl, keyblock, opt.verbose,
                              (options&EXPORT_MINIMAL)? KEY_CLEAN_ALL
                              /**/                    : KEY_CLEAN_AUTHENCR,

g10/getkey.c

@@ -1921,7 +1921,7 @@ get_pubkey_byfprint_fast (ctrl_t ctrl, PKT_public_key * pk,
  * R_HD may be NULL.  If LOCK is set the handle has been opend in
  * locked mode and keydb_disable_caching () has been called.  On error
  * R_KEYBLOCK is set to NULL but R_HD must be released by the caller;
- * it may have a value of NULL, though.  This allows to do an insert
+ * it may have a value of NULL, though.  This allows one to do an insert
  * operation on a locked keydb handle.  */
 gpg_error_t
 get_keyblock_byfprint_fast (ctrl_t ctrl,

g10/gpg.c

@@ -451,6 +451,7 @@ enum cmd_and_opt_values
     oCompatibilityFlags,
     oAddDesigRevoker,
     oAssertSigner,
+    oAssertPubkeyAlgo,
     oKbxBufferSize,
 
     oNoop
@@ -715,6 +716,7 @@ static gpgrt_opt_t opts[] = {
 #endif
   ARGPARSE_s_s (oAddDesigRevoker, "add-desig-revoker", "@"),
   ARGPARSE_s_s (oAssertSigner,    "assert-signer", "@"),
+  ARGPARSE_s_s (oAssertPubkeyAlgo,"assert-pubkey-algo", "@"),
 
   ARGPARSE_header ("Input", N_("Options controlling the input")),
 
@@ -753,7 +755,7 @@ static gpgrt_opt_t opts[] = {
   ARGPARSE_s_n (oNoEscapeFrom, "no-escape-from-lines", "@"),
   ARGPARSE_s_n (oMimemode, "mimemode", "@"),
   ARGPARSE_s_n (oTextmodeShort, NULL, "@"),
-  ARGPARSE_s_n (oTextmode,   "textmode", N_("use canonical text mode")),
+  ARGPARSE_s_n (oTextmode,   "textmode", "@"),
   ARGPARSE_s_n (oNoTextmode, "no-textmode", "@"),
   ARGPARSE_s_s (oSetFilename, "set-filename", "@"),
   ARGPARSE_s_n (oForYourEyesOnly, "for-your-eyes-only", "@"),
@@ -1045,9 +1047,12 @@ static struct compatibility_flags_s compatibility_flags [] =
 
 /* Can be set to true to force gpg to return with EXIT_FAILURE.  */
 int g10_errors_seen = 0;
-/* If opt.assert_signer_list is used and this variabale is not true
+/* If opt.assert_signer_list is used and this variable is not true
  * gpg will be forced to return EXIT_FAILURE.  */
 int assert_signer_true = 0;
+/* If opt.assert_pubkey_algo is used and this variable is not true
+ * gpg will be forced to return EXIT_FAILURE.  */
+int assert_pubkey_algo_false = 0;
 
 
 static int utf8_strings =
@@ -3584,9 +3589,18 @@ main (int argc, char **argv)
           case oPersonalCompressPreferences:
 	    pers_compress_list=pargs.r.ret_str;
 	    break;
-          case oAgentProgram: opt.agent_program = pargs.r.ret_str;  break;
+          case oAgentProgram:
-          case oKeyboxdProgram: opt.keyboxd_program = pargs.r.ret_str;  break;
+            xfree (opt.agent_program);
-          case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str; break;
+            opt.agent_program = make_filename (pargs.r.ret_str, NULL);
+            break;
+          case oKeyboxdProgram:
+            xfree (opt.keyboxd_program);
+            opt.keyboxd_program = make_filename (pargs.r.ret_str, NULL);
+            break;
+          case oDirmngrProgram:
+            xfree (opt.dirmngr_program);
+            opt.dirmngr_program = make_filename (pargs.r.ret_str, NULL);
+            break;
 	  case oDisableDirmngr: opt.disable_dirmngr = 1;  break;
           case oWeakDigest:
 	    additional_weak_digest(pargs.r.ret_str);
@@ -3767,6 +3781,18 @@ main (int argc, char **argv)
             add_to_strlist (&opt.assert_signer_list, pargs.r.ret_str);
 	    break;
 
+          case oAssertPubkeyAlgo:
+            if (!opt.assert_pubkey_algos)
+              opt.assert_pubkey_algos = xstrdup (pargs.r.ret_str);
+            else
+              {
+                char *tmp = opt.assert_pubkey_algos;
+                opt.assert_pubkey_algos = xstrconcat (tmp, ",",
+                                                      pargs.r.ret_str, NULL);
+                xfree (tmp);
+              }
+	    break;
+
           case oKbxBufferSize:
             keybox_set_buffersize (pargs.r.ret_ulong, 0);
             break;
@@ -5471,6 +5497,17 @@ emergency_cleanup (void)
 void
 g10_exit( int rc )
 {
+  if (rc)
+    ;
+  else if (log_get_errorcount(0))
+    rc = 2;
+  else if (g10_errors_seen)
+    rc = 1;
+  else if (opt.assert_signer_list && !assert_signer_true)
+    rc = 1;
+  else if (opt.assert_pubkey_algos && assert_pubkey_algo_false)
+    rc = 1;
+
   /* If we had an error but not printed an error message, do it now.
    * Note that write_status_failure will never print a second failure
    * status line. */
@@ -5495,15 +5532,6 @@ g10_exit( int rc )
   gnupg_block_all_signals ();
   emergency_cleanup ();
 
-  if (rc)
-    ;
-  else if (log_get_errorcount(0))
-    rc = 2;
-  else if (g10_errors_seen)
-    rc = 1;
-  else if (opt.assert_signer_list && !assert_signer_true)
-    rc = 1;
-
   exit (rc);
 }
 

g10/gpgv.c

@@ -68,6 +68,7 @@ enum cmd_and_opt_values {
   oWeakDigest,
   oEnableSpecialFilenames,
   oDebug,
+  oAssertPubkeyAlgo,
   aTest
 };
 
@@ -91,6 +92,7 @@ static gpgrt_opt_t opts[] = {
                 N_("|ALGO|reject signatures made with ALGO")),
   ARGPARSE_s_n (oEnableSpecialFilenames, "enable-special-filenames", "@"),
   ARGPARSE_s_s (oDebug, "debug", "@"),
+  ARGPARSE_s_s (oAssertPubkeyAlgo,"assert-pubkey-algo", "@"),
 
   ARGPARSE_end ()
 };
@@ -119,6 +121,7 @@ static struct debug_flags_s debug_flags [] =
 
 int g10_errors_seen = 0;
 int assert_signer_true = 0;
+int assert_pubkey_algo_false = 0;
 
 static char *
 make_libversion (const char *libname, const char *(*getfnc)(const char*))
@@ -251,6 +254,19 @@ main( int argc, char **argv )
         case oEnableSpecialFilenames:
           enable_special_filenames ();
           break;
+
+        case oAssertPubkeyAlgo:
+          if (!opt.assert_pubkey_algos)
+            opt.assert_pubkey_algos = xstrdup (pargs.r.ret_str);
+          else
+            {
+              char *tmp = opt.assert_pubkey_algos;
+              opt.assert_pubkey_algos = xstrconcat (tmp, ",",
+                                                    pargs.r.ret_str, NULL);
+              xfree (tmp);
+            }
+          break;
+
         default : pargs.err = ARGPARSE_PRINT_ERROR; break;
 	}
     }
@@ -288,10 +304,18 @@ main( int argc, char **argv )
 
 
 void
-g10_exit( int rc )
+g10_exit (int rc)
 {
-  rc = rc? rc : log_get_errorcount(0)? 2 : g10_errors_seen? 1 : 0;
+  if (rc)
-  exit(rc );
+    ;
+  else if (log_get_errorcount(0))
+    rc = 2;
+  else if (g10_errors_seen)
+    rc = 1;
+  else if (opt.assert_pubkey_algos && assert_pubkey_algo_false)
+    rc = 1;
+
+  exit (rc);
 }
 
 

g10/import.c

@@ -2081,7 +2081,9 @@ import_one_real (ctrl_t ctrl,
     {
       merge_keys_and_selfsig (ctrl, keyblock);
       clean_all_uids (ctrl, keyblock,
-                      opt.verbose, (options&IMPORT_MINIMAL), NULL, NULL);
+                      opt.verbose,
+                      (options&IMPORT_MINIMAL)? EXPORT_MINIMAL : 0,
+                      NULL, NULL);
       clean_all_subkeys (ctrl, keyblock, opt.verbose, KEY_CLEAN_NONE,
                          NULL, NULL);
     }
@@ -2233,7 +2235,8 @@ import_one_real (ctrl_t ctrl,
       if ((options & IMPORT_CLEAN))
         {
           merge_keys_and_selfsig (ctrl, keyblock);
-          clean_all_uids (ctrl, keyblock, opt.verbose, (options&IMPORT_MINIMAL),
+          clean_all_uids (ctrl, keyblock, opt.verbose,
+                          (options&IMPORT_MINIMAL)? EXPORT_MINIMAL : 0,
                           &n_uids_cleaned,&n_sigs_cleaned);
           clean_all_subkeys (ctrl, keyblock, opt.verbose, KEY_CLEAN_NONE,
                              NULL, NULL);
@@ -2331,7 +2334,7 @@ import_one_real (ctrl_t ctrl,
         {
           merge_keys_and_selfsig (ctrl, keyblock_orig);
           clean_all_uids (ctrl, keyblock_orig, opt.verbose,
-                          (options&IMPORT_MINIMAL),
+                          (options&IMPORT_MINIMAL)? EXPORT_MINIMAL : 0,
                           &n_uids_cleaned,&n_sigs_cleaned);
           clean_all_subkeys (ctrl, keyblock_orig, opt.verbose, KEY_CLEAN_NONE,
                              NULL, NULL);

g10/key-clean.c

@@ -91,6 +91,7 @@ mark_usable_uid_certs (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
           continue;
         }
       node->flag |= 1<<NF_CONSIDER;
+
     }
   /* Reset the remaining flags. */
   for (; node; node = node->next)
@@ -215,9 +216,22 @@ mark_usable_uid_certs (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
 }
 
 
+/* Return true if the signature at NODE has is from a key specified by
+ * the --trusted-key option and is exportable.  */
+static int
+is_trusted_key_sig (kbnode_t node)
+{
+  if (!node->pkt->pkt.signature->flags.exportable)
+    return 0;
+  /* Not yet implemented.  */
+  return 0;
+}
+
+
+/* Note: OPTIONS are from the EXPORT_* set. */
 static int
 clean_sigs_from_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
-                     int noisy, int self_only)
+                     int noisy, unsigned int options)
 {
   int deleted = 0;
   kbnode_t node;
@@ -256,8 +270,15 @@ clean_sigs_from_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
     {
       int keep;
 
-      keep = self_only? (node->pkt->pkt.signature->keyid[0] == keyid[0]
+      if ((options & EXPORT_REALCLEAN))
-                         && node->pkt->pkt.signature->keyid[1] == keyid[1]) : 1;
+        keep = ((node->pkt->pkt.signature->keyid[0] == keyid[0]
+                 && node->pkt->pkt.signature->keyid[1] == keyid[1])
+                || is_trusted_key_sig (node));
+      else if ((options & EXPORT_MINIMAL))
+        keep = (node->pkt->pkt.signature->keyid[0] == keyid[0]
+                && node->pkt->pkt.signature->keyid[1] == keyid[1]);
+      else
+        keep = 1;
 
       /* Keep usable uid sigs ... */
       if ((node->flag & (1<<NF_USABLE)) && keep)
@@ -364,10 +385,12 @@ clean_uid_from_key (kbnode_t keyblock, kbnode_t uidnode, int noisy)
 }
 
 
-/* Needs to be called after a merge_keys_and_selfsig() */
+/* Needs to be called after a merge_keys_and_selfsig().
+ * Note: OPTIONS are from the EXPORT_* set.  */
 void
 clean_one_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
-               int noisy, int self_only, int *uids_cleaned, int *sigs_cleaned)
+               int noisy, unsigned int options,
+               int *uids_cleaned, int *sigs_cleaned)
 {
   int dummy = 0;
 
@@ -386,15 +409,15 @@ clean_one_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
   *uids_cleaned += clean_uid_from_key (keyblock, uidnode, noisy);
   if (!uidnode->pkt->pkt.user_id->flags.compacted)
     *sigs_cleaned += clean_sigs_from_uid (ctrl, keyblock, uidnode,
-                                          noisy, self_only);
+                                          noisy, options);
 }
 
 
 /* NB: This function marks the deleted nodes only and the caller is
  * responsible to skip or remove them.  Needs to be called after a
- * merge_keys_and_selfsig().  */
+ * merge_keys_and_selfsig.  Note: OPTIONS are from the EXPORT_* set. */
 void
-clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, int noisy, int self_only,
+clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, int noisy, unsigned int options,
                 int *uids_cleaned, int *sigs_cleaned)
 {
   kbnode_t node;
@@ -405,7 +428,7 @@ clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, int noisy, int self_only,
        node = node->next)
     {
       if (node->pkt->pkttype == PKT_USER_ID)
-        clean_one_uid (ctrl, keyblock, node, noisy, self_only,
+        clean_one_uid (ctrl, keyblock, node, noisy, options,
                        uids_cleaned, sigs_cleaned);
     }
 

g10/key-clean.h

@@ -40,9 +40,10 @@ void mark_usable_uid_certs (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
                             u32 curtime, u32 *next_expire);
 
 void clean_one_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
-                    int noisy, int self_only,
+                    int noisy, unsigned int options,
                     int *uids_cleaned, int *sigs_cleaned);
-void clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, int noisy, int self_only,
+void clean_all_uids (ctrl_t ctrl, kbnode_t keyblock,
+                     int noisy, unsigned int options,
                      int *uids_cleaned,int *sigs_cleaned);
 void clean_all_subkeys (ctrl_t ctrl, kbnode_t keyblock,
                         int noisy, int clean_level,

g10/keydb.h

@@ -487,6 +487,7 @@ const char *key_origin_string (int origin);
 /*-- keyid.c --*/
 int pubkey_letter( int algo );
 char *pubkey_string (PKT_public_key *pk, char *buffer, size_t bufsize);
+int compare_pubkey_string (const char *astr, const char *bstr);
 #define PUBKEY_STRING_SIZE 32
 u32 v3_keyid (gcry_mpi_t a, u32 *ki);
 void hash_public_key( gcry_md_hd_t md, PKT_public_key *pk );
@@ -572,6 +573,7 @@ const char *colon_expirestr_from_sig (PKT_signature *sig);
 byte *fingerprint_from_pk( PKT_public_key *pk, byte *buf, size_t *ret_len );
 byte *v5_fingerprint_from_pk (PKT_public_key *pk, byte *array, size_t *ret_len);
 void fpr20_from_pk (PKT_public_key *pk, byte array[20]);
+void fpr20_from_fpr (const byte *fpr, unsigned int fprlen, byte array[20]);
 char *hexfingerprint (PKT_public_key *pk, char *buffer, size_t buflen);
 char *v5hexfingerprint (PKT_public_key *pk, char *buffer, size_t buflen);
 char *format_hexfingerprint (const char *fingerprint,

g10/keyedit.c

@@ -70,7 +70,7 @@ static int menu_adduid (ctrl_t ctrl, kbnode_t keyblock,
                         int photo, const char *photo_name, const char *uidstr);
 static void menu_deluid (KBNODE pub_keyblock);
 static int menu_delsig (ctrl_t ctrl, kbnode_t pub_keyblock);
-static int menu_clean (ctrl_t ctrl, kbnode_t keyblock, int self_only);
+static int menu_clean (ctrl_t ctrl, kbnode_t keyblock, unsigned int options);
 static void menu_delkey (KBNODE pub_keyblock);
 static int menu_addrevoker (ctrl_t ctrl, kbnode_t pub_keyblock, int sensitive);
 static int menu_addadsk (ctrl_t ctrl, kbnode_t pub_keyblock,
@@ -2258,7 +2258,7 @@ keyedit_menu (ctrl_t ctrl, const char *username, strlist_t locusr,
 	  break;
 
 	case cmdMINIMIZE:
-	  if (menu_clean (ctrl, keyblock, 1))
+	  if (menu_clean (ctrl, keyblock, EXPORT_MINIMAL))
 	    redisplay = modified = 1;
 	  break;
 
@@ -4543,11 +4543,13 @@ menu_delsig (ctrl_t ctrl, kbnode_t pub_keyblock)
 }
 
 
+/* Note: OPTIONS are from the EXPORT_* set. */
 static int
-menu_clean (ctrl_t ctrl, kbnode_t keyblock, int self_only)
+menu_clean (ctrl_t ctrl, kbnode_t keyblock, unsigned int options)
 {
   KBNODE uidnode;
-  int modified = 0, select_all = !count_selected_uids (keyblock);
+  int modified = 0;
+  int select_all = !count_selected_uids (keyblock);
 
   for (uidnode = keyblock->next;
        uidnode && uidnode->pkt->pkttype != PKT_PUBLIC_SUBKEY;
@@ -4561,8 +4563,8 @@ menu_clean (ctrl_t ctrl, kbnode_t keyblock, int self_only)
 				       uidnode->pkt->pkt.user_id->len,
 				       0);
 
-	  clean_one_uid (ctrl, keyblock, uidnode, opt.verbose, self_only, &uids,
+	  clean_one_uid (ctrl, keyblock, uidnode, opt.verbose, options,
-			 &sigs);
+                         &uids, &sigs);
 	  if (uids)
 	    {
 	      const char *reason;
@@ -4587,7 +4589,7 @@ menu_clean (ctrl_t ctrl, kbnode_t keyblock, int self_only)
 	    }
 	  else
 	    {
-	      tty_printf (self_only == 1 ?
+	      tty_printf ((options & EXPORT_MINIMAL)?
 			  _("User ID \"%s\": already minimized\n") :
 			  _("User ID \"%s\": already clean\n"), user);
 	    }

g10/keyid.c

@@ -145,6 +145,130 @@ pubkey_string (PKT_public_key *pk, char *buffer, size_t bufsize)
 }
 
