gpg: Provide better diagnostic for replaced card keys.

* agent/divert-scd.c (divert_pksign): Add arg 'grip'.  Replace OPENPGP
key reference to keygrips.
(divert_pkdecrypt): Ditto.
* agent/protect.c (parse_shadow_info): Trim spaces.
* agent/pkdecrypt.c (agent_pkdecrypt): Pass the keygrip.
* agent/pksign.c (agent_pksign_do): Ditto.

* g10/mainproc.c (print_pkenc_list): Print extra info for an invalid
id error.
* g10/sign.c (do_sign): Ditto.
--

Using the keygrip instead of the identifier works on OpenPGP cards and
thus we use that to make sure that we are working on the right card.
For other cards we better don't do that to avoid regressions.  Those
other cards are also usually provided and do not allow to
self-generate the keys.

Note that old versions of the code (gpg 1.4) used the fingerprint as
additional check but that was eventually removed and now that we use
the keygrip all over the place, it is best to use this to identify a
key.

Signed-off-by: Werner Koch <wk@gnupg.org>

g10/mainproc.c

@@ -618,6 +618,9 @@ print_pkenc_list (ctrl_t ctrl, struct kidlist_item *list, int failed)
         {
           log_info (_("public key decryption failed: %s\n"),
                     gpg_strerror (list->reason));
+          if (gpg_err_source (list->reason) == GPG_ERR_SOURCE_SCD
+              && gpg_err_code (list->reason) == GPG_ERR_INV_ID)
+            print_further_info ("a reason might be a card with replaced keys");
           write_status_error ("pkdecrypt_failed", list->reason);
         }
     }

g10/sign.c

@@ -462,7 +462,12 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig,
 
  leave:
   if (err)
-    log_error (_("signing failed: %s\n"), gpg_strerror (err));
+    {
+      log_error (_("signing failed: %s\n"), gpg_strerror (err));
+      if (gpg_err_source (err) == GPG_ERR_SOURCE_SCD
+          && gpg_err_code (err) == GPG_ERR_INV_ID)
+        print_further_info ("a reason might be a card with replaced keys");
+    }
   else
     {
       if (opt.verbose)