sm/

* server.c (skip_options): Skip leading spaces.
(has_option): Honor "--".
(cmd_export): Add option --data to do an inline export.  Skip all
options.

* certdump.c (gpgsm_fpr_and_name_for_status): New.
* verify.c (gpgsm_verify): Use it to print correct status messages.

doc/
* gpgsm.texi (GPGSM EXPORT): Document changes.

doc/ChangeLog

@@ -1,3 +1,7 @@
+2006-11-14  Werner Koch  <wk@g10code.com>
+
+	* gpgsm.texi (GPGSM EXPORT): Document changes.
+
 2006-11-11  Werner Koch  <wk@g10code.com>
 
 	* gnupg.texi (Top): Move gpg-agent part before gpg.

doc/DETAILS

@@ -199,48 +199,62 @@ more arguments in future versions.
         is useful to define a context for parsing ERROR status
         messages.  No arguments are currently defined.
 
-    GOODSIG	<long keyid>  <username>
+    GOODSIG  <long_keyid_or_fpr>  <username>
 	The signature with the keyid is good.  For each signature only
         one of the three codes GOODSIG, BADSIG or ERRSIG will be
         emitted and they may be used as a marker for a new signature.
         The username is the primary one encoded in UTF-8 and %XX
-        escaped.
+        escaped. The fingerprint may be used instead of the long keyid
+        if it is available.  This is the case with CMS and might
+        eventually also be available for OpenPGP.
 
-    EXPSIG	<long keyid>  <username>
+    EXPSIG  <long_keyid_or_fpr>  <username>
 	The signature with the keyid is good, but the signature is
 	expired. The username is the primary one encoded in UTF-8 and
-	%XX escaped.
+	%XX escaped. The fingerprint may be used instead of the long
+	keyid if it is available.  This is the case with CMS and might
+	eventually also be available for OpenPGP.
 
-    EXPKEYSIG	<long keyid>  <username>
-	The signature with the keyid is good, but the signature was
+    EXPKEYSIG  <long_keyid_or_fpr> <username> 
+        The signature with the keyid is good, but the signature was
 	made by an expired key. The username is the primary one
-	encoded in UTF-8 and %XX escaped.
+	encoded in UTF-8 and %XX escaped.  The fingerprint may be used
+	instead of the long keyid if it is available.  This is the
+	case with CMS and might eventually also be available for
+	OpenPGP.
 
-    REVKEYSIG	<long keyid>  <username>
+    REVKEYSIG  <long_keyid_or_fpr>  <username>
 	The signature with the keyid is good, but the signature was
-	made by a revoked key. The username is the primary one
-	encoded in UTF-8 and %XX escaped.
+	made by a revoked key. The username is the primary one encoded
+	in UTF-8 and %XX escaped. The fingerprint may be used instead
+	of the long keyid if it is available.  This is the case with
+	CMS and might eventually also be available for OpenPGP.
 
-    BADSIG	<long keyid>  <username>
-	The signature with the keyid has not been verified okay.
-        The username is the primary one encoded in UTF-8 and %XX
-        escaped.
+    BADSIG  <long_keyid_or_fpr>  <username>
+	The signature with the keyid has not been verified okay.  The
+        username is the primary one encoded in UTF-8 and %XX
+        escaped. The fingerprint may be used instead of the long keyid
+        if it is available.  This is the case with CMS and might
+        eventually also be available for OpenPGP.
 
-    ERRSIG  <long keyid>  <pubkey_algo> <hash_algo> \
+    ERRSIG  <long_keyid_or_fpr>  <pubkey_algo> <hash_algo> \
 	    <sig_class> <timestamp> <rc>
 	It was not possible to check the signature.  This may be
-	caused by a missing public key or an unsupported algorithm.
-	A RC of 4 indicates unknown algorithm, a 9 indicates a missing
-	public key. The other fields give more information about
-	this signature.  sig_class is a 2 byte hex-value.
+	caused by a missing public key or an unsupported algorithm.  A
+	RC of 4 indicates unknown algorithm, a 9 indicates a missing
+	public key. The other fields give more information about this
+	signature.  sig_class is a 2 byte hex-value.  The fingerprint
+	may be used instead of the long keyid if it is available.
+	This is the case with CMS and might eventually also be
+	available for OpenPGP.
 
         Note, that TIMESTAMP may either be a number with seconds since
         epoch or an ISO 8601 string which can be detected by the
         presence of the letter 'T' inside.
 
