tryu harder to ignore duplicate specified keyrings and -boxes.

Documentation updates.

doc/ChangeLog

@@ -1,3 +1,8 @@
+2007-08-24  Werner Koch  <wk@g10code.com>
+
+	* debugging.texi (Common Problems): Add "A root certifciate does
+	not validate."
+
 2007-08-14  Werner Koch  <wk@g10code.com>
 
 	* glossary.texi (Glossary): Add a more items.

doc/debugging.texi

@@ -77,6 +77,13 @@ are flagges as ephemeral, meaning that they are only temporary stored
 provided by @command{gpgsm} or @command{gpg}. 81 certifcates are stored
 in a standard way and directly available from @command{gpgsm}.
 
+@noindent
+To find duplicated certificates and keyblocks in a keybox file (this
+should not occur but sometimes things go wrong), run it using
+
+@samp{kbxutil --find-dups ~/.gnupg/pubring.kbx}
+
+
 
 
 
@@ -165,6 +172,18 @@ stored private keys because some private keys are used for Secure Shell
 or other purposes and don't have a corresponding certificate.
 
 
+@item A root certificate does not verify
+
+A common problem is that the root certificate misses the required
+basicConstrains attribute and thus @command{gpgsm} rejects this
+certificate.  An error message indicating ``no value'' is a sign for
+such a certificate.  You may use the @code{relax} flag in
+@file{trustlist.txt} to accept the certificate anyway.  Note that the
+fingerprint and this flag may only be added manually to
+@file{trustlist.txt}.
+
+
+
 @end itemize
 
 

doc/gpg-agent.texi

@@ -502,7 +502,9 @@ caller:
 
 @table @code
 @item relax
-Relax checking of some root certificate requirements.
+Relax checking of some root certificate requirements.  This is for
+example required if the certificate is missing the basicConstraints
+attribute (despite that it is a MUST for CA certificates).
 
 @item cm
 If validation of a certificate finally issued by a CA with this flag set