No OneTemporary
Actions

Size

555 KB

Subscribers

None

View Options

This file is larger than 256 KB, so syntax highlighting was skipped.

	diff --git a/agent/learncard.c b/agent/learncard.c
	index e0f23400d..e9304fb8b 100644
	--- a/agent/learncard.c
	+++ b/agent/learncard.c
	@@ -1,470 +1,470 @@
	/* learncard.c - Handle the LEARN command
	* Copyright (C) 2002, 2003, 2004, 2009 Free Software Foundation, Inc.
	*
	* This file is part of GnuPG.
	*
	* GnuPG is free software; you can redistribute it and/or modify
	* it under the terms of the GNU General Public License as published by
	* the Free Software Foundation; either version 3 of the License, or
	* (at your option) any later version.
	*
	* GnuPG is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	* GNU General Public License for more details.
	*
	* You should have received a copy of the GNU General Public License
	* along with this program; if not, see <http://www.gnu.org/licenses/>.
	*/

	#include <config.h>
	#include <errno.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <ctype.h>
	#include <assert.h>
	#include <unistd.h>
	#include <sys/stat.h>

	#include "agent.h"
	#include <assuan.h>

	/* Structures used by the callback mechanism to convey information
	pertaining to key pairs. */
	struct keypair_info_s
	{
	struct keypair_info_s *next;
	int no_cert;
	char id; / points into grip */
	char hexgrip[1]; /* The keygrip (i.e. a hash over the public key
	parameters) formatted as a hex string.
	Allocated somewhat large to also act as
	memeory for the above ID field. */
	};
	typedef struct keypair_info_s *KEYPAIR_INFO;

	struct kpinfo_cb_parm_s
	{
	ctrl_t ctrl;
	int error;
	KEYPAIR_INFO info;
	};


	/* Structures used by the callback mechanism to convey information
	pertaining to certificates. */
	struct certinfo_s {
	struct certinfo_s *next;
	int type;
	int done;
	char id[1];
	};
	typedef struct certinfo_s *CERTINFO;

	struct certinfo_cb_parm_s
	{
	ctrl_t ctrl;
	int error;
	CERTINFO info;
	};


	/* Structures used by the callback mechanism to convey assuan status
	lines. */
	struct sinfo_s {
	struct sinfo_s *next;
	char data; / Points into keyword. */
	char keyword[1];
	};
	typedef struct sinfo_s *SINFO;

	struct sinfo_cb_parm_s {
	int error;
	SINFO info;
	};


	/* Destructor for key information objects. */
	static void
	release_keypair_info (KEYPAIR_INFO info)
	{
	while (info)
	{
	KEYPAIR_INFO tmp = info->next;
	xfree (info);
	info = tmp;
	}
	}

	/* Destructor for certificate information objects. */
	static void
	release_certinfo (CERTINFO info)
	{
	while (info)
	{
	CERTINFO tmp = info->next;
	xfree (info);
	info = tmp;
	}
	}

	/* Destructor for status information objects. */
	static void
	release_sinfo (SINFO info)
	{
	while (info)
	{
	SINFO tmp = info->next;
	xfree (info);
	info = tmp;
	}
	}



	/* This callback is used by agent_card_learn and passed the content of
	all KEYPAIRINFO lines. It merely stores this data away */
	static void
	kpinfo_cb (void opaque, const char line)
	{
	struct kpinfo_cb_parm_s *parm = opaque;
	KEYPAIR_INFO item;
	char *p;

	if (parm->error)
	- return; /* no need to gather data after an error coccured */
	+ return; /* no need to gather data after an error occurred */

	if ((parm->error = agent_write_status (parm->ctrl, "PROGRESS",
	"learncard", "k", "0", "0", NULL)))
	return;

	item = xtrycalloc (1, sizeof *item + strlen (line));
	if (!item)
	{
	parm->error = out_of_core ();
	return;
	}
	strcpy (item->hexgrip, line);
	for (p = item->hexgrip; hexdigitp (p); p++)
	;
	if (p == item->hexgrip && *p == 'X' && spacep (p+1))
	{
	item->no_cert = 1;
	p++;
	}
	else if ((p - item->hexgrip) != 40 \|\| !spacep (p))
	{ /* not a 20 byte hex keygrip or not followed by a space */
	parm->error = gpg_error (GPG_ERR_INV_RESPONSE);
	xfree (item);
	return;
	}
	*p++ = 0;
	while (spacep (p))
	p++;
	item->id = p;
	while (*p && !spacep (p))
	p++;
	if (p == item->id)
	{ /* invalid ID string */
	parm->error = gpg_error (GPG_ERR_INV_RESPONSE);
	xfree (item);
	return;
	}
	p = 0; / ignore trailing stuff */

	/* store it */
	item->next = parm->info;
	parm->info = item;
	}


	/* This callback is used by agent_card_learn and passed the content of
	all CERTINFO lines. It merely stores this data away */
	static void
	certinfo_cb (void opaque, const char line)
	{
	struct certinfo_cb_parm_s *parm = opaque;
	CERTINFO item;
	int type;
	char p, pend;

	if (parm->error)
	- return; /* no need to gather data after an error coccured */
	+ return; /* no need to gather data after an error occurred */

	if ((parm->error = agent_write_status (parm->ctrl, "PROGRESS",
	"learncard", "c", "0", "0", NULL)))
	return;

	type = strtol (line, &p, 10);
	while (spacep (p))
	p++;
	for (pend = p; *pend && !spacep (pend); pend++)
	;
	if (p == pend \|\| !*p)
	{
	parm->error = gpg_error (GPG_ERR_INV_RESPONSE);
	return;
	}
	pend = 0; / ignore trailing stuff */

	item = xtrycalloc (1, sizeof *item + strlen (p));
	if (!item)
	{
	parm->error = out_of_core ();
	return;
	}
	item->type = type;
	strcpy (item->id, p);
	/* store it */
	item->next = parm->info;
	parm->info = item;
	}


	/* This callback is used by agent_card_learn and passed the content of
	all SINFO lines. It merely stores this data away */
	static void
	sinfo_cb (void opaque, const char keyword, size_t keywordlen,
	const char *data)
	{
	struct sinfo_cb_parm_s *sparm = opaque;
	SINFO item;

	if (sparm->error)
	- return; /* no need to gather data after an error coccured */
	+ return; /* no need to gather data after an error occurred */

	item = xtrycalloc (1, sizeof *item + keywordlen + 1 + strlen (data));
	if (!item)
	{
	sparm->error = out_of_core ();
	return;
	}
	memcpy (item->keyword, keyword, keywordlen);
	item->data = item->keyword + keywordlen;
	*item->data = 0;
	item->data++;
	strcpy (item->data, data);
	/* store it */
	item->next = sparm->info;
	sparm->info = item;
	}



	static int
	send_cert_back (ctrl_t ctrl, const char id, void assuan_context)
	{
	int rc;
	char *derbuf;
	size_t derbuflen;

	rc = agent_card_readcert (ctrl, id, &derbuf, &derbuflen);
	if (rc)
	{
	const char *action;

	switch (gpg_err_code (rc))
	{
	case GPG_ERR_INV_ID:
	case GPG_ERR_NOT_FOUND:
	action = " - ignored";
	break;
	default:
	action = "";
	break;
	}
	if (opt.verbose \|\| !*action)
	log_info ("error reading certificate '%s': %s%s\n",
	id? id:"?", gpg_strerror (rc), action);

	return *action? 0 : rc;
	}

	rc = assuan_send_data (assuan_context, derbuf, derbuflen);
	xfree (derbuf);
	if (!rc)
	rc = assuan_send_data (assuan_context, NULL, 0);
	if (!rc)
	rc = assuan_write_line (assuan_context, "END");
	if (rc)
	{
	log_error ("sending certificate failed: %s\n",
	gpg_strerror (rc));
	return rc;
	}
	return 0;
	}

	/* Perform the learn operation. If ASSUAN_CONTEXT is not NULL and
	SEND is true all new certificates are send back via Assuan. */
	int
	agent_handle_learn (ctrl_t ctrl, int send, void *assuan_context, int force)
	{
	int rc;

	struct kpinfo_cb_parm_s parm;
	struct certinfo_cb_parm_s cparm;
	struct sinfo_cb_parm_s sparm;
	char *serialno = NULL;
	KEYPAIR_INFO item;
	SINFO sitem;
	unsigned char grip[20];
	char *p;
	int i;
	static int certtype_list[] = {
	111, /* Root CA */
	101, /* trusted */
	102, /* useful */
	100, /* regular */
	/* We don't include 110 here because gpgsm can't handle that
	special root CA format. */
	-1 /* end of list */
	};


	memset (&parm, 0, sizeof parm);
	memset (&cparm, 0, sizeof cparm);
	memset (&sparm, 0, sizeof sparm);
	parm.ctrl = ctrl;
	cparm.ctrl = ctrl;

	/* Check whether a card is present and get the serial number */
	rc = agent_card_serialno (ctrl, &serialno);
	if (rc)
	goto leave;

	/* Now gather all the available info. */
	rc = agent_card_learn (ctrl, kpinfo_cb, &parm, certinfo_cb, &cparm,
	sinfo_cb, &sparm);
	if (!rc && (parm.error \|\| cparm.error \|\| sparm.error))
	rc = parm.error? parm.error : cparm.error? cparm.error : sparm.error;
	if (rc)
	{
	log_debug ("agent_card_learn failed: %s\n", gpg_strerror (rc));
	goto leave;
	}

	log_info ("card has S/N: %s\n", serialno);

	/* Pass on all the collected status information. */
	if (assuan_context)
	{
	for (sitem = sparm.info; sitem; sitem = sitem->next)
	{
	assuan_write_status (assuan_context, sitem->keyword, sitem->data);
	}
	}

	/* Write out the certificates in a standard order. */
	for (i=0; certtype_list[i] != -1; i++)
	{
	CERTINFO citem;
	for (citem = cparm.info; citem; citem = citem->next)
	{
	if (certtype_list[i] != citem->type)
	continue;

	if (opt.verbose)
	log_info (" id: %s (type=%d)\n",
	citem->id, citem->type);

	if (assuan_context && send)
	{
	rc = send_cert_back (ctrl, citem->id, assuan_context);
	if (rc)
	goto leave;
	citem->done = 1;
	}
	}
	}

	for (item = parm.info; item; item = item->next)
	{
	unsigned char pubkey, shdkey;
	size_t n;

	if (opt.verbose)
	log_info (" id: %s (grip=%s)\n", item->id, item->hexgrip);

	if (item->no_cert)
	continue; /* No public key yet available. */

	if (assuan_context)
	{
	agent_write_status (ctrl, "KEYPAIRINFO",
	item->hexgrip, item->id, NULL);
	}

	for (p=item->hexgrip, i=0; i < 20; p += 2, i++)
	grip[i] = xtoi_2 (p);

	if (!force && !agent_key_available (grip))
	continue; /* The key is already available. */

	/* Unknown key - store it. */
	rc = agent_card_readkey (ctrl, item->id, &pubkey);
	if (rc)
	{
	log_debug ("agent_card_readkey failed: %s\n", gpg_strerror (rc));
	goto leave;
	}

	{
	unsigned char *shadow_info = make_shadow_info (serialno, item->id);
	if (!shadow_info)
	{
	rc = gpg_error (GPG_ERR_ENOMEM);
	xfree (pubkey);
	goto leave;
	}
	rc = agent_shadow_key (pubkey, shadow_info, &shdkey);
	xfree (shadow_info);
	}
	xfree (pubkey);
	if (rc)
	{
	log_error ("shadowing the key failed: %s\n", gpg_strerror (rc));
	goto leave;
	}
	n = gcry_sexp_canon_len (shdkey, 0, NULL, NULL);
	assert (n);

	rc = agent_write_private_key (grip, shdkey, n, force);
	xfree (shdkey);
	if (rc)
	{
	log_error ("error writing key: %s\n", gpg_strerror (rc));
	goto leave;
	}

	if (opt.verbose)
	log_info (" id: %s - shadow key created\n", item->id);

	if (assuan_context && send)
	{
	CERTINFO citem;

	/* only send the certificate if we have not done so before */
	for (citem = cparm.info; citem; citem = citem->next)
	{
	if (!strcmp (citem->id, item->id))
	break;
	}
	if (!citem)
	{
	rc = send_cert_back (ctrl, item->id, assuan_context);
	if (rc)
	goto leave;
	}
	}
	}


	leave:
	xfree (serialno);
	release_keypair_info (parm.info);
	release_certinfo (cparm.info);
	release_sinfo (sparm.info);
	return rc;
	}
	diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
	index e87442fe8..033b5d3ff 100644
	--- a/doc/dirmngr.texi
	+++ b/doc/dirmngr.texi
	@@ -1,1120 +1,1120 @@
	@c Copyright (C) 2002 Klar"alvdalens Datakonsult AB
	@c Copyright (C) 2004, 2005, 2006, 2007 g10 Code GmbH
	@c This is part of the GnuPG manual.
	@c For copying conditions, see the file gnupg.texi.

	@include defs.inc

	@node Invoking DIRMNGR
	@chapter Invoking DIRMNGR
	@cindex DIRMNGR command options
	@cindex command options
	@cindex options, DIRMNGR command

	@manpage dirmngr.8
	@ifset manverb
	.B dirmngr
	\- CRL and OCSP daemon
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B dirmngr
	.RI [ options ]
	.I command
	.RI [ args ]
	@end ifset

	@mansect description
	Since version 2.1 of GnuPG, @command{dirmngr} takes care of accessing
	the OpenPGP keyservers. As with previous versions it is also used as
	a server for managing and downloading certificate revocation lists
	(CRLs) for X.509 certificates, downloading X.509 certificates, and
	providing access to OCSP providers. Dirmngr is invoked internally by
	@command{gpg}, @command{gpgsm}, or via the @command{gpg-connect-agent}
	tool.

	For historical reasons it is also possible to start @command{dirmngr}
	in a system daemon mode which uses a different directory layout.
	However, this mode is deprecated and may eventually be removed.


	@manpause
	@noindent
	@xref{Option Index},for an index to @command{DIRMNGR}'s commands and
	options.
	@mancont

	@menu
	* Dirmngr Commands:: List of all commands.
	* Dirmngr Options:: List of all options.
	* Dirmngr Configuration:: Configuration files.
	* Dirmngr Signals:: Use of signals.
	* Dirmngr Examples:: Some usage examples.
	* Dirmngr Protocol:: The protocol dirmngr uses.
	@end menu


	@node Dirmngr Commands
	@section Commands
	@mansect commands

	Commands are not distinguished from options except for the fact that
	only one command is allowed.

	@table @gnupgtabopt
	@item --version
	@opindex version
	Print the program version and licensing information. Note that you cannot
	abbreviate this command.

	@item --help, -h
	@opindex help
	Print a usage message summarizing the most useful command-line options.
	Not that you cannot abbreviate this command.

	@item --dump-options
	@opindex dump-options
	Print a list of all available options and commands. Note that you cannot
	abbreviate this command.

	@item --server
	@opindex server
	Run in server mode and wait for commands on the @code{stdin}. The
	default mode is to create a socket and listen for commands there.
	This is only used for testing.

	@item --daemon
	@opindex daemon
	Run in background daemon mode and listen for commands on a socket.
	Note that this also changes the default home directory and enables the
	internal certificate validation code. This mode is deprecated.

	@item --list-crls
	@opindex list-crls
	List the contents of the CRL cache on @code{stdout}. This is probably
	only useful for debugging purposes.

	@item --load-crl @var{file}
	@opindex load-crl
	This command requires a filename as additional argument, and it will
	make Dirmngr try to import the CRL in @var{file} into it's cache.
	Note, that this is only possible if Dirmngr is able to retrieve the
	CA's certificate directly by its own means. In general it is better
	to use @code{gpgsm}'s @code{--call-dirmngr loadcrl filename} command
	so that @code{gpgsm} can help dirmngr.

	@item --fetch-crl @var{url}
	@opindex fetch-crl
	This command requires an URL as additional argument, and it will make
	dirmngr try to retrieve an import the CRL from that @var{url} into
	it's cache. This is mainly useful for debugging purposes. The
	@command{dirmngr-client} provides the same feature for a running dirmngr.

	@item --shutdown
	@opindex shutdown
	This commands shuts down an running instance of Dirmngr. This command
	has currently no effect.

	@item --flush
	@opindex flush
	This command removes all CRLs from Dirmngr's cache. Client requests
	will thus trigger reading of fresh CRLs.

	@end table


	@mansect options
	@node Dirmngr Options
	@section Option Summary

	@table @gnupgtabopt

	@item --options @var{file}
	@opindex options
	Reads configuration from @var{file} instead of from the default
	per-user configuration file. The default configuration file is named
	@file{dirmngr.conf} and expected in the home directory.