     VALIDSIG	<fingerprint in hex> <sig_creation_date> <sig-timestamp>
-		<expire-timestamp> <sig-version> <reserved> <pubkey-algo>
-		<hash-algo> <sig-class> <primary-key-fpr>
+		<expire-timestamp> [ <sig-version> <reserved> <pubkey-algo>
+		<hash-algo> <sig-class> <primary-key-fpr> ]
 
 	The signature with the keyid is good. This is the same as
 	GOODSIG but has the fingerprint as the argument. Both status
@@ -255,6 +269,9 @@ more arguments in future versions.
 	useful to get back to the primary key without running gpg
 	again for this purpose.
 
+        The optional parameters are used for OpenPGP and are not
+        available for CMS signatures.
+
         Note, that *-TIMESTAMP may either be a number with seconds
         since epoch or an ISO 8601 string which can be detected by the
         presence of the letter 'T' inside.

doc/announce-2.0.txt

@@ -0,0 +1,188 @@
+Hello!
+    
+The GNU project is pleased to announce the availability of a new
+stable GnuPG release: Version 2.0.0.
+
+The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication
+and data storage.  It can be used to encrypt data, create digital
+signatures, help authenticating using Secure Shell and to provide a
+framework for public key cryptography.  It includes an advanced key
+management facility and is compliant with the OpenPGP and S/MIME
+standards.
+
+GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.5) in that
+it splits up functionality into several modules.  However, both
+versions may be installed alongside without any conflict.  In fact,
+the gpg version from GnuPG-1 is able to make use of the gpg-agent as
+included in GnuPG-2 and allows for seamless passphrase caching.  The
+advantage of GnuPG-1 is its smaller size and the lack of dependency on
+other modules at run and build time.  We will keep maintaining GnuPG-1
+versions because they are very useful for small systems and for server
+based applications requiring only OpenPGP support.
+
+GnuPG is distributed under the terms of the GNU General Public License
+(GPL).  GnuPG-2 works best on GNU/Linux or *BSD systems.  Other POSIX
+compliant systems are also supported but have not yet been tested very
+well.
+
+
+What's New in GnuPG-2
+=====================
+
+ * The *gpg-agent* is the central place to maintain private keys and
+   to cache passphrases.  It is implemented as a daemon to be started
+   with a user session.
+
+ * *gpgsm* is an implementation of the X.509 and CMS standards and
+   provides the cryptographic core to implement the S/MIME protocol.
+   The command line interface is very similar to the one of gpg.  This
+   helps adding S/MIME to application currently providing OpenPGP
+   support.
+
+ * *scdaemon* is a daemon run by gpg-agent to access different types
+   of smart cards using a unified interface.
+
+ * *gpg-connect-agent* is a tool to help scripts directly accessing
+   services of gpg-agent and scdaemon.
+
+ * *gpgconf* is a tool to maintain the configuration files of all
+   modules using a well defined API.
+
+ * Support for Dirmngr, a separate package to maintain certificate
+   revocation lists, do OCSP requests and to run LDAP queries.
+
+ * Support for the Secure Shell Agent protocol.  In fact, gpg-agent
+   may be used as full replacement of the commonly used ssh-agent
+   daemon.
+
+ * Smart card support for the Secure Shell.
+
+ * Documentation is now done in Texinfo. Thus besides Info, HTML and
+   PDF versions may easily be generated.
+
+ * Man pages for all tools.
+
+
+Getting the Software
+====================
+
+Please follow the instructions found at http://www.gnupg.org/download/
+or read on:
+
+GnuPG 2.0.0 may be downloaded from one of the GnuPG mirror sites or
+direct from ftp://ftp.gnupg.org/gcrypt/ .  The list of mirrors can be
+found at http://www.gnupg.org/mirrors.html .  Note, that GnuPG is not
+available at ftp.gnu.org.
+
+On the mirrors you should find the following files in the *gnupg*
+directory:
+
+  gnupg-2.0.0.tar.bz2 (3.8M)
+  gnupg-2.0.0.tar.bz2.sig
+
+      GnuPG source compressed using BZIP2 and OpenPGP signature.
+
+Please try another mirror if exceptional your mirror is not yet up to
+date.  GnuPG-2 requires a couple of libraries to be installed; see the
+README file or the output of the configure run for details.
+
+
+Checking the Integrity
+======================
+
+In order to check that the version of GnuPG which you are going to
+install is an original and unmodified one, you can do it in one of
+the following ways:
+