 
+/* Helper for compare_pubkey_string.  This skips leading spaces,
+ * commas and optional condition operators and returns a pointer to
+ * the first non-space character or NULL in case of an error.  The
+ * length of a prefix consisting of letters is then returned ar PFXLEN
+ * and the value of the number (e.g. 384 for "brainpoolP384r1") at
+ * NUMBER.  R_LENGTH receives the entire length of the algorithm name
+ * which is terminated by a space, nul, or a comma.  If R_CONDITION is
+ * not NULL, 0 is stored for a leading "=", 1 for a ">", 2 for a ">=",
+ * -1 for a "<", and -2 for a "<=".  If R_CONDITION is NULL no
+ * condition prefix is allowed.  */
+static const char *
+parse_one_algo_string (const char *str, size_t *pfxlen, unsigned int *number,
+                       size_t *r_length, int *r_condition)
+{
+  int condition = 0;
+  const char *result;
+
+  while (spacep (str) || *str ==',')
+    str++;
+  if (!r_condition)
+    ;
+  else if (*str == '>' && str[1] == '=')
+    condition = 2, str += 2;
+  else if (*str == '>' )
+    condition = 1, str += 1;
+  else if (*str == '<' && str[1] == '=')
+    condition = -2, str += 2;
+  else if (*str == '<')
+    condition = -1, str += 1;
+  else if (*str == '=')  /* Default.  */
+    str += 1;
+
+  if (!alphap (str))
+    return NULL;  /* Error.  */
+
+  *pfxlen = 1;
+  for (result = str++; alphap (str); str++)
+    ++*pfxlen;
+  while (*str == '-' || *str == '+')
+    str++;
+  *number = atoi (str);
+  while (*str && !spacep (str) && *str != ',')
+    str++;
+
+  *r_length = str - result;
+  if (r_condition)
+    *r_condition = condition;
+  return result;
+}
+
+/* Helper for compare_pubkey_string.  If BPARSED is set to 0 on
+ * return, an error in ASTR or BSTR was found and further checks are
+ * not possible.  */
+static int
+compare_pubkey_string_part (const char *astr, const char *bstr_arg,
+                            size_t *bparsed)
+{
+  const char *bstr = bstr_arg;
+  size_t alen, apfxlen, blen, bpfxlen;
+  unsigned int anumber, bnumber;
+  int condition;
+
+  *bparsed = 0;
+  astr = parse_one_algo_string (astr, &apfxlen, &anumber, &alen, &condition);
+  if (!astr)
+    return 0;  /* Invalid algorithm name.  */
+  bstr = parse_one_algo_string (bstr, &bpfxlen, &bnumber, &blen, &condition);
+  if (!bstr)
+    return 0;  /* Invalid algorithm name.  */
+  *bparsed = blen + (bstr - bstr_arg);
+  if (apfxlen != bpfxlen || ascii_strncasecmp (astr, bstr, apfxlen))
+    return 0;  /* false.  */
+  switch (condition)
+    {
+    case 2: return anumber >= bnumber;
+    case 1: return anumber > bnumber;
+    case -1: return anumber < bnumber;
+    case -2: return anumber <= bnumber;
+    }
+
+  return alen == blen && !ascii_strncasecmp (astr, bstr, alen);
+}
+
+
+/* Check whether ASTR matches the constraints given by BSTR.  ASTR may
+ * be any algo string like "rsa2048", "ed25519" and BSTR may be a
+ * constraint which is in the simplest case just another algo string.
+ * BSTR may have more that one string in which case they are comma
+ * separated and any match will return true.  It is possible to prefix
+ * BSTR with ">", ">=", "<=", or "<".  That prefix operator is applied
+ * to the number part of the algorithm, i.e. the first sequence of
+ * digits found before end-of-string or a comma.  Examples:
+ *
+ * | ASTR     | BSTR                 | result |
+ * |----------+----------------------+--------|
+ * | rsa2048  | rsa2048              | true   |
+ * | rsa2048  | >=rsa2048            | true   |
+ * | rsa2048  | >rsa2048             | false  |
+ * | ed25519  | >rsa1024             | false  |
+ * | ed25519  | ed25519              | true   |
+ * | nistp384 | >nistp256            | true   |
+ * | nistp521 | >=rsa3072, >nistp384 | true   |
+ */
+int
+compare_pubkey_string (const char *astr, const char *bstr)
+{
+  size_t bparsed;
+  int result;
+
+  while (*bstr)
+    {
+      result = compare_pubkey_string_part (astr, bstr, &bparsed);
+      if (result)
+        return 1;
+      if (!bparsed)
+        return 0; /* Syntax error in ASTR or BSTR.  */
+      bstr += bparsed;
+    }
+
+  return 0;
+}
+
+
+
 /* Hash a public key and allow to specify the to be used format.
  * Note that if the v5 format is requested for a v4 key, a 0x04 as
  * version is hashed instead of the 0x05. */
@@ -239,20 +363,16 @@ do_hash_public_key (gcry_md_hd_t md, PKT_public_key *pk, int use_v5)
   if (use_v5)
     {
       gcry_md_putc ( md, 0x9a );     /* ctb */
-      gcry_md_putc ( md, n >> 24 );  /* 4 byte length header */
+      gcry_md_putc ( md, n >> 24 );  /* 4 byte length header (upper bits) */
       gcry_md_putc ( md, n >> 16 );
-      gcry_md_putc ( md, n >>  8 );
-      gcry_md_putc ( md, n       );
-      /* Note that the next byte may either be 4 or 5.  */
-      gcry_md_putc ( md, pk->version );
     }
   else
     {
       gcry_md_putc ( md, 0x99 );     /* ctb */
-      gcry_md_putc ( md, n >> 8 );   /* 2 byte length header */
-      gcry_md_putc ( md, n );
-      gcry_md_putc ( md, pk->version );
     }
+  gcry_md_putc ( md, n >> 8 );       /* lower bits of the length header.  */
+  gcry_md_putc ( md, n );
+  gcry_md_putc ( md, pk->version );
   gcry_md_putc ( md, pk->timestamp >> 24 );
   gcry_md_putc ( md, pk->timestamp >> 16 );
   gcry_md_putc ( md, pk->timestamp >>  8 );
@@ -260,7 +380,7 @@ do_hash_public_key (gcry_md_hd_t md, PKT_public_key *pk, int use_v5)
 
   gcry_md_putc ( md, pk->pubkey_algo );
 
-  if (use_v5)
+  if (use_v5) /* Hash the 32 bit length */
     {
       n -= 10;
       gcry_md_putc ( md, n >> 24 );
@@ -935,6 +1055,32 @@ v5_fingerprint_from_pk (PKT_public_key *pk, byte *array, size_t *ret_len)
 }
 
 
+/*
+ * This is the core of fpr20_from_pk which directly takes a
+ * fingerprint and its length instead of the public key.  See below
+ * for details.
+ */
+void
+fpr20_from_fpr (const byte *fpr, unsigned int fprlen, byte array[20])
+{
+  if (fprlen >= 32)            /* v5 fingerprint (or larger) */
+    {
+      memcpy (array +  0, fpr + 20, 4);
+      memcpy (array +  4, fpr + 24, 4);
+      memcpy (array +  8, fpr + 28, 4);
+      memcpy (array + 12, fpr +  0, 4); /* kid[0] */
+      memcpy (array + 16, fpr +  4, 4); /* kid[1] */
+    }
+  else if (fprlen == 20)       /* v4 fingerprint */
+    memcpy (array, fpr, 20);
+  else                         /* v3 or too short: fill up with zeroes.  */
+    {
+      memset (array, 0, 20);
+      memcpy (array, fpr, fprlen);
+    }
+}
+
+
 /*
  * Get FPR20 for the given PK/SK into ARRAY.
  *
@@ -951,19 +1097,7 @@ fpr20_from_pk (PKT_public_key *pk, byte array[20])
   if (!pk->fprlen)
     compute_fingerprint (pk);
 
-  if (!array)
+  fpr20_from_fpr (pk->fpr, pk->fprlen, array);
-    array = xmalloc (pk->fprlen);
-
-  if (pk->fprlen == 32)         /* v5 fingerprint */
-    {
-      memcpy (array +  0, pk->fpr + 20, 4);
-      memcpy (array +  4, pk->fpr + 24, 4);
-      memcpy (array +  8, pk->fpr + 28, 4);
-      memcpy (array + 12, pk->fpr +  0, 4); /* kid[0] */
-      memcpy (array + 16, pk->fpr +  4, 4); /* kid[1] */
-    }
-  else                          /* v4 fingerprint */
-    memcpy (array, pk->fpr, 20);
 }
 
 

g10/main.h

@@ -84,6 +84,7 @@ struct weakhash
 /*-- gpg.c --*/
 extern int g10_errors_seen;
 extern int assert_signer_true;
+extern int assert_pubkey_algo_false;
 
 #if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 5 )
   void g10_exit(int rc) __attribute__ ((__noreturn__));
@@ -495,6 +496,7 @@ int verify_files (ctrl_t ctrl, int nfiles, char **files );
 int gpg_verify (ctrl_t ctrl, gnupg_fd_t sig_fd, gnupg_fd_t data_fd,
                 estream_t out_fp);
 void check_assert_signer_list (const char *mainpkhex, const char *pkhex);
+void check_assert_pubkey_algo (const char *algostr, const char *pkhex);
 
 /*-- decrypt.c --*/
 int decrypt_message (ctrl_t ctrl, const char *filename );

g10/mainproc.c

@@ -898,7 +898,7 @@ proc_encrypted (CTX c, PACKET *pkt)
    * encrypted packet.  */
   literals_seen++;
 
-  /* The --require-compliance option allows to simplify decryption in
+  /* The --require-compliance option allows one to simplify decryption in
    * de-vs compliance mode by just looking at the exit status.  */
   if (opt.flags.require_compliance
       && opt.compliance == CO_DE_VS
@@ -1876,6 +1876,8 @@ check_sig_and_print (CTX c, kbnode_t node)
   const void *extrahash = NULL;
   size_t extrahashlen = 0;
   kbnode_t included_keyblock = NULL;
+  char pkstrbuf[PUBKEY_STRING_SIZE] = { 0 };
+
 
   if (opt.skip_verify)
     {
@@ -2409,8 +2411,14 @@ check_sig_and_print (CTX c, kbnode_t node)
             show_notation (sig, 0, 2, 0);
         }
 
+      /* Fill PKSTRBUF with the algostring in case we later need it.  */
+      if (pk)
+        pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
+
       /* For good signatures print the VALIDSIG status line.  */
-      if (!rc && (is_status_enabled () || opt.assert_signer_list) && pk)
+      if (!rc && (is_status_enabled ()
+                  || opt.assert_signer_list
+                  || opt.assert_pubkey_algos) && pk)
         {
           char pkhex[MAX_FINGERPRINT_LEN*2+1];
           char mainpkhex[MAX_FINGERPRINT_LEN*2+1];
@@ -2432,6 +2440,8 @@ check_sig_and_print (CTX c, kbnode_t node)
                                mainpkhex);
           /* Handle the --assert-signer option.  */
           check_assert_signer_list (mainpkhex, pkhex);
+          /* Handle the --assert-pubkey-algo option.  */
+          check_assert_pubkey_algo (pkstrbuf, pkhex);
 	}
 
       /* Print compliance warning for Good signatures.  */
@@ -2464,13 +2474,6 @@ check_sig_and_print (CTX c, kbnode_t node)
 
       if (opt.verbose)
         {
-          char pkstrbuf[PUBKEY_STRING_SIZE];
-
-          if (pk)
-            pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
-          else
-            *pkstrbuf = 0;
-
           log_info (_("%s signature, digest algorithm %s%s%s\n"),
                     sig->sig_class==0x00?_("binary"):
                     sig->sig_class==0x01?_("textmode"):_("unknown"),

g10/options.h

@@ -126,9 +126,9 @@ struct
   int marginals_needed;
   int completes_needed;
   int max_cert_depth;
-  const char *agent_program;
+  char *agent_program;
-  const char *keyboxd_program;
+  char *keyboxd_program;
-  const char *dirmngr_program;
+  char *dirmngr_program;
   int disable_dirmngr;
 
   const char *def_new_key_algo;
@@ -241,6 +241,10 @@ struct
    * modify to be uppercase if they represent a fingerrint */
   strlist_t assert_signer_list;
 
+  /* A single string with the comma delimited args from
+   * --assert-pubkey_algo.  */
+  char *assert_pubkey_algos;
+
   struct
   {
     /* If set, require an 0x19 backsig to be present on signatures
@@ -414,12 +418,13 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode;
 #define EXPORT_ATTRIBUTES                (1<<1)
 #define EXPORT_SENSITIVE_REVKEYS         (1<<2)
 #define EXPORT_RESET_SUBKEY_PASSWD       (1<<3)
-#define EXPORT_MINIMAL                   (1<<4)
+#define EXPORT_MINIMAL                   (1<<5)
-#define EXPORT_CLEAN                     (1<<5)
+#define EXPORT_CLEAN                     (1<<6)
 #define EXPORT_DANE_FORMAT               (1<<7)
 #define EXPORT_BACKUP                    (1<<10)
 #define EXPORT_REVOCS                    (1<<11)
 #define EXPORT_MODE1003                  (1<<12)
+#define EXPORT_REALCLEAN                 (1<<13)
 
 #define LIST_SHOW_PHOTOS                 (1<<0)
 #define LIST_SHOW_POLICY_URLS            (1<<1)

g10/t-keydb-get-keyblock.c

@@ -67,12 +67,3 @@ do_test (int argc, char *argv[])
   release_kbnode (kb1);
   xfree (ctrl);
 }
-
-int assert_signer_true = 0;
-
-void
-check_assert_signer_list (const char *mainpkhex, const char *pkhex)
-{
-  (void)mainpkhex;
-  (void)pkhex;
-}

g10/t-keydb.c

@@ -105,13 +105,3 @@ do_test (int argc, char *argv[])
   keydb_release (hd2);
   xfree (ctrl);
 }
-
-
-int assert_signer_true = 0;
-
-void
-check_assert_signer_list (const char *mainpkhex, const char *pkhex)
-{
-  (void)mainpkhex;
-  (void)pkhex;
-}

g10/t-keyid.c

@@ -0,0 +1,129 @@
+/* t-keyid.c - Tests for keyid.c.
+ * Copyright (C) 2024 g10 Code GmbH
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <https://www.gnu.org/licenses/>.
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ */
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#define LEAN_T_SUPPORT 1
+
+#define PGM "t-keyid"
+
+#include "gpg.h"
+#include "keydb.h"
+#include "../common/t-support.h"
+
+
+
+static int verbose;
+
+
+static void
+test_compare_pubkey_string (void)
+{
+  static struct { const char *astr; const char *bstr; int expected; } t[] =
+  {
+    { "rsa2048"  , "rsa2048"             ,  1 },
+    { "rsa2048"  , ">=rsa2048"           ,  1 },
+    { "rsa2048"  , ">rsa2048"            ,  0 },
+    { "ed25519"  , ">rsa1024"            ,  0 },
+    { "ed25519"  , "ed25519"             ,  1 },
+    { "ed25519"  , ",,,=ed25519"         ,  1 },
+    { "nistp384" , ">nistp256"           ,  1 },
+    { "nistp521" , ">=rsa3072, >nistp384",  1 },
+    { " nistp521" , ">=rsa3072, >nistp384   ",  1 },
+    { "  nistp521  " , "  >=rsa3072, >nistp384   ",  1 },
+    { "  =nistp521  " , "  >=rsa3072, >nistp384,,",  1 },
+    { "nistp384" , ">nistp384"           ,  0 },
+    { "nistp384" , ">=nistp384"          ,  1 },
+    { "brainpoolP384" , ">=brainpoolp256", 1 },
+    { "brainpoolP384" , ">brainpoolp384" , 0 },
+    { "brainpoolP384" , ">=brainpoolp384", 1 },
+    { "brainpoolP256r1", ">brainpoolp256r1", 0 },
+    { "brainpoolP384r1", ">brainpoolp384r1" , 0 },
+    { "brainpoolP384r1", ">=brainpoolp384r1", 1 },
+    { "brainpoolP384r1", ">=brainpoolp384"  , 1 },
+    { "",  "", 0}
+  };
+  int idx;
+  int result;
+
+  for (idx=0; idx < DIM(t); idx++)
+    {
+      result = compare_pubkey_string (t[idx].astr, t[idx].bstr);
+      if (result != t[idx].expected)
+        {
+          fail (idx);
+          if (verbose)
+            log_debug ("\"%s\", \"%s\" want %d got %d\n",
+                       t[idx].astr, t[idx].bstr, t[idx].expected, result);
+        }
+    }
+
+}
+
+
+int
+main (int argc, char **argv)
+{
+  int last_argc = -1;
+
+  no_exit_on_fail = 1;
+
+  if (argc)
+    { argc--; argv++; }
+  while (argc && last_argc != argc )
+    {
+      last_argc = argc;
+      if (!strcmp (*argv, "--"))
+        {
+          argc--; argv++;
+          break;
+        }
+      else if (!strcmp (*argv, "--help"))
+        {
+          fputs ("usage: " PGM " [FILE]\n"
+                 "Options:\n"
+                 "  --verbose         Print timings etc.\n"
+                 "  --debug           Flyswatter\n"
+                 , stdout);
+          exit (0);
+        }
+      else if (!strcmp (*argv, "--verbose"))
+        {
+          verbose++;
+          argc--; argv++;
+        }
+      else if (!strcmp (*argv, "--debug"))
+        {
+          verbose += 2;
+          argc--; argv++;
+        }
+      else if (!strncmp (*argv, "--", 2))
+        {
+          fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
+          exit (1);
+        }
+    }
+
+  test_compare_pubkey_string ();
+
+  return !!errcount;
+}

g10/t-stutter.c

@@ -611,12 +611,3 @@ do_test (int argc, char *argv[])
 
   xfree (filename);
 }
-
-int assert_signer_true = 0;
-
-void
-check_assert_signer_list (const char *mainpkhex, const char *pkhex)
-{
-  (void)mainpkhex;
-  (void)pkhex;
-}

g10/tdbdump.c

@@ -190,7 +190,11 @@ import_ownertrust (ctrl_t ctrl, const char *fname )
 	while (fprlen < MAX_FINGERPRINT_LEN)
 	    fpr[fprlen++] = 0;
 