	@item --homedir @var{dir}
	@opindex options
	Set the name of the home directory to @var{dir}. This option is only
	effective when used on the command line. The default depends on the
	running mode:

	@table @asis

	@item With @code{--daemon} given on the commandline
	the directory named @file{@value{SYSCONFDIR}} is used for configuration files
	and @file{@value{LOCALCACHEDIR}} for cached CRLs.

	@item Without @code{--daemon} given on the commandline
	the directory named @file{.gnupg} directly below the home directory
	of the user unless the environment variable @code{GNUPGHOME} has been set
	in which case its value will be used. All kind of data is stored below
	this directory.
	@end table


	@item -v
	@item --verbose
	@opindex v
	@opindex verbose
	Outputs additional information while running.
	You can increase the verbosity by giving several
	verbose commands to @sc{dirmngr}, such as @option{-vv}.


	@item --log-file @var{file}
	@opindex log-file
	Append all logging output to @var{file}. This is very helpful in
	seeing what the agent actually does.

	@item --debug-level @var{level}
	@opindex debug-level
	Select the debug level for investigating problems. @var{level} may be a
	numeric value or by a keyword:

	@table @code
	@item none
	No debugging at all. A value of less than 1 may be used instead of
	the keyword.
	@item basic
	Some basic debug messages. A value between 1 and 2 may be used
	instead of the keyword.
	@item advanced
	More verbose debug messages. A value between 3 and 5 may be used
	instead of the keyword.
	@item expert
	Even more detailed messages. A value between 6 and 8 may be used
	instead of the keyword.
	@item guru
	All of the debug messages you can get. A value greater than 8 may be
	used instead of the keyword. The creation of hash tracing files is
	only enabled if the keyword is used.
	@end table

	How these messages are mapped to the actual debugging flags is not
	specified and may change with newer releases of this program. They are
	however carefully selected to best aid in debugging.

	@item --debug @var{flags}
	@opindex debug
	This option is only useful for debugging and the behaviour may change at
	any time without notice. FLAGS are bit encoded and may be given in
	usual C-Syntax.

	@item --debug-all
	@opindex debug-all
	Same as @code{--debug=0xffffffff}

	@item --gnutls-debug @var{level}
	@opindex gnutls-debug
	Enable debugging of GNUTLS at @var{level}.

	@item --debug-wait @var{n}
	@opindex debug-wait
	When running in server mode, wait @var{n} seconds before entering the
	actual processing loop and print the pid. This gives time to attach a
	debugger.

	@item -s
	@itemx --sh
	@itemx -c
	@itemx --csh
	@opindex s
	@opindex sh
	@opindex c
	@opindex csh
	Format the info output in daemon mode for use with the standard Bourne
	shell respective the C-shell . The default ist to guess it based on the
	environment variable @code{SHELL} which is in almost all cases
	sufficient.

	@item --force
	@opindex force
	Enabling this option forces loading of expired CRLs; this is only
	useful for debugging.

	@item --use-tor
	@opindex use-tor
	This option switches Dirmngr and thus GnuPG into ``Tor mode'' to route
	all network access via Tor (an anonymity network). WARNING: As of now
	this still leaks the DNS queries; e.g. to lookup the hosts in a
	keyserver pool. Certain other features are disabled if this mode is
	active.

	@item --keyserver @var{name}
	@opindex keyserver
	Use @var{name} as your keyserver. This is the server that @command{gpg}
	communicates with to receive keys, send keys, and search for
	keys. The format of the @var{name} is a URI:
	`scheme:[//]keyservername[:port]' The scheme is the type of keyserver:
	"hkp" for the HTTP (or compatible) keyservers, "ldap" for the LDAP
	keyservers, or "mailto" for the Graff email keyserver. Note that your
	particular installation of GnuPG may have other keyserver types
	available as well. Keyserver schemes are case-insensitive. After the
	keyserver name, optional keyserver configuration options may be
	provided. These are the same as the @option{--keyserver-options} of
	@command{gpg}, but apply only to this particular keyserver.

	Most keyservers synchronize with each other, so there is generally no
	need to send keys to more than one server. The keyserver
	@code{hkp://keys.gnupg.net} uses round robin DNS to give a different
	keyserver each time you use it.

	If exactly two keyservers are configured and only one is a Tor hidden
	service (.onion), Dirmngr selects the keyserver to use depending on
	whether Tor is locally running or not. The check for a running Tor is
	done for each new connection.


	@item --nameserver @var{ipaddr}
	@opindex nameserver
	In ``Tor mode'' Dirmngr uses a public resolver via Tor to resolve DNS
	names. If the default public resolver, which is @code{8.8.8.8}, shall
	not be used a different one can be given using this option. Note that
	a numerical IP address must be given (IPv6 or IPv4) and that no error
	checking is done for @var{ipaddr}. DNS queries in Tor mode do only
	work if GnuPG as been build with ADNS support.

	@item --disable-ldap
	@opindex disable-ldap
	Entirely disables the use of LDAP.

	@item --disable-http
	@opindex disable-http
	Entirely disables the use of HTTP.

	@item --ignore-http-dp
	@opindex ignore-http-dp
	When looking for the location of a CRL, the to be tested certificate
	usually contains so called @dfn{CRL Distribution Point} (DP) entries
	which are URLs describing the way to access the CRL. The first found DP
	entry is used. With this option all entries using the @acronym{HTTP}
	scheme are ignored when looking for a suitable DP.

	@item --ignore-ldap-dp
	@opindex ignore-ldap-dp
	This is similar to @option{--ignore-http-dp} but ignores entries using
	the @acronym{LDAP} scheme. Both options may be combined resulting in
	ignoring DPs entirely.

	@item --ignore-ocsp-service-url
	@opindex ignore-ocsp-service-url
	Ignore all OCSP URLs contained in the certificate. The effect is to
	force the use of the default responder.

	@item --honor-http-proxy
	@opindex honor-http-proxy
	If the environment variable @env{http_proxy} has been set, use its
	value to access HTTP servers.

	@item --http-proxy @var{host}[:@var{port}]
	@opindex http-proxy
	@efindex http_proxy
	Use @var{host} and @var{port} to access HTTP servers. The use of this
	option overrides the environment variable @env{http_proxy} regardless
	whether @option{--honor-http-proxy} has been set.


	@item --ldap-proxy @var{host}[:@var{port}]
	@opindex ldap-proxy
	Use @var{host} and @var{port} to connect to LDAP servers. If @var{port}
	-is ommitted, port 389 (standard LDAP port) is used. This overrides any
	+is omitted, port 389 (standard LDAP port) is used. This overrides any
	specified host and port part in a LDAP URL and will also be used if host
	-and port have been ommitted from the URL.
	+and port have been omitted from the URL.

	@item --only-ldap-proxy
	@opindex only-ldap-proxy
	Never use anything else but the LDAP "proxy" as configured with
	@option{--ldap-proxy}. Usually @command{dirmngr} tries to use other
	configured LDAP server if the connection using the "proxy" failed.


	@item --ldapserverlist-file @var{file}
	@opindex ldapserverlist-file
	Read the list of LDAP servers to consult for CRLs and certificates from
	file instead of the default per-user ldap server list file. The default
	value for @var{file} is @file{dirmngr_ldapservers.conf} or
	@file{ldapservers.conf} when running in @option{--daemon} mode.

	This server list file contains one LDAP server per line in the format

	@sc{hostname:port:username:password:base_dn}

	Lines starting with a @samp{#} are comments.

	Note that as usual all strings entered are expected to be UTF-8 encoded.
	-Obviously this will lead to problems if the password has orginally been
	+Obviously this will lead to problems if the password has originally been
	encoded as Latin-1. There is no other solution here than to put such a
	password in the binary encoding into the file (i.e. non-ascii characters
	won't show up readable).@footnote{The @command{gpgconf} tool might be
	-helpful for frontends as it allows to edit this configuration file using
	-percent escaped strings.}
	+helpful for frontends as it enables editing this configuration file using
	+percent-escaped strings.}


	@item --ldaptimeout @var{secs}
	@opindex ldaptimeout
	Specify the number of seconds to wait for an LDAP query before timing
	out. The default is currently 100 seconds. 0 will never timeout.


	@item --add-servers
	@opindex add-servers
	This options makes dirmngr add any servers it discovers when validating
	certificates against CRLs to the internal list of servers to consult for
	certificates and CRLs.

	This options is useful when trying to validate a certificate that has
	a CRL distribution point that points to a server that is not already
	listed in the ldapserverlist. Dirmngr will always go to this server and
	try to download the CRL, but chances are high that the certificate used
	to sign the CRL is located on the same server. So if dirmngr doesn't add
	that new server to list, it will often not be able to verify the
	signature of the CRL unless the @code{--add-servers} option is used.

	Note: The current version of dirmngr has this option disabled by default.


	@item --allow-ocsp
	@opindex allow-ocsp
	This option enables OCSP support if requested by the client.

	OCSP requests are rejected by default because they may violate the
	privacy of the user; for example it is possible to track the time when
	a user is reading a mail.


	@item --ocsp-responder @var{url}
	@opindex ocsp-responder
	Use @var{url} as the default OCSP Responder if the certificate does
	not contain information about an assigned responder. Note, that
	@code{--ocsp-signer} must also be set to a valid certificate.

	@item --ocsp-signer @var{fpr}\|@var{file}
	@opindex ocsp-signer
	Use the certificate with the fingerprint @var{fpr} to check the
	responses of the default OCSP Responder. Alternativly a filename can be
	given in which case the respinse is expected to be signed by one of the
	certificates described in that file. Any argument which contains a
	slash, dot or tilde is considered a filename. Usual filename expansion
	takes place: A tilde at the start followed by a slash is replaced by the
	content of @env{HOME}, no slash at start describes a relative filename
	which will be searched at the home directory. To make sure that the
	@var{file} is searched in the home directory, either prepend the name
	with "./" or use a name which contains a dot.

	If a response has been signed by a certificate described by these
	fingerprints no further check upon the validity of this certificate is
	done.

	The format of the @var{FILE} is a list of SHA-1 fingerprint, one per
	line with optional colons between the bytes. Empty lines and lines
	prefix with a hash mark are ignored.


	@item --ocsp-max-clock-skew @var{n}
	@opindex ocsp-max-clock-skew
	The number of seconds a skew between the OCSP responder and them local
	clock is accepted. Default is 600 (20 minutes).

	@item --ocsp-max-period @var{n}
	@opindex ocsp-max-period
	Seconds a response is at maximum considered valid after the time given
	in the thisUpdate field. Default is 7776000 (90 days).

	@item --ocsp-current-period @var{n}
	@opindex ocsp-current-period
	The number of seconds an OCSP response is considered valid after the
	time given in the NEXT_UPDATE datum. Default is 10800 (3 hours).


	@item --max-replies @var{n}
	@opindex max-replies
	Do not return more that @var{n} items in one query. The default is
	10.

	@item --ignore-cert-extension @var{oid}
	@opindex ignore-cert-extension
	Add @var{oid} to the list of ignored certificate extensions. The
	@var{oid} is expected to be in dotted decimal form, like
	@code{2.5.29.3}. This option may be used more than once. Critical
	flagged certificate extensions matching one of the OIDs in the list
	are treated as if they are actually handled and thus the certificate
	won't be rejected due to an unknown critical extension. Use this
	option with care because extensions are usually flagged as critical
	for a reason.

	@item --hkp-cacert @var{file}
	Use the root certificates in @var{file} for verification of the TLS
	certificates used with @code{hkps} (keyserver access over TLS). If
	the file is in PEM format a suffix of @code{.pem} is expected for
	@var{file}. This option may be given multiple times to add more
	root certificates. Tilde expansion is supported.

	@end table


	@c
	@c Dirmngr Configuration
	@c
	@mansect files
	@node Dirmngr Configuration
	@section Configuration

	Dirmngr makes use of several directories when running in daemon mode:

	@table @file

	@item ~/.gnupg
	@itemx /etc/gnupg
	The first is the standard home directory for all configuration files.
	In the deprecated system daemon mode the second directory is used instead.

	@item /etc/gnupg/trusted-certs
	This directory should be filled with certificates of Root CAs you
	-are trusting in checking the CRLs and signing OCSP Reponses.
	+are trusting in checking the CRLs and signing OCSP Responses.

	Usually these are the same certificates you use with the applications
	making use of dirmngr. It is expected that each of these certificate
	files contain exactly one @acronym{DER} encoded certificate in a file
	with the suffix @file{.crt} or @file{.der}. @command{dirmngr} reads
	those certificates on startup and when given a SIGHUP. Certificates
	which are not readable or do not make up a proper X.509 certificate
	are ignored; see the log file for details.

	Applications using dirmngr (e.g. gpgsm) can request these
	certificates to complete a trust chain in the same way as with the
	extra-certs directory (see below).

	Note that for OCSP responses the certificate specified using the option
	@option{--ocsp-signer} is always considered valid to sign OCSP requests.

	@item /etc/gnupg/extra-certs
	This directory may contain extra certificates which are preloaded
	into the interal cache on startup. Applications using dirmngr (e.g. gpgsm)
	can request cached certificates to complete a trust chain.
	This is convenient in cases you have a couple intermediate CA certificates
	-or certificates ususally used to sign OCSP reponses.
	+or certificates ususally used to sign OCSP responses.
	These certificates are first tried before going
	out to the net to look for them. These certificates must also be
	@acronym{DER} encoded and suffixed with @file{.crt} or @file{.der}.

	@item @value{LOCALRUNDIR}
	This directory is only used in the deprecated system daemon mode. It
	keeps the socket file for accessing @command{dirmngr} services. The
	name of the socket file will be @file{S.dirmngr}. Make sure that this
	directory has the proper permissions to let @command{dirmngr} create
	the socket file and that eligible users may read and write to that
	socket.

	@item ~/.gnupg/crls.d
	@itemx @value{LOCALCACHEDIR}/crls.d
	The first directory is used to store cached CRLs. The @file{crls.d}
	part will be created by dirmngr if it does not exists but you need to
	make sure that the upper directory exists. The second directory is
	used instead in the deprecated systems daemon mode.

	@end table
	@manpause

	To be able to see what's going on you should create the configure file
	@file{~/gnupg/dirmngr.conf} with at least one line:

	@example
	log-file ~/dirmngr.log
	@end example

	To be able to perform OCSP requests you probably want to add the line:

	@example
	allow-ocsp
	@end example

	To make sure that new options are read and that after the installation
	of a new GnuPG versions the installed dirmngr is running, you may want
	to kill an existing dirmngr first:

	@example
	gpgconf --kill dirmngr
	@end example

	You may check the log file to see whether all desired root
	certificates have been loaded correctly.


	@c
	@c Dirmngr Signals
	@c
	@mansect signals
	@node Dirmngr Signals
	@section Use of signals.

	A running @command{dirmngr} may be controlled by signals, i.e. using
	the @command{kill} command to send a signal to the process.

	Here is a list of supported signals:

	@table @gnupgtabopt

	@item SIGHUP
	@cpindex SIGHUP
	This signals flushes all internally cached CRLs as well as any cached
	certificates. Then the certificate cache is reinitialized as on
	startup. Options are re-read from the configuration file. Instead of
	sending this signal it is better to use
	@example
	gpgconf --reload dirmngr
	@end example

	@item SIGTERM
	@cpindex SIGTERM
	Shuts down the process but waits until all current requests are
	fulfilled. If the process has received 3 of these signals and requests
	are still pending, a shutdown is forced. You may also use
	@example
	gpgconf --kill dirmngr
	@end example
	instead of this signal

	@item SIGINT
	@cpindex SIGINT
	Shuts down the process immediately.


	@item SIGUSR1
	@cpindex SIGUSR1
	This prints some caching statistics to the log file.

	@end table



	@c
	@c Examples
	@c
	@mansect examples
	@node Dirmngr Examples
	@section Examples

	Here is an example on how to show dirmngr's internal table of OpenPGP
	keyserver addresses. The output is intended for debugging purposes
	and not part of a defined API.

	@example
	gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye
	@end example

	To inhibit the use of a particular host you have noticed in one of the
	keyserver pools, you may use

	@example
	gpg-connect-agent --dirmngr 'keyserver --dead pgpkeys.bnd.de' /bye
	@end example

	The description of the @code{keyserver} command can be printed using

	@example
	gpg-connect-agent --dirmngr 'help keyserver' /bye
	@end example



	@c
	@c Assuan Protocol
	@c
	@manpause
	@node Dirmngr Protocol
	@section Dirmngr's Assuan Protocol

	Assuan is the IPC protocol used to access dirmngr. This is a
	description of the commands implemented by dirmngr.

