Many thanks for your answers.

In addition all Omnikey based readers (e.g. the Cherry keyboard) can't cope with
2048 bit keys. The Omnikey windows driver has a workaround. I reversed
engineered parts of that protocol, so that 2.0.13 works a little bit with these
readers if use with the internal ccid driver (i.e. w/o pcscd).

This version does not support the v2 smartcard.

Enabling CMX_DEBUG should also give some insights.

What I noticed is that the driver uses a write timeout of (3*hz) for the CCID
ESCAPE command but (150*hz) for XFRBLOCK. My hack now uses the ESCAPE command
to send extended length APDU data blocks and they resemble what XFRBLOCK does.
My next test would be to change the timeout for the ESCAPE command in
cmx_timeout_by_cmd - I don't know whether this helps.

Werner Koch via BTS wrote:

I guess I should look at the freebsd driver. Any hint where to find
it in the freebsd svn?

I guess I should look at the freebsd driver. Any hint where to find it in the
freebsd svn?

Werner Koch via BTS wrote:

Pth bug? Please try again after putting debug-disable-ticker
into scdaemon.conf.

Pth bug? Please try again after putting

<snip>

indicates that you are using a real USB device. abort_cmd should
terminate with an error if used on a non-USB device.

Are you still using the 4040?

Werner Koch via BTS wrote:

If that all does not help, a log file from gpg-agent would be useful.
Required options gpg-agent.conf are the log-file and "debug 1024".

Okay, okay, I remove the "pub/".

Then why is it referenced in multiple locations in the GnuPG website?!

Werner Koch via BTS wrote:

Are you sure that you are using the latest gpg-agent;

Are you sure that you are using the latest gpg-agent; i./e. that which comes
with the SVN version of GnuPG? The easiest way to use a nwer gpg-agent trhan
one that is already running is by using

Werner Koch via BTS wrote:

However, I reverse engineered the protocol used by the Windows driver
and figured out how that driver does it. The SVN version has a hack
which basically works. I tested the 4040 and it works in most cases.
The hack is not 100% reliable but I was able to generate and use keys.

Well, I have no more excuses at hand to actually look at the problem ;-).

well. I tried.

See the INSTALL file for another way to share defaults (section "Sharing Defaults").

No. CFLAGS is used to override default flags. It might be that in a BSD system
CFLAGS can be used in the way you describe it; with the GNU system this is not
the case.

However, if CFLAGS is set in the environment previously, configure will fail.
This is especially inconveniently for those who set CFLAGS in bashrc etc and
those who uses source-based package manager doing this.
Setting CFLAGS as an environment variable should be universally correct,
shouldn't it?

No, that is not a typo. --daemon used to be required to avoid starting several
gpg-agents - which happened quite often while in lets-see-what-happens testing
mode. Later the code was change so that running gpg-agent without any args
tested whether a gpg-agent is already running. Thus we can simplify the paragraph.

It is basically the same code as used in gpg2. On a GNU system tty_get_ttyname
always returns "/dev/tty". This is used as a fallback solution so that we can
tell gpg-agent at least one tty which may work.

Use

gpa --version

on the command line. We have the rework of the help menu on our todo list, thus
I close this bug.

I know, however the checks do only basic checking and reject more exotic
addresses. Actually the specs don't say anything about the format of a user ID;
it is just a convention that they resemble a mail address.

GnuPG Shell is, and always has been, released under the GNU General Public
License.

I understand. Such a diagnostic is of course possible.

If we use "--multifile --sign", we got an error message:
gpg: --sign does not yet work with --multifile

I searched for '-'s and they are only on the BEGIN and END message lines. The
encrypted file is over 350K, this is the tail of the file:

There is some garbage at the end of the file. I can't tell you more without
seeing the encrypted file. ctb=2dmeans that a '-' has been detected. A possible
reason for this is a broken MIME parser.

Thank you for the information, with it I will be able to alter behaviour on the
fly (via system variable) but anyway, it would be really great gpg could pass
an argument -- I think it is a bit more elegant way to control the behaviour.

We can't do that because gpg2 requires gpg-agent (not to a 100% right now but
eventually there will be no way without gpg-agent). Pinentry is a property of
gpg-agent and you can control which pinentry to use by using a symlink or
gpg-agent's option --pinentry-program.

See the previous comments. This is not a bug.

You are wrong. My system operates correctly. Think chroot() (so no /dev) +
ligcrypt then. But if it was discussed then EOT.

The current svn trunk features a user provided trust anchors. Thus if a CRL
could not be validated just because the trust anchor is not available in
trusted-certs/, dirmnngr will casche the CRL anyway and ask back whether the
user trusts the trust anchor. The latest GnuPG implements the counterparts
which uses the /.gnupg/trustlist.txt to answer this.

No, we don't want to do that. If you do not like this use the option:
--allow-freeform-uid

Right, email addresses are unique, but the key-email association is not unique.

Email addresses on the Internet *are* unique. The option is too easy to misuse,
especially for a security program where selecting the correct recipient is
crucial. But, whatever. GNU.

Thanks. I have added it to the website
http://www.gnupg.org/documentation/guides.html#other . It will show up by
tomorrow.