-	rc = tdbio_search_trust_byfpr (ctrl, fpr, &rec);
+        /* FIXME: The intention is to save the special fpr20 as used
+         * in the trustdb here.  However, the above conversions seems
+         * not to be aware of this.  Or why does it allow up to
+         * MAX_FINGERPRINT_LEN ?  */
+	rc = tdbio_search_trust_byfpr (ctrl, fpr, 20, &rec);
 	if( !rc ) { /* found: update */
 	    if (rec.r.trust.ownertrust != otrust)
               {

g10/tdbio.c

@@ -1864,13 +1864,21 @@ cmp_trec_fpr ( const void *fpr, const TRUSTREC *rec )
  * Return: 0 if found, GPG_ERR_NOT_FOUND, or another error code.
  */
 gpg_error_t
-tdbio_search_trust_byfpr (ctrl_t ctrl, const byte *fingerprint, TRUSTREC *rec)
+tdbio_search_trust_byfpr (ctrl_t ctrl, const byte *fpr, unsigned int fprlen,
+                          TRUSTREC *rec)
 {
   int rc;
+  byte fingerprint[20];
+
+  if (fprlen != 20)
+    {
+      fpr20_from_fpr (fpr, fprlen, fingerprint);
+      fpr = fingerprint;
+    }
 
   /* Locate the trust record using the hash table */
-  rc = lookup_hashtable (get_trusthashrec (ctrl), fingerprint, 20,
+  rc = lookup_hashtable (get_trusthashrec (ctrl), fpr, 20,
-                         cmp_trec_fpr, fingerprint, rec );
+                         cmp_trec_fpr, fpr, rec);
   return rc;
 }
 
@@ -1887,7 +1895,7 @@ tdbio_search_trust_bypk (ctrl_t ctrl, PKT_public_key *pk, TRUSTREC *rec)
   byte fingerprint[20];
 
   fpr20_from_pk (pk, fingerprint);
-  return tdbio_search_trust_byfpr (ctrl, fingerprint, rec);
+  return tdbio_search_trust_byfpr (ctrl, fingerprint, 20, rec);
 }
 
 

g10/tdbio.h

@@ -111,7 +111,8 @@ int tdbio_end_transaction(void);
 int tdbio_cancel_transaction(void);
 int tdbio_delete_record (ctrl_t ctrl, ulong recnum);
 ulong tdbio_new_recnum (ctrl_t ctrl);
-gpg_error_t tdbio_search_trust_byfpr (ctrl_t ctrl, const byte *fingerprint,
+gpg_error_t tdbio_search_trust_byfpr (ctrl_t ctrl,
+                                      const byte *fpr, unsigned int fprlen,
                                       TRUSTREC *rec);
 gpg_error_t tdbio_search_trust_bypk (ctrl_t ctrl, PKT_public_key *pk,
                                      TRUSTREC *rec);

g10/test-stubs.c

@@ -43,6 +43,9 @@
 #include "call-agent.h"
 
 int g10_errors_seen;
+int assert_signer_true = 0;
+int assert_pubkey_algo_false = 0;
+
 
 
 void
@@ -580,3 +583,18 @@ impex_filter_getval (void *cookie, const char *propname)
   (void)propname;
   return NULL;
 }
+
+
+void
+check_assert_signer_list (const char *mainpkhex, const char *pkhex)
+{
+  (void)mainpkhex;
+  (void)pkhex;
+}
+
+void
+check_assert_pubkey_algo (const char *algostr, const char *pkhex)
+{
+  (void)algostr;
+  (void)pkhex;
+}

g10/test.c

@@ -15,6 +15,7 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, see <https://www.gnu.org/licenses/>.
+ * SPDX-License-Identifier: GPL-3.0-or-later
  */
 
 #include <config.h>

g10/trustdb.c

@@ -39,8 +39,52 @@
 #include "tofu.h"
 #include "key-clean.h"
 
+
+
+typedef struct key_item **KeyHashTable; /* see new_key_hash_table() */
+
+/*
+ * Structure to keep track of keys, this is used as an array where the
+ * item right after the last one has a keyblock set to NULL.  Maybe we
+ * can drop this thing and replace it by key_item
+ */
+struct key_array
+{
+  KBNODE keyblock;
+};
+
+
+/* Control information for the trust DB.  */
+static struct
+{
+  int init;
+  int level;
+  char *dbname;
+  int no_trustdb;
+} trustdb_args;
+
+
+/* Some globals.  */
+static struct key_item *utk_list;      /* all ultimately trusted keys */
+
+/* A list used to temporary store trusted keys and a flag indicated
+ * whether any --trusted-key option has been seen. */
+static struct key_item *trusted_key_list;
+static int any_trusted_key_seen;
+
+/* Flag whether a trustdb check is pending.  */
+static int pending_check_trustdb;
+
+
+
 static void write_record (ctrl_t ctrl, TRUSTREC *rec);
-static void do_sync(void);
+static void do_sync (void);
+static int validate_keys (ctrl_t ctrl, int interactive);
+
+
+/**********************************************
+ ************* some helpers *******************
+ **********************************************/
 
 
 
@@ -54,7 +98,7 @@ keyid_from_fpr20 (ctrl_t ctrl, const byte *fpr, u32 *keyid)
     keyid = dummy_keyid;
 
   /* Problem: We do only use fingerprints in the trustdb but
-   * we need the keyID here to indetify the key; we can only
+   * we need the keyID here to identify the key; we can only
    * use that ugly hack to distinguish between 16 and 20
    * bytes fpr - it does not work always so we better change
    * the whole validation code to only work with
@@ -88,40 +132,6 @@ keyid_from_fpr20 (ctrl_t ctrl, const byte *fpr, u32 *keyid)
   return keyid[1];
 }
 
-typedef struct key_item **KeyHashTable; /* see new_key_hash_table() */
-
-/*
- * Structure to keep track of keys, this is used as an array wherre
- * the item right after the last one has a keyblock set to NULL.
- * Maybe we can drop this thing and replace it by key_item
- */
-struct key_array
-{
-  KBNODE keyblock;
-};
-
-
-/* Control information for the trust DB.  */
-static struct
-{
-  int init;
-  int level;
-  char *dbname;
-  int no_trustdb;
-} trustdb_args;
-
-/* Some globals.  */
-static struct key_item *user_utk_list; /* temp. used to store --trusted-keys */
-static struct key_item *utk_list;      /* all ultimately trusted keys */
-
-static int pending_check_trustdb;
-
-static int validate_keys (ctrl_t ctrl, int interactive);
-
-
-/**********************************************
- ************* some helpers *******************
- **********************************************/
 
 static struct key_item *
 new_key_item (void)
@@ -245,11 +255,19 @@ tdb_register_trusted_keyid (u32 *keyid)
   k = new_key_item ();
   k->kid[0] = keyid[0];
   k->kid[1] = keyid[1];
-  k->next = user_utk_list;
+  k->next = trusted_key_list;
-  user_utk_list = k;
+  trusted_key_list = k;
 }
 
 
+/* This is called for the option --trusted-key to register these keys
+ * for later syncing them into the trustdb.  The special value "none"
+ * may be used to indicate that there is a trusted-key option but no
+ * key shall be inserted for it.  This "none" value is helpful to
+ * distinguish between changing the gpg.conf from a trusted-key to no
+ * trusted-key options at all.  Simply not specify the option would
+ * not allow to distinguish this case from the --no-options case as
+ * used for certain calls of gpg for example by gpg-wks-client.  */
 void
 tdb_register_trusted_key (const char *string)
 {
@@ -257,6 +275,9 @@ tdb_register_trusted_key (const char *string)
   KEYDB_SEARCH_DESC desc;
   u32 kid[2];
 
+  any_trusted_key_seen = 1;
+  if (!strcmp (string, "none"))
+    return;
   err = classify_user_id (string, &desc, 1);
   if (!err)
     {
@@ -378,11 +399,12 @@ verify_own_keys (ctrl_t ctrl)
           if (!add_utk (kid))
             log_info (_("key %s occurs more than once in the trustdb\n"),
                       keystr(kid));
-          else if ((rec.r.trust.flags & 1))
+          else if ((rec.r.trust.flags & 1)
+                   && any_trusted_key_seen)
             {
               /* Record marked as inserted via --trusted-key.  Is this
                * still the case?  */
-              for (k2 = user_utk_list; k2; k2 = k2->next)
+              for (k2 = trusted_key_list; k2; k2 = k2->next)
                 if (k2->kid[0] == kid[0] && k2->kid[1] == kid[1])
                   break;
               if (!k2) /* No - clear the flag.  */
@@ -406,7 +428,7 @@ verify_own_keys (ctrl_t ctrl)
     }
 
   /* Put any --trusted-key keys into the trustdb */
-  for (k = user_utk_list; k; k = k->next)
+  for (k = trusted_key_list; k; k = k->next)
     {
       if ( add_utk (k->kid) )
         { /* not yet in trustDB as ultimately trusted */
@@ -431,9 +453,9 @@ verify_own_keys (ctrl_t ctrl)
         }
     }
 
-  /* release the helper table table */
+  /* Release the helper table.  */
-  release_key_items (user_utk_list);
+  release_key_items (trusted_key_list);
-  user_utk_list = NULL;
+  trusted_key_list = NULL;
   return;
 }
 

g10/verify.c

@@ -335,7 +335,7 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex)
               assert_signer_true = 1;
               write_status_text (STATUS_ASSERT_SIGNER, item->d);
               if (!opt.quiet)
-                log_info ("signer '%s' matched\n", item->d);
+                log_info ("asserted signer '%s'\n", item->d);
               goto leave;
             }
         }
@@ -390,7 +390,7 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex)
                   assert_signer_true = 1;
                   write_status_text (STATUS_ASSERT_SIGNER, p);
                   if (!opt.quiet)
-                    log_info ("signer '%s' matched '%s', line %d\n",
+                    log_info ("asserted signer '%s' (%s:%d)\n",
                               p, fname, lnr);
                   goto leave;
                 }
@@ -407,3 +407,32 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex)
  leave:
   es_fclose (fp);
 }
+
+
+/* This function shall be called with the signer's public key
+ * algorithm ALGOSTR iff a signature is fully valid.  If the option
+ * --assert-pubkey-algo is active the functions checks whether the
+ * signing key's algo is valid according to that list; in this case a
+ * global flag is set.  */
+void
+check_assert_pubkey_algo (const char *algostr, const char *pkhex)
+{
+  if (!opt.assert_pubkey_algos)
+    return;  /* Nothing to do.  */
+
+  if (compare_pubkey_string (algostr, opt.assert_pubkey_algos))
+    {
+      write_status_strings (STATUS_ASSERT_PUBKEY_ALGO,
+                            pkhex, " 1 ", algostr, NULL);
+      if (!opt.quiet)
+        log_info ("asserted signer '%s' with algo %s\n", pkhex, algostr);
+    }
+  else
+    {
+      if (!opt.quiet)
+        log_info ("denied signer '%s' with algo %s\n", pkhex, algostr);
+      assert_pubkey_algo_false = 1;
+      write_status_strings (STATUS_ASSERT_PUBKEY_ALGO,
+                            pkhex, " 0 ", algostr, NULL);
+    }
+}

g13/g13.c

@@ -455,6 +455,9 @@ main (int argc, char **argv)
   pargs.argv  = &argv;
   pargs.flags |=  (ARGPARSE_FLAG_RESET
                    | ARGPARSE_FLAG_KEEP
+#if GPGRT_VERSION_NUMBER >= 0x013000 /* >= 1.48 */
+                   | ARGPARSE_FLAG_COMMAND
+#endif
                    | ARGPARSE_FLAG_SYS
                    | ARGPARSE_FLAG_USER);
 

po/ca.po

@@ -2303,9 +2303,6 @@ msgstr "crea eixida amb armadura ascii"
 msgid "|FILE|write output to FILE"
 msgstr "|FITXER|carrega el mòdul d'extensió especificat"
 
-msgid "use canonical text mode"
-msgstr "usa el mode de text canònic"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|nivell de compressió N (0 no comprimeix)"
@@ -7132,7 +7129,7 @@ msgid "||Please enter the PIN"
 msgstr "canvia la contrasenya"
 
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Seleccioneu la raó de la revocació:\n"
 
 #, c-format
@@ -9505,6 +9502,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "usa el mode de text canònic"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/cs.po

@@ -2132,9 +2132,6 @@ msgstr "vytvořit výstup zapsaný v ASCII"
 msgid "|FILE|write output to FILE"
 msgstr "|SOUBOR|zapsat výstup do SOUBORU"
 
-msgid "use canonical text mode"
-msgstr "použít kanonický textový režim"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|nastavit úroveň komprese na N (0 – žádná)"
 
@@ -6707,7 +6704,9 @@ msgstr "přístup k příkazům správce není nakonfigurován\n"
 msgid "||Please enter the PIN"
 msgstr "||Prosím, zadejte PIN"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Prosím, zadejte resetační kód karty"
 
 #, c-format
@@ -8983,6 +8982,9 @@ msgstr "Příkazy pro správu Yubikey"
 msgid "manage the command history"
 msgstr "spravuje historii příkazů"
 
+#~ msgid "use canonical text mode"
+#~ msgstr "použít kanonický textový režim"
+
 #~ msgid "selected AEAD algorithm is invalid\n"
 #~ msgstr "vybraný algoritmus AEAD je neplatný\n"
 

po/da.po

@@ -2334,9 +2334,6 @@ msgstr "opret ascii-pansrede uddata"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|skriv resultat til FIL"
 
-msgid "use canonical text mode"
-msgstr "brug kanonisk teksttilstand"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|sæt komprimeringsniveauet til N (0 deaktiverer)"
 
@@ -7175,7 +7172,9 @@ msgstr "adgang til administratorkommandoer er ikke konfigureret\n"
 msgid "||Please enter the PIN"
 msgstr "||Indtast venligst PIN'en"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Indtast venligst nulstillingskoden for kortet"
 
 #, c-format
@@ -9720,6 +9719,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "brug kanonisk teksttilstand"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/de.po

@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg-2.4.1\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"PO-Revision-Date: 2024-01-24 14:05+0100\n"
+"PO-Revision-Date: 2024-03-07 13:56+0100\n"
 "Last-Translator: Werner Koch <wk@gnupg.org>\n"
 "Language-Team: German\n"
 "Language: de\n"
@@ -2142,9 +2142,6 @@ msgstr "Ausgabe mit ASCII-Hülle versehen"
 msgid "|FILE|write output to FILE"
 msgstr "|DATEI|Ausgabe auf DATEI schreiben"
 
-msgid "use canonical text mode"
-msgstr "Textmodus benutzen"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|Kompressionsstufe auf N setzen (0=keine)"
 
@@ -6801,8 +6798,8 @@ msgstr "Zugriff auf Admin-Befehle ist nicht eingerichtet\n"
 msgid "||Please enter the PIN"
 msgstr "||Bitte die PIN eingeben"
 
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
-msgstr "Bitte geben Sie den Rückstellcode für diese Karte ein"
+msgstr "|R|Bitte geben Sie den Rückstellcode für diese Karte ein"
 
 #, c-format
 msgid "Reset Code is too short; minimum length is %d\n"
@@ -9116,6 +9113,9 @@ msgstr "Verwaltungskommandos für Yubikeys"
 msgid "manage the command history"
 msgstr "Verwaltung der Kommandohistorie"
 
+#~ msgid "use canonical text mode"
+#~ msgstr "Textmodus benutzen"
+
 #~ msgid "continuing verification anyway due to option %s\n"
 #~ msgstr "Die Prüfung wird aufgrund der Option %s weiter durchgeführt\n"
 
@@ -9298,7 +9298,6 @@ msgstr "Verwaltung der Kommandohistorie"
 #~ msgid "ldapserver missing"
 #~ msgstr "LDAP Server fehlt"
 
-#, fuzzy
 #~ msgid "Suggest a random passphrase."
 #~ msgstr "Ein zufälliges Passwort vorschlagen"
 

po/el.po

@@ -2232,9 +2232,6 @@ msgstr "δημιουργία ascii θωρακισμένης εξόδου"
 msgid "|FILE|write output to FILE"
 msgstr "|ΑΡΧΕΙΟ|φόρτωμα του αρθρώματος επέκτασης ΑΡΧΕΙΟ"
 
-msgid "use canonical text mode"
-msgstr "χρήση κανονικής κατάστασης κειμένου"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|καθορισμός επιπέδου συμπίεσης N (0 απενεργοποιεί)"
@@ -6997,7 +6994,7 @@ msgid "||Please enter the PIN"
 msgstr "αλλαγή της φράσης κλειδί"
 
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Παρακαλώ επιλέξτε την αιτία για την ανάκληση:\n"
 
 #, c-format
@@ -9329,6 +9326,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "χρήση κανονικής κατάστασης κειμένου"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/eo.po

@@ -2215,9 +2215,6 @@ msgstr "krei eligon en askia kiraso"
 msgid "|FILE|write output to FILE"
 msgstr "|DOSIERO|legi aldonan bibliotekon DOSIERO"
 
-msgid "use canonical text mode"
-msgstr "uzi tekstan reĝimon"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|difini densig-nivelon N (0=nenia)"
@@ -6906,7 +6903,7 @@ msgid "||Please enter the PIN"
 msgstr "ŝanĝi la pasfrazon"
 
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Kialo por revoko: "
 
 #, c-format
@@ -9240,6 +9237,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "uzi tekstan reĝimon"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/es.po

@@ -2201,9 +2201,6 @@ msgstr "crea una salida ascii con armadura"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|volcar salida en FICHERO"
 
-msgid "use canonical text mode"
-msgstr "usa modo de texto canónico"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|nivel de compresión N (0 desactiva)"
 
@@ -6848,7 +6845,9 @@ msgstr "el acceso a órdenes de administrador no está configurado\n"
 msgid "||Please enter the PIN"
 msgstr "||Por favor introduzca PIN"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Por favor introduzca Código de Reinicio de la tarjeta"
 
 #, c-format
@@ -9166,6 +9165,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "usa modo de texto canónico"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/et.po

@@ -2223,9 +2223,6 @@ msgstr "loo ascii pakendis väljund"
 msgid "|FILE|write output to FILE"
 msgstr "|FAIL|lae laiendusmoodul FAIL"
 
-msgid "use canonical text mode"
-msgstr "kasuta kanoonilist tekstimoodi"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|määra pakkimise tase N (0 blokeerib)"
@@ -6917,7 +6914,7 @@ msgid "||Please enter the PIN"
 msgstr "muuda parooli"
 
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Palun valige tühistamise põhjus:\n"
 