	@menu
	* Dirmngr LOOKUP:: Look up a certificate via LDAP
	* Dirmngr ISVALID:: Validate a certificate using a CRL or OCSP.
	* Dirmngr CHECKCRL:: Validate a certificate using a CRL.
	* Dirmngr CHECKOCSP:: Validate a certificate using OCSP.
	* Dirmngr CACHECERT:: Put a certificate into the internal cache.
	* Dirmngr VALIDATE:: Validate a certificate for debugging.
	@end menu

	@node Dirmngr LOOKUP
	@subsection Return the certificate(s) found

	Lookup certificate. To allow multiple patterns (which are ORed)
	quoting is required: Spaces are to be translated into "+" or into
	"%20"; obviously this requires that the usual escape quoting rules
	are applied. The server responds with:

	@example
	S: D <DER encoded certificate>
	S: END
	S: D <second DER encoded certificate>
	S: END
	S: OK
	@end example

	In this example 2 certificates are returned. The server may return
	any number of certificates; OK will also be returned when no
	certificates were found. The dirmngr might return a status line

	@example
	S: S TRUNCATED <n>
	@end example


	To indicate that the output was truncated to N items due to a
	limitation of the server or by an arbitrary set limit.

	The option @option{--url} may be used if instead of a search pattern a
	complete URL to the certificate is known:

	@example
	C: LOOKUP --url CN%3DWerner%20Koch,o%3DIntevation%20GmbH,c%3DDE?userCertificate
	@end example

	If the option @option{--cache-only} is given, no external lookup is done
	so that only certificates from the cache are returned.

	With the option @option{--single}, the first and only the first match
	will be returned. Unless option @option{--cache-only} is also used, no
	local lookup will be done in this case.



	@node Dirmngr ISVALID
	@subsection Validate a certificate using a CRL or OCSP

	@example
	ISVALID [--only-ocsp] [--force-default-responder] @var{certid}\|@var{certfpr}
	@end example

	Check whether the certificate described by the @var{certid} has been
	revoked. Due to caching, the Dirmngr is able to answer immediately in
	most cases.

	The @var{certid} is a hex encoded string consisting of two parts,
	delimited by a single dot. The first part is the SHA-1 hash of the
	issuer name and the second part the serial number.

	Alternatively the certificate's SHA-1 fingerprint @var{certfpr} may be
	given in which case an OCSP request is done before consulting the CRL.
	If the option @option{--only-ocsp} is given, no fallback to a CRL check
	will be used. If the option @option{--force-default-responder} is
	given, only the default OCSP responder will be used and any other
	methods of obtaining an OCSP responder URL won't be used.

	@noindent
	Common return values are:

	@table @code
	@item GPG_ERR_NO_ERROR (0)
	This is the positive answer: The certificate is not revoked and we have
	an up-to-date revocation list for that certificate. If OCSP was used
	the responder confirmed that the certificate has not been revoked.

	@item GPG_ERR_CERT_REVOKED
	This is the negative answer: The certificate has been revoked. Either
	it is in a CRL and that list is up to date or an OCSP responder informed
	us that it has been revoked.

	@item GPG_ERR_NO_CRL_KNOWN
	No CRL is known for this certificate or the CRL is not valid or out of
	date.

	@item GPG_ERR_NO_DATA
	The OCSP responder returned an ``unknown'' status. This means that it
	is not aware of the certificate's status.

	@item GPG_ERR_NOT_SUPPORTED
	This is commonly seen if OCSP support has not been enabled in the
	configuration.
	@end table

	If DirMngr has not enough information about the given certificate (which
	is the case for not yet cached certificates), it will will inquire the
	missing data:

	@example
	S: INQUIRE SENDCERT <CertID>
	C: D <DER encoded certificate>
	C: END
	@end example

	A client should be aware that DirMngr may ask for more than one
	certificate.

	If Dirmngr has a certificate but the signature of the certificate
	could not been validated because the root certificate is not known to
	dirmngr as trusted, it may ask back to see whether the client trusts
	this the root certificate:

	@example
	S: INQUIRE ISTRUSTED <CertHexfpr>
	C: D 1
	C: END
	@end example

	Only this answer will let Dirmngr consider the CRL as valid.


	@node Dirmngr CHECKCRL
	@subsection Validate a certificate using a CRL

	Check whether the certificate with FINGERPRINT (SHA-1 hash of the
	entire X.509 certificate blob) is valid or not by consulting the CRL
	responsible for this certificate. If the fingerprint has not been
	given or the certificate is not know, the function inquires the
	certificate using:

	@example
	S: INQUIRE TARGETCERT
	C: D <DER encoded certificate>
	C: END
	@end example

	Thus the caller is expected to return the certificate for the request
	(which should match FINGERPRINT) as a binary blob. Processing then
	takes place without further interaction; in particular dirmngr tries
	to locate other required certificate by its own mechanism which
	includes a local certificate store as well as a list of trusted root
	certificates.

	@noindent
	The return code is 0 for success; i.e. the certificate has not been
	revoked or one of the usual error codes from libgpg-error.

	@node Dirmngr CHECKOCSP
	@subsection Validate a certificate using OCSP

	@example
	CHECKOCSP [--force-default-responder] [@var{fingerprint}]
	@end example

	Check whether the certificate with @var{fingerprint} (the SHA-1 hash of
	the entire X.509 certificate blob) is valid by consulting the appropiate
	OCSP responder. If the fingerprint has not been given or the
	certificate is not known by Dirmngr, the function inquires the
	certificate using:

	@example
	S: INQUIRE TARGETCERT
	C: D <DER encoded certificate>
	C: END
	@end example

	Thus the caller is expected to return the certificate for the request
	(which should match @var{fingerprint}) as a binary blob. Processing
	then takes place without further interaction; in particular dirmngr
	tries to locate other required certificates by its own mechanism which
	includes a local certificate store as well as a list of trusted root
	certificates.

	If the option @option{--force-default-responder} is given, only the
	default OCSP responder is used. This option is the per-command variant
	of the global option @option{--ignore-ocsp-service-url}.


	@noindent
	The return code is 0 for success; i.e. the certificate has not been
	revoked or one of the usual error codes from libgpg-error.

	@node Dirmngr CACHECERT
	@subsection Put a certificate into the internal cache

	Put a certificate into the internal cache. This command might be
	useful if a client knows in advance certificates required for a test and
	wnats to make sure they get added to the internal cache. It is also
	helpful for debugging. To get the actual certificate, this command
	immediately inquires it using

	@example
	S: INQUIRE TARGETCERT
	C: D <DER encoded certificate>
	C: END
	@end example

	Thus the caller is expected to return the certificate for the request
	as a binary blob.

	@noindent
	The return code is 0 for success; i.e. the certificate has not been
	succesfully cached or one of the usual error codes from libgpg-error.

	@node Dirmngr VALIDATE
	@subsection Validate a certificate for debugging

	Validate a certificate using the certificate validation function used
	internally by dirmngr. This command is only useful for debugging. To
	get the actual certificate, this command immediately inquires it using

	@example
	S: INQUIRE TARGETCERT
	C: D <DER encoded certificate>
	C: END
	@end example

	Thus the caller is expected to return the certificate for the request
	as a binary blob.


	@mansect see also
	@ifset isman
	@command{gpgsm}(1),
	@command{dirmngr-client}(1)
	@end ifset
	@include see-also-note.texi

	@c
	@c !!! UNDER CONSTRUCTION !!!
	@c
	@c
	@c @section Verifying a Certificate
	@c
	@c There are several ways to request services from Dirmngr. Almost all of
	@c them are done using the Assuan protocol. What we describe here is the
	@c Assuan command CHECKCRL as used for example by the dirmnr-client tool if
	@c invoked as
	@c
	@c @example
	@c dirmngr-client foo.crt
	@c @end example
	@c
	@c This command will send an Assuan request to an already running Dirmngr
	@c instance. foo.crt is expected to be a standard X.509 certificate and
	@c dirmngr will receive the Assuan command
	@c
	@c @example
	@c CHECKCRL @var [{fingerprint}]
	@c @end example
	@c
	@c @var{fingerprint} is optional and expected to be the SHA-1 has of the
	@c DER encoding of the certificate under question. It is to be HEX
	@c encoded. The rationale for sending the fingerprint is that it allows
	@c dirmngr to reply immediatly if it has already cached such a request. If
	@c this is not the case and no certificate has been found in dirmngr's
	@c internal certificate storage, dirmngr will request the certificate using
	@c the Assuan inquiry
	@c
	@c @example
	@c INQUIRE TARGETCERT
	@c @end example
	@c
	@c The caller (in our example dirmngr-client) is then expected to return
	@c the certificate for the request (which should match @var{fingerprint})
	@c as a binary blob.
	@c
	@c Dirmngr now passes control to @code{crl_cache_cert_isvalid}. This
	@c function checks whether a CRL item exists for target certificate. These
	@c CRL items are kept in a database of already loaded and verified CRLs.
	@c This mechanism is called the CRL cache. Obviously timestamps are kept
	@c there with each item to cope with the expiration date of the CRL. The
	@c possible return values are: @code{0} to indicate that a valid CRL is
	@c available for the certificate and the certificate itself is not listed
	@c in this CRL, @code{GPG_ERR_CERT_REVOKED} to indicate that the certificate is
	@c listed in the CRL or @code{GPG_ERR_NO_CRL_KNOWN} in cases where no CRL or no
	@c information is available. The first two codes are immediatly returned to
	@c the caller and the processing of this request has been done.
	@c
	@c Only the @code{GPG_ERR_NO_CRL_KNOWN} needs more attention: Dirmngr now
	@c calls @code{clr_cache_reload_crl} and if this succeeds calls
	@c @code{crl_cache_cert_isvald) once more. All further errors are
	@c immediately returned to the caller.
	@c
	@c @code{crl_cache_reload_crl} is the actual heart of the CRL management.
	@c It locates the corresponding CRL for the target certificate, reads and
	@c verifies this CRL and stores it in the CRL cache. It works like this:
	@c
	@c * Loop over all crlDPs in the target certificate.
	@c * If the crlDP is invalid immediately terminate the loop.
	@c * Loop over all names in the current crlDP.
	@c * If the URL scheme is unknown or not enabled
	@c (--ignore-http-dp, --ignore-ldap-dp) continues with
	@c the next name.
	@c * @code{crl_fetch} is called to actually retrieve the CRL.
	@c In case of problems this name is ignore and we continue with
	@c the next name. Note that @code{crl_fetch} does only return
	@c a descriptor for the CRL for further reading so does the CRL
	@c does not yet end up in memory.
	@c * @code{crl_cache_insert} is called with that descriptor to
	@c actually read the CRL into the cache. See below for a
	@c description of this function. If there is any error (e.g. read
	@c problem, CRL not correctly signed or verification of signature
	@c not possible), this descriptor is rejected and we continue
	@c with the next name. If the CRL has been successfully loaded,
	@c the loop is terminated.
	@c * If no crlDP has been found in the previous loop use a default CRL.
	@c Note, that if any crlDP has been found but loading of the CRL failed,
	@c this condition is not true.
	@c * Try to load a CRL from all configured servers (ldapservers.conf)
	@c in turn. The first server returning a CRL is used.
	@c * @code(crl_cache_insert) is then used to actually insert the CRL
	@c into the cache. If this failed we give up immediatley without
	@c checking the rest of the servers from the first step.
	@c * Ready.
	@c
	@c
	@c The @code{crl_cache_insert} function takes care of reading the bulk of
	@c the CRL, parsing it and checking the signature. It works like this: A
	@c new database file is created using a temporary file name. The CRL
	@c parsing machinery is started and all items of the CRL are put into
	@c this database file. At the end the issuer certificate of the CRL
	@c needs to be retrieved. Three cases are to be distinguished:
	@c
	@c a) An authorityKeyIdentifier with an issuer and serialno exits: The
	@c certificate is retrieved using @code{find_cert_bysn}. If
	@c the certificate is in the certificate cache, it is directly
	@c returned. Then the requester (i.e. the client who requested the
	@c CRL check) is asked via the Assuan inquiry ``SENDCERT'' whether
	@c he can provide this certificate. If this succeed the returned
	@c certificate gets cached and returned. Note, that dirmngr does not
	@c verify in any way whether the expected certificate is returned.
	@c It is in the interest of the client to return a useful certificate
	@c as otherwise the service request will fail due to a bad signature.
	@c The last way to get the certificate is by looking it up at
	@c external resources. This is done using the @code{ca_cert_fetch}
	@c and @code{fetch_next_ksba_cert} and comparing the returned
	@c certificate to match the requested issuer and seriano (This is
	@c needed because the LDAP layer may return several certificates as
	@c LDAP as no standard way to retrieve by serial number).
	@c
	@c b) An authorityKeyIdentifier with a key ID exists: The certificate is
	@c retrieved using @code{find_cert_bysubject}. If the certificate is
	@c in the certificate cache, it is directly returned. Then the
	@c requester is asked via the Assuan inquiry ``SENDCERT_SKI'' whether
	@c he can provide this certificate. If this succeed the returned
	@c certificate gets cached and returned. Note, that dirmngr does not
	@c verify in any way whether the expected certificate is returned.
	@c It is in the interest of the client to return a useful certificate
	@c as otherwise the service request will fail due to a bad signature.
	@c The last way to get the certificate is by looking it up at
	@c external resources. This is done using the @code{ca_cert_fetch}
	@c and @code{fetch_next_ksba_cert} and comparing the returned
	@c certificate to match the requested subject and key ID.
	@c
	@c c) No authorityKeyIdentifier exits: The certificate is retrieved
	@c using @code{find_cert_bysubject} without the key ID argument. If
	@c the certificate is in the certificate cache the first one with a
	@c matching subject is is directly returned. Then the requester is
	@c asked via the Assuan inquiry ``SENDCERT'' and an exact
	@c specification of the subject whether he can
	@c provide this certificate. If this succeed the returned
	@c certificate gets cached and returned. Note, that dirmngr does not
	@c verify in any way whether the expected certificate is returned.
	@c It is in the interest of the client to return a useful certificate
	@c as otherwise the service request will fail due to a bad signature.
	@c The last way to get the certificate is by looking it up at
	@c external resources. This is done using the @code{ca_cert_fetch}
	@c and @code{fetch_next_ksba_cert} and comparing the returned
	@c certificate to match the requested subject; the first certificate
	@c with a matching subject is then returned.
	@c
	@c If no certificate was found, the function returns with the error
	@c GPG_ERR_MISSING_CERT. Now the signature is verified. If this fails,
	@c the erro is returned. On success the @code{validate_cert_chain} is
	@c used to verify that the certificate is actually valid.
	@c
	@c Here we may encounter a recursive situation:
	@c @code{validate_cert_chain} needs to look at other certificates and
	@c also at CRLs to check whether these other certificates and well, the
	@c CRL issuer certificate itself are not revoked. FIXME: We need to make
	@c sure that @code{validate_cert_chain} does not try to lookup the CRL we
	@c are currently processing. This would be a catch-22 and may indicate a
	@c broken PKI. However, due to overlapping expiring times and imprecise
	@c clocks thsi may actually happen.
	@c
	@c For historical reasons the Assuan command ISVALID is a bit different
	@c to CHECKCRL but this is mainly due to different calling conventions.
	@c In the end the same fucntionality is used, albeit hidden by a couple
	@c of indirection and argument and result code mangling. It furthere
	@c ingetrages OCSP checking depending on options are the way it is
	@c called. GPGSM still uses this command but might eventuall switch over
	@c to CHECKCRL and CHECKOCSP so that ISVALID can be retired.
	@c
	@c
	@c @section Validating a certificate
	@c
	@c We describe here how the internal function @code{validate_cert_chain}
	@c works. Note that mainly testing purposes this functionality may be
	@c called directly using @cmd{dirmngr-client --validate @file{foo.crt}}.
	@c
	@c For backward compatibility this function returns success if Dirmngr is
	@c not used as a system daemon. Thus not validating the certicates at
	@c all. FIXME: This is definitely not correct and should be fixed ASAP.
	@c
	@c The function takes the target certificate and a mode argument as
	@c parameters and returns an error code and optionally the closes
	@c expiration time of all certificates in the chain.
	@c
	@c We first check that the certificate may be used for the requested
	@c purpose (i.e. OCSP or CRL signing). If this is not the case
	@c GPG_ERR_WRONG_KEY_USAGE is returned.
	@c
	@c The next step is to find the trust anchor (root certificate) and to
	@c assemble the chain in memory: Starting with the target certificate,
	@c the expiration time is checked against the current date, unknown
	@c critical extensions are detected and certificate policies are matched
	@c (We only allow 2.289.9.9 but I have no clue about that OID and from
	@c where I got it - it does not even seem to be assigned - debug cruft?).
	@c
	@c Now if this certificate is a self-signed one, we have reached the
	@c trust anchor. In this case we check that the signature is good, the
	@c certificate is allowed to act as a CA, that it is a trusted one (by
	@c checking whether it is has been put into the trusted-certs
	@c configuration directory) and finally prepend into to our list
	@c representing the certificate chain. This steps ends then.
	@c
	@c If it is not a self-signed certificate, we check that the chain won't
	@c get too long (current limit is 100), if this is the case we terminate
	@c with the error GPG_ERR_BAD_CERT_CHAIN.
	@c
	@c Now the issuer's certificate is looked up: If an
	@c authorityKeyIdentifier is available, this one is used to locate the
	@c certificate either using issuer and serialnumber or subject DN
	@c (i.e. the issuer's DN) and the keyID. The functions
	@c @code{find_cert_bysn) and @code{find_cert_bysubject} are used
	@c respectively. The have already been described above under the
	@c description of @code{crl_cache_insert}. If no certificate was found
	@c or with no authorityKeyIdentifier, only the cache is consulted using
	@c @code{get_cert_bysubject}. The latter is is done under the assumption
	@c that a matching certificate has explicitly been put into the
	@c certificate cache. If the issuer's certificate could not be found,
	@c the validation terminates with the error code @code{GPG_ERR_MISSING_CERT}.
	@c
	@c If the issuer's certificate has been found, the signature of the
	@c actual certificate is checked and in case this fails the error
	@c #code{GPG_ERR_BAD_CERT_CHAIN} is returned. If the signature checks out, the
	@c maximum cahin length of the issueing certificate is checked as well as
	@c the capiblity of the certificate (i.e. whether he may be used for
	@c certificate signing). Then the certificate is prepended to our list
	@c representing the certificate chain. Finally the loop is continued now
	@c with the issuer's certificate as the current certificate.
	@c
	@c After the end of the loop and if no error as been encountered
	@c (i.e. the certificate chain has been assempled correctly), a check is
	@c done whether any certificate expired or a critical policy has not been
	@c met. In any of these cases the validation terminates with an
	@c appropriate error.
	@c
	@c Finally the function @code{check_revocations} is called to verify no
	@c certificate in the assempled chain has been revoked: This is an
	@c recursive process because a CRL has to be checked for each certificate
	@c in the chain except for the root certificate, of which we already know
	@c that it is trusted and we avoid checking a CRL here due to common
	@c setup problems and the assumption that a revoked root certifcate has
	@c been removed from the list of trusted certificates.
	@c
	@c
	@c
	@c
	@c @section Looking up certificates through LDAP.
	@c
	@c This describes the LDAP layer to retrieve certificates.
	@c the functions @code{ca_cert_fetch} and @code{fetch_next_ksba_cert} are
	@c used for this. The first one starts a search and the second one is
	@c used to retrieve certificate after certificate.
	@c


	diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
	index cd5d7518d..b481dd64b 100644
	--- a/doc/gpg-agent.texi
	+++ b/doc/gpg-agent.texi
	@@ -1,1505 +1,1505 @@
	@c Copyright (C) 2002 Free Software Foundation, Inc.
	@c This is part of the GnuPG manual.
	@c For copying conditions, see the file gnupg.texi.

	@include defs.inc

	@node Invoking GPG-AGENT
	@chapter Invoking GPG-AGENT
	@cindex GPG-AGENT command options
	@cindex command options
	@cindex options, GPG-AGENT command

	@manpage gpg-agent.1
	@ifset manverb
	.B gpg-agent
	\- Secret key management for GnuPG
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B gpg-agent
	.RB [ \-\-homedir
	.IR dir ]
	.RB [ \-\-options
	.IR file ]
	.RI [ options ]
	.br
	.B gpg-agent
	.RB [ \-\-homedir
	.IR dir ]
	.RB [ \-\-options
	.IR file ]
	.RI [ options ]
	.B \-\-server
	.br
	.B gpg-agent
	.RB [ \-\-homedir
	.IR dir ]
	.RB [ \-\-options
	.IR file ]
	.RI [ options ]
	.B \-\-daemon
	.RI [ command_line ]
	@end ifset

	@mansect description
	@command{gpg-agent} is a daemon to manage secret (private) keys
	independently from any protocol. It is used as a backend for
	@command{gpg} and @command{gpgsm} as well as for a couple of other
	utilities.

	The agent is automatically started on demand by @command{gpg},
	@command{gpgsm}, @command{gpgconf}, or @command{gpg-connect-agent}.
	Thus there is no reason to start it manually. In case you want to use
	the included Secure Shell Agent you may start the agent using:

	@c From dkg on gnupg-devel on 2016-04-21:
	@c
	@c Here's an attempt at writing a short description of the goals of an
	@c isolated cryptographic agent:
	@c
	@c A cryptographic agent should control access to secret key material.
	@c The agent permits use of the secret key material by a supplicant
	@c without providing a copy of the secret key material to the supplicant.
	@c
	@c An isolated cryptographic agent separates the request for use of
	@c secret key material from permission for use of secret key material.
	@c That is, the system or process requesting use of the key (the
	@c "supplicant") can be denied use of the key by the owner/operator of
	@c the agent (the "owner"), which the supplicant has no control over.
	@c
	@c One way of enforcing this split is a per-key or per-session
	@c passphrase, known only by the owner, which must be supplied to the
	@c agent to permit the use of the secret key material. Another way is
	@c with an out-of-band permission mechanism (e.g. a button or GUI
	@c interface that the owner has access to, but the supplicant does not).
	@c
	@c The rationale for this separation is that it allows access to the
	@c secret key to be tightly controled and audited, and it doesn't permit
	@c the the supplicant to either copy the key or to override the owner's
	@c intentions.

	@example
	gpg-connect-agent /bye
	@end example

	@noindent
	@efindex GPG_TTY
	You should always add the following lines to your @code{.bashrc} or
	whatever initialization file is used for all shell invocations:

	@smallexample
	GPG_TTY=$(tty)
	export GPG_TTY
	@end smallexample

	@noindent
	It is important that this environment variable always reflects the
	output of the @code{tty} command. For W32 systems this option is not
	required.

	Please make sure that a proper pinentry program has been installed
	under the default filename (which is system dependent) or use the
	option @option{pinentry-program} to specify the full name of that program.
	It is often useful to install a symbolic link from the actual used
	pinentry (e.g. @file{@value{BINDIR}/pinentry-gtk}) to the expected
	one (e.g. @file{@value{BINDIR}/pinentry}).

	@manpause
	@noindent
	@xref{Option Index},for an index to @command{GPG-AGENT}'s commands and options.
	@mancont

	@menu
	* Agent Commands:: List of all commands.
	* Agent Options:: List of all options.
	* Agent Configuration:: Configuration files.
	* Agent Signals:: Use of some signals.
	* Agent Examples:: Some usage examples.
	* Agent Protocol:: The protocol the agent uses.
	@end menu

	@mansect commands
	@node Agent Commands
	@section Commands

	Commands are not distinguished from options except for the fact that
	only one command is allowed.

	@table @gnupgtabopt
	@item --version
	@opindex version
	Print the program version and licensing information. Note that you cannot
	abbreviate this command.

	@item --help
	@itemx -h
	@opindex help
	Print a usage message summarizing the most useful command-line options.
	Note that you cannot abbreviate this command.

	@item --dump-options
	@opindex dump-options
	Print a list of all available options and commands. Note that you cannot
	abbreviate this command.

	@item --server
	@opindex server
	Run in server mode and wait for commands on the @code{stdin}. The
	default mode is to create a socket and listen for commands there.

	@item --daemon [@var{command line}]
	@opindex daemon
	Start the gpg-agent as a daemon; that is, detach it from the console
	and run it in the background.

	As an alternative you may create a new process as a child of
	gpg-agent: @code{gpg-agent --daemon /bin/sh}. This way you get a new
	shell with the environment setup properly; after you exit from this
	shell, gpg-agent terminates within a few seconds.
	@end table

	@mansect options
	@node Agent Options
	@section Option Summary

	@table @gnupgtabopt

	@anchor{option --options}
	@item --options @var{file}
	@opindex options
	Reads configuration from @var{file} instead of from the default
	per-user configuration file. The default configuration file is named
	@file{gpg-agent.conf} and expected in the @file{.gnupg} directory directly
	below the home directory of the user.

	@anchor{option --homedir}
	@include opt-homedir.texi


	@item -v
	@item --verbose
	@opindex verbose
	Outputs additional information while running.
	You can increase the verbosity by giving several
	verbose commands to @command{gpgsm}, such as @samp{-vv}.

	@item -q
	@item --quiet
	@opindex quiet
	Try to be as quiet as possible.

	@item --batch
	@opindex batch
	Don't invoke a pinentry or do any other thing requiring human interaction.

	@item --faked-system-time @var{epoch}
	@opindex faked-system-time
	This option is only useful for testing; it sets the system time back or
	forth to @var{epoch} which is the number of seconds elapsed since the year
	1970.

	@item --debug-level @var{level}
	@opindex debug-level
	Select the debug level for investigating problems. @var{level} may be
	a numeric value or a keyword:

	@table @code
	@item none
	No debugging at all. A value of less than 1 may be used instead of
	the keyword.
	@item basic
	Some basic debug messages. A value between 1 and 2 may be used
	instead of the keyword.
	@item advanced
	More verbose debug messages. A value between 3 and 5 may be used
	instead of the keyword.
	@item expert
	Even more detailed messages. A value between 6 and 8 may be used
	instead of the keyword.
	@item guru
	All of the debug messages you can get. A value greater than 8 may be
	used instead of the keyword. The creation of hash tracing files is
	only enabled if the keyword is used.
	@end table

	How these messages are mapped to the actual debugging flags is not
	specified and may change with newer releases of this program. They are
	however carefully selected to best aid in debugging.

	@item --debug @var{flags}
	@opindex debug
	This option is only useful for debugging and the behaviour may change at
	any time without notice. FLAGS are bit encoded and may be given in
	usual C-Syntax. The currently defined bits are:

	@table @code
	@item 0 (1)
	X.509 or OpenPGP protocol related data
	@item 1 (2)
	values of big number integers
	@item 2 (4)
	low level crypto operations
	@item 5 (32)
	memory allocation
	@item 6 (64)
	caching
	@item 7 (128)
	show memory statistics.
	@item 9 (512)
	write hashed data to files named @code{dbgmd-000*}
	@item 10 (1024)
	trace Assuan protocol
	@item 12 (4096)
	bypass all certificate validation
	@end table

	@item --debug-all
	@opindex debug-all
	Same as @code{--debug=0xffffffff}

	@item --debug-wait @var{n}
	@opindex debug-wait
	When running in server mode, wait @var{n} seconds before entering the
	actual processing loop and print the pid. This gives time to attach a
	debugger.

	@item --debug-quick-random
	@opindex debug-quick-random
	This option inhibits the use of the very secure random quality level
	(Libgcrypt’s @code{GCRY_VERY_STRONG_RANDOM}) and degrades all request
	down to standard random quality. It is only used for testing and
	should not be used for any production quality keys. This option is
	only effective when given on the command line.

	On GNU/Linux, another way to quickly generate insecure keys is to use
	@command{rngd} to fill the kernel's entropy pool with lower quality
	random data. @command{rngd} is typically provided by the
	@command{rng-tools} package. It can be run as follows: @samp{sudo
	rngd -f -r /dev/urandom}.

	@item --debug-pinentry
	@opindex debug-pinentry
	This option enables extra debug information pertaining to the
	Pinentry. As of now it is only useful when used along with
	@code{--debug 1024}.

	@item --no-detach
	@opindex no-detach
	Don't detach the process from the console. This is mainly useful for
	debugging.

	@item -s
	@itemx --sh
	@itemx -c
	@itemx --csh
	@opindex sh
	@opindex csh
	@efindex SHELL
	Format the info output in daemon mode for use with the standard Bourne
	shell or the C-shell respectively. The default is to guess it based on
	the environment variable @code{SHELL} which is correct in almost all
	cases.


	@item --no-grab
	@opindex no-grab
	Tell the pinentry not to grab the keyboard and mouse. This option
	should in general not be used to avoid X-sniffing attacks.

	@anchor{option --log-file}
	@item --log-file @var{file}
	@opindex log-file
	@efindex HKCU\Software\GNU\GnuPG:DefaultLogFile
	Append all logging output to @var{file}. This is very helpful in seeing
	what the agent actually does. If neither a log file nor a log file
	descriptor has been set on a Windows platform, the Registry entry
	@code{HKCU\Software\GNU\GnuPG:DefaultLogFile}, if set, is used to specify
	the logging output.


	@anchor{option --no-allow-mark-trusted}
	@item --no-allow-mark-trusted
	@opindex no-allow-mark-trusted
	Do not allow clients to mark keys as trusted, i.e. put them into the
	@file{trustlist.txt} file. This makes it harder for users to inadvertently
	accept Root-CA keys.

	@anchor{option --allow-preset-passphrase}
	@item --allow-preset-passphrase
	@opindex allow-preset-passphrase
	This option allows the use of @command{gpg-preset-passphrase} to seed the
	internal cache of @command{gpg-agent} with passphrases.

	@anchor{option --no-allow-loopback-pinentry}
	@item --no-allow-loopback-pinentry
	@item --allow-loopback-pinentry
	@opindex no-allow-loopback-pinentry
	@opindex allow-loopback-pinentry
	Disallow or allow clients to use the loopback pinentry features; see
	the option @option{pinentry-mode} for details. Allow is the default.

	The @option{--force} option of the Assuan command @command{DELETE_KEY}
	is also controlled by this option: The option is ignored if a loopback
	pinentry is disallowed.

	@item --no-allow-external-cache
	@opindex no-allow-external-cache
	Tell Pinentry not to enable features which use an external cache for
	passphrases.

	Some desktop environments prefer to unlock all
	credentials with one master password and may have installed a Pinentry
	which employs an additional external cache to implement such a policy.
	By using this option the Pinentry is advised not to make use of such a
	cache and instead always ask the user for the requested passphrase.

	@item --allow-emacs-pinentry
	@opindex allow-emacs-pinentry
	Tell Pinentry to allow features to divert the passphrase entry to a
	running Emacs instance. How this is exactly handled depends on the
	version of the used Pinentry.

	@item --ignore-cache-for-signing
	@opindex ignore-cache-for-signing
	This option will let @command{gpg-agent} bypass the passphrase cache for all
	signing operation. Note that there is also a per-session option to
	control this behaviour but this command line option takes precedence.

	@item --default-cache-ttl @var{n}
	@opindex default-cache-ttl
	Set the time a cache entry is valid to @var{n} seconds. The default
	is 600 seconds. Each time a cache entry is accessed, the entry's
	timer is reset. To set an entry's maximum lifetime, use
	@command{max-cache-ttl}.

	@item --default-cache-ttl-ssh @var{n}
	@opindex default-cache-ttl
	Set the time a cache entry used for SSH keys is valid to @var{n}
	seconds. The default is 1800 seconds. Each time a cache entry is
	accessed, the entry's timer is reset. To set an entry's maximum
	lifetime, use @command{max-cache-ttl-ssh}.

	@item --max-cache-ttl @var{n}
	@opindex max-cache-ttl
	Set the maximum time a cache entry is valid to @var{n} seconds. After
	this time a cache entry will be expired even if it has been accessed
	recently or has been set using @command{gpg-preset-passphrase}. The
	default is 2 hours (7200 seconds).

	@item --max-cache-ttl-ssh @var{n}
	@opindex max-cache-ttl-ssh
	Set the maximum time a cache entry used for SSH keys is valid to
	@var{n} seconds. After this time a cache entry will be expired even
	if it has been accessed recently or has been set using
	@command{gpg-preset-passphrase}. The default is 2 hours (7200
	seconds).

	@item --enforce-passphrase-constraints
	@opindex enforce-passphrase-constraints
	Enforce the passphrase constraints by not allowing the user to bypass
	them using the ``Take it anyway'' button.

	@item --min-passphrase-len @var{n}
	@opindex min-passphrase-len
	Set the minimal length of a passphrase. When entering a new passphrase
	shorter than this value a warning will be displayed. Defaults to 8.

	@item --min-passphrase-nonalpha @var{n}
	@opindex min-passphrase-nonalpha
	Set the minimal number of digits or special characters required in a
	passphrase. When entering a new passphrase with less than this number
	of digits or special characters a warning will be displayed. Defaults
	to 1.

	@item --check-passphrase-pattern @var{file}
	@opindex check-passphrase-pattern
	Check the passphrase against the pattern given in @var{file}. When
	entering a new passphrase matching one of these pattern a warning will
	be displayed. @var{file} should be an absolute filename. The default is
	not to use any pattern file.

	Security note: It is known that checking a passphrase against a list of
	pattern or even against a complete dictionary is not very effective to
	enforce good passphrases. Users will soon figure up ways to bypass such
	a policy. A better policy is to educate users on good security
	behavior and optionally to run a passphrase cracker regularly on all
	users passphrases to catch the very simple ones.

	@item --max-passphrase-days @var{n}
	@opindex max-passphrase-days
	Ask the user to change the passphrase if @var{n} days have passed since
	the last change. With @option{--enforce-passphrase-constraints} set the
	user may not bypass this check.

