Document --auto-issuer-key-retrieve.

TODO

@@ -129,3 +129,12 @@
   This may happen and lead to an Ambiguous Name error.  Solution is to
   check the certs for identity before throwing this error.
 
+* Gpg-Agent Locale
+  Although we pass LC_MESSAGE from gpgsm et al. to Pinentry, this has
+  only an effect on the stock GTK strings (e.g. "OK") and not on any
+  strings gpg-agent generates and passes to Pinentry.  This defeats
+  our design goal to allow changing the locale without changing
+  gpg-agent's default locale (e.g. by the command updatestartuptty).
+
+
+

doc/ChangeLog

@@ -1,3 +1,8 @@
+2007-11-19  Werner Koch  <wk@g10code.com>
+
+	* gpgsm.texi (Certificate Options): Document
+	--auto-issuer-key-retrieve.
+
 2007-11-15  Werner Koch  <wk@g10code.com>
 
 	* gpg.texi (GPG Configuration): Add PINENTRY_USER_DATA.

doc/DETAILS

@@ -554,6 +554,7 @@ more arguments in future versions.
           8 := "Policy mismatch"
           9 := "Not a secret key"
 	 10 := "Key not trusted"
+         11 := "Missing certifciate"  (e.g. intermediate or root cert.)
 
         Note that this status is also used for gpgsm's SIGNER command
         where it relates to signer's of course.

doc/gpgsm.texi

@@ -405,7 +405,7 @@ command.  This option should not be used in a configuration file.
 @itemx --disable-ocsp
 @opindex enable-ocsp
 @opindex disable-ocsp
-Be default @acronym{OCSP} checks are disabled.  The enable opton may
+Be default @acronym{OCSP} checks are disabled.  The enable option may
 be used to enable OCSP checks via Dirmngr.  If @acronym{CRL} checks
 are also enabled, CRLs will be used as a fallback if for some reason an
 OCSP request won't succeed.  Note, that you have to allow OCSP
@@ -413,6 +413,17 @@ requests in Dirmngr's configuration too (option
 @option{--allow-ocsp} and configure dirmngr properly.  If you don't do
 so you will get the error code @samp{Not supported}.
 
+@item --auto-issuer-key-retrieve
+@opindex auto-issuer-key-retrieve
+If a required certificate is missing while validating the chain of
+certificates, try to load that certificate from an external location.
+This usually means that Dirmngr is employed t search for the
+certificate.  Note that this option makes a "web bug" like behavior
+possible.  LDAP server operators can see which keys you request, so by
+sending you a message signed by a brand new key (which you naturally
+will not have on your local keybox), the operator can tell both your IP
+address and the time when you verified the signature.
+
 
 @item --validation-model @var{name}
 @opindex validation-model

sm/ChangeLog

@@ -1,5 +1,7 @@
 2007-11-19  Werner Koch  <wk@g10code.com>
 
+	* server.c (cmd_recipient, cmd_signer): Add error reason 11.
+
 	* gpgsm.c (main): Print a warning if --audit-log is used.
 
 2007-11-15  Werner Koch  <wk@g10code.com>

sm/certlist.c

@@ -359,7 +359,7 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
                 {
                   ksba_cert_t cert2 = NULL;
                   
-                  /* If this is the first possible duplicate, add thye orginal 
+                  /* If this is the first possible duplicate, add the original 
                      certificate to our list of duplicates.  */
                   if (!dup_certs)
                     gpgsm_add_cert_to_certlist (ctrl, cert, &dup_certs, 0);

sm/server.c

@@ -380,6 +380,7 @@ cmd_recipient (assuan_context_t ctx, char *line)
                    r == GPG_ERR_NO_CRL_KNOWN?    "6":
                    r == GPG_ERR_CRL_TOO_OLD?     "7":
                    r == GPG_ERR_NO_POLICY_MATCH? "8":
+                   r == GPG_ERR_MISSING_CERT?   "11":
                    "0",
                    line, NULL);
     }
@@ -425,6 +426,7 @@ cmd_signer (assuan_context_t ctx, char *line)
                    r == GPG_ERR_CRL_TOO_OLD?         "7":
                    r == GPG_ERR_NO_POLICY_MATCH?     "8":
                    r == GPG_ERR_NO_SECKEY?           "9":
+                   r == GPG_ERR_MISSING_CERT?       "11":
                    "0",
                   line, NULL);
     }