 #, c-format
@@ -9244,6 +9241,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "kasuta kanoonilist tekstimoodi"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/fi.po

@@ -2240,9 +2240,6 @@ msgstr "tuota ascii-koodattu tuloste"
 msgid "|FILE|write output to FILE"
 msgstr "|TIEDOSTO|lataa laajennusmoduuli TIEDOSTO"
 
-msgid "use canonical text mode"
-msgstr "käytä tekstimuotoa"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|aseta pakkausaste N (0 poistaa käytöstä)"
@@ -6980,7 +6977,7 @@ msgid "||Please enter the PIN"
 msgstr "muuta salasanaa"
 
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Valitse mitätöinnin syy:\n"
 
 #, c-format
@@ -9312,6 +9309,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "käytä tekstimuotoa"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/fr.po

@@ -2260,9 +2260,6 @@ msgstr "créer une sortie ASCII avec armure"
 msgid "|FILE|write output to FILE"
 msgstr "|FICHIER|écrire la sortie dans le FICHIER"
 
-msgid "use canonical text mode"
-msgstr "utiliser le mode texte canonique"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|niveau de compression N (0 désactive)"
 
@@ -7116,7 +7113,9 @@ msgstr "l'accès aux commandes d'administration n'est pas configuré\n"
 msgid "||Please enter the PIN"
 msgstr "||Veuillez entrer le code personnel"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Veuillez entrer le code de réinitialisation pour la carte"
 
 #, c-format
@@ -9523,6 +9522,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "utiliser le mode texte canonique"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/gl.po

@@ -2231,9 +2231,6 @@ msgstr "crear saída con armadura en ascii"
 msgid "|FILE|write output to FILE"
 msgstr "|FICHEIRO|carga-lo módulo de extensión FICHEIRO"
 
-msgid "use canonical text mode"
-msgstr "usar modo de texto canónico"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|axusta-lo nivel de compresión a N (0 desactiva)"
@@ -6981,7 +6978,7 @@ msgid "||Please enter the PIN"
 msgstr "cambia-lo contrasinal"
 
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Por favor, escolla o motivo da revocación:\n"
 
 #, c-format
@@ -9324,6 +9321,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "usar modo de texto canónico"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/hu.po

@@ -2223,9 +2223,6 @@ msgstr "ascii páncélozott kimenet létrehozása"
 msgid "|FILE|write output to FILE"
 msgstr "|fájl|bővítő modul betöltése"
 
-msgid "use canonical text mode"
-msgstr "kanonikus szöveges mód használata"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|tömörítési szint beállítása N-re (0: tiltás)"
@@ -6943,7 +6940,7 @@ msgid "||Please enter the PIN"
 msgstr "jelszóváltoztatás"
 
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Kérem, válassza ki a visszavonás okát:\n"
 
 #, c-format
@@ -9271,6 +9268,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "kanonikus szöveges mód használata"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/id.po

@@ -2227,9 +2227,6 @@ msgstr "ciptakan output ascii"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|muat modul ekstensi FILE"
 
-msgid "use canonical text mode"
-msgstr "gunakan mode teks kanonikal"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|set tingkat kompresi N (0 tidak ada)"
@@ -6942,7 +6939,7 @@ msgid "||Please enter the PIN"
 msgstr "ubah passphrase"
 
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Silakan pilih alasan untuk pembatalan:\n"
 
 #, c-format
@@ -9270,6 +9267,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "gunakan mode teks kanonikal"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/it.po

@@ -2135,9 +2135,6 @@ msgstr "crea un output ascii con armatura"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|scrittura dell'output in FILE"
 
-msgid "use canonical text mode"
-msgstr "usa il modo testo canonico"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|Impostare il livello di compressione su N (0 disabilita)"
 
@@ -6762,7 +6759,9 @@ msgstr "l'accesso ai comandi di amministrazione non è configurato\n"
 msgid "||Please enter the PIN"
 msgstr "||Inserisci il PIN"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Inserisci il Codice reset per la carta"
 
 #, c-format
@@ -9078,6 +9077,9 @@ msgstr "Comandi di gestione Yubikey"
 msgid "manage the command history"
 msgstr "gestire la cronologia dei comandi"
 
+#~ msgid "use canonical text mode"
+#~ msgstr "usa il modo testo canonico"
+
 #~ msgid "selected AEAD algorithm is invalid\n"
 #~ msgstr "l'algoritmo AEAD selezionato non è valido\n"
 

po/ja.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 2.4.3\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"PO-Revision-Date: 2024-01-25 09:06+0900\n"
+"PO-Revision-Date: 2024-03-07 13:59+0100\n"
 "Last-Translator: NIIBE Yutaka <gniibe@fsij.org>\n"
 "Language-Team: none\n"
 "Language: ja\n"
@@ -2086,9 +2086,6 @@ msgstr "ASCII形式の外装を作成"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|出力をFILEに書き出す"
 
-msgid "use canonical text mode"
-msgstr "正準テキスト・モードを使用"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|圧縮レベルをNに設定 (0は非圧縮)"
 
@@ -6484,8 +6481,8 @@ msgstr "管理コマンドへのアクセスが設定されていません\n"
 msgid "||Please enter the PIN"
 msgstr "||PINを入力してください"
 
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
-msgstr "||カードのリセット・コードを入力してください"
+msgstr "|R|カードのリセット・コードを入力してください"
 
 #, c-format
 msgid "Reset Code is too short; minimum length is %d\n"
@@ -8738,6 +8735,9 @@ msgstr "Yubikey管理コマンド"
 msgid "manage the command history"
 msgstr "コマンド履歴を管理する"
 
+#~ msgid "use canonical text mode"
+#~ msgstr "正準テキスト・モードを使用"
+
 #~ msgid "continuing verification anyway due to option %s\n"
 #~ msgstr "オプション %sのため、検証を続けます\n"
 

po/nb.po

@@ -2171,9 +2171,6 @@ msgstr "lag ASCII-beskyttet utdata"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|skriv utdata til valgt FIL"
 
-msgid "use canonical text mode"
-msgstr "bruk kanonisk tekstmodus"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|endre komprimeringsnivå til N (0 for å slå av)"
 
@@ -6770,7 +6767,9 @@ msgstr "tilgang til admin-kommandoer er ikke konfigurert\n"
 msgid "||Please enter the PIN"
 msgstr "||Skriv inn PIN-kode"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Skriv inn tilbakestillingskode for kortet"
 
 #, c-format
@@ -9055,6 +9054,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "bruk kanonisk tekstmodus"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/pl.po

@@ -2,13 +2,13 @@
 # Copyright (C) 1998, 1999, 2000, 2001, 2002,
 #               2007 Free Software Foundation, Inc.
 # Janusz A. Urbanowicz <alex@bofh.net.pl>, 1999, 2000, 2001, 2002, 2003-2004
-# Jakub Bogusz <qboosh@pld-linux.org>, 2003-2023.
+# Jakub Bogusz <qboosh@pld-linux.org>, 2003-2024.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: gnupg-2.4.3\n"
+"Project-Id-Version: gnupg-2.4.4\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"PO-Revision-Date: 2023-10-20 21:29+0200\n"
+"PO-Revision-Date: 2024-03-07 14:00+0100\n"
 "Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
 "Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
 "Language: pl\n"
@@ -923,43 +923,35 @@ msgstr "OSTRZEŻENIE: „%s%s” jest przestarzałą opcją - nie ma efektu\n"
 msgid "unknown debug flag '%s' ignored\n"
 msgstr "nieznana flaga diagnostyczna „%s” zignorowana\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "waiting for the %s to come up ... (%ds)\n"
 msgid "waiting for the dirmngr to come up ... (%ds)\n"
-msgstr "oczekiwanie na uruchomienie procesu %s... (%ds)\n"
+msgstr "oczekiwanie na uruchomienie procesu dirmngr... (%ds)\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "waiting for the %s to come up ... (%ds)\n"
 msgid "waiting for the keyboxd to come up ... (%ds)\n"
-msgstr "oczekiwanie na uruchomienie procesu %s... (%ds)\n"
+msgstr "oczekiwanie na uruchomienie procesu keyboxd... (%ds)\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "waiting for the %s to come up ... (%ds)\n"
 msgid "waiting for the agent to come up ... (%ds)\n"
-msgstr "oczekiwanie na uruchomienie procesu %s... (%ds)\n"
+msgstr "oczekiwanie na uruchomienie procesu agenta... (%ds)\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "connection to %s established\n"
 msgid "connection to the dirmngr established\n"
-msgstr "ustanowiono połączenie z procesem %s\n"
+msgstr "ustanowiono połączenie z procesem dirmngr\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "connection to %s established\n"
 msgid "connection to the keyboxd established\n"
-msgstr "ustanowiono połączenie z procesem %s\n"
+msgstr "ustanowiono połączenie z procesem keyboxd\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "connection to %s established\n"
 msgid "connection to the agent established\n"
-msgstr "ustanowiono połączenie z procesem %s\n"
+msgstr "ustanowiono połączenie z procesem agenta\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "no running Dirmngr - starting '%s'\n"
 msgid "no running %s - starting '%s'\n"
-msgstr "Dirmngr nie działa - uruchamianie „%s”\n"
+msgstr "brak działającego %s - uruchamianie „%s”\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "connection to agent is in restricted mode\n"
 msgid "connection to the agent is in restricted mode\n"
 msgstr "połączenie z agentem jest w trybie ograniczonym\n"
 
@@ -1332,10 +1324,11 @@ msgstr "problem z agentem: %s\n"
 msgid "no dirmngr running in this session\n"
 msgstr "brak działającego dirmngr w tej sesji\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "keyserver option \"%s\" may not be used in %s mode\n"
 msgid "keyserver option \"honor-keyserver-url\" may not be used in Tor mode\n"
-msgstr "opcja serwera kluczy „%s” nie może być używana w trybie %s\n"
+msgstr ""
+"opcja serwera kluczy „honor-keyserver-url” nie może być używana w trybie "
+"Tor\n"
 
 msgid "WKD uses a cached result"
 msgstr "WKD używa zapamiętanego wyniku"
@@ -1402,7 +1395,7 @@ msgstr "wymuszono"
 
 #, c-format
 msgid "Please try command \"%s\" if the listing does not look correct\n"
-msgstr "Proszę spróbować polecenia ,,%s'', jeśli lista nie wygląda poprawnie\n"
+msgstr "Proszę spróbować polecenia „%s”, jeśli lista nie wygląda poprawnie\n"
 
 msgid "Error: Only plain ASCII is currently allowed.\n"
 msgstr "Błąd: aktualnie dopuszczalne jest tylko czyste ASCII.\n"
@@ -1768,14 +1761,13 @@ msgstr ""
 "OSTRZEŻENIE: wymuszone użycie szyfru %s (%d) kłóci się z ustawieniami "
 "adresata\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "cipher algorithm '%s' may not be used in %s mode\n"
 msgid "cipher algorithm '%s' may not be used for encryption\n"
-msgstr "szyfr „%s” nie może być używany w trybie %s\n"
+msgstr "algorytm szyfru „%s” nie może być używany do szyfrowania\n"
 
 #, c-format
 msgid "(use option \"%s\" to override)\n"
-msgstr ""
+msgstr "(opcją „%s” można to obejść)\n"
 
 #, c-format
 msgid "cipher algorithm '%s' may not be used in %s mode\n"
@@ -1821,17 +1813,15 @@ msgstr ""
 "OSTRZEŻENIE: wymuszone użycie kompresji %s (%d) kłóci się z ustawieniami "
 "adresata\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "%s/%s encrypted for: \"%s\"\n"
 msgid "%s/%s.%s encrypted for: \"%s\"\n"
-msgstr "%s/%s zaszyfrowany dla: „%s”\n"
+msgstr "%s/%s.%s zaszyfrowany dla: „%s”\n"
 
 #, c-format
 msgid "option '%s' may not be used in %s mode\n"
 msgstr "opcja „%s” nie może być używana w trybie %s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "%s encrypted data\n"
 msgid "%s encrypted data\n"
 msgstr "dane zaszyfrowano za pomocą %s\n"
 
@@ -2101,9 +2091,6 @@ msgstr "opakowanie ASCII pliku wynikowego"
 msgid "|FILE|write output to FILE"
 msgstr "|PLIK|zapis wyjścia do PLIKU"
 
-msgid "use canonical text mode"
-msgstr "kanoniczny format tekstowy"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|ustawienie poziomu kompresji N (0 - bez)"
 
@@ -2798,12 +2785,11 @@ msgstr ""
 
 #, c-format
 msgid "         \"%s\": preference for cipher algorithm %s\n"
-msgstr "         „%s”: preferowany szyfr %s\n"
+msgstr "         „%s”: preferowany algorytm szyfru %s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "         \"%s\": preference for cipher algorithm %s\n"
 msgid "         \"%s\": preference for AEAD algorithm %s\n"
-msgstr "         „%s”: preferowany szyfr %s\n"
+msgstr "         „%s”: preferowany algorytm AEAD %s\n"
 
 #, c-format
 msgid "         \"%s\": preference for digest algorithm %s\n"
@@ -3905,7 +3891,7 @@ msgstr "Czy podano odcisk podklucza?\n"
 
 #, c-format
 msgid "key \"%s\" is already on this keyblock\n"
-msgstr "klucz ,,%s'' jest już w tym bloku kluczy\n"
+msgstr "klucz „%s” jest już w tym bloku kluczy\n"
 
 msgid ""
 "Are you sure you want to change the expiration time for multiple subkeys? (y/"
@@ -4154,77 +4140,64 @@ msgstr "   (%c) Przełączenie możliwości uwierzytelniania\n"
 msgid "   (%c) Finished\n"
 msgstr "   (%c) Zakończenie\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "   (%d) RSA and RSA (default)\n"
 msgid "   (%d) RSA and RSA%s\n"
-msgstr "   (%d) RSA i RSA (domyślne)\n"
+msgstr "   (%d) RSA i RSA%s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "   (%d) DSA and Elgamal\n"
 msgid "   (%d) DSA and Elgamal%s\n"
-msgstr "   (%d) DSA i Elgamala\n"
+msgstr "   (%d) DSA i Elgamala%s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "   (%d) DSA (sign only)\n"
 msgid "   (%d) DSA (sign only)%s\n"
-msgstr "   (%d) DSA (tylko do podpisywania)\n"
+msgstr "   (%d) DSA (tylko do podpisywania)%s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "   (%d) RSA (sign only)\n"
 msgid "   (%d) RSA (sign only)%s\n"
-msgstr "   (%d) RSA (tylko do podpisywania)\n"
+msgstr "   (%d) RSA (tylko do podpisywania)%s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "   (%d) Elgamal (encrypt only)\n"
 msgid "   (%d) Elgamal (encrypt only)%s\n"
-msgstr "   (%d) Elgamala (tylko do szyfrowania)\n"
+msgstr "   (%d) Elgamala (tylko do szyfrowania)%s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "   (%d) RSA (encrypt only)\n"
 msgid "   (%d) RSA (encrypt only)%s\n"
-msgstr "   (%d) RSA (tylko do szyfrowania)\n"
+msgstr "   (%d) RSA (tylko do szyfrowania)%s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "   (%d) DSA (set your own capabilities)\n"
 msgid "   (%d) DSA (set your own capabilities)%s\n"
-msgstr "   (%d) DSA (możliwości do ustawienia)\n"
+msgstr "   (%d) DSA (możliwości do ustawienia)%s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "   (%d) RSA (set your own capabilities)\n"
 msgid "   (%d) RSA (set your own capabilities)%s\n"
-msgstr "   (%d) RSA (możliwości do ustawienia)\n"
+msgstr "   (%d) RSA (możliwości do ustawienia)%s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "   (%d) sign, encrypt\n"
 msgid "   (%d) ECC (sign and encrypt)%s\n"
-msgstr "   (%d) podpisywanie, szyfrowanie\n"
+msgstr "   (%d) ECC (podpisywanie i szyfrowanie)%s\n"
 
 msgid " *default*"
-msgstr ""
+msgstr " *domyślne*"
 
 #, c-format
 msgid "  (%d) ECC (sign only)\n"
 msgstr "  (%d) ECC (tylko do podpisywania)\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "  (%d) ECC (set your own capabilities)\n"
 msgid "  (%d) ECC (set your own capabilities)%s\n"
-msgstr "  (%d) ECC (możliwości do ustawienia)\n"
+msgstr "  (%d) ECC (możliwości do ustawienia)%s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "  (%d) ECC (encrypt only)\n"
 msgid "  (%d) ECC (encrypt only)%s\n"
-msgstr "  (%d) ECC (tylko do szyfrowania)\n"
+msgstr "  (%d) ECC (tylko do szyfrowania)%s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "  (%d) Existing key\n"
 msgid "  (%d) Existing key%s\n"
-msgstr "  (%d) Istniejący klucz\n"
+msgstr "  (%d) Istniejący klucz%s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "  (%d) Existing key from card\n"
 msgid "  (%d) Existing key from card%s\n"
-msgstr "  (%d) Istniejący klucz z karty\n"
+msgstr "  (%d) Istniejący klucz z karty%s\n"
 
 msgid "Enter the keygrip: "
 msgstr "Uchwyt klucza: "
@@ -5336,25 +5309,22 @@ msgstr ""
 "OSTRZEŻENIE: ten klucz mógł zostać unieważniony\n"
 "             (brak klucza unieważniającego aby to sprawdzić)\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "user ID: \"%s\"\n"
 msgid "checking User ID \"%s\"\n"
-msgstr "identyfikator użytkownika: „%s”\n"
+msgstr "sprawdzanie identyfikatora użytkownika: „%s”\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "option '%s' given, but option '%s' not given\n"
 msgid "option %s given but issuer \"%s\" does not match\n"
-msgstr "podano opcję „%s”, ale nie podano opcji „%s”\n"
+msgstr "podano opcję %s, ale wystawca „%s” nie pasuje\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "key %s: doesn't match our copy\n"
 msgid "issuer \"%s\" does not match any User ID\n"
-msgstr "klucz %s: nie zgadza się z lokalną kopią\n"
+msgstr "klucz „%s” nie pasuje do żadnego identyfikatora użytkownika\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "option '%s' given, but option '%s' not given\n"
 msgid "option %s given but no matching User ID found\n"
-msgstr "podano opcję „%s”, ale nie podano opcji „%s”\n"
+msgstr ""
+"podano opcję %s, ale nie znaleziono pasującego identyfikatora użytkownika\n"
 
