Exporting secret keys via gpg-agent is now basically supported.

A couple of forward ported changes.
Doc updates.

doc/ChangeLog

@@ -1,3 +1,7 @@
+2010-09-28  Werner Koch  <wk@g10code.com>
+
+	* Makefile.am (AM_MAKEINFOFLAGS): Add define gpgtwoone.
+
 2010-09-28  David Shaw  <dshaw@jabberwocky.com>
 
 	* gpg.texi (OpenPGP Options): Clarify that --force-v3-sigs

doc/DETAILS

@@ -586,7 +586,8 @@ more arguments in future versions.
           8 := "Policy mismatch"
           9 := "Not a secret key"
 	 10 := "Key not trusted"
-         11 := "Missing certificate"  (e.g. intermediate or root cert.)
+         11 := "Missing certificate" 
+         12 := "Missing issuer certificate"
 
         Note that for historical reasons the INV_RECP status is also
         used for gpgsm's SIGNER command where it relates to signer's

doc/Makefile.am

@@ -57,9 +57,9 @@ gnupg_TEXINFOS = \
 
 DVIPS = TEXINPUTS="$(srcdir)$(PATH_SEPARATOR)$$TEXINPUTS" dvips
 
-AM_MAKEINFOFLAGS = -I $(srcdir) --css-include=$(srcdir)/texi.css
+AM_MAKEINFOFLAGS = -I $(srcdir) --css-include=$(srcdir)/texi.css -D gpgtwoone
 
-YAT2M_OPTIONS = -I $(srcdir) \
+YAT2M_OPTIONS = -I $(srcdir) -D gpgtwoone \
         --release "GnuPG @PACKAGE_VERSION@" --source "GNU Privacy Guard"
 
 myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \

doc/debugging.texi

@@ -194,7 +194,7 @@ or other purposes and don't have a corresponding certificate.
 @item A root certificate does not verify
 
 A common problem is that the root certificate misses the required
-basicConstrains attribute and thus @command{gpgsm} rejects this
+basicConstraints attribute and thus @command{gpgsm} rejects this
 certificate.  An error message indicating ``no value'' is a sign for
 such a certificate.  You may use the @code{relax} flag in
 @file{trustlist.txt} to accept the certificate anyway.  Note that the

doc/gpg-agent.texi

@@ -317,8 +317,12 @@ should in general not be used to avoid X-sniffing attacks.
 
 @item --log-file @var{file}
 @opindex log-file
-Append all logging output to @var{file}.  This is very helpful in
-seeing what the agent actually does.
+Append all logging output to @var{file}.  This is very helpful in seeing
+what the agent actually does.  If neither a log file nor a log file
+descriptor has been set on a Windows platform, the Registry entry
+@var{HKCU\Software\GNU\GnuPG:DefaultLogFile}, if set, is used to specify
+the logging output.
+
 
 @anchor{option --allow-mark-trusted}
 @item --allow-mark-trusted
@@ -1148,11 +1152,13 @@ This can be used to see whether a secret key is available.  It does
 not return any information on whether the key is somehow protected.
 
 @example
-  HAVEKEY @var{keygrip}
+  HAVEKEY @var{keygrips}
 @end example
 
-The Agent answers either with OK or @code{No_Secret_Key} (208).  The
-caller may want to check for other error codes as well.
+The agent answers either with OK or @code{No_Secret_Key} (208).  The
+caller may want to check for other error codes as well.  More than one
+keygrip may be given.  In this case the command returns success if at
+least one of the keygrips corresponds to an available secret key.
 
 
 @node Agent LEARN

doc/gpg.texi

@@ -3,6 +3,11 @@
 @c This is part of the GnuPG manual.
 @c For copying conditions, see the file gnupg.texi.
 
+@c Note that we use this texinfo file for all versions of GnuPG: 1.4.x,
+@c 2.0 and 2.1.  The macro "gpgone" controls parts which are only valid
+@c for GnuPG 1.4, the macro "gpgtwoone" controls parts which are only
+@c valid for GnupG 2.1 and later.
+
 @node Invoking GPG
 @chapter Invoking GPG
 @cindex GPG command options
@@ -68,18 +73,19 @@ implementation.
 