	@item --enable-passphrase-history
	@opindex enable-passphrase-history
	This option does nothing yet.

	@item --pinentry-invisible-char @var{char}
	@opindex pinentry-invisible-char
	This option asks the Pinentry to use @var{char} for displaying hidden
	characters. @var{char} must be one character UTF-8 string. A
	Pinentry may or may not honor this request.

	@item --pinentry-timeout @var{n}
	@opindex pinentry-timeout
	This option asks the Pinentry to timeout after @var{n} seconds with no
	user input. The default value of 0 does not ask the pinentry to
	timeout, however a Pinentry may use its own default timeout value in
	this case. A Pinentry may or may not honor this request.

	@item --pinentry-program @var{filename}
	@opindex pinentry-program
	Use program @var{filename} as the PIN entry. The default is
	installation dependent. With the default configuration the name of
	the default pinentry is @file{pinentry}; if that file does not exist
	but a @file{pinentry-basic} exist the latter is used.

	On a Windows platform the default is to use the first existing program
	from this list:
	@file{bin\pinentry.exe},
	@file{..\Gpg4win\bin\pinentry.exe},
	@file{..\Gpg4win\pinentry.exe},
	@file{..\GNU\GnuPG\pinentry.exe},
	@file{..\GNU\bin\pinentry.exe},
	@file{bin\pinentry-basic.exe}
	where the file names are relative to the GnuPG installation directory.


	@item --pinentry-touch-file @var{filename}
	@opindex pinentry-touch-file
	By default the filename of the socket gpg-agent is listening for
	requests is passed to Pinentry, so that it can touch that file before
	exiting (it does this only in curses mode). This option changes the
	file passed to Pinentry to @var{filename}. The special name
	@code{/dev/null} may be used to completely disable this feature. Note
	that Pinentry will not create that file, it will only change the
	modification and access time.


	@item --scdaemon-program @var{filename}
	@opindex scdaemon-program
	Use program @var{filename} as the Smartcard daemon. The default is
	installation dependent and can be shown with the @command{gpgconf}
	command.

	@item --disable-scdaemon
	@opindex disable-scdaemon
	Do not make use of the scdaemon tool. This option has the effect of
	disabling the ability to do smartcard operations. Note, that enabling
	this option at runtime does not kill an already forked scdaemon.

	@item --disable-check-own-socket
	@opindex disable-check-own-socket
	@command{gpg-agent} employs a periodic self-test to detect a stolen
	socket. This usually means a second instance of @command{gpg-agent}
	has taken over the socket and @command{gpg-agent} will then terminate
	itself. This option may be used to disable this self-test for
	debugging purposes.

	@item --use-standard-socket
	@itemx --no-use-standard-socket
	@itemx --use-standard-socket-p
	@opindex use-standard-socket
	@opindex no-use-standard-socket
	@opindex use-standard-socket-p
	Since GnuPG 2.1 the standard socket is always used. These options
	have no more effect. The command @code{gpg-agent
	--use-standard-socket-p} will thus always return success.

	@item --display @var{string}
	@itemx --ttyname @var{string}
	@itemx --ttytype @var{string}
	@itemx --lc-ctype @var{string}
	@itemx --lc-messages @var{string}
	@itemx --xauthority @var{string}
	@opindex display
	@opindex ttyname
	@opindex ttytype
	@opindex lc-ctype
	@opindex lc-messages
	@opindex xauthority
	These options are used with the server mode to pass localization
	information.

	@item --keep-tty
	@itemx --keep-display
	@opindex keep-tty
	@opindex keep-display
	Ignore requests to change the current @code{tty} or X window system's
	@code{DISPLAY} variable respectively. This is useful to lock the
	pinentry to pop up at the @code{tty} or display you started the agent.


	@anchor{option --extra-socket}
	@item --extra-socket @var{name}
	@opindex extra-socket
	Also listen on native gpg-agent connections on the given socket. The
	intended use for this extra socket is to setup a Unix domain socket
	forwarding from a remote machine to this socket on the local machine.
	A @command{gpg} running on the remote machine may then connect to the
	-local gpg-agent and use its private keys. This allows to decrypt or
	-sign data on a remote machine without exposing the private keys to the
	+local gpg-agent and use its private keys. This enables decrypting or
	+signing data on a remote machine without exposing the private keys to the
	remote machine.


	@anchor{option --enable-ssh-support}
	@item --enable-ssh-support
	@itemx --enable-putty-support
	@opindex enable-ssh-support
	@opindex enable-putty-support

	Enable the OpenSSH Agent protocol.

	In this mode of operation, the agent does not only implement the
	gpg-agent protocol, but also the agent protocol used by OpenSSH
	(through a separate socket). Consequently, it should be possible to use
	the gpg-agent as a drop-in replacement for the well known ssh-agent.

	SSH Keys, which are to be used through the agent, need to be added to
	the gpg-agent initially through the ssh-add utility. When a key is
	added, ssh-add will ask for the password of the provided key file and
	send the unprotected key material to the agent; this causes the
	gpg-agent to ask for a passphrase, which is to be used for encrypting
	the newly received key and storing it in a gpg-agent specific
	directory.

	Once a key has been added to the gpg-agent this way, the gpg-agent
	will be ready to use the key.

	Note: in case the gpg-agent receives a signature request, the user might
	need to be prompted for a passphrase, which is necessary for decrypting
	the stored key. Since the ssh-agent protocol does not contain a
	mechanism for telling the agent on which display/terminal it is running,
	gpg-agent's ssh-support will use the TTY or X display where gpg-agent
	has been started. To switch this display to the current one, the
	following command may be used:

	@smallexample
	gpg-connect-agent updatestartuptty /bye
	@end smallexample

	Although all GnuPG components try to start the gpg-agent as needed, this
	is not possible for the ssh support because ssh does not know about it.
	Thus if no GnuPG tool which accesses the agent has been run, there is no
	guarantee that ssh is able to use gpg-agent for authentication. To fix
	this you may start gpg-agent if needed using this simple command:

	@smallexample
	gpg-connect-agent /bye
	@end smallexample

	Adding the @option{--verbose} shows the progress of starting the agent.

	The @option{--enable-putty-support} is only available under Windows
	and allows the use of gpg-agent with the ssh implementation
	@command{putty}. This is similar to the regular ssh-agent support but
	makes use of Windows message queue as required by @command{putty}.


	@end table

	All the long options may also be given in the configuration file after
	stripping off the two leading dashes.


	@mansect files
	@node Agent Configuration
	@section Configuration

	There are a few configuration files needed for the operation of the
	agent. By default they may all be found in the current home directory
	(@pxref{option --homedir}).

	@table @file

	@item gpg-agent.conf
	@efindex gpg-agent.conf
	This is the standard configuration file read by @command{gpg-agent} on
	startup. It may contain any valid long option; the leading
	two dashes may not be entered and the option may not be abbreviated.
	This file is also read after a @code{SIGHUP} however only a few
	options will actually have an effect. This default name may be
	changed on the command line (@pxref{option --options}).
	You should backup this file.

	@item trustlist.txt
	@efindex trustlist.txt
	This is the list of trusted keys. You should backup this file.

	Comment lines, indicated by a leading hash mark, as well as empty
	lines are ignored. To mark a key as trusted you need to enter its
	fingerprint followed by a space and a capital letter @code{S}. Colons
	may optionally be used to separate the bytes of a fingerprint; this
	- allows to cut and paste the fingerprint from a key listing output. If
	+ enables cutting and pasting the fingerprint from a key listing output. If
	the line is prefixed with a @code{!} the key is explicitly marked as
	not trusted.

	Here is an example where two keys are marked as ultimately trusted
	and one as not trusted:

	@cartouche
	@smallexample
	# CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
	A6935DD34EF3087973C706FC311AA2CCF733765B S

	# CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
	DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S

	# CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE
	!14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S
	@end smallexample
	@end cartouche

	Before entering a key into this file, you need to ensure its
	authenticity. How to do this depends on your organisation; your
	administrator might have already entered those keys which are deemed
	trustworthy enough into this file. Places where to look for the
	fingerprint of a root certificate are letters received from the CA or
	the website of the CA (after making 100% sure that this is indeed the
	website of that CA). You may want to consider disallowing interactive
	updates of this file by using the @xref{option --no-allow-mark-trusted}.
	It might even be advisable to change the permissions to read-only so
	that this file can't be changed inadvertently.

	As a special feature a line @code{include-default} will include a global
	list of trusted certificates (e.g. @file{@value{SYSCONFDIR}/trustlist.txt}).
	This global list is also used if the local list is not available.

	It is possible to add further flags after the @code{S} for use by the
	caller:

	@table @code

	@item relax
	@cindex relax
	Relax checking of some root certificate requirements. As of now this
	flag allows the use of root certificates with a missing basicConstraints
	attribute (despite that it is a MUST for CA certificates) and disables
	CRL checking for the root certificate.

	@item cm
	If validation of a certificate finally issued by a CA with this flag set
	fails, try again using the chain validation model.

	@end table


	@item sshcontrol
	@efindex sshcontrol
	This file is used when support for the secure shell agent protocol has
	been enabled (@pxref{option --enable-ssh-support}). Only keys present in
	this file are used in the SSH protocol. You should backup this file.

	The @command{ssh-add} tool may be used to add new entries to this file;
	you may also add them manually. Comment lines, indicated by a leading
	hash mark, as well as empty lines are ignored. An entry starts with
	optional whitespace, followed by the keygrip of the key given as 40 hex
	digits, optionally followed by the caching TTL in seconds and another
	optional field for arbitrary flags. A non-zero TTL overrides the global
	default as set by @option{--default-cache-ttl-ssh}.

	The only flag support is @code{confirm}. If this flag is found for a
	key, each use of the key will pop up a pinentry to confirm the use of
	that key. The flag is automatically set if a new key was loaded into
	@code{gpg-agent} using the option @option{-c} of the @code{ssh-add}
	command.

	The keygrip may be prefixed with a @code{!} to disable an entry entry.

	The following example lists exactly one key. Note that keys available
	through a OpenPGP smartcard in the active smartcard reader are
	implicitly added to this list; i.e. there is no need to list them.

	@cartouche
	@smallexample
	# Key added on: 2011-07-20 20:38:46
	# Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81
	34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm
	@end smallexample
	@end cartouche

	@item private-keys-v1.d/
	@efindex private-keys-v1.d

	This is the directory where gpg-agent stores the private keys. Each
	key is stored in a file with the name made up of the keygrip and the
	suffix @file{key}. You should backup all files in this directory
	and take great care to keep this backup closed away.


	@end table

	Note that on larger installations, it is useful to put predefined
	files into the directory @file{@value{SYSCONFSKELDIR}} so that newly created
	users start up with a working configuration. For existing users the
	a small helper script is provided to create these files (@pxref{addgnupghome}).



	@c
	@c Agent Signals
	@c
	@mansect signals
	@node Agent Signals
	@section Use of some signals.
	A running @command{gpg-agent} may be controlled by signals, i.e. using
	the @command{kill} command to send a signal to the process.

	Here is a list of supported signals:

	@table @gnupgtabopt

	@item SIGHUP
	@cpindex SIGHUP
	This signal flushes all cached passphrases and if the program has been
	started with a configuration file, the configuration file is read
	again. Only certain options are honored: @code{quiet},
	@code{verbose}, @code{debug}, @code{debug-all}, @code{debug-level},
	@code{debug-pinentry},
	@code{no-grab},
	@code{pinentry-program},
	@code{pinentry-invisible-char},
	@code{default-cache-ttl},
	@code{max-cache-ttl}, @code{ignore-cache-for-signing},
	@code{no-allow-external-cache}, @code{allow-emacs-pinentry},
	@code{no-allow-mark-trusted}, @code{disable-scdaemon}, and
	@code{disable-check-own-socket}. @code{scdaemon-program} is also
	supported but due to the current implementation, which calls the
	scdaemon only once, it is not of much use unless you manually kill the
	scdaemon.


	@item SIGTERM
	@cpindex SIGTERM
	Shuts down the process but waits until all current requests are
	fulfilled. If the process has received 3 of these signals and requests
	are still pending, a shutdown is forced.

	@item SIGINT
	@cpindex SIGINT
	Shuts down the process immediately.

	@item SIGUSR1
	@cpindex SIGUSR1
	Dump internal information to the log file.

	@item SIGUSR2
	@cpindex SIGUSR2
	This signal is used for internal purposes.

	@end table

	@c
	@c Examples
	@c
	@mansect examples
	@node Agent Examples
	@section Examples

	It is important to set the environment variable @code{GPG_TTY} in
	your login shell, for example in the @file{~/.bashrc} init script:

	@cartouche
	@example
	export GPG_TTY=$(tty)
	@end example
	@end cartouche

	If you enabled the Ssh Agent Support, you also need to tell ssh about
	it by adding this to your init script:

	@cartouche
	@example
	unset SSH_AGENT_PID
	if [ "$@{gnupg_SSH_AUTH_SOCK_by:-0@}" -ne $$ ]; then
	export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
	fi
	@end example
	@end cartouche


	@c
	@c Assuan Protocol
	@c
	@manpause
	@node Agent Protocol
	@section Agent's Assuan Protocol

	Note: this section does only document the protocol, which is used by
	GnuPG components; it does not deal with the ssh-agent protocol. To
	see the full specification of each command, use

	@example
	gpg-connect-agent 'help COMMAND' /bye
	@end example

	@noindent
	or just 'help' to list all available commands.

	@noindent
	The @command{gpg-agent} daemon is started on demand by the GnuPG
	components.

	To identify a key we use a thing called keygrip which is the SHA-1 hash
	of an canonical encoded S-Expression of the public key as used in
	Libgcrypt. For the purpose of this interface the keygrip is given as a
	hex string. The advantage of using this and not the hash of a
	certificate is that it will be possible to use the same keypair for
	different protocols, thereby saving space on the token used to keep the
	secret keys.

	The @command{gpg-agent} may send status messages during a command or when
	returning from a command to inform a client about the progress or result of an
	operation. For example, the @var{INQUIRE_MAXLEN} status message may be sent
	during a server inquire to inform the client of the maximum usable length of
	the inquired data (which should not be exceeded).

	@menu
	* Agent PKDECRYPT:: Decrypting a session key
	* Agent PKSIGN:: Signing a Hash
	* Agent GENKEY:: Generating a Key
	* Agent IMPORT:: Importing a Secret Key
	* Agent EXPORT:: Exporting a Secret Key
	* Agent ISTRUSTED:: Importing a Root Certificate
	* Agent GET_PASSPHRASE:: Ask for a passphrase
	* Agent CLEAR_PASSPHRASE:: Expire a cached passphrase
	* Agent PRESET_PASSPHRASE:: Set a passphrase for a keygrip
	* Agent GET_CONFIRMATION:: Ask for confirmation
	* Agent HAVEKEY:: Check whether a key is available
	* Agent LEARN:: Register a smartcard
	* Agent PASSWD:: Change a Passphrase
	* Agent UPDATESTARTUPTTY:: Change the Standard Display
	* Agent GETEVENTCOUNTER:: Get the Event Counters
	* Agent GETINFO:: Return information about the process
	* Agent OPTION:: Set options for the session
	@end menu

	@node Agent PKDECRYPT
	@subsection Decrypting a session key

	The client asks the server to decrypt a session key. The encrypted
	session key should have all information needed to select the
	appropriate secret key or to delegate it to a smartcard.

	@example
	SETKEY <keyGrip>
	@end example

	Tell the server about the key to be used for decryption. If this is
	not used, @command{gpg-agent} may try to figure out the key by trying to
	decrypt the message with each key available.

	@example
	PKDECRYPT
	@end example

	The agent checks whether this command is allowed and then does an
	INQUIRY to get the ciphertext the client should then send the cipher
	text.

	@example
	S: INQUIRE CIPHERTEXT
	C: D (xxxxxx
	C: D xxxx)
	C: END
	@end example

	Please note that the server may send status info lines while reading the
	data lines from the client. The data send is a SPKI like S-Exp with
	this structure:

	@example
	(enc-val
	(<algo>
	(<param_name1> <mpi>)
	...
	(<param_namen> <mpi>)))
	@end example

	Where algo is a string with the name of the algorithm; see the libgcrypt
	documentation for a list of valid algorithms. The number and names of
	the parameters depend on the algorithm. The agent does return an error
	if there is an inconsistency.

	If the decryption was successful the decrypted data is returned by
	means of "D" lines.

	Here is an example session:
	@cartouche
	@smallexample
	C: PKDECRYPT
	S: INQUIRE CIPHERTEXT
	C: D (enc-val elg (a 349324324)
	C: D (b 3F444677CA)))
	C: END
	S: # session key follows
	S: S PADDING 0
	S: D (value 1234567890ABCDEF0)
	S: OK descryption successful
	@end smallexample
	@end cartouche

	The “PADDING” status line is only send if gpg-agent can tell what kind
	of padding is used. As of now only the value 0 is used to indicate
	that the padding has been removed.