 #, c-format
 msgid "WARNING: This key has been revoked by its designated revoker!\n"
@@ -6524,15 +6494,14 @@ msgstr "linia wejścia %u zbyt długa lub brak znaku LF\n"
 msgid "can't open fd %d: %s\n"
 msgstr "nie można otworzyć fd %d: %s\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "WARNING: message was not integrity protected\n"
 msgid "WARNING: encrypting without integrity protection is dangerous\n"
-msgstr "OSTRZEŻENIE: wiadomość nie była zabezpieczona przed manipulacją\n"
+msgstr ""
+"OSTRZEŻENIE: szyfrowanie bez ochrony przed manipulacją jest niebezpieczne\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "ambiguous option '%s'\n"
 msgid "Hint: Do not use option %s\n"
-msgstr "niejednoznaczna opcja „%s”\n"
+msgstr "Podpowiedź: nie używać opcji %s\n"
 
 msgid "set debugging flags"
 msgstr "ustawienie flag diagnostycznych"
@@ -6774,8 +6743,8 @@ msgstr "dostęp do poleceń administratora nie został skonfigurowany\n"
 msgid "||Please enter the PIN"
 msgstr "||Proszę wpisać PIN"
 
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
-msgstr "||Proszę wprowadzić kod resetujący dla karty"
+msgstr "|R|Proszę wprowadzić kod resetujący dla karty"
 
 #, c-format
 msgid "Reset Code is too short; minimum length is %d\n"
@@ -8553,7 +8522,7 @@ msgstr "%s:%u: podano hasło bez użytkownika\n"
 
 #, c-format
 msgid "%s:%u: ignoring unknown flag '%s'\n"
-msgstr "%s:%u: zignorowano nieznaną flagę ,,%s''\n"
+msgstr "%s:%u: zignorowano nieznaną flagę „%s”\n"
 
 #, c-format
 msgid "%s:%u: skipping this line\n"
@@ -8986,489 +8955,69 @@ msgstr ""
 "Składnia: gpg-check-pattern [opcje] plik-wzorców\n"
 "Sprawdzanie hasła ze standardowego wejścia względem pliku wzorców\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "Note: keys are already stored on the card!\n"
 msgid "Note: key %s is already stored on the card!\n"
-msgstr "Uwaga: klucze są już zapisane na karcie!\n"
+msgstr "Uwaga: klucz %s jest już zapisany na karcie!\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "Note: keys are already stored on the card!\n"
 msgid "Note: Keys are already stored on the card!\n"
 msgstr "Uwaga: klucze są już zapisane na karcie!\n"
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "Replace existing keys? (y/N) "
 msgid "Replace existing key %s ? (y/N) "
-msgstr "Zastąpić istniejące klucze? (t/N) "
+msgstr "Zastąpić istniejące klucz %s? (t/N) "
 
-#, fuzzy, c-format
+#, c-format
-#| msgid "OpenPGP card no. %s detected\n"
 msgid "%s card no. %s detected\n"
-msgstr "Wykryto kartę OpenPGP nr %s\n"
+msgstr "Wykryto kartę %s nr %s\n"
 
 #, c-format
 msgid "User Interaction Flag is set to \"%s\" - can't change\n"
 msgstr ""
+"Flaga interakcji użytkownika (UIF) jest ustawiona na „%s” - nie można "
+"zmienić\n"
 
 #, c-format
 msgid ""
 "Warning: Setting the User Interaction Flag to \"%s\"\n"
 "         can only be reverted using a factory reset!\n"
 msgstr ""
+"Uwaga: ustawienie flagi interakcji użytkownika (UIF) na „%s”\n"
+"       może być odwrócone tylko przez reset do ustawień fabrycznych!\n"
 
 #, c-format
 msgid "Please use \"uif --yes %d %s\"\n"
-msgstr ""
+msgstr "Proszę użyć „uif --yes %d %s”\n"
 
-#, fuzzy
-#| msgid "add a certificate to the cache"
 msgid "authenticate to the card"
-msgstr "dodanie certyfikatu do pamięci podręcznej"
+msgstr "uwierzytelnienie względem karty"
 
 msgid "send a reset to the card daemon"
-msgstr ""
+msgstr "wysłanie resetu do demona kart"
 
 msgid "setup KDF for PIN authentication"
 msgstr "ustawienie KDF do uwierzytelniania PIN-em"
 
 msgid "change a private data object"
-msgstr ""
+msgstr "zmiana obiektu danych prywatnych"
 
-#, fuzzy
-#| msgid "add a certificate to the cache"
 msgid "read a certificate from a data object"
-msgstr "dodanie certyfikatu do pamięci podręcznej"
+msgstr "odczyt certyfikatu z obiektu danych"
 
-#, fuzzy
-#| msgid "add a certificate to the cache"
 msgid "store a certificate to a data object"
-msgstr "dodanie certyfikatu do pamięci podręcznej"
+msgstr "zapis certyfikatu w obiekcie danych"
 
 msgid "store a private key to a data object"
-msgstr ""
+msgstr "zapis klucza prywatnego w obiekcie danych"
 
 msgid "run various checks on the keys"
-msgstr ""
+msgstr "wykonanie różnych sprawdzeń kluczy"
 
 msgid "Yubikey management commands"
-msgstr ""
+msgstr "polecenia zarządzające kluczami Yubikey"
 
 msgid "manage the command history"
-msgstr ""
+msgstr "zarządzanie historią poleceń"
 
-#, fuzzy
+#~ msgid "use canonical text mode"
-#~| msgid "selected digest algorithm is invalid\n"
+#~ msgstr "kanoniczny format tekstowy"
-#~ msgid "selected AEAD algorithm is invalid\n"
-#~ msgstr "wybrany algorytm skrótów wiadomości jest niepoprawny\n"
-
-#, fuzzy
-#~| msgid "invalid personal cipher preferences\n"
-#~ msgid "invalid personal AEAD preferences\n"
-#~ msgstr "niewłaściwe ustawienia szyfrów\n"
-
-#, fuzzy
-#~| msgid "cipher algorithm '%s' may not be used in %s mode\n"
-#~ msgid "AEAD algorithm '%s' may not be used in %s mode\n"
-#~ msgstr "szyfr „%s” nie może być używany w trybie %s\n"
-
-#~ msgid "forcing symmetric cipher %s (%d) violates recipient preferences\n"
-#~ msgstr "wymuszone użycie szyfru %s (%d) kłóci się z ustawieniami adresata\n"
-
-#~ msgid "error writing to temporary file: %s\n"
-#~ msgstr "błąd zapisu do pliku tymczasowego: %s\n"
-
-#~ msgid "run in supervised mode"
-#~ msgstr "uruchomienie w trybie dozorowanym"
-
-#~ msgid "Name may not start with a digit\n"
-#~ msgstr "Imię lub nazwisko nie może zaczynać się od cyfry\n"
-
-#~ msgid "Name must be at least 5 characters long\n"
-#~ msgstr "Imię i nazwisko muszą mieć co najmniej 5 znaków długości.\n"
-
-#~ msgid "Configuration for Keyservers"
-#~ msgstr "Konfiguracja dla serwerów kluczy"
-
-#~ msgid "Configuration of LDAP servers to use"
-#~ msgstr "Konfiguracja używanych serwerów LDAP"
-
-#~ msgid "selfsigned certificate has a BAD signature"
-#~ msgstr "certyfikat z własnym podpisem ma BŁĘDNY podpis"
-
-#~ msgid "requesting key %s from %s server %s\n"
-#~ msgstr "zapytanie o klucz %s z serwera %s %s\n"
-
-#~ msgid "%s:%u: no hostname given\n"
-#~ msgstr "%s:%u: nie podano nazwy hosta\n"
-
-#~ msgid "could not parse keyserver\n"
-#~ msgstr "niezrozumiały adres serwera kluczy\n"
-
-#~ msgid "return all values in a record oriented format"
-#~ msgstr "zwrócenie wszystkich wartości w formacie rekordu"
-
-#~ msgid "|NAME|ignore host part and connect through NAME"
-#~ msgstr "|NAZWA|zignorowanie części z hostem i połączenie poprzez NAZWĘ"
-
-#~ msgid "|NAME|connect to host NAME"
-#~ msgstr "|NAZWA|połączenie z hostem NAZWA"
-
-#~ msgid "|N|connect to port N"
-#~ msgstr "|N|połączenie z portem N"
-
-#~ msgid "|NAME|use user NAME for authentication"
-#~ msgstr "|NAZWA|użycie NAZWY użytkownika do uwierzytelnienia"
-
-#~ msgid "|PASS|use password PASS for authentication"
-#~ msgstr "|HASŁO|użycie HASŁA do uwierzytelnienia"
-
-#~ msgid "take password from $DIRMNGR_LDAP_PASS"
-#~ msgstr "pobranie hasła z $DIRMNGR_LDAP_PASS"
-
-#~ msgid "|STRING|query DN STRING"
-#~ msgstr "|ŁAŃCUCH|ŁAŃCUCH zapytania DN"
-
-#~ msgid "|STRING|use STRING as filter expression"
-#~ msgstr "|ŁAŃCUCH|użycie ŁAŃCUCHA jako wyrażenia filtra"
-
-#~ msgid "|STRING|return the attribute STRING"
-#~ msgstr "|ŁAŃCUCH|zwrócenie atrybutu ŁAŃCUCH"
-
-#~ msgid "Usage: dirmngr_ldap [options] [URL] (-h for help)\n"
-#~ msgstr "Składnia: dirmngr_ldap [opcje] [URL] (-h wyświetla pomoc)\n"
-
-#~ msgid ""
-#~ "Syntax: dirmngr_ldap [options] [URL]\n"
-#~ "Internal LDAP helper for Dirmngr\n"
-#~ "Interface and options may change without notice\n"
-#~ msgstr ""
-#~ "Składnia: dirmngr_ldap [opcje] [URL]\n"
-#~ "Wewnętrzny program pomocniczy LDAP dla Dirmngr\n"
-#~ "Interfejs i opcje mogą się zmienić bez uprzedzenia\n"
-
-#~ msgid "invalid port number %d\n"
-#~ msgstr "błędny numer portu %d\n"
-
-#~ msgid "scanning result for attribute '%s'\n"
-#~ msgstr "przeszukiwanie wyniku pod kątem atrybutu „%s”\n"
-
-#~ msgid "error writing to stdout: %s\n"
-#~ msgstr "błąd zapisu na standardowe wyjście: %s\n"
-
-#~ msgid "          available attribute '%s'\n"
-#~ msgstr "          dostępny atrybut „%s”\n"
-
-#~ msgid "attribute '%s' not found\n"
-#~ msgstr "nie znaleziono atrybutu „%s”\n"
-
-#~ msgid "found attribute '%s'\n"
-#~ msgstr "znaleziono atrybut „%s”\n"
-
-#~ msgid "processing url '%s'\n"
-#~ msgstr "przetwarzanie URL-a „%s”\n"
-
-#~ msgid "          user '%s'\n"
-#~ msgstr "          użytkownik „%s”\n"
-
-#~ msgid "          pass '%s'\n"
-#~ msgstr "          hasło „%s”\n"
-
-#~ msgid "          host '%s'\n"
-#~ msgstr "          host „%s”\n"
-
-#~ msgid "          port %d\n"
-#~ msgstr "          port %d\n"
-
-#~ msgid "            DN '%s'\n"
-#~ msgstr "            DN „%s”\n"
-
-#~ msgid "        filter '%s'\n"
-#~ msgstr "        filtr „%s”\n"
-
-#~ msgid "          attr '%s'\n"
-#~ msgstr "          atrybut „%s”\n"
-
-#~ msgid "no host name in '%s'\n"
-#~ msgstr "brak nazwy hosta w „%s”\n"
-
-#~ msgid "no attribute given for query '%s'\n"
-#~ msgstr "nie podano atrybutu dla zapytania „%s”\n"
-
-#~ msgid "WARNING: using first attribute only\n"
-#~ msgstr "OSTRZEŻENIE: użyto tylko pierwszego atrybutu\n"
-
-#~ msgid "LDAP init to '%s:%d' failed: %s\n"
-#~ msgstr "nie udało się zainicjować LDAP na „%s:%d”: %s\n"
-
-#, fuzzy
-#~| msgid "LDAP init to '%s:%d' failed: %s\n"
-#~ msgid "LDAP init to '%s' failed: %s\n"
-#~ msgstr "nie udało się zainicjować LDAP na „%s:%d”: %s\n"
-
-#, fuzzy
-#~| msgid "LDAP init to '%s:%d' failed: %s\n"
-#~ msgid "LDAP init to '%s' done\n"
-#~ msgstr "nie udało się zainicjować LDAP na „%s:%d”: %s\n"
-
-#~ msgid "binding to '%s:%d' failed: %s\n"
-#~ msgstr "dowiązanie do „%s:%d” nie powiodło się: %s\n"
-
-#~ msgid "searching '%s' failed: %s\n"
-#~ msgstr "szukanie „%s” nie powiodło się: %s\n"
-
-#~ msgid "start_cert_fetch: invalid pattern '%s'\n"
-#~ msgstr "start_cert_fetch: błędny wzorzec „%s”\n"
-
-#~ msgid "ldapserver missing"
-#~ msgstr "brak pola ldapserver"
-
-#, fuzzy
-#~| msgid "change a passphrase"
-#~ msgid "Suggest a random passphrase."
-#~ msgstr "zmiana hasła"
-
-#~ msgid "detected card with S/N: %s\n"
-#~ msgstr "wykryto kartę o numerze seryjnym: %s\n"
-
-#~ msgid "no authentication key for ssh on card: %s\n"
-#~ msgstr "nie znaleziono klucza uwierzytelniającego dla ssh na karcie: %s\n"
-
-#~ msgid "Please remove the current card and insert the one with serial number"
-#~ msgstr "Proszę wyjąć obecną kartę i włożyć kartę z numerem seryjnym"
-
-#~ msgid "use a log file for the server"
-#~ msgstr "użycie pliku loga dla serwera"
-
-#~ msgid "no running gpg-agent - starting '%s'\n"
-#~ msgstr "gpg-agent nie działa - uruchamianie „%s”\n"
-
-#~ msgid "argument not expected"
-#~ msgstr "nieoczekiwany argument"
-
-#~ msgid "read error"
-#~ msgstr "błąd odczytu"
-
-#~ msgid "keyword too long"
-#~ msgstr "słowo kluczowe zbyt długie"
-
-#~ msgid "missing argument"
-#~ msgstr "brak argumentu"
-
-#~ msgid "invalid argument"
-#~ msgstr "niepoprawny argument"
-
-#~ msgid "invalid command"
-#~ msgstr "błędne polecenie"
-
-#~ msgid "invalid alias definition"
-#~ msgstr "błędna definicja aliasu"
-
-#~ msgid "out of core"
-#~ msgstr "brak pamięci"
-
-#, fuzzy
-#~| msgid "invalid command"
-#~ msgid "invalid meta command"
-#~ msgstr "błędne polecenie"
-
-#, fuzzy
-#~| msgid "unknown command '%s'\n"
-#~ msgid "unknown meta command"
-#~ msgstr "nieznane polecenie „%s”\n"
-
-#, fuzzy
-#~| msgid "unexpected armor: "
-#~ msgid "unexpected meta command"
-#~ msgstr "nieoczekiwane opakowanie: "
-
-#~ msgid "invalid option"
-#~ msgstr "błędna opcja"
-
-#~ msgid "missing argument for option \"%.50s\"\n"
-#~ msgstr "brak argumentu dla opcji „%.50s”\n"
-
-#~ msgid "option \"%.50s\" does not expect an argument\n"
-#~ msgstr "opcja „%.50s” nie może mieć argumentów\n"
-
-#~ msgid "invalid command \"%.50s\"\n"
-#~ msgstr "błędne polecenie „%.50s”\n"
-
-#~ msgid "option \"%.50s\" is ambiguous\n"
-#~ msgstr "opcja „%.50s” jest niejednoznaczna\n"
-
-#~ msgid "command \"%.50s\" is ambiguous\n"
-#~ msgstr "polecenie „%.50s” jest niejednoznaczne\n"
-
-#~ msgid "invalid option \"%.50s\"\n"
-#~ msgstr "błędna opcja „%.50s”\n"
-
-#~ msgid "Note: no default option file '%s'\n"
-#~ msgstr "Uwaga: brak domyślnego pliku opcji „%s”\n"
-
-#~ msgid "option file '%s': %s\n"
-#~ msgstr "plik opcji „%s”: %s\n"
-
-#~ msgid "unable to execute program '%s': %s\n"
-#~ msgstr "nie można uruchomić programu „%s”: %s\n"
-
-#~ msgid "unable to execute external program\n"
-#~ msgstr "nie można uruchomić zewnętrznego programu\n"
-
-#~ msgid "unable to read external program response: %s\n"
-#~ msgstr "nie można odczytać odpowiedzi programu zewnętrznego: %s\n"
-
-#~ msgid "validate signatures with PKA data"
-#~ msgstr "sprawdzanie podpisów z danymi PKA"
-
-#~ msgid "elevate the trust of signatures with valid PKA data"
-#~ msgstr "zwiększenie zaufania podpisów z poprawnymi danymi PKA"
-
-#~ msgid "   (%d) ECC and ECC\n"
-#~ msgstr "   (%d) ECC i ECC\n"
-
-#~ msgid "honor the PKA record set on a key when retrieving keys"
-#~ msgstr "honorowanie rekordu PKA ustawionego w kluczu przy pobieraniu kluczy"
-
-#~ msgid "Note: Verified signer's address is '%s'\n"
-#~ msgstr "Uwaga: Sprawdzony adres pospisującego to „%s”\n"
-
-#~ msgid "Note: Signer's address '%s' does not match DNS entry\n"
-#~ msgstr "Uwaga: Adres podpisującego „%s” nie pasuje do wpisu DNS\n"
-
-#~ msgid "trustlevel adjusted to FULL due to valid PKA info\n"
-#~ msgstr ""
-#~ "poziom zaufania poprawiony na PEŁNY ze względu na poprawne informacje "
-#~ "PKA\n"
-
-#~ msgid "trustlevel adjusted to NEVER due to bad PKA info\n"
-#~ msgstr ""
-#~ "poziom zaufania poprawiony na ŻADEN ze względu na błędne informacje PKA\n"
-
-#~ msgid "|FILE|write a server mode log to FILE"
-#~ msgstr "|PLIK|zapisanie logów trybu serwerowego do PLIKU"
-
-#~ msgid "run without asking a user"
-#~ msgstr "działanie bez pytania użytkownika"
-
-#~ msgid "allow PKA lookups (DNS requests)"
-#~ msgstr "zezwolenie na wyszukiwania PKA (żądania DNS)"
-
-#~ msgid "Options controlling the format of the output"
-#~ msgstr "Opcje sterujące formatem wyjścia"
-
-#~ msgid "Options controlling the use of Tor"
-#~ msgstr "Opcje sterujące użyciem Tora"
-
-#~ msgid "LDAP server list"
-#~ msgstr "lista serwerów LDAP"
-
-#~ msgid "Note: old default options file '%s' ignored\n"
-#~ msgstr "Uwaga: stary domyślny plik opcji „%s” został zignorowany\n"
-
-#~ msgid ""
-#~ "@\n"
-#~ "Commands:\n"
-#~ " "
-#~ msgstr ""
-#~ "@\n"
-#~ "Polecenia:\n"
-#~ " "
-
-#~ msgid "decryption modus"
-#~ msgstr "tryb rozszyfrowywania"
-
-#~ msgid "encryption modus"
-#~ msgstr "tryb szyfrowania"
-
-#~ msgid "tool class (confucius)"
-#~ msgstr "klasa narzędzia (confucius)"
-
-#~ msgid "program filename"
-#~ msgstr "nazwa programu"
-
-#~ msgid "secret key file (required)"
-#~ msgstr "plik klucza tajnego (wymagany)"
-
-#~ msgid "input file name (default stdin)"
-#~ msgstr "nazwa pliku wejściowego (domyślnie standardowe wejście)"
-
-#~ msgid "Usage: symcryptrun [options] (-h for help)"
-#~ msgstr "Składnia: symcryptrun [opcje] (-h wyświetla pomoc)"
-
-#~ msgid ""
-#~ "Syntax: symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE "
-#~ "[options...] COMMAND [inputfile]\n"
-#~ "Call a simple symmetric encryption tool\n"
-#~ msgstr ""
-#~ "Składnia: symcryptrun --class KLASA --program PROGRAM --keyfile "
-#~ "PLIK_KLUCZA [opcje...] POLECENIE [plik-weściowy]\n"
-#~ "Wywołanie prostego narzędzia do szyfrowania symetrycznego\n"
-
-#~ msgid "%s on %s aborted with status %i\n"
-#~ msgstr "%s na %s przerwany ze stanem %i\n"
-
-#~ msgid "%s on %s failed with status %i\n"
-#~ msgstr "%s na %s nie powiódł się ze stanem %i\n"
-
-#~ msgid "can't create temporary directory '%s': %s\n"
-#~ msgstr "nie można utworzyć katalogu tymczasowego „%s”: %s\n"
-
-#~ msgid "could not open %s for writing: %s\n"
-#~ msgstr "nie udało się otworzyć %s do zapisu: %s\n"
-
-#~ msgid "error closing %s: %s\n"
-#~ msgstr "błąd zamykania %s: %s\n"
-
-#~ msgid "no --program option provided\n"
-#~ msgstr "nie podano opcji --program\n"
-
-#~ msgid "only --decrypt and --encrypt are supported\n"
-#~ msgstr "obsługiwane są tylko --decrypt i --encrypt\n"
-
-#~ msgid "no --keyfile option provided\n"
-#~ msgstr "nie podano opcji --keyfile\n"
-
-#~ msgid "cannot allocate args vector\n"
-#~ msgstr "nie można przydzielić wektora args\n"
-
-#~ msgid "could not create pipe: %s\n"
-#~ msgstr "nie udało się utworzyć potoku: %s\n"
-
-#~ msgid "could not create pty: %s\n"
-#~ msgstr "nie udało się utworzyć pty: %s\n"
-
-#~ msgid "could not fork: %s\n"
-#~ msgstr "nie udało się wykonać fork: %s\n"
-
-#~ msgid "execv failed: %s\n"
-#~ msgstr "execv nie powiodło się: %s\n"
-
-#~ msgid "select failed: %s\n"
-#~ msgstr "select nie powiodło się: %s\n"
-
-#~ msgid "read failed: %s\n"
-#~ msgstr "odczyt nie powiódł się: %s\n"
-
-#~ msgid "pty read failed: %s\n"
-#~ msgstr "odczyt pty nie powiódł się: %s\n"
-
-#~ msgid "waitpid failed: %s\n"
-#~ msgstr "waitpid nie powiodło się: %s\n"
-
-#~ msgid "child aborted with status %i\n"
-#~ msgstr "potomek został przerwany ze stanem %i\n"
-
-#~ msgid "cannot allocate infile string: %s\n"
-#~ msgstr "nie można przydzielić łańcucha pliku wejściowego: %s\n"
-
-#~ msgid "cannot allocate outfile string: %s\n"
-#~ msgstr "nie można przydzielić łańcucha pliku wyjściowego: %s\n"
-
-#~ msgid "either %s or %s must be given\n"
-#~ msgstr "musi być podane %s lub %s\n"
-
-#~ msgid "no class provided\n"
-#~ msgstr "nie podano klasy\n"
-
-#~ msgid "class %s is not supported\n"
-#~ msgstr "klasa %s nie jest obsługiwana\n"