 @ifset gpgone
 This is the standalone version of @command{gpg}.  For desktop use you
-should consider using @command{gpg2}.
+should consider using @command{gpg2} @footnote{On some platforms gpg2 is
+installed under the name @command{gpg}}.
 @end ifset
 
 @ifclear gpgone
 In contrast to the standalone version @command{gpg}, which is more
-suited for server and embedded platforms, this version is installed
-under the name @command{gpg2} and more targeted to the desktop as it
-requires several other modules to be installed.  The standalone version
-will be kept maintained and it is possible to install both versions on
-the same system.  If you need to use different configuration files, you
-should make use of something like @file{gpg.conf-2} instead of just
-@file{gpg.conf}.
+suited for server and embedded platforms, this version is commonly
+installed under the name @command{gpg2} and more targeted to the desktop
+as it requires several other modules to be installed.  The standalone
+version will be kept maintained and it is possible to install both
+versions on the same system.  If you need to use different configuration
+files, you should make use of something like @file{gpg.conf-2} instead
+of just @file{gpg.conf}.
 @end ifclear
 
 @manpause
@@ -415,8 +421,10 @@ normally not very useful and a security risk.  The second form of the
 command has the special property to render the secret part of the
 primary key useless; this is a GNU extension to OpenPGP and other
 implementations can not be expected to successfully import such a key.
+@ifclear gpgtwoone
 See the option @option{--simple-sk-checksum} if you want to import such
 an exported key with an older OpenPGP implementation.
+@end ifclear
 
 @item --import
 @itemx --fast-import
@@ -1550,6 +1558,7 @@ key signer (defaults to 3)
 @item --max-cert-depth @code{n}
 Maximum depth of a certification chain (default is 5).
 
+@ifclear gpgtwoone
 @item --simple-sk-checksum
 Secret keys are integrity protected by using a SHA-1 checksum. This
 method is part of the upcoming enhanced OpenPGP specification but
@@ -1560,6 +1569,7 @@ a security risk. Note that using this option only takes effect when
 the secret key is encrypted - the simplest way to make this happen is
 to change the passphrase on the key (even changing it to the same
 value is acceptable).
+@end ifclear
 
 @item --no-sig-cache
 Do not cache the verification status of key signatures.
@@ -1884,11 +1894,17 @@ program that does not accept attribute user IDs. Defaults to yes.
 Include designated revoker information that was marked as
 "sensitive". Defaults to no.
 
+@c Since GnuPG 2.1 gpg-agent manages the secret key and thus the
+@c export-reset-subkey-passwd hack is not anymore justified.  Such use
+@c cases need to be implemented using a specialized secret key export
+@c tool.
+@ifclear gpgtwoone
 @item export-reset-subkey-passwd
 When using the @option{--export-secret-subkeys} command, this option resets
 the passphrases for all exported subkeys to empty. This is useful
 when the exported subkey is to be used on an unattended machine where
 a passphrase doesn't necessarily make sense. Defaults to no.
+@end ifclear
 
 @item export-clean
 Compact (remove all signatures from) user IDs on the key being

doc/gpgsm.texi

@@ -31,7 +31,7 @@
 @command{gpgsm} is a tool similar to @command{gpg} to provide digital
 encryption and signing services on X.509 certificates and the CMS
 protocol.  It is mainly used as a backend for S/MIME mail processing.
-@command{gpgsm} includes a full features certificate management and
+@command{gpgsm} includes a full featured certificate management and
 complies with all rules defined for the German Sphinx project.
 
 @manpause
@@ -286,7 +286,7 @@ smartcard is not yet supported.
 @node GPGSM Options
 @section Option Summary
 
-@command{GPGSM} comes features a bunch of options to control the exact behaviour
+@command{GPGSM} features a bunch of options to control the exact behaviour
 and to change the default configuration.
 
 @menu 
@@ -566,10 +566,9 @@ certificate.
 @item --include-certs @var{n}
 @opindex include-certs
 Using @var{n} of -2 includes all certificate except for the root cert,
--1 includes all certs, 0 does not include any certs, 1 includes only
-the signers cert (this is the default) and all other positive
-values include up to @var{n} certificates starting with the signer cert.
-The default is -2.
+-1 includes all certs, 0 does not include any certs, 1 includes only the
+signers cert and all other positive values include up to @var{n}
+certificates starting with the signer cert.  The default is -2.
 
 @item --cipher-algo @var{oid}
 @opindex cipher-algo