	@node Agent PKSIGN
	@subsection Signing a Hash

	The client ask the agent to sign a given hash value. A default key
	will be chosen if no key has been set. To set a key a client first
	uses:

	@example
	SIGKEY <keyGrip>
	@end example

	This can be used multiple times to create multiple signature, the list
	of keys is reset with the next PKSIGN command or a RESET. The server
	test whether the key is a valid key to sign something and responds with
	okay.

	@example
	SETHASH --hash=<name>\|<algo> <hexstring>
	@end example

	The client can use this command to tell the server about the data <hexstring>
	(which usually is a hash) to be signed. <algo> is the decimal encoded hash
	algorithm number as used by Libgcrypt. Either <algo> or --hash=<name>
	must be given. Valid names for <name> are:

	@table @code
	@item sha1
	The SHA-1 hash algorithm
	@item sha256
	The SHA-256 hash algorithm
	@item rmd160
	The RIPE-MD160 hash algorithm
	@item md5
	The old and broken MD5 hash algorithm
	@item tls-md5sha1
	A combined hash algorithm as used by the TLS protocol.
	@end table

	@noindent
	The actual signing is done using

	@example
	PKSIGN <options>
	@end example

	Options are not yet defined, but my later be used to choose among
	different algorithms. The agent does then some checks, asks for the
	passphrase and as a result the server returns the signature as an SPKI
	like S-expression in "D" lines:

	@example
	(sig-val
	(<algo>
	(<param_name1> <mpi>)
	...
	(<param_namen> <mpi>)))
	@end example


	The operation is affected by the option

	@example
	OPTION use-cache-for-signing=0\|1
	@end example

	The default of @code{1} uses the cache. Setting this option to @code{0}
	will lead @command{gpg-agent} to ignore the passphrase cache. Note, that there is
	also a global command line option for @command{gpg-agent} to globally disable the
	caching.


	Here is an example session:
	@cartouche
	@smallexample
	C: SIGKEY <keyGrip>
	S: OK key available
	C: SIGKEY <keyGrip>
	S: OK key available
	C: PKSIGN
	S: # I did ask the user whether he really wants to sign
	S: # I did ask the user for the passphrase
	S: INQUIRE HASHVAL
	C: D ABCDEF012345678901234
	C: END
	S: # signature follows
	S: D (sig-val rsa (s 45435453654612121212))
	S: OK
	@end smallexample
	@end cartouche

	@node Agent GENKEY
	@subsection Generating a Key

	This is used to create a new keypair and store the secret key inside the
	-active PSE --- which is in most cases a Soft-PSE. An not yet defined
	-option allows to choose the storage location. To get the secret key out
	+active PSE --- which is in most cases a Soft-PSE. A not-yet-defined
	+option allows choosing the storage location. To get the secret key out
	of the PSE, a special export tool has to be used.

	@example
	GENKEY [--no-protection] [--preset] [<cache_nonce>]
	@end example

	Invokes the key generation process and the server will then inquire
	on the generation parameters, like:

	@example
	S: INQUIRE KEYPARM
	C: D (genkey (rsa (nbits 1024)))
	C: END
	@end example

	The format of the key parameters which depends on the algorithm is of
	the form:

	@example
	(genkey
	(algo
	(parameter_name_1 ....)
	....
	(parameter_name_n ....)))
	@end example

	If everything succeeds, the server returns the public key in a SPKI
	like S-Expression like this:

	@example
	(public-key
	(rsa
	(n <mpi>)
	(e <mpi>)))
	@end example

	Here is an example session:
	@cartouche
	@smallexample
	C: GENKEY
	S: INQUIRE KEYPARM
	C: D (genkey (rsa (nbits 1024)))
	C: END
	S: D (public-key
	S: D (rsa (n 326487324683264) (e 10001)))
	S OK key created
	@end smallexample
	@end cartouche

	The @option{--no-protection} option may be used to prevent prompting for a
	passphrase to protect the secret key while leaving the secret key unprotected.
	The @option{--preset} option may be used to add the passphrase to the cache
	using the default cache parameters.

	The @option{--inq-passwd} option may be used to create the key with a
	supplied passphrase. When used the agent does an inquiry with the
	keyword @code{NEWPASSWD} to retrieve that passphrase. This option
	takes precedence over @option{--no-protection}; however if the client
	sends a empty (zero-length) passphrase, this is identical to
	@option{--no-protection}.

	@node Agent IMPORT
	@subsection Importing a Secret Key

	This operation is not yet supported by GpgAgent. Specialized tools
	are to be used for this.

	There is no actual need because we can expect that secret keys
	created by a 3rd party are stored on a smartcard. If we have
	generated the key ourself, we do not need to import it.

	@node Agent EXPORT
	@subsection Export a Secret Key

	Not implemented.

	Should be done by an extra tool.

	@node Agent ISTRUSTED
	@subsection Importing a Root Certificate

	Actually we do not import a Root Cert but provide a way to validate
	any piece of data by storing its Hash along with a description and
	an identifier in the PSE. Here is the interface description:

	@example
	ISTRUSTED <fingerprint>
	@end example

	Check whether the OpenPGP primary key or the X.509 certificate with the
	given fingerprint is an ultimately trusted key or a trusted Root CA
	certificate. The fingerprint should be given as a hexstring (without
	any blanks or colons or whatever in between) and may be left padded with
	00 in case of an MD5 fingerprint. GPGAgent will answer with:

	@example
	OK
	@end example

	The key is in the table of trusted keys.

	@example
	ERR 304 (Not Trusted)
	@end example

	The key is not in this table.

	Gpg needs the entire list of trusted keys to maintain the web of
	trust; the following command is therefore quite helpful:

	@example
	LISTTRUSTED
	@end example

	GpgAgent returns a list of trusted keys line by line:

	@example
	S: D 000000001234454556565656677878AF2F1ECCFF P
	S: D 340387563485634856435645634856438576457A P
	S: D FEDC6532453745367FD83474357495743757435D S
	S: OK
	@end example

	The first item on a line is the hexified fingerprint where MD5
	fingerprints are @code{00} padded to the left and the second item is a
	flag to indicate the type of key (so that gpg is able to only take care
	of PGP keys). P = OpenPGP, S = S/MIME. A client should ignore the rest
	of the line, so that we can extend the format in the future.

	Finally a client should be able to mark a key as trusted:

	@example
	MARKTRUSTED @var{fingerprint} "P"\|"S"
	@end example

	The server will then pop up a window to ask the user whether she
	really trusts this key. For this it will probably ask for a text to
	be displayed like this:

	@example
	S: INQUIRE TRUSTDESC
	C: D Do you trust the key with the fingerprint @@FPR@@
	C: D bla fasel blurb.
	C: END
	S: OK
	@end example

	Known sequences with the pattern @@foo@@ are replaced according to this
	table:

	@table @code
	@item @@FPR16@@
	Format the fingerprint according to gpg rules for a v3 keys.
	@item @@FPR20@@
	Format the fingerprint according to gpg rules for a v4 keys.
	@item @@FPR@@
	Choose an appropriate format to format the fingerprint.
	@item @@@@
	Replaced by a single @code{@@}
	@end table

	@node Agent GET_PASSPHRASE
	@subsection Ask for a passphrase

	This function is usually used to ask for a passphrase to be used for
	symmetric encryption, but may also be used by programs which need
	special handling of passphrases. This command uses a syntax which helps
	clients to use the agent with minimum effort.

	@example
	GET_PASSPHRASE [--data] [--check] [--no-ask] [--repeat[=N]] \
	[--qualitybar] @var{cache_id} \
	[@var{error_message} @var{prompt} @var{description}]
	@end example

	@var{cache_id} is expected to be a string used to identify a cached
	passphrase. Use a @code{X} to bypass the cache. With no other
	arguments the agent returns a cached passphrase or an error. By
	convention either the hexified fingerprint of the key shall be used for
	@var{cache_id} or an arbitrary string prefixed with the name of the
	calling application and a colon: Like @code{gpg:somestring}.

	@var{error_message} is either a single @code{X} for no error message or
	a string to be shown as an error message like (e.g. "invalid
	passphrase"). Blanks must be percent escaped or replaced by @code{+}'.

	@var{prompt} is either a single @code{X} for a default prompt or the
	text to be shown as the prompt. Blanks must be percent escaped or
	replaced by @code{+}.

	@var{description} is a text shown above the entry field. Blanks must be
	percent escaped or replaced by @code{+}.

	The agent either returns with an error or with a OK followed by the hex
	encoded passphrase. Note that the length of the strings is implicitly
	limited by the maximum length of a command. If the option
	@option{--data} is used, the passphrase is not returned on the OK line
	but by regular data lines; this is the preferred method.

	If the option @option{--check} is used, the standard passphrase
	constraints checks are applied. A check is not done if the passphrase
	has been found in the cache.

	If the option @option{--no-ask} is used and the passphrase is not in the
	cache the user will not be asked to enter a passphrase but the error
	code @code{GPG_ERR_NO_DATA} is returned.

	If the option @option{--qualitybar} is used and a minimum passphrase
	length has been configured, a visual indication of the entered
	passphrase quality is shown.

	@example
	CLEAR_PASSPHRASE @var{cache_id}
	@end example

	may be used to invalidate the cache entry for a passphrase. The
	function returns with OK even when there is no cached passphrase.



	@node Agent CLEAR_PASSPHRASE
	@subsection Remove a cached passphrase

	Use this command to remove a cached passphrase.

	@example
	CLEAR_PASSPHRASE [--mode=normal] <cache_id>
	@end example

	The @option{--mode=normal} option can be used to clear a @var{cache_id} that
	was set by gpg-agent.


	@node Agent PRESET_PASSPHRASE
	@subsection Set a passphrase for a keygrip

	This command adds a passphrase to the cache for the specified @var{keygrip}.

	@example
	PRESET_PASSPHRASE [--inquire] <string_or_keygrip> <timeout> [<hexstring>]
	@end example

	The passphrase is a hexidecimal string when specified. When not specified, the
	passphrase will be retrieved from the pinentry module unless the
	@option{--inquire} option was specified in which case the passphrase will be
	retrieved from the client.

	The @var{timeout} parameter keeps the passphrase cached for the specified
	number of seconds. A value of @code{-1} means infinate while @code{0} means
	the default (currently only a timeout of -1 is allowed, which means to never
	expire it).


	@node Agent GET_CONFIRMATION
	@subsection Ask for confirmation

	This command may be used to ask for a simple confirmation by
	presenting a text and 2 buttons: Okay and Cancel.

	@example
	GET_CONFIRMATION @var{description}
	@end example

	@var{description}is displayed along with a Okay and Cancel
	button. Blanks must be percent escaped or replaced by @code{+}. A
	@code{X} may be used to display confirmation dialog with a default
	text.

	The agent either returns with an error or with a OK. Note, that the
	length of @var{description} is implicitly limited by the maximum
	length of a command.



	@node Agent HAVEKEY
	@subsection Check whether a key is available

	This can be used to see whether a secret key is available. It does
	not return any information on whether the key is somehow protected.

	@example
	HAVEKEY @var{keygrips}
	@end example

	The agent answers either with OK or @code{No_Secret_Key} (208). The
	caller may want to check for other error codes as well. More than one
	keygrip may be given. In this case the command returns success if at
	least one of the keygrips corresponds to an available secret key.


	@node Agent LEARN
	@subsection Register a smartcard

	@example
	LEARN [--send]
	@end example

	This command is used to register a smartcard. With the --send
	option given the certificates are send back.


	@node Agent PASSWD
	@subsection Change a Passphrase

	@example
	PASSWD [--cache-nonce=<c>] [--passwd-nonce=<s>] [--preset] @var{keygrip}
	@end example

	This command is used to interactively change the passphrase of the key
	identified by the hex string @var{keygrip}. The @option{--preset}
	option may be used to add the new passphrase to the cache using the
	default cache parameters.


	@node Agent UPDATESTARTUPTTY
	@subsection Change the standard display

	@example
	UPDATESTARTUPTTY
	@end example

	Set the startup TTY and X-DISPLAY variables to the values of this
	session. This command is useful to direct future pinentry invocations
	to another screen. It is only required because there is no way in the
	ssh-agent protocol to convey this information.


	@node Agent GETEVENTCOUNTER
	@subsection Get the Event Counters

	@example
	GETEVENTCOUNTER
	@end example

	This function return one status line with the current values of the
	event counters. The event counters are useful to avoid polling by
	delaying a poll until something has changed. The values are decimal
	numbers in the range @code{0} to @code{UINT_MAX} and wrapping around to
	0. The actual values should not be relied upon; they shall only be used
	to detect a change.

	The currently defined counters are are:
	@table @code
	@item ANY
	Incremented with any change of any of the other counters.
	@item KEY
	Incremented for added or removed private keys.
	@item CARD
	Incremented for changes of the card readers stati.
	@end table

	@node Agent GETINFO
	@subsection Return information about the process

	This is a multipurpose function to return a variety of information.

	@example
	GETINFO @var{what}
	@end example

	The value of @var{what} specifies the kind of information returned:
	@table @code
	@item version
	Return the version of the program.
	@item pid
	Return the process id of the process.
	@item socket_name
	Return the name of the socket used to connect the agent.
	@item ssh_socket_name
	Return the name of the socket used for SSH connections. If SSH support
	has not been enabled the error @code{GPG_ERR_NO_DATA} will be returned.
	@end table

	@node Agent OPTION
	@subsection Set options for the session

	Here is a list of session options which are not yet described with
	other commands. The general syntax for an Assuan option is:

	@smallexample
	OPTION @var{key}=@var{value}
	@end smallexample

	@noindent
	Supported @var{key}s are:

	@table @code
	@item agent-awareness
	This may be used to tell gpg-agent of which gpg-agent version the
	client is aware of. gpg-agent uses this information to enable
	features which might break older clients.

	@item putenv
	Change the session's environment to be used for the
	Pinentry. Valid values are:

	@table @code
	@item @var{name}
	Delete envvar @var{name}
	@item @var{name}=
	Set envvar @var{name} to the empty string
	@item @var{name}=@var{value}
	Set envvar @var{name} to the string @var{value}.
	@end table

	@item use-cache-for-signing
	See Assuan command @code{PKSIGN}.

	@item allow-pinentry-notify
	This does not need any value. It is used to enable the
	PINENTRY_LAUNCHED inquiry.

	@item pinentry-mode
	This option is used to change the operation mode of the pinentry. The
	following values are defined:

	@table @code
	@item ask
	This is the default mode which pops up a pinentry as needed.

	@item cancel
	Instead of popping up a pinentry, return the error code
	@code{GPG_ERR_CANCELED}.

	@item error
	Instead of popping up a pinentry, return the error code
	@code{GPG_ERR_NO_PIN_ENTRY}.

	@item loopback
	Use a loopback pinentry. This fakes a pinentry by using inquiries
	back to the caller to ask for a passphrase. This option may only be
	set if the agent has been configured for that.
	To disable this feature use @xref{option --no-allow-loopback-pinentry}.

	@end table

	@item cache-ttl-opt-preset
	This option sets the cache TTL for new entries created by GENKEY and
	PASSWD commands when using the @option{--preset} option. It it is not
	used a default value is used.

	@item s2k-count
	Instead of using the standard S2K count (which is computed on the
	fly), the given S2K count is used for new keys or when changing the
	passphrase of a key. Values below 65536 are considered to be 0. This
	option is valid for the entire session or until reset to 0. This
	option is useful if the key is later used on boxes which are either
	much slower or faster than the actual box.

	@end table


	@mansect see also
	@ifset isman
	@command{gpg2}(1),
	@command{gpgsm}(1),
	@command{gpg-connect-agent}(1),
	@command{scdaemon}(1)
	@end ifset
	@include see-also-note.texi
	diff --git a/doc/gpg.texi b/doc/gpg.texi
	index 38f417e29..3be401f53 100644
	--- a/doc/gpg.texi
	+++ b/doc/gpg.texi
	@@ -1,3871 +1,3871 @@
	@c Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
	@c 2008, 2009, 2010 Free Software Foundation, Inc.
	@c This is part of the GnuPG manual.
	@c For copying conditions, see the file gnupg.texi.