po/pt.po

@@ -2157,9 +2157,6 @@ msgstr "criar saída blindada ASCII"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|escrever saída em FILE"
 
-msgid "use canonical text mode"
-msgstr "usar modo de texto canónico"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|definir nível de compressão para N (0 desabilita)"
 
@@ -6726,7 +6723,9 @@ msgstr "o acesso aos comandos admin não está configurado\n"
 msgid "||Please enter the PIN"
 msgstr "||Introduza o PIN"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Introduza o Código de Reset do cartão"
 
 #, c-format
@@ -8997,6 +8996,9 @@ msgstr "comandos de gerir uma Yubikey"
 msgid "manage the command history"
 msgstr "gerir o histórico de comandos"
 
+#~ msgid "use canonical text mode"
+#~ msgstr "usar modo de texto canónico"
+
 #, c-format
 #~ msgid "waiting for process to terminate failed: ec=%d\n"
 #~ msgstr "falha ao esperar que o processo terminasse: ec=%d\n"

po/ro.po

@@ -2248,9 +2248,6 @@ msgstr "crează ieşire în armură ascii"
 msgid "|FILE|write output to FILE"
 msgstr "|FIŞIER|încarcă modulul extensie FIŞIER"
 
-msgid "use canonical text mode"
-msgstr "foloseşte modul text canonic"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|setează nivel de compresie N (0 deactivează)"
@@ -7056,7 +7053,7 @@ msgid "||Please enter the PIN"
 msgstr "||Vă rugăm introduceţi PIN%%0A[semnături făcute: %lu]"
 
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Vă rugăm introduceţi PIN%%0A[semnături făcute: %lu]"
 
 #, fuzzy, c-format
@@ -9415,6 +9412,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "foloseşte modul text canonic"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/ru.po

@@ -2158,9 +2158,6 @@ msgstr "вывод в текстовом формате"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|выводить данные в файл FILE"
 
-msgid "use canonical text mode"
-msgstr "использовать канонический текстовый режим"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|установить уровень сжатия N (0 - без сжатия)"
 
@@ -6836,7 +6833,9 @@ msgstr "доступ к командам управления не настро
 msgid "||Please enter the PIN"
 msgstr "||Введите PIN"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Введите код сброса для карты"
 
 #, c-format
@@ -9156,6 +9155,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "использовать канонический текстовый режим"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/sk.po

@@ -2231,9 +2231,6 @@ msgstr "vytvor výstup zakódovaný pomocou ASCII"
 msgid "|FILE|write output to FILE"
 msgstr "|SÚBOR|nahrať rozširujúci modul SÚBOR"
 
-msgid "use canonical text mode"
-msgstr "použiť kánonický textový mód"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr ""
@@ -6969,7 +6966,7 @@ msgid "||Please enter the PIN"
 msgstr "zmeniť heslo"
 
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Prosím výberte dôvod na revokáciu:\n"
 
 #, c-format
@@ -9304,6 +9301,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "použiť kánonický textový mód"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/sv.po

@@ -2369,9 +2369,6 @@ msgstr "skapa utdata med ett ascii-skal"
 msgid "|FILE|write output to FILE"
 msgstr "|FIL|skriv utdata till FIL"
 
-msgid "use canonical text mode"
-msgstr "använd \"ursprunglig text\"-läget"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|ställ in komprimeringsnivån till N (0 för att inaktivera)"
 
@@ -7294,7 +7291,9 @@ msgstr "åtkomst till administrationskommandon är inte konfigurerat\n"
 msgid "||Please enter the PIN"
 msgstr "||Ange PIN-koden"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Ange nollställningskoden för kortet"
 
 #, c-format
@@ -9860,6 +9859,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "använd \"ursprunglig text\"-läget"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/tr.po

@@ -2101,9 +2101,6 @@ msgstr "ascii zırhlı çıktı oluştur"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|çıktıyı FILE'a yaz"
 
-msgid "use canonical text mode"
-msgstr "kurallı metin kipini kullan"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|sıkıştırma düzeyini N olarak ayarla (0 devre dışı bırakır)"
 
@@ -6666,7 +6663,9 @@ msgstr "yönetici komutlarına erişim yapılandırılmamış\n"
 msgid "||Please enter the PIN"
 msgstr "||Lütfen PIN'i giriniz"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Lütfen kart için Sıfırlama Kodunu giriniz"
 
 #, c-format
@@ -8918,3 +8917,6 @@ msgstr "Yubikey yönetim konsolu"
 
 msgid "manage the command history"
 msgstr "komut geçmişini yönet"
+
+#~ msgid "use canonical text mode"
+#~ msgstr "kurallı metin kipini kullan"

po/uk.po

@@ -2179,9 +2179,6 @@ msgstr "створити дані у форматі ASCII"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|записати дані до вказаного файла"
 
-msgid "use canonical text mode"
-msgstr "використовувати канонічний текстовий режим"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|встановити рівень стиснення (0 — вимкнути)"
 
@@ -6937,7 +6934,9 @@ msgstr "доступ до адміністративних команд не н
 msgid "||Please enter the PIN"
 msgstr "||Вкажіть пінкод"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Вкажіть код скидання коду картки"
 
 #, c-format
@@ -9249,6 +9248,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "використовувати канонічний текстовий режим"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

po/zh_CN.po

@@ -2075,9 +2075,6 @@ msgstr "创建 ASCII 字符封装的输出"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|写输出到 FILE"
 
-msgid "use canonical text mode"
-msgstr "使用规范的文本模式"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|设置压缩等级为 N （0 为禁用）"
 
@@ -6435,7 +6432,9 @@ msgstr "未配置到管理员命令的访问\n"
 msgid "||Please enter the PIN"
 msgstr "||请输入 PIN"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||请输入卡片的重置码"
 
 #, c-format
@@ -8675,6 +8674,9 @@ msgstr "Yubikey 管理命令"
 msgid "manage the command history"
 msgstr "管理命令历史记录"
 
+#~ msgid "use canonical text mode"
+#~ msgstr "使用规范的文本模式"
+
 #~ msgid "continuing verification anyway due to option %s\n"
 #~ msgstr "由于 %s 选项，验证仍在继续中\n"
 

po/zh_TW.po

@@ -2189,9 +2189,6 @@ msgstr "建立以 ASCII 封裝過的輸出"
 msgid "|FILE|write output to FILE"
 msgstr "|檔案|將輸出寫入至指定檔案"
 
-msgid "use canonical text mode"
-msgstr "使用標準的文字模式"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|設定壓縮等級為 N (0 表示不壓縮)"
 
@@ -6778,7 +6775,9 @@ msgstr "管理者指令存取權限尚未組態\n"
 msgid "||Please enter the PIN"
 msgstr "||請輸入個人識別碼 (PIN)"
 
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||請輸入卡片的重設碼"
 
 #, c-format
@@ -9057,6 +9056,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
 
+#~ msgid "use canonical text mode"
+#~ msgstr "使用標準的文字模式"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"

scd/app-nks.c

@@ -1613,7 +1613,7 @@ verify_pin (app_t app, int pwid, const char *desc,
   memset (&pininfo, 0, sizeof pininfo);
   pininfo.fixedlen = -1;
 
-  /* FIXME: TCOS allows to read the min. and max. values - do this.  */
+  /* FIXME: TCOS allows one to read the min. and max. values - do this.  */
   if (app->appversion == 15)
     {
       if (app->app_local->active_nks_app == NKS_APP_NKS && pwid == 0x03)

scd/app-openpgp.c

@@ -3306,6 +3306,7 @@ do_change_pin (app_t app, ctrl_t ctrl,  const char *chvnostr,
   char *pinvalue = NULL;
   int reset_mode = !!(flags & APP_CHANGE_FLAG_RESET);
   int set_resetcode = 0;
+  int use_resetcode = 0;
   pininfo_t pininfo;
   int use_pinpad = 0;
   int minlen = 6;
@@ -3458,7 +3459,7 @@ do_change_pin (app_t app, ctrl_t ctrl,  const char *chvnostr,
             }
 
           rc = pincb (pincb_arg,
-                      _("||Please enter the Reset Code for the card"),
+                      _("|R|Please enter the Reset Code for the card"),
                       &resetcode);
           if (rc)
             {
@@ -3473,13 +3474,14 @@ do_change_pin (app_t app, ctrl_t ctrl,  const char *chvnostr,
               rc = gpg_error (GPG_ERR_BAD_RESET_CODE);
               goto leave;
             }
+          use_resetcode = 1;
         }
       else
         {
           rc = gpg_error (GPG_ERR_INV_ID);
           goto leave;
         }
-    }
+    } /* End version 2 cards.  */
 
   if (chvno == 3)
     app->did_chv3 = 0;
@@ -3511,6 +3513,17 @@ do_change_pin (app_t app, ctrl_t ctrl,  const char *chvnostr,
               goto leave;
             }
         }
+      else if (use_resetcode)
+        {
+          minlen = 6; /* Reset from the RC value to the PIN value.  */
+          if (strlen (pinvalue) < minlen)
+            {
+              log_info (_("PIN for CHV%d is too short;"
+                          " minimum length is %d\n"), 1, minlen);
+              rc = gpg_error (GPG_ERR_BAD_PIN);
+              goto leave;
+            }
+        }
       else
         {
           if (chvno == 3)

scd/app-p15.c

@@ -305,7 +305,7 @@ struct prkdf_object_s
   keyaccess_flags_t accessflags;
 
   /* Extended key usage flags.  Only used if .valid is set.  This
-   * information is computed from an associated certificate15.  */
+   * information is computed from an associated certificate.  */
   struct {
     unsigned int valid:1;
     unsigned int sign:1;
@@ -520,6 +520,9 @@ struct app_local_s
   /* Information on all useful certificates. */
   cdf_object_t useful_certificate_info;
 
+  /* Counter to make object ids of certificates unique.  */
+  unsigned int cdf_dup_counter;
+
   /* Information on all public keys. */
   prkdf_object_t public_key_info;
 
@@ -2419,6 +2422,22 @@ read_ef_pukdf (app_t app, unsigned short fid, pukdf_object_t *result)
 }
 
 
+/* Return true id CDFLIST has the given object id.  */
+static int
+objid_in_cdflist_p (cdf_object_t cdflist,
+                    const unsigned char *objid, size_t objidlen)
+{
+  cdf_object_t cdf;
+
+  if (!objid || !objidlen)
+    return 0;
+  for (cdf = cdflist; cdf; cdf = cdf->next)
+    if (cdf->objidlen == objidlen && !memcmp (cdf->objid, objid, objidlen))
+      return 1;
+  return 0;
+}
+
+
 /* Read and parse the Certificate Directory Files identified by FID.
    On success a newlist of CDF object gets stored at RESULT and the
    caller is then responsible of releasing this list.  On error a
@@ -2464,6 +2483,7 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result)
       unsigned long ul;
       const unsigned char *objid;
       size_t objidlen;
+      int objidextralen;
 
       err = parse_ber_header (&p, &n, &class, &tag, &constructed,
                               &ndef, &objlen, &hdrlen);
@@ -2588,8 +2608,19 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result)
           label = NULL;
         }
 
-      cdf->objidlen = objidlen;
+      /* Card's have been found in the wild which do not have unique
-      cdf->objid = xtrymalloc (objidlen);
+       * IDs for their certificate objects.  If we detect this we
+       * append a counter to the ID.  */
+      objidextralen =
+        (objid_in_cdflist_p (cdflist, objid, objidlen)
+         || objid_in_cdflist_p (app->app_local->certificate_info,
+                                objid, objidlen)
+         || objid_in_cdflist_p (app->app_local->trusted_certificate_info,
+                                objid, objidlen)
+         || objid_in_cdflist_p (app->app_local->useful_certificate_info,
+                                objid, objidlen));
+      cdf->objidlen = objidlen + objidextralen;
+      cdf->objid = xtrymalloc (objidlen + objidextralen);
       if (!cdf->objid)
         {
           err = gpg_error_from_syserror ();
@@ -2597,6 +2628,16 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result)
           goto leave;
         }
       memcpy (cdf->objid, objid, objidlen);
+      if (objidextralen)
+        {
+          if (app->app_local->cdf_dup_counter == 255)
+            {
+              log_error ("p15: too many duplicate certificate ids\n");
+              err = gpg_error (GPG_ERR_TOO_MANY);
+              goto parse_error;
+            }
+          cdf->objid[objidlen] = ++app->app_local->cdf_dup_counter;
+        }
 
       cdf->pathlen = objlen/2;
       for (i=0; i < cdf->pathlen; i++, pp += 2, nn -= 2)
@@ -3664,6 +3705,7 @@ read_p15_info (app_t app)
   log_assert (!app->app_local->certificate_info);
   log_assert (!app->app_local->trusted_certificate_info);
   log_assert (!app->app_local->useful_certificate_info);
+  app->app_local->cdf_dup_counter = 0;
   err = read_ef_cdf (app, app->app_local->odf.certificates, 'c',
                      &app->app_local->certificate_info);
   if (!err || gpg_err_code (err) == GPG_ERR_NO_DATA)
@@ -4214,7 +4256,8 @@ set_usage_string (char usage[5], prkdf_object_t prkdf)
           && (!prkdf->extusage.valid || prkdf->extusage.sign))
         usage[usagelen++] = 'c';
       if ((prkdf->usageflags.decrypt
-           || prkdf->usageflags.unwrap)
+           || prkdf->usageflags.unwrap
+           || prkdf->usageflags.derive)
           && (!prkdf->extusage.valid || prkdf->extusage.encr))
         usage[usagelen++] = 'e';
       if ((prkdf->usageflags.sign
@@ -4661,7 +4704,7 @@ do_getattr (app_t app, ctrl_t ctrl, const char *name)
 
