diff --git a/sm/ChangeLog b/sm/ChangeLog
index a33416118..8e11e0ddf 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,10 @@
+2002-09-19  Werner Koch  <wk@gnupg.org>
+
+	* certcheck.c (gpgsm_check_cert_sig): Add cert hash debugging.
+
+	* certchain.c (find_up): Print info when the cert was not found 
+	by the autorithyKeyIdentifier.
+
 2002-09-03  Werner Koch  <wk@gnupg.org>
 
 	* gpgsm.c (main): Disable the internal libgcrypt locking.
diff --git a/sm/certchain.c b/sm/certchain.c
index 8ebd8c023..b01398f18 100644
--- a/sm/certchain.c
+++ b/sm/certchain.c
@@ -237,6 +237,19 @@ find_up (KEYDB_HANDLE kh, KsbaCert cert, const char *issuer)
               keydb_set_ephemeral (kh, old);
             }
         }
+      /* print a note so that the user does not feel too helpless when
+         an issuer certificate was found and gpgsm prints BAD
+         signature becuase it is not the correct one. */
+      if (rc == -1)
+        {
+          log_info ("issuer certificate (#");
+          gpgsm_dump_serial (authidno);
+          log_printf ("/");
+          gpgsm_dump_string (s);
+          log_printf (") not found\n");
+        }
+      else if (rc)
+        log_error ("failed to find authorityKeyIdentifier: rc=%d\n", rc);
       ksba_name_release (authid);
       xfree (authidno);
       /* Fixme: don't know how to do dirmngr lookup with serial+issuer. */
@@ -267,7 +280,7 @@ find_up (KEYDB_HANDLE kh, KsbaCert cert, const char *issuer)
         log_info (_("looking up issuer at external location\n"));
       /* dirmngr is confused about unknown attributes so has a quick
          and ugly hack we locate the CN and use this and the
-         following.  Fixme: we should have far ebtter parsing in the
+         following.  Fixme: we should have far better parsing in the
          dirmngr. */
       s = strstr (issuer, "CN=");
       if (!s || s == issuer || s[-1] != ',')
@@ -588,7 +601,7 @@ gpgsm_validate_chain (CTRL ctrl, KsbaCert cert, time_t *r_exptime)
         {
           if (rc == -1)
             {
-              log_info ("issuer certificate (");
+              log_info ("issuer certificate (#/");
               gpgsm_dump_string (issuer);
               log_printf (") not found\n");
             }
@@ -735,7 +748,7 @@ gpgsm_basic_cert_check (KsbaCert cert)
         {
           if (rc == -1)
             {
-              log_info ("issuer certificate (");
+              log_info ("issuer certificate (#/");
               gpgsm_dump_string (issuer);
               log_printf (") not found\n");
             }
diff --git a/sm/certcheck.c b/sm/certcheck.c
index 4700fe723..37d2b00df 100644
--- a/sm/certcheck.c
+++ b/sm/certcheck.c
@@ -123,6 +123,8 @@ gpgsm_check_cert_sig (KsbaCert issuer_cert, KsbaCert cert)
       log_error ("md_open failed: %s\n", gcry_strerror (-1));
       return GNUPG_General_Error;
     }
+  if (DBG_HASHING)
+    gcry_md_start_debug (md, "hash.cert");
 
   rc = ksba_cert_hash (cert, 1, HASH_FNC, md);
   if (rc)
@@ -142,6 +144,15 @@ gpgsm_check_cert_sig (KsbaCert issuer_cert, KsbaCert cert)
       ksba_free (p);
       return GNUPG_Bug;
     }
+  if (DBG_X509)
+    {
+      int j;
+      log_debug ("signature value:");
+      for (j=0; j < n; j++)
+        log_printf (" %02X", p[j]);
+      log_printf ("\n");
+    }
+
   rc = gcry_sexp_sscan ( &s_sig, NULL, p, n);
   ksba_free (p);
   if (rc)
@@ -184,6 +195,7 @@ gpgsm_check_cert_sig (KsbaCert issuer_cert, KsbaCert cert)
   if ( gcry_sexp_build (&s_hash, NULL, "%m", frame) )
     BUG ();
   gcry_mpi_release (frame);
+
   
   rc = gcry_pk_verify (s_sig, s_hash, s_pkey);
   if (DBG_CRYPTO)