+ * If you already have a trusted version of GnuPG installed, you
+   can simply check the supplied signature.  For example to check the
+   signature of the file gnupg-2.0.0.tar.bz2 you would use this command:
+
+     gpg --verify gnupg-2.0.0.tar.bz2.sig
+
+   This checks whether the signature file matches the source file.
+   You should see a message indicating that the signature is good and
+   made by that signing key.  Make sure that you have the right key,
+   either by checking the fingerprint of that key with other sources
+   or by checking that the key has been signed by a trustworthy other
+   key.  Note, that you can retrieve the signing key using the command
+
+     finger wk ,at' g10code.com
+
+   or using a key server like
+
+     gpg --recv-key 1CE0C630
+
+   The distribution key 1CE0C630 is signed by the well known key
+   5B0358A2.  If you get an key expired message, you should retrieve a
+   fresh copy as the expiration date might have been prolonged.
+
+   NEVER USE A GNUPG VERSION YOU JUST DOWNLOADED TO CHECK THE
+   INTEGRITY OF THE SOURCE - USE AN EXISTING GNUPG INSTALLATION!
+
+ * If you are not able to use an existing version of GnuPG, you have
+   to verify the SHA-1 checksum.  Assuming you downloaded the file
+   gnupg-2.0.0.tar.bz2, you would run the sha1sum command like this:
+
+     sha1sum gnupg-2.0.0.tar.bz2
+
+   and check that the output matches this:
+
+c335957368ea88bcb658922e7d3aae7e3ac6896d  gnupg-2.0.0.tar.bz2
+
+
+Internationalization
+====================
+
+GnuPG comes with support for 27 languages.  Due to a lot of new and
+changed strings most translations are not entirely complete. However
+the Turkish and German translators have been very fast in completing
+their translations.  The Russian one came in just a few hours too
+late.  Updates of the other translations are expected for the next
+releases.
+
+
+Documentation
+=============
+
+We are currently working on an installation guide to explain in more
+detail how to configure the new features.  As of now the chapters on
+gpg-agent and gpgsm include brief information on how to set up the
+whole thing.  Please watch the GnuPG website for updates of the
+documentation.  In the meantime you may search the GnuPG mailing list
+archives or ask on the gnupg-users mailing lists for advise on how to
+solve problems.  Many of the new features are around for several years
+and thus enough public knowledge is already available.
+
+
+Support
+=======
+
+Improving GnuPG is costly, but you can help!  We are looking for
+organizations that find GnuPG useful and wish to contribute back.  You
+can contribute by reporting bugs, improve the software, or by donating
+money.
+
+Commercial support contracts for GnuPG are available, and they help
+finance continued maintenance.  g10 Code GmbH, a Duesseldorf based
+company owned and headed by GnuPG's principal author, is currently
+funding GnuPG development.  We are always looking for interesting
+development projects.
+
+A service directory is available at:
+
+  http://www.gnupg.org/service.html
+
+
+Thanks
+======
+
+We have to thank all the people who helped with this release, be it
+testing, coding, translating, suggesting, auditing, administering the
+servers, spreading the word or answering questions on the mailing
+lists.  
+
+
+Happy Hacking,
+
+  The GnuPG Team (David, Werner and all other contributors)

doc/gpgsm.texi

@@ -1072,16 +1072,22 @@ Note that options are valid for the entire session.
 To export certificate from the internal key database the command:
 
 @example
-  EXPORT @var{pattern}
+  EXPORT [--data [--armor] [--base64]] [--] @var{pattern}
 @end example
 
 is used.  To allow multiple patterns (which are ORed) quoting is
 required: Spaces are to be translated into "+" or into "%20"; in turn
 this requires that the usual escape quoting rules are done.
 
-The format of the output depends on what was set with the OUTPUT
-command.  When using @acronym{PEM} encoding a few informational lines
-are prepended.
+If the @option{--data} option has not been given, the format of the
+output depends on what was set with the OUTPUT command.  When using
+@acronym{PEM} encoding a few informational lines are prepended.
+
+If the @option{--data} has been given, a target set via OUTPUT is
+ignored and the data is returned inline using standard
+@code{D}-lines. This avoids the need for an extra file descriptor.  In
+this case the options @option{--armor} and @option{--base64} may be used
+in the same way as with the OUTPUT command.
 
 
 @node GPGSM IMPORT