	@include defs.inc

	@node Invoking GPG
	@chapter Invoking GPG
	@cindex GPG command options
	@cindex command options
	@cindex options, GPG command


	@c Begin standard stuff
	@ifclear gpgtwohack
	@manpage gpg.1
	@ifset manverb
	.B gpg
	\- OpenPGP encryption and signing tool
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B gpg
	.RB [ \-\-homedir
	.IR dir ]
	.RB [ \-\-options
	.IR file ]
	.RI [ options ]
	.I command
	.RI [ args ]
	@end ifset
	@end ifclear
	@c End standard stuff

	@c Begin gpg2 hack stuff
	@ifset gpgtwohack
	@manpage gpg2.1
	@ifset manverb
	.B gpg2
	\- OpenPGP encryption and signing tool
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B gpg2
	.RB [ \-\-homedir
	.IR dir ]
	.RB [ \-\-options
	.IR file ]
	.RI [ options ]
	.I command
	.RI [ args ]
	@end ifset
	@end ifset
	@c End gpg2 hack stuff


	@mansect description
	@command{@gpgname} is the OpenPGP part of the GNU Privacy Guard (GnuPG). It
	is a tool to provide digital encryption and signing services using the
	OpenPGP standard. @command{@gpgname} features complete key management and
	all bells and whistles you can expect from a decent OpenPGP
	implementation.

	@ifclear gpgtwohack
	Note that this version of GnuPG features all modern algorithms and
	should thus be preferred over older GnuPG versions. If you are
	looking for version 1 of GnuPG, you may find that version installed
	under the name @command{gpg1}.
	@end ifclear
	@ifset gpgtwohack
	In contrast to the standalone command gpg from GnuPG 1.x, which
	might be better suited for server and embedded platforms, the 2.x
	version is commonly installed under the name @command{@gpgname} and
	targeted to the desktop as it requires several other modules to be
	installed.
	@end ifset

	@manpause

	@xref{Option Index}, for an index to @command{@gpgname}'s commands and options.
	@mancont

	@menu
	* GPG Commands:: List of all commands.
	* GPG Options:: List of all options.
	* GPG Configuration:: Configuration files.
	* GPG Examples:: Some usage examples.

	Developer information:
	* Unattended Usage of GPG:: Using @command{gpg} from other programs.
	@end menu

	@c * GPG Protocol:: The protocol the server mode uses.


	@c *******************************************
	@c ************* **************
	@c ************* COMMANDS **************
	@c ************* **************
	@c *******************************************
	@mansect commands
	@node GPG Commands
	@section Commands

	Commands are not distinguished from options except for the fact that
	only one command is allowed.

	@command{@gpgname} may be run with no commands, in which case it will
	perform a reasonable action depending on the type of file it is given
	as input (an encrypted message is decrypted, a signature is verified,
	a file containing keys is listed).

	Please remember that option as well as command parsing stops as soon as
	a non-option is encountered, you can explicitly stop parsing by
	using the special option @option{--}.


	@menu
	* General GPG Commands:: Commands not specific to the functionality.
	* Operational GPG Commands:: Commands to select the type of operation.
	* OpenPGP Key Management:: How to manage your keys.
	@end menu


	@c *******************************************
	@c ******** GENERAL COMMANDS ***********
	@c *******************************************
	@node General GPG Commands
	@subsection Commands not specific to the function

	@table @gnupgtabopt
	@item --version
	@opindex version
	Print the program version and licensing information. Note that you
	cannot abbreviate this command.

	@item --help
	@itemx -h
	@opindex help
	Print a usage message summarizing the most useful command line options.
	Note that you cannot abbreviate this command.

	@item --warranty
	@opindex warranty
	Print warranty information.

	@item --dump-options
	@opindex dump-options
	Print a list of all available options and commands. Note that you cannot
	abbreviate this command.
	@end table


	@c *******************************************
	@c ****** OPERATIONAL COMMANDS *********
	@c *******************************************
	@node Operational GPG Commands
	@subsection Commands to select the type of operation


	@table @gnupgtabopt

	@item --sign
	@itemx -s
	@opindex sign
	Make a signature. This command may be combined with @option{--encrypt}
	(for a signed and encrypted message), @option{--symmetric} (for a
	signed and symmetrically encrypted message), or @option{--encrypt} and
	@option{--symmetric} together (for a signed message that may be
	decrypted via a secret key or a passphrase). The key to be used for
	signing is chosen by default or can be set with the
	@option{--local-user} and @option{--default-key} options.

	@item --clearsign
	@opindex clearsign
	Make a clear text signature. The content in a clear text signature is
	readable without any special software. OpenPGP software is only needed
	to verify the signature. Clear text signatures may modify end-of-line
	whitespace for platform independence and are not intended to be
	reversible. The key to be used for signing is chosen by default or
	can be set with the @option{--local-user} and @option{--default-key}
	options.


	@item --detach-sign
	@itemx -b
	@opindex detach-sign
	Make a detached signature.

	@item --encrypt
	@itemx -e
	@opindex encrypt
	Encrypt data. This option may be combined with @option{--sign} (for a
	signed and encrypted message), @option{--symmetric} (for a message that
	may be decrypted via a secret key or a passphrase), or @option{--sign}
	and @option{--symmetric} together (for a signed message that may be
	decrypted via a secret key or a passphrase).

	@item --symmetric
	@itemx -c
	@opindex symmetric
	Encrypt with a symmetric cipher using a passphrase. The default
	symmetric cipher used is @value{GPGSYMENCALGO}, but may be chosen with the
	@option{--cipher-algo} option. This option may be combined with
	@option{--sign} (for a signed and symmetrically encrypted message),
	@option{--encrypt} (for a message that may be decrypted via a secret key
	or a passphrase), or @option{--sign} and @option{--encrypt} together
	(for a signed message that may be decrypted via a secret key or a
	passphrase).

	@item --store
	@opindex store
	Store only (make a simple literal data packet).

	@item --decrypt
	@itemx -d
	@opindex decrypt
	Decrypt the file given on the command line (or STDIN if no file
	is specified) and write it to STDOUT (or the file specified with
	@option{--output}). If the decrypted file is signed, the signature is also
	verified. This command differs from the default operation, as it never
	writes to the filename which is included in the file and it rejects
	files which don't begin with an encrypted message.

	@item --verify
	@opindex verify
	Assume that the first argument is a signed file and verify it without
	generating any output. With no arguments, the signature packet is
	read from STDIN. If only a one argument is given, it is expected to
	be a complete signature.

	With more than 1 argument, the first should be a detached signature
	and the remaining files make up the the signed data. To read the signed
	data from STDIN, use @samp{-} as the second filename. For security
	reasons a detached signature cannot read the signed material from
	STDIN without denoting it in the above way.

	Note: If the option @option{--batch} is not used, @command{@gpgname}
	may assume that a single argument is a file with a detached signature
	and it will try to find a matching data file by stripping certain
	suffixes. Using this historical feature to verify a detached
	signature is strongly discouraged; always specify the data file too.

	Note: When verifying a cleartext signature, @command{gpg} verifies
	only what makes up the cleartext signed data and not any extra data
	outside of the cleartext signature or header lines following directly
	the dash marker line. The option @code{--output} may be used to write
	out the actual signed data; but there are other pitfalls with this
	format as well. It is suggested to avoid cleartext signatures in
	favor of detached signatures.

	@item --multifile
	@opindex multifile
	This modifies certain other commands to accept multiple files for
	processing on the command line or read from STDIN with each filename on
	a separate line. This allows for many files to be processed at
	once. @option{--multifile} may currently be used along with
	@option{--verify}, @option{--encrypt}, and @option{--decrypt}. Note that
	@option{--multifile --verify} may not be used with detached signatures.

	@item --verify-files
	@opindex verify-files
	Identical to @option{--multifile --verify}.

	@item --encrypt-files
	@opindex encrypt-files
	Identical to @option{--multifile --encrypt}.

	@item --decrypt-files
	@opindex decrypt-files
	Identical to @option{--multifile --decrypt}.

	@item --list-keys
	@itemx -k
	@itemx --list-public-keys
	@opindex list-keys
	List all keys from the public keyrings, or just the keys given on the
	command line.

	Avoid using the output of this command in scripts or other programs as
	it is likely to change as GnuPG changes. See @option{--with-colons}
	for a machine-parseable key listing command that is appropriate for
	use in scripts and other programs. Never use the regular output for
	scripts - it is only for human consumption.

	@item --list-secret-keys
	@itemx -K
	@opindex list-secret-keys
	List all keys from the secret keyrings, or just the ones given on the
	command line. A @code{#} after the letters @code{sec} means that the
	secret key is not usable (for example, if it was created via
	@option{--export-secret-subkeys}). See also @option{--list-keys}.

	@item --list-sigs
	@opindex list-sigs
	Same as @option{--list-keys}, but the signatures are listed too.
	This command has the same effect as
	using @option{--list-keys} with @option{--with-sig-list}.

	For each signature listed, there are several flags in between the "sig"
	tag and keyid. These flags give additional information about each
	signature. From left to right, they are the numbers 1-3 for certificate
	check level (see @option{--ask-cert-level}), "L" for a local or
	non-exportable signature (see @option{--lsign-key}), "R" for a
	nonRevocable signature (see the @option{--edit-key} command "nrsign"),
	"P" for a signature that contains a policy URL (see
	@option{--cert-policy-url}), "N" for a signature that contains a
	notation (see @option{--cert-notation}), "X" for an eXpired signature
	(see @option{--ask-cert-expire}), and the numbers 1-9 or "T" for 10 and
	above to indicate trust signature levels (see the @option{--edit-key}
	command "tsign").

	@item --check-sigs
	@opindex check-sigs
	Same as @option{--list-sigs}, but the signatures are verified. Note
	that for performance reasons the revocation status of a signing key is
	not shown.
	This command has the same effect as
	using @option{--list-keys} with @option{--with-sig-check}.

	The status of the verification is indicated by a flag directly following
	the "sig" tag (and thus before the flags described above for
	@option{--list-sigs}). A "!" indicates that the signature has been
	successfully verified, a "-" denotes a bad signature and a "%" is used
	if an error occurred while checking the signature (e.g. a non supported
	algorithm).

	@item --locate-keys
	@opindex locate-keys
	Locate the keys given as arguments. This command basically uses the
	same algorithm as used when locating keys for encryption or signing and
	may thus be used to see what keys @command{@gpgname} might use. In
	particular external methods as defined by @option{--auto-key-locate} may
	be used to locate a key. Only public keys are listed.

	@item --fingerprint
	@opindex fingerprint
	List all keys (or the specified ones) along with their
	fingerprints. This is the same output as @option{--list-keys} but with
	the additional output of a line with the fingerprint. May also be
	combined with @option{--list-sigs} or @option{--check-sigs}. If this
	command is given twice, the fingerprints of all secondary keys are
	listed too. This command also forces pretty printing of fingerprints
	if the keyid format has been set to "none".

	@item --list-packets
	@opindex list-packets
	List only the sequence of packets. This is mainly useful for
	debugging. When used with option @option{--verbose} the actual MPI
	values are dumped and not only their lengths.


	@item --card-edit
	@opindex card-edit
	Present a menu to work with a smartcard. The subcommand "help" provides
	an overview on available commands. For a detailed description, please
	see the Card HOWTO at
	https://gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .

	@item --card-status
	@opindex card-status
	Show the content of the smart card.

	@item --change-pin
	@opindex change-pin
	Present a menu to allow changing the PIN of a smartcard. This
	functionality is also available as the subcommand "passwd" with the
	@option{--card-edit} command.

	@item --delete-keys @code{name}
	@itemx --delete-keys @code{name}
	Remove key from the public keyring. In batch mode either @option{--yes} is
	required or the key must be specified by fingerprint. This is a
	safeguard against accidental deletion of multiple keys.

	@item --delete-secret-keys @code{name}
	@opindex delete-secret-keys
	gRemove key from the secret keyring. In batch mode the key must be
	specified by fingerprint. The option @option{--yes} can be used to
	advice gpg-agent not to request a confirmation. This extra
	pre-caution is done because @command{gpg} can't be sure that the
	secret key (as controlled by gpg-agent) is only used for the given
	OpenPGP public key.


	@item --delete-secret-and-public-key @code{name}
	@opindex delete-secret-and-public-key
	Same as @option{--delete-key}, but if a secret key exists, it will be
	removed first. In batch mode the key must be specified by fingerprint.
	The option @option{--yes} can be used to advice gpg-agent not to
	request a confirmation.

	@item --export
	@opindex export
	Either export all keys from all keyrings (default keyrings and those
	registered via option @option{--keyring}), or if at least one name is given,
	those of the given name. The exported keys are written to STDOUT or to the
	file given with option @option{--output}. Use together with
	@option{--armor} to mail those keys.

	@item --send-keys @code{key IDs}
	@opindex send-keys
	Similar to @option{--export} but sends the keys to a keyserver.
	Fingerprints may be used instead of key IDs. Option @option{--keyserver}
	must be used to give the name of this keyserver. Don't send your
	complete keyring to a keyserver --- select only those keys which are new
	or changed by you. If no key IDs are given, @command{gpg} does nothing.

	@item --export-secret-keys
	@itemx --export-secret-subkeys
	@opindex export-secret-keys
	@opindex export-secret-subkeys
	Same as @option{--export}, but exports the secret keys instead. The
	exported keys are written to STDOUT or to the file given with option
	@option{--output}. This command is often used along with the option
	@option{--armor} to allow easy printing of the key for paper backup;
	however the external tool @command{paperkey} does a better job for
	creating backups on paper. Note that exporting a secret key can be a
	security risk if the exported keys are send over an insecure channel.

	The second form of the command has the special property to render the
	secret part of the primary key useless; this is a GNU extension to
	OpenPGP and other implementations can not be expected to successfully
	import such a key. Its intended use is to generated a full key with
	an additional signing subkey on a dedicated machine and then using
	this command to export the key without the primary key to the main
	machine.

	GnuPG may ask you to enter the passphrase for the key. This is
	required because the internal protection method of the secret key is
	different from the one specified by the OpenPGP protocol.

	@item --export-ssh-key
	@opindex export-ssh-key
	This command is used to export a key in the OpenSSH public key format.
	It requires the specification of one key by the usual means and
	exports the latest valid subkey which has an authentication capability
	to STDOUT or to the file given with option @option{--output}. That
	output can directly be added to ssh's @file{authorized_key} file.

	By specifying the key to export using a key ID or a fingerprint
	suffixed with an exclamation mark (!), a specific subkey or the
	primary key can be exported. This does not even require that the key
	has the authentication capability flag set.

	@item --import
	@itemx --fast-import
	@opindex import
	Import/merge keys. This adds the given keys to the
	keyring. The fast version is currently just a synonym.

	There are a few other options which control how this command works.
	Most notable here is the @option{--import-options merge-only} option
	which does not insert new keys but does only the merging of new
	signatures, user-IDs and subkeys.

	@item --recv-keys @code{key IDs}
	@opindex recv-keys
	Import the keys with the given key IDs from a keyserver. Option
	@option{--keyserver} must be used to give the name of this keyserver.

	@item --refresh-keys
	@opindex refresh-keys
	Request updates from a keyserver for keys that already exist on the
	local keyring. This is useful for updating a key with the latest
	signatures, user IDs, etc. Calling this with no arguments will refresh
	the entire keyring. Option @option{--keyserver} must be used to give the
	name of the keyserver for all keys that do not have preferred keyservers
	set (see @option{--keyserver-options honor-keyserver-url}).

	@item --search-keys @code{names}
	@opindex search-keys
	Search the keyserver for the given names. Multiple names given here will
	be joined together to create the search string for the keyserver.
	Option @option{--keyserver} must be used to give the name of this
	keyserver. Keyservers that support different search methods allow using
	the syntax specified in "How to specify a user ID" below. Note that
	different keyserver types support different search methods. Currently
	only LDAP supports them all.

	@item --fetch-keys @code{URIs}
	@opindex fetch-keys
	Retrieve keys located at the specified URIs. Note that different
	installations of GnuPG may support different protocols (HTTP, FTP,
	LDAP, etc.). When using HTTPS the system provided root certificates
	are used by this command.

	@item --update-trustdb
	@opindex update-trustdb
	Do trust database maintenance. This command iterates over all keys and
	builds the Web of Trust. This is an interactive command because it may
	have to ask for the "ownertrust" values for keys. The user has to give
	an estimation of how far she trusts the owner of the displayed key to
	correctly certify (sign) other keys. GnuPG only asks for the ownertrust
	value if it has not yet been assigned to a key. Using the
	@option{--edit-key} menu, the assigned value can be changed at any time.

	@item --check-trustdb
	@opindex check-trustdb
	Do trust database maintenance without user interaction. From time to
	time the trust database must be updated so that expired keys or
	signatures and the resulting changes in the Web of Trust can be
	tracked. Normally, GnuPG will calculate when this is required and do it
	automatically unless @option{--no-auto-check-trustdb} is set. This
	command can be used to force a trust database check at any time. The
	processing is identical to that of @option{--update-trustdb} but it
	skips keys with a not yet defined "ownertrust".

	For use with cron jobs, this command can be used together with
	@option{--batch} in which case the trust database check is done only if
	a check is needed. To force a run even in batch mode add the option
	@option{--yes}.