       /* We return the ID of the first private key capable of the
        * requested action.  If any gpgusage flag has been set for the
-       * card we consult the gpgusage flags and not the regualr usage
+       * card we consult the gpgusage flags and not the regular usage
        * flags.
        */
       /* FIXME: This changed: Note that we do not yet return
@@ -4683,7 +4726,8 @@ do_getattr (app_t app, ctrl_t ctrl, const char *name)
               if ((name[1] == 'A' && (prkdf->usageflags.sign
                                       || prkdf->usageflags.sign_recover))
                   || (name[1] == 'E' && (prkdf->usageflags.decrypt
-                                         || prkdf->usageflags.unwrap))
+                                         || prkdf->usageflags.unwrap
+                                         || prkdf->usageflags.derive))
                   || (name[1] == 'S' && (prkdf->usageflags.sign
                                          || prkdf->usageflags.sign_recover)))
                 break;
@@ -4892,7 +4936,8 @@ do_getattr (app_t app, ctrl_t ctrl, const char *name)
             }
           else
             {
-              if (prkdf->usageflags.decrypt || prkdf->usageflags.unwrap)
+              if (prkdf->usageflags.decrypt || prkdf->usageflags.unwrap
+                  || prkdf->usageflags.derive)
                 break;
             }
         }
@@ -5784,9 +5829,8 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
     {
       if (prkdf->is_ecc)
         {
-          /* Not implemented due to lacking test hardware. */
+          err = iso7816_manage_security_env (app_get_slot (app),
-          log_info ("Note: ECC is not yet implemented for DTRUST 4 cards\n");
+                                             0xf3, 0x21, NULL, 0);
-          err = gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
         }
       else
         {
@@ -5927,7 +5971,8 @@ do_auth (app_t app, ctrl_t ctrl, const char *keyidstr,
   err = prkdf_object_from_keyidstr (app, keyidstr, &prkdf);
   if (err)
     return err;
-  if (!(prkdf->usageflags.sign || prkdf->gpgusage.auth))
+  if (!(prkdf->usageflags.sign || prkdf->usageflags.sign_recover
+        || prkdf->gpgusage.auth))
     {
       log_error ("p15: key %s may not be used for authentication\n", keyidstr);
       return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
@@ -5970,6 +6015,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
     return err;
   if (!(prkdf->usageflags.decrypt
         || prkdf->usageflags.unwrap
+        || prkdf->usageflags.derive
         || prkdf->gpgusage.encr     ))
     {
       log_error ("p15: key %s may not be used for decryption\n", keyidstr);
@@ -5979,17 +6025,18 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
   /* Find the authentication object to this private key object. */
   if (!prkdf->authid)
     {
-      log_error ("p15: no authentication object defined for %s\n", keyidstr);
+      log_info ("p15: no authentication object defined for %s\n", keyidstr);
-      /* fixme: we might want to go ahead and do without PIN
+      aodf = NULL;
-         verification. */
+    }
-      return gpg_error (GPG_ERR_UNSUPPORTED_OPERATION);
+  else
+    {
+      for (aodf = app->app_local->auth_object_info; aodf; aodf = aodf->next)
+        if (aodf->objidlen == prkdf->authidlen
+            && !memcmp (aodf->objid, prkdf->authid, prkdf->authidlen))
+          break;
+      if (!aodf)
+        log_info ("p15: no authentication for %s needed\n", keyidstr);
     }
-  for (aodf = app->app_local->auth_object_info; aodf; aodf = aodf->next)
-    if (aodf->objidlen == prkdf->authidlen
-        && !memcmp (aodf->objid, prkdf->authid, prkdf->authidlen))
-      break;
-  if (!aodf)
-    log_info ("p15: no authentication for %s needed\n", keyidstr);
 
   /* We need some more info about the key - get the keygrip to
    * populate these fields.  */
@@ -6042,9 +6089,8 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
     {
       if (prkdf->is_ecc)
         {
-          /* Not implemented due to lacking test hardware. */
+          err = iso7816_manage_security_env (app_get_slot (app),
-          log_info ("Note: ECC is not yet implemented for DTRUST 4 cards\n");
+                                             0xF3, 0x39, NULL, 0);
-          err = gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
         }
       else
         {
@@ -6274,7 +6320,8 @@ do_with_keygrip (app_t app, ctrl_t ctrl, int action,
             }
           else if (capability == GCRY_PK_USAGE_ENCR)
             {
-              if (!(prkdf->usageflags.decrypt || prkdf->usageflags.unwrap))
+              if (!(prkdf->usageflags.decrypt || prkdf->usageflags.unwrap
+                    || prkdf->usageflags.derive))
                 continue;
             }
           else if (capability == GCRY_PK_USAGE_AUTH)

scd/ccid-driver.c

@@ -298,6 +298,23 @@ static int send_escape_cmd (ccid_driver_t handle, const unsigned char *data,
                             size_t resultmax, size_t *resultlen);
 
 
+static void
+my_npth_unprotect (void)
+{
+#ifdef USE_NPTH
+  npth_unprotect ();
+#endif
+}
+
+static void
+my_npth_protect (void)
+{
+#ifdef USE_NPTH
+  npth_protect ();
+#endif
+}
+
+
 static int
 map_libusb_error (int usberr)
 {
@@ -984,31 +1001,23 @@ get_escaped_usb_string (libusb_device_handle *idev, int idx,
   /* First get the list of supported languages and use the first one.
      If we do don't find it we try to use English.  Note that this is
      all in a 2 bute Unicode encoding using little endian. */
-#ifdef USE_NPTH
+  my_npth_unprotect ();
-  npth_unprotect ();
-#endif
   rc = libusb_control_transfer (idev, LIBUSB_ENDPOINT_IN,
                                 LIBUSB_REQUEST_GET_DESCRIPTOR,
                                 (LIBUSB_DT_STRING << 8), 0,
                                 buf, sizeof buf, 1000 /* ms timeout */);
-#ifdef USE_NPTH
+  my_npth_protect ();
-  npth_protect ();
-#endif
   if (rc < 4)
     langid = 0x0409; /* English.  */
   else
     langid = (buf[3] << 8) | buf[2];
 
-#ifdef USE_NPTH
+  my_npth_unprotect ();
-  npth_unprotect ();
-#endif
   rc = libusb_control_transfer (idev, LIBUSB_ENDPOINT_IN,
                                 LIBUSB_REQUEST_GET_DESCRIPTOR,
                                 (LIBUSB_DT_STRING << 8) + idx, langid,
                                 buf, sizeof buf, 1000 /* ms timeout */);
-#ifdef USE_NPTH
+  my_npth_protect ();
-  npth_protect ();
-#endif
   if (rc < 2 || buf[1] != LIBUSB_DT_STRING)
     return NULL; /* Error or not a string. */
   len = buf[0];
@@ -1345,13 +1354,9 @@ ccid_vendor_specific_setup (ccid_driver_t handle)
 {
   if (handle->id_vendor == VENDOR_SCM && handle->id_product == SCM_SPR532)
     {
-#ifdef USE_NPTH
+      my_npth_unprotect ();
-      npth_unprotect ();
-#endif
       libusb_clear_halt (handle->idev, handle->ep_intr);
-#ifdef USE_NPTH
+      my_npth_protect ();
-      npth_protect ();
-#endif
     }
   return 0;
 }
@@ -1660,13 +1665,9 @@ ccid_usb_thread (void *arg)
 
   while (ccid_usb_thread_is_alive)
     {
-#ifdef USE_NPTH
+      my_npth_unprotect ();
-      npth_unprotect ();
-#endif
       libusb_handle_events_completed (ctx, NULL);
-#ifdef USE_NPTH
+      my_npth_protect ();
-      npth_protect ();
-#endif
     }
 
   return NULL;
@@ -1776,36 +1777,42 @@ ccid_open_usb_reader (const char *spec_reader_name,
       goto leave;
     }
 
-#ifdef USE_NPTH
+  my_npth_unprotect ();
-  npth_unprotect ();
+  if (!(opt.compat_flags & COMPAT_CCID_NO_AUTO_DETACH))
-#endif
+    {
+      rc = libusb_set_auto_detach_kernel_driver (idev, 1);
+      if (rc)
+        {
+          my_npth_protect ();
+          DEBUGOUT_1 ("note: set_auto_detach_kernel_driver failed: %d\n", rc);
+          my_npth_unprotect ();
+        }
+    }
   rc = libusb_claim_interface (idev, ifc_no);
   if (rc)
     {
-#ifdef USE_NPTH
+      my_npth_protect ();
-      npth_protect ();
-#endif
       DEBUGOUT_1 ("usb_claim_interface failed: %d\n", rc);
       rc = map_libusb_error (rc);
       goto leave;
     }
 
   /* Submit SET_INTERFACE control transfer which can reset the device.  */
-  rc = libusb_set_interface_alt_setting (idev, ifc_no, set_no);
+  if ((*handle)->id_vendor == VENDOR_ACR && (*handle)->id_product == ACR_122U)
+    rc = 0;  /* Not supported by this reader.  */
+  else
+    rc = libusb_set_interface_alt_setting (idev, ifc_no, set_no);
   if (rc)
     {
-#ifdef USE_NPTH
+      my_npth_protect ();
-      npth_protect ();
-#endif
       DEBUGOUT_1 ("usb_set_interface_alt_setting failed: %d\n", rc);
       rc = map_libusb_error (rc);
       goto leave;
     }
 
-#ifdef USE_NPTH
+  my_npth_protect ();
-  npth_protect ();
-#endif
 
+  /* Perform any vendor specific intialization.  */
   rc = ccid_vendor_specific_init (*handle);
 
  leave:
@@ -1939,13 +1946,9 @@ do_close_reader (ccid_driver_t handle)
             while (!handle->powered_off)
               {
                 DEBUGOUT ("libusb_handle_events_completed\n");
-#ifdef USE_NPTH
+                my_npth_unprotect ();
-                npth_unprotect ();
-#endif
                 libusb_handle_events_completed (NULL, &handle->powered_off);
-#ifdef USE_NPTH
+                my_npth_protect ();
-                npth_protect ();
-#endif
               }
         }
 
@@ -2076,15 +2079,11 @@ bulk_out (ccid_driver_t handle, unsigned char *msg, size_t msglen,
         }
     }
 
-#ifdef USE_NPTH
+  my_npth_unprotect ();
-  npth_unprotect ();
-#endif
   rc = libusb_bulk_transfer (handle->idev, handle->ep_bulk_out,
                              msg, msglen, &transferred,
                              5000 /* ms timeout */);
-#ifdef USE_NPTH
+  my_npth_protect ();
-  npth_protect ();
-#endif
   if (rc == 0 && transferred == msglen)
     return 0;
 
@@ -2124,14 +2123,10 @@ bulk_in (ccid_driver_t handle, unsigned char *buffer, size_t length,
   memset (buffer, 0, length);
  retry:
 
-#ifdef USE_NPTH
+  my_npth_unprotect ();
-  npth_unprotect ();
-#endif
   rc = libusb_bulk_transfer (handle->idev, handle->ep_bulk_in,
                              buffer, length, &msglen, bwi*timeout);
-#ifdef USE_NPTH
+  my_npth_protect ();
-  npth_protect ();
-#endif
   if (rc)
     {
       DEBUGOUT_1 ("usb_bulk_read error: %s\n", libusb_error_name (rc));
@@ -2280,9 +2275,7 @@ abort_cmd (ccid_driver_t handle, int seqno, int init)
   /* Send the abort command to the control pipe.  Note that we don't
      need to keep track of sent abort commands because there should
      never be another thread using the same slot concurrently.  */
-#ifdef USE_NPTH
+  my_npth_unprotect ();
-  npth_unprotect ();
-#endif
   rc = libusb_control_transfer (handle->idev,
                                 0x21,/* bmRequestType: host-to-device,
                                         class specific, to interface.  */
@@ -2291,9 +2284,7 @@ abort_cmd (ccid_driver_t handle, int seqno, int init)
                                 handle->ifc_no,
                                 dummybuf, 0,
                                 1000 /* ms timeout */);
-#ifdef USE_NPTH
+  my_npth_protect ();
-  npth_protect ();
-#endif
   if (rc)
     {
       DEBUGOUT_1 ("usb_control_msg error: %s\n", libusb_error_name (rc));
@@ -2319,15 +2310,11 @@ abort_cmd (ccid_driver_t handle, int seqno, int init)
       msglen = 10;
       set_msg_len (msg, 0);
 
-#ifdef USE_NPTH
+      my_npth_unprotect ();
-      npth_unprotect ();
-#endif
       rc = libusb_bulk_transfer (handle->idev, handle->ep_bulk_out,
                                  msg, msglen, &transferred,
                                  init? 100: 5000 /* ms timeout */);
-#ifdef USE_NPTH
+      my_npth_protect ();
-      npth_protect ();
-#endif
       if (rc == 0 && transferred == msglen)
         rc = 0;
       else if (rc)
@@ -2337,15 +2324,11 @@ abort_cmd (ccid_driver_t handle, int seqno, int init)
       if (rc)
         return map_libusb_error (rc);
 
-#ifdef USE_NPTH
+      my_npth_unprotect ();
-      npth_unprotect ();
-#endif
       rc = libusb_bulk_transfer (handle->idev, handle->ep_bulk_in,
                                  msg, sizeof msg, &msglen,
                                  init? 100: 5000 /*ms timeout*/);
-#ifdef USE_NPTH
+      my_npth_protect ();
-      npth_protect ();
-#endif
       if (rc)
         {
           DEBUGOUT_1 ("usb_bulk_read error in abort_cmd: %s\n",
@@ -2559,14 +2542,10 @@ ccid_slot_status (ccid_driver_t handle, int *statusbits, int on_wire)
       if (!retries)
         {
           DEBUGOUT ("USB: CALLING USB_CLEAR_HALT\n");
-#ifdef USE_NPTH
+          my_npth_unprotect ();
-          npth_unprotect ();
-#endif
           libusb_clear_halt (handle->idev, handle->ep_bulk_in);
           libusb_clear_halt (handle->idev, handle->ep_bulk_out);
-#ifdef USE_NPTH
+          my_npth_protect ();
-          npth_protect ();
-#endif
         }
       else
         DEBUGOUT ("USB: RETRYING bulk_in AGAIN\n");
@@ -3335,13 +3314,9 @@ ccid_transceive (ccid_driver_t handle,
 
       if (tpdulen < 4)
         {
-#ifdef USE_NPTH
+          my_npth_unprotect ();
-          npth_unprotect ();
-#endif
           libusb_clear_halt (handle->idev, handle->ep_bulk_in);
-#ifdef USE_NPTH
+          my_npth_protect ();
-          npth_protect ();
-#endif
           return CCID_DRIVER_ERR_ABORTED;
         }
 
@@ -3793,13 +3768,9 @@ ccid_transceive_secure (ccid_driver_t handle,
 
   if (tpdulen < 4)
     {
-#ifdef USE_NPTH
+      my_npth_unprotect ();
-      npth_unprotect ();
-#endif
       libusb_clear_halt (handle->idev, handle->ep_bulk_in);
-#ifdef USE_NPTH
+      my_npth_protect ();
-      npth_protect ();
-#endif
       return CCID_DRIVER_ERR_ABORTED;
     }
   if (debug_level > 1)

scd/ccid-driver.h

@@ -70,6 +70,7 @@ enum {
   VENDOR_FSIJ   = 0x234b,
   VENDOR_VASCO  = 0x1a44,
   VENDOR_NXP    = 0x1fc9,
+  VENDOR_ACR    = 0x072f
 };
 
 
@@ -88,6 +89,7 @@ enum {
 #define VEGA_ALPHA      0x0008
 #define CYBERJACK_GO    0x0504
 #define CRYPTOUCAN      0x81e6
+#define ACR_122U        0x2200    /* NFC Reader */
 
 #endif /*CCID_DRIVER_INCLUDE_USB_IDS*/
 

scd/scdaemon.c

@@ -104,6 +104,7 @@ enum cmd_and_opt_values
   oDisableApplication,
   oApplicationPriority,
   oEnablePinpadVarlen,
+  oCompatibilityFlags,
   oListenBacklog
 };
 
@@ -172,6 +173,7 @@ static gpgrt_opt_t opts[] = {
   ARGPARSE_s_s (oDisableApplication, "disable-application", "@"),
   ARGPARSE_s_s (oApplicationPriority, "application-priority",
                 N_("|LIST|change the application priority to LIST")),
+  ARGPARSE_s_s (oCompatibilityFlags, "compatibility-flags", "@"),
   ARGPARSE_s_i (oListenBacklog, "listen-backlog", "@"),
 
 
@@ -204,6 +206,14 @@ static struct debug_flags_s debug_flags [] =
   };
 
 
+/* The list of compatibility flags.  */
+static struct compatibility_flags_s compatibility_flags [] =
+  {
+    { COMPAT_CCID_NO_AUTO_DETACH, "ccid-no-auto-detach" },
+    { 0, NULL }
+  };
+
+
 /* The card driver we use by default for PC/SC.  */
 #if defined(HAVE_W32_SYSTEM) || defined(__CYGWIN__)
 #define DEFAULT_PCSC_DRIVER "winscard.dll"
@@ -628,6 +638,15 @@ main (int argc, char **argv )
 
         case oEnablePinpadVarlen: opt.enable_pinpad_varlen = 1; break;
 
+        case oCompatibilityFlags:
+          if (parse_compatibility_flags (pargs.r.ret_str, &opt.compat_flags,
+                                         compatibility_flags))
+            {
+              pargs.r_opt = ARGPARSE_INVALID_ARG;
+              pargs.err = ARGPARSE_PRINT_WARNING;
+            }
+          break;
+
         case oListenBacklog:
           listen_backlog = pargs.r.ret_int;
           break;

scd/scdaemon.h

@@ -67,6 +67,9 @@ struct
                                        want to use. */
   unsigned long card_timeout; /* Disconnect after N seconds of inactivity.  */
   int debug_allow_pin_logging; /* Allow PINs in debug output.  */
+
+  /* Compatibility flags (COMPAT_FLAG_xxxx).  */
+  unsigned int compat_flags;
 } opt;
 
 
@@ -92,6 +95,11 @@ struct
 #define DBG_CARD_IO (opt.debug & DBG_CARD_IO_VALUE)
 #define DBG_READER  (opt.debug & DBG_READER_VALUE)
 
+
+#define COMPAT_CCID_NO_AUTO_DETACH 1
+
+
+
 struct server_local_s;
 struct card_ctx_s;
 struct app_ctx_s;

sm/gpgsm.c

@@ -1330,8 +1330,19 @@ main ( int argc, char **argv)
 
         case oHomedir: gnupg_set_homedir (pargs.r.ret_str); break;
         case oChUid: break;  /* Command line only (see above).  */
-        case oAgentProgram: opt.agent_program = pargs.r.ret_str;  break;
+
-        case oKeyboxdProgram: opt.keyboxd_program = pargs.r.ret_str;  break;
+        case oAgentProgram:
+          xfree (opt.agent_program);
+          opt.agent_program = make_filename (pargs.r.ret_str, NULL);
+          break;
+        case oKeyboxdProgram:
+          xfree (opt.keyboxd_program);
+          opt.keyboxd_program = make_filename (pargs.r.ret_str, NULL);
+          break;
+        case oDirmngrProgram:
+          xfree (opt.dirmngr_program);
+          opt.dirmngr_program = make_filename (pargs.r.ret_str, NULL);
+          break;
 
         case oDisplay:
           set_opt_session_env ("DISPLAY", pargs.r.ret_str);
@@ -1349,7 +1360,6 @@ main ( int argc, char **argv)
         case oLCctype: opt.lc_ctype = xstrdup (pargs.r.ret_str); break;
         case oLCmessages: opt.lc_messages = xstrdup (pargs.r.ret_str); break;
 
-        case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str;  break;
         case oDisableDirmngr: opt.disable_dirmngr = 1;  break;
         case oPreferSystemDirmngr: /* Obsolete */; break;
         case oProtectToolProgram:

sm/gpgsm.h

@@ -60,16 +60,16 @@ struct
   int use_keyboxd;  /* Use the external keyboxd as storage backend.  */
 
   const char *config_filename; /* Name of the used config file. */
-  const char *agent_program;
+  char *agent_program;
 
-  const char *keyboxd_program;
+  char *keyboxd_program;
 
   session_env_t session_env;
   char *lc_ctype;
   char *lc_messages;
 
   int autostart;
-  const char *dirmngr_program;
+  char *dirmngr_program;
   int disable_dirmngr;        /* Do not do any dirmngr calls.  */
   const char *protect_tool_program;
   char *outfile;    /* name of output file */

sm/minip12.c

@@ -677,7 +677,7 @@ parse_bag_encrypted_data (struct p12_parse_ctx_s *ctx, tlv_parser_t tlv)
   const unsigned char *data;
   size_t datalen;
   int intval;
-  char salt[20];
+  char salt[32];
   size_t saltlen;
   char iv[16];
   unsigned int iter;
@@ -1945,43 +1945,46 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw,
     }
 
   where = "pfx";
-  if (tlv_next (tlv))
+  if ((err = tlv_next (tlv)))
     goto bailout;
-  if (tlv_expect_sequence (tlv))
+  if ((err = tlv_expect_sequence (tlv)))
     goto bailout;
 
   where = "pfxVersion";
-  if (tlv_next (tlv))
+  if ((err = tlv_next (tlv)))
     goto bailout;
-  if (tlv_expect_integer (tlv, &intval) || intval != 3)
+  if ((err = tlv_expect_integer (tlv, &intval)) || intval != 3)
     goto bailout;
 
   where = "authSave";
-  if (tlv_next (tlv))
+  if ((err = tlv_next (tlv)))
     goto bailout;
-  if (tlv_expect_sequence (tlv))
+  if ((err = tlv_expect_sequence (tlv)))
     goto bailout;
 
-  if (tlv_next (tlv))
+  if ((err = tlv_next (tlv)))
     goto bailout;
-  if (tlv_expect_object_id (tlv, &oid, &oidlen))
+  if ((err = tlv_expect_object_id (tlv, &oid, &oidlen)))
     goto bailout;
   if (oidlen != DIM(oid_data) || memcmp (oid, oid_data, DIM(oid_data)))
+    {
+      err = gpg_error (GPG_ERR_INV_OBJ);
+      goto bailout;
+    }
+
+  if ((err = tlv_next (tlv)))
+    goto bailout;
+  if ((err = tlv_expect_context_tag (tlv, &intval)) || intval != 0 )
     goto bailout;
 
-  if (tlv_next (tlv))
+  if ((err = tlv_next (tlv)))
     goto bailout;
-  if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
+  if ((err = tlv_expect_octet_string (tlv, 1, NULL, NULL)))
-    goto bailout;
-
-  if (tlv_next (tlv))
-    goto bailout;
-  if (tlv_expect_octet_string (tlv, 1, NULL, NULL))
     goto bailout;
 
   if (tlv_peek (tlv, CLASS_UNIVERSAL, TAG_OCTET_STRING))
     {
-      if (tlv_next (tlv))
+      if ((err = tlv_next (tlv)))
         goto bailout;
       err = tlv_expect_octet_string (tlv, 1, NULL, NULL);
       if (err)
@@ -1989,9 +1992,9 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw,
     }
 
   where = "bags";
-  if (tlv_next (tlv))
+  if ((err = tlv_next (tlv)))
     goto bailout;
-  if (tlv_expect_sequence (tlv))
+  if ((err = tlv_expect_sequence (tlv)))
     goto bailout;
 
   startlevel = tlv_parser_level (tlv);
@@ -2000,12 +2003,12 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw,
     {
       where = "bag-sequence";
       tlv_parser_dump_state (where, NULL, tlv);
-      if (tlv_expect_sequence (tlv))
+      if ((err = tlv_expect_sequence (tlv)))
         goto bailout;
 
-      if (tlv_next (tlv))
+      if ((err = tlv_next (tlv)))
         goto bailout;
-      if (tlv_expect_object_id (tlv, &oid, &oidlen))
+      if ((err = tlv_expect_object_id (tlv, &oid, &oidlen)))
         goto bailout;
 
       if (oidlen == DIM(oid_encryptedData)

tests/openpgp/README

@@ -99,7 +99,7 @@ suite.
 This envvar gives the root directory of the build tree.  See
 tests/gpgconf.ctl.in for the way we tell the GnuPG components this
 location.  Note that we can't use that envvar directly because this
-would allow user scripts and other software to accidently mess up the
+would allow user scripts and other software to accidentally mess up the
 used components.
 **** argv[0]
 run-tests.scm depends on being able to re-exec gpgscm.  It uses

tools/gpg-card.c

@@ -220,9 +220,15 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts)
             }
           break;
 
-        case oGpgProgram:   opt.gpg_program = pargs->r.ret_str; break;
+        case oGpgProgram:
-        case oGpgsmProgram: opt.gpgsm_program = pargs->r.ret_str; break;
+          opt.gpg_program = make_filename (pargs->r.ret_str, NULL);
-        case oAgentProgram: opt.agent_program = pargs->r.ret_str; break;
+          break;
+        case oGpgsmProgram:
+          opt.gpgsm_program = make_filename (pargs->r.ret_str, NULL);
+          break;
+        case oAgentProgram:
+          opt.agent_program = make_filename (pargs->r.ret_str, NULL);
+          break;
 
         case oStatusFD:
           gnupg_set_status_fd (translate_sys2libc_fd_int (pargs->r.ret_int, 1));
@@ -402,7 +408,7 @@ nullnone (const char *s)
  * success returns 0 and stores the number of bytes read at R_BUFLEN
  * and the address of a newly allocated buffer at R_BUFFER.  A
  * complementary nul byte is always appended to the data but not
- * counted; this allows to pass NULL for R-BUFFER and consider the
+ * counted; this allows one to pass NULL for R-BUFFER and consider the
  * returned data as a string. */
 static gpg_error_t
 get_data_from_file (const char *fname, char **r_buffer, size_t *r_buflen)

tools/gpg-card.h

@@ -34,9 +34,9 @@ struct
   unsigned int debug;
   int quiet;
   int with_colons;
-  const char *gpg_program;
+  char *gpg_program;
-  const char *gpgsm_program;
+  char *gpgsm_program;
-  const char *agent_program;
+  char *agent_program;
   int autostart;
 
   int no_key_lookup;  /* Assume --no-key-lookup for "list".  */

tools/gpg-connect-agent.c

@@ -126,9 +126,9 @@ struct
   int quiet;		/* Be extra quiet.  */
   int autostart;        /* Start the server if not running.  */
   const char *homedir;  /* Configuration directory name */
-  const char *agent_program;    /* Value of --agent-program.    */
+  char *agent_program;    /* Value of --agent-program.    */
-  const char *dirmngr_program;  /* Value of --dirmngr-program.  */
+  char *dirmngr_program;  /* Value of --dirmngr-program.  */
-  const char *keyboxd_program;  /* Value of --keyboxd-program.  */
+  char *keyboxd_program;  /* Value of --keyboxd-program.  */
   int hex;              /* Print data lines in hex format. */
   int decode;           /* Decode received data lines.  */
   int use_dirmngr;      /* Use the dirmngr and not gpg-agent.  */
@@ -1269,9 +1269,15 @@ main (int argc, char **argv)
         case oVerbose:   opt.verbose++; break;
         case oNoVerbose: opt.verbose = 0; break;
         case oHomedir:   gnupg_set_homedir (pargs.r.ret_str); break;
-        case oAgentProgram: opt.agent_program = pargs.r.ret_str;  break;
+        case oAgentProgram:
-        case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str;  break;
+          opt.agent_program = make_filename (pargs.r.ret_str, NULL);
-        case oKeyboxdProgram: opt.keyboxd_program = pargs.r.ret_str;  break;
+          break;
+        case oDirmngrProgram:
+          opt.dirmngr_program = make_filename (pargs.r.ret_str, NULL);
+          break;
+        case oKeyboxdProgram:
+          opt.keyboxd_program = make_filename (pargs.r.ret_str, NULL);
+          break;
         case oNoAutostart:    opt.autostart = 0; break;
         case oNoHistory: opt.no_history = 1; break;
         case oHex:       opt.hex = 1; break;

tools/gpg-wks-client.c

@@ -78,6 +78,7 @@ enum cmd_and_opt_values
     oNoAutostart,
     oAddRevocs,
     oNoAddRevocs,
+    oRealClean,
 
     oDummy
   };
@@ -121,8 +122,9 @@ static gpgrt_opt_t opts[] = {
   ARGPARSE_s_n (oWithColons, "with-colons", "@"),
   ARGPARSE_s_s (oBlacklist, "blacklist", "@"),
   ARGPARSE_s_s (oDirectory, "directory", "@"),
-  ARGPARSE_s_n (oAddRevocs, "add-revocs", "add revocation certificates"),
+  ARGPARSE_s_n (oAddRevocs, "add-revocs", "@"),
   ARGPARSE_s_n (oNoAddRevocs, "no-add-revocs", "do not add revocation certificates"),
+  ARGPARSE_s_n (oRealClean, "realclean", "remove most key signatures"),
 
   ARGPARSE_s_s (oFakeSubmissionAddr, "fake-submission-addr", "@"),
 
@@ -154,7 +156,7 @@ static char **blacklist_array;
 static size_t blacklist_array_len;
 
 
-static void wrong_args (const char *text) GPGRT_ATTR_NORETURN;
+static void wrong_args (const char *t1, const char *t2) GPGRT_ATTR_NORETURN;
 static void add_blacklist (const char *fname);
 static gpg_error_t proc_userid_from_stdin (gpg_error_t (*func)(const char *),
                                            const char *text);
@@ -204,10 +206,15 @@ my_strusage( int level )
 
 
 static void
-wrong_args (const char *text)
+wrong_args (const char *text, const char *text2)
 {
-  es_fprintf (es_stderr, _("usage: %s [options] %s\n"),
+#if GPGRT_VERSION_NUMBER >= 0x013000 /* >= 1.48 */
-              gpgrt_strusage (11), text);
+  /* Skip the leading dashes if build with command support.  */
+  if (text[0] == '-' && text[1] == '-' && text[2])
+    text += 2;
+#endif
+  es_fprintf (es_stderr, _("usage: %s %s [options] %s\n"),
+              gpgrt_strusage (11), text, text2);
   exit (2);
 }
 
@@ -235,16 +242,16 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts)
           break;
 
         case oGpgProgram:
-          opt.gpg_program = pargs->r.ret_str;
+          opt.gpg_program = make_filename (pargs->r.ret_str, NULL);
           break;
         case oDirectory:
-          opt.directory = pargs->r.ret_str;
+          opt.directory = make_filename (pargs->r.ret_str, NULL);
           break;
         case oSend:
           opt.use_sendmail = 1;
           break;
         case oOutput:
-          opt.output = pargs->r.ret_str;
+          opt.output = make_filename (pargs->r.ret_str, NULL);
           break;
         case oFakeSubmissionAddr:
           fake_submission_addr = pargs->r.ret_str;
@@ -268,6 +275,10 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts)
           opt.add_revocs = 0;
           break;
 
+        case oRealClean:
+          opt.realclean = 1;
+          break;
+
 	case aSupported:
 	case aCreate:
 	case aReceive:
@@ -315,6 +326,9 @@ main (int argc, char **argv)
   pargs.argc  = &argc;
   pargs.argv  = &argv;
   pargs.flags = ARGPARSE_FLAG_KEEP;
+#if GPGRT_VERSION_NUMBER >= 0x013000 /* >= 1.48 */
+  pargs.flags |= ARGPARSE_FLAG_COMMAND;
+#endif
   cmd = parse_arguments (&pargs, opts);
   gpgrt_argparse (NULL, &pargs, NULL);
 
@@ -350,7 +364,7 @@ main (int argc, char **argv)
 
   /* Set defaults for non given options.  */
   if (!opt.gpg_program)
-    opt.gpg_program = gnupg_module_name (GNUPG_MODULE_NAME_GPG);
+    opt.gpg_program = xstrdup (gnupg_module_name (GNUPG_MODULE_NAME_GPG));
 
   if (!opt.directory)
     opt.directory = "openpgpkey";
@@ -394,7 +408,7 @@ main (int argc, char **argv)
       else
         {
           if (argc != 1)
-            wrong_args ("--supported DOMAIN");
+            wrong_args ("--supported", "DOMAIN");
           err = command_supported (argv[0]);
           if (err && gpg_err_code (err) != GPG_ERR_FALSE)
             log_error ("checking support failed: %s\n", gpg_strerror (err));
@@ -403,7 +417,7 @@ main (int argc, char **argv)
 
     case aCreate:
       if (argc != 2)
-        wrong_args ("--create FINGERPRINT USER-ID");
+        wrong_args ("--create", "FINGERPRINT USER-ID");
       err = command_create (argv[0], argv[1]);
       if (err)
         log_error ("creating request failed: %s\n", gpg_strerror (err));
@@ -411,7 +425,7 @@ main (int argc, char **argv)
 
     case aReceive:
       if (argc)
-        wrong_args ("--receive < MIME-DATA");
+        wrong_args ("--receive", "< MIME-DATA");
       err = wks_receive (es_stdin, command_receive_cb, NULL);
       if (err)
         log_error ("processing mail failed: %s\n", gpg_strerror (err));
@@ -419,7 +433,7 @@ main (int argc, char **argv)
 
     case aRead:
       if (argc)
-        wrong_args ("--read < WKS-DATA");
+        wrong_args ("--read", "< WKS-DATA");
       err = read_confirmation_request (es_stdin);
       if (err)
         log_error ("processing mail failed: %s\n", gpg_strerror (err));
@@ -427,7 +441,7 @@ main (int argc, char **argv)
 
     case aCheck:
       if (argc != 1)
-        wrong_args ("--check USER-ID");
+        wrong_args ("--check", "USER-ID");
       err = command_check (argv[0]);
       break;
 
@@ -444,12 +458,12 @@ main (int argc, char **argv)
       else if (argc == 2)
         err = wks_cmd_install_key (*argv, argv[1]);
       else
-        wrong_args ("--install-key [FILE|FINGERPRINT USER-ID]");
+        wrong_args ("--install-key", "[FILE|FINGERPRINT USER-ID]");
       break;
 
     case aRemoveKey:
       if (argc != 1)
-        wrong_args ("--remove-key USER-ID");
+        wrong_args ("--remove-key", "USER-ID");
       err = wks_cmd_remove_key (*argv);
       break;
 
@@ -1779,6 +1793,8 @@ process_confirmation_request (estream_t msg, const char *mainfpr)
       log_info ("no encryption key found - sending response in the clear\n");
       err = send_confirmation_response (sender, address, nonce, 0, NULL);
     }
+  if (!err)
+    log_info ("response sent to '%s' for '%s'\n", sender, address);
 
  leave:
   nvc_release (nvc);
@@ -1903,7 +1919,7 @@ domain_matches_mbox (const char *domain, const char *mbox)
  * so that for a key with
  *    uid: Joe Someone <joe@example.org>
  *    uid: Joe <joe@example.org>
- * only the news user id (and thus its self-signature) is used.
+ * only the newest user id (and thus its self-signature) is used.
  * UIDLIST is nodified to set all MBOX fields to NULL for a processed
  * user id.  FPR is the fingerprint of the key.
  */
@@ -2010,7 +2026,7 @@ mirror_one_key (estream_t key)
         continue; /* No mail box or already processed.  */
       if (uid->expired)
         continue;
-      if (!domain_matches_mbox (domain, uid->mbox))
+      if (*domain && !domain_matches_mbox (domain, uid->mbox))
         continue; /* We don't want this one.  */
       if (is_in_blacklist (uid->mbox))
         continue;

tools/gpg-wks-server.c

@@ -308,7 +308,7 @@ main (int argc, char **argv)
 
   /* Set defaults for non given options.  */
   if (!opt.gpg_program)
-    opt.gpg_program = gnupg_module_name (GNUPG_MODULE_NAME_GPG);
+    opt.gpg_program = xstrdup (gnupg_module_name (GNUPG_MODULE_NAME_GPG));
 
   if (!opt.directory)
     opt.directory = "/var/lib/gnupg/wks";