	@anchor{option --export-ownertrust}
	@item --export-ownertrust
	@opindex export-ownertrust
	Send the ownertrust values to STDOUT. This is useful for backup purposes
	as these values are the only ones which can't be re-created from a
	corrupted trustdb. Example:
	@c man:.RS
	@example
	@gpgname{} --export-ownertrust > otrust.txt
	@end example
	@c man:.RE


	@item --import-ownertrust
	@opindex import-ownertrust
	Update the trustdb with the ownertrust values stored in @code{files} (or
	STDIN if not given); existing values will be overwritten. In case of a
	severely damaged trustdb and if you have a recent backup of the
	ownertrust values (e.g. in the file @file{otrust.txt}, you may re-create
	the trustdb using these commands:
	@c man:.RS
	@example
	cd ~/.gnupg
	rm trustdb.gpg
	@gpgname{} --import-ownertrust < otrust.txt
	@end example
	@c man:.RE


	@item --rebuild-keydb-caches
	@opindex rebuild-keydb-caches
	When updating from version 1.0.6 to 1.0.7 this command should be used
	to create signature caches in the keyring. It might be handy in other
	situations too.

	@item --print-md @code{algo}
	@itemx --print-mds
	@opindex print-md
	Print message digest of algorithm ALGO for all given files or STDIN.
	With the second form (or a deprecated "*" as algo) digests for all
	available algorithms are printed.

	@item --gen-random @code{0\|1\|2} @code{count}
	@opindex gen-random
	Emit @var{count} random bytes of the given quality level 0, 1 or 2. If
	@var{count} is not given or zero, an endless sequence of random bytes
	will be emitted. If used with @option{--armor} the output will be
	base64 encoded. PLEASE, don't use this command unless you know what
	you are doing; it may remove precious entropy from the system!

	@item --gen-prime @code{mode} @code{bits}
	@opindex gen-prime
	Use the source, Luke :-). The output format is still subject to change.


	@item --enarmor
	@itemx --dearmor
	@opindex enarmor
	@opindex dearmor
	Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
	This is a GnuPG extension to OpenPGP and in general not very useful.

	@item --tofu-policy @code{auto\|good\|unknown\|bad\|ask} @code{key...}
	@opindex tofu-policy
	Set the TOFU policy for all the bindings associated with the specified
	keys. For more information about the meaning of the policies,
	@pxref{trust-model-tofu}. The keys may be specified either by their
	fingerprint (preferred) or their keyid.

	@c @item --server
	@c @opindex server
	@c Run gpg in server mode. This feature is not yet ready for use and
	@c thus not documented.

	@end table


	@c *******************************************
	@c ***** KEY MANGEMENT COMMANDS ********
	@c *******************************************
	@node OpenPGP Key Management
	@subsection How to manage your keys

	This section explains the main commands for key management

	@table @gnupgtabopt

	@item --quick-gen-key @code{user-id} [@code{algo} [@code{usage} [@code{expire}]]]
	@opindex quick-gen-key
	This is a simple command to generate a standard key with one user id.
	In contrast to @option{--gen-key} the key is generated directly
	without the need to answer a bunch of prompts. Unless the option
	@option{--yes} is given, the key creation will be canceled if the
	given user id already exists in the key ring.

	If invoked directly on the console without any special options an
	answer to a ``Continue?'' style confirmation prompt is required. In
	case the user id already exists in the key ring a second prompt to
	force the creation of the key will show up.

	If any of the optional arguments are given, only the primary key is
	created and no prompts are shown. For a description of these optional
	arguments see the command @code{--quick-addkey}. The @code{usage}
	accepts also the value ``cert'' which can be used to create a
	certification only primary key; the default is to a create
	certification and signing key.

	If this command is used with @option{--batch},
	@option{--pinentry-mode} has been set to @code{loopback}, and one of
	the passphrase options (@option{--passphrase},
	@option{--passphrase-fd}, or @option{passphrase-file}) is used, the
	supplied passphrase is used for the new key and the agent does not ask
	for it. To create a key without any protection @code{--passphrase ''}
	may be used.

	@item --quick-addkey @code{fpr} [@code{algo} [@code{usage} [@code{expire}]]]
	@opindex quick-addkey
	Directly add a subkey to the key identified by the fingerprint
	@code{fpr}. Without the optional arguments an encryption subkey is
	added. If any of the arguments are given a more specific subkey is
	added.

	@code{algo} may be any of the supported algorithms or curve names given
	in the format as used by key listings. To use the default algorithm
	the string ``default'' or ``-'' can be used. Supported algorithms are
	``rsa'', ``dsa'', ``elg'', ``ed25519'', ``cv25519'', and other ECC
	curves. For example the string ``rsa'' adds an RSA key with the
	default key length; a string ``rsa4096'' requests that the key length
	is 4096 bits.

	Depending on the given @code{algo} the subkey may either be an
	encryption subkey or a signing subkey. If an algorithm is capable of
	signing and encryption and such a subkey is desired, a @code{usage}
	string must be given. This string is either ``default'' or ``-'' to
	keep the default or a comma delimited list of keywords: ``sign'' for a
	signing subkey, ``auth'' for an authentication subkey, and ``encr''
	for an encryption subkey (``encrypt'' can be used as alias for
	``encr''). The valid combinations depend on the algorithm.

	The @code{expire} argument can be used to specify an expiration date
	for the subkey. Several formats are supported; commonly the ISO
	YYYY-MM-DD format is used. The values ``never'', ``none'', or ``-''
	can be used for no expiration date.

	@item --gen-key
	@opindex gen-key
	Generate a new key pair using the current default parameters. This is
	the standard command to create a new key. In addition to the key a
	revocation certificate is created and stored in the
	@file{openpgp-revocs.d} directory below the GnuPG home directory.

	@item --full-gen-key
	@opindex gen-key
	Generate a new key pair with dialogs for all options. This is an
	extended version of @option{--gen-key}.

	There is also a feature which allows you to create keys in batch
	mode. See the manual section ``Unattended key generation'' on how
	to use this.


	@item --gen-revoke @code{name}
	@opindex gen-revoke
	Generate a revocation certificate for the complete key. To only revoke
	a subkey or a key signature, use the @option{--edit} command.

	This command merely creates the revocation certificate so that it can
	be used to revoke the key if that is ever needed. To actually revoke
	a key the created revocation certificate needs to be merged with the
	key to revoke. This is done by importing the revocation certificate
	using the @option{--import} command. Then the revoked key needs to be
	published, which is best done by sending the key to a keyserver
	(command @option{--send-key}) and by exporting (@option{--export}) it
	to a file which is then send to frequent communication partners.


	@item --desig-revoke @code{name}
	@opindex desig-revoke
	Generate a designated revocation certificate for a key. This allows a
	user (with the permission of the keyholder) to revoke someone else's
	key.


	@item --edit-key
	@opindex edit-key
	Present a menu which enables you to do most of the key management
	related tasks. It expects the specification of a key on the command
	line.

	@c ****** Begin Edit-key Options ********
	@table @asis

	@item uid @code{n}
	@opindex keyedit:uid
	Toggle selection of user ID or photographic user ID with index @code{n}.
	Use @code{*} to select all and @code{0} to deselect all.

	@item key @code{n}
	@opindex keyedit:key
	Toggle selection of subkey with index @code{n} or key ID @code{n}.
	Use @code{*} to select all and @code{0} to deselect all.

	@item sign
	@opindex keyedit:sign
	Make a signature on key of user @code{name} If the key is not yet
	signed by the default user (or the users given with -u), the program
	displays the information of the key again, together with its
	fingerprint and asks whether it should be signed. This question is
	repeated for all users specified with
	-u.

	@item lsign
	@opindex keyedit:lsign
	Same as "sign" but the signature is marked as non-exportable and will
	therefore never be used by others. This may be used to make keys
	valid only in the local environment.

	@item nrsign
	@opindex keyedit:nrsign
	Same as "sign" but the signature is marked as non-revocable and can
	therefore never be revoked.

	@item tsign
	@opindex keyedit:tsign
	Make a trust signature. This is a signature that combines the notions
	of certification (like a regular signature), and trust (like the
	"trust" command). It is generally only useful in distinct communities
	or groups. For more information please read the sections
	``Trust Signature'' and ``Regular Expression'' in RFC-4880.
	@end table

	@c man:.RS
	Note that "l" (for local / non-exportable), "nr" (for non-revocable,
	and "t" (for trust) may be freely mixed and prefixed to "sign" to
	create a signature of any type desired.
	@c man:.RE

	If the option @option{--only-sign-text-ids} is specified, then any
	non-text based user ids (e.g., photo IDs) will not be selected for
	signing.

	@table @asis

	@item delsig
	@opindex keyedit:delsig
	Delete a signature. Note that it is not possible to retract a signature,
	once it has been send to the public (i.e. to a keyserver). In that case
	you better use @code{revsig}.

	@item revsig
	@opindex keyedit:revsig
	Revoke a signature. For every signature which has been generated by
	one of the secret keys, GnuPG asks whether a revocation certificate
	should be generated.

	@item check
	@opindex keyedit:check
	Check the signatures on all selected user IDs. With the extra
	option @code{selfsig} only self-signatures are shown.

	@item adduid
	@opindex keyedit:adduid
	Create an additional user ID.

	@item addphoto
	@opindex keyedit:addphoto
	Create a photographic user ID. This will prompt for a JPEG file that
	will be embedded into the user ID. Note that a very large JPEG will make
	for a very large key. Also note that some programs will display your
	JPEG unchanged (GnuPG), and some programs will scale it to fit in a
	dialog box (PGP).

	@item showphoto
	@opindex keyedit:showphoto
	Display the selected photographic user ID.

	@item deluid
	@opindex keyedit:deluid
	Delete a user ID or photographic user ID. Note that it is not
	possible to retract a user id, once it has been send to the public
	(i.e. to a keyserver). In that case you better use @code{revuid}.

	@item revuid
	@opindex keyedit:revuid
	Revoke a user ID or photographic user ID.

	@item primary
	@opindex keyedit:primary
	Flag the current user id as the primary one, removes the primary user
	id flag from all other user ids and sets the timestamp of all affected
	self-signatures one second ahead. Note that setting a photo user ID
	as primary makes it primary over other photo user IDs, and setting a
	regular user ID as primary makes it primary over other regular user
	IDs.

	@item keyserver
	@opindex keyedit:keyserver
	Set a preferred keyserver for the specified user ID(s). This allows
	other users to know where you prefer they get your key from. See
	@option{--keyserver-options honor-keyserver-url} for more on how this
	works. Setting a value of "none" removes an existing preferred
	keyserver.

	@item notation
	@opindex keyedit:notation
	Set a name=value notation for the specified user ID(s). See
	@option{--cert-notation} for more on how this works. Setting a value of
	"none" removes all notations, setting a notation prefixed with a minus
	sign (-) removes that notation, and setting a notation name (without the
	=value) prefixed with a minus sign removes all notations with that name.

	@item pref
	@opindex keyedit:pref
	List preferences from the selected user ID. This shows the actual
	preferences, without including any implied preferences.

	@item showpref
	@opindex keyedit:showpref
	More verbose preferences listing for the selected user ID. This shows
	the preferences in effect by including the implied preferences of 3DES
	(cipher), SHA-1 (digest), and Uncompressed (compression) if they are
	not already included in the preference list. In addition, the
	preferred keyserver and signature notations (if any) are shown.

	@item setpref @code{string}
	@opindex keyedit:setpref
	Set the list of user ID preferences to @code{string} for all (or just
	the selected) user IDs. Calling setpref with no arguments sets the
	preference list to the default (either built-in or set via
	@option{--default-preference-list}), and calling setpref with "none"
	as the argument sets an empty preference list. Use @command{@gpgname
	--version} to get a list of available algorithms. Note that while you
	can change the preferences on an attribute user ID (aka "photo ID"),
	GnuPG does not select keys via attribute user IDs so these preferences
	will not be used by GnuPG.

	When setting preferences, you should list the algorithms in the order
	which you'd like to see them used by someone else when encrypting a
	message to your key. If you don't include 3DES, it will be
	automatically added at the end. Note that there are many factors that
	go into choosing an algorithm (for example, your key may not be the
	only recipient), and so the remote OpenPGP application being used to
	send to you may or may not follow your exact chosen order for a given
	message. It will, however, only choose an algorithm that is present
	on the preference list of every recipient key. See also the
	INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below.

	@item addkey
	@opindex keyedit:addkey
	Add a subkey to this key.

	@item addcardkey
	@opindex keyedit:addcardkey
	Generate a subkey on a card and add it to this key.

	@item keytocard
	@opindex keyedit:keytocard
	Transfer the selected secret subkey (or the primary key if no subkey
	has been selected) to a smartcard. The secret key in the keyring will
	be replaced by a stub if the key could be stored successfully on the
	card and you use the save command later. Only certain key types may be
	transferred to the card. A sub menu allows you to select on what card
	to store the key. Note that it is not possible to get that key back
	from the card - if the card gets broken your secret key will be lost
	unless you have a backup somewhere.

	@item bkuptocard @code{file}
	@opindex keyedit:bkuptocard
	Restore the given file to a card. This command may be used to restore a
	backup key (as generated during card initialization) to a new card. In
	almost all cases this will be the encryption key. You should use this
	command only with the corresponding public key and make sure that the
	file given as argument is indeed the backup to restore. You should then
	select 2 to restore as encryption key. You will first be asked to enter
	the passphrase of the backup key and then for the Admin PIN of the card.

	@item delkey
	@opindex keyedit:delkey
	Remove a subkey (secondary key). Note that it is not possible to retract
	a subkey, once it has been send to the public (i.e. to a keyserver). In
	that case you better use @code{revkey}.

	@item revkey
	@opindex keyedit:revkey
	Revoke a subkey.

	@item expire
	@opindex keyedit:expire
	Change the key or subkey expiration time. If a subkey is selected, the
	expiration time of this subkey will be changed. With no selection, the
	key expiration of the primary key is changed.

	@item trust
	@opindex keyedit:trust
	Change the owner trust value for the key. This updates the trust-db
	immediately and no save is required.

	@item disable
	@itemx enable
	@opindex keyedit:disable
	@opindex keyedit:enable
	Disable or enable an entire key. A disabled key can not normally be
	used for encryption.

	@item addrevoker
	@opindex keyedit:addrevoker
	Add a designated revoker to the key. This takes one optional argument:
	"sensitive". If a designated revoker is marked as sensitive, it will
	not be exported by default (see export-options).

	@item passwd
	@opindex keyedit:passwd
	Change the passphrase of the secret key.

	@item toggle
	@opindex keyedit:toggle
	This is dummy command which exists only for backward compatibility.

	@item clean
	@opindex keyedit:clean
	Compact (by removing all signatures except the selfsig) any user ID
	that is no longer usable (e.g. revoked, or expired). Then, remove any
	signatures that are not usable by the trust calculations.
	Specifically, this removes any signature that does not validate, any
	signature that is superseded by a later signature, revoked signatures,
	and signatures issued by keys that are not present on the keyring.

	@item minimize
	@opindex keyedit:minimize
	Make the key as small as possible. This removes all signatures from
	each user ID except for the most recent self-signature.

	@item cross-certify
	@opindex keyedit:cross-certify
	Add cross-certification signatures to signing subkeys that may not
	currently have them. Cross-certification signatures protect against a
	subtle attack against signing subkeys. See
	@option{--require-cross-certification}. All new keys generated have
	this signature by default, so this option is only useful to bring
	older keys up to date.

	@item save
	@opindex keyedit:save
	Save all changes to the key rings and quit.

	@item quit
	@opindex keyedit:quit
	Quit the program without updating the
	key rings.
	@end table

	@c man:.RS
	The listing shows you the key with its secondary keys and all user
	ids. The primary user id is indicated by a dot, and selected keys or
	user ids are indicated by an asterisk. The trust
	value is displayed with the primary key: the first is the assigned owner
	trust and the second is the calculated trust value. Letters are used for
	the values:
	@c man:.RE

	@table @asis

	@item -
	No ownertrust assigned / not yet calculated.

	@item e
	Trust
	calculation has failed; probably due to an expired key.

	@item q
	Not enough information for calculation.

	@item n
	Never trust this key.

	@item m
	Marginally trusted.

	@item f
	Fully trusted.

	@item u
	Ultimately trusted.

	@end table
	@c ****** End Edit-key Options ********

	@item --sign-key @code{name}
	@opindex sign-key
	Signs a public key with your secret key. This is a shortcut version of
	the subcommand "sign" from @option{--edit}.

	@item --lsign-key @code{name}
	@opindex lsign-key
	Signs a public key with your secret key but marks it as
	non-exportable. This is a shortcut version of the subcommand "lsign"
	from @option{--edit-key}.

	@item --quick-sign-key @code{fpr} [@code{names}]
	@itemx --quick-lsign-key @code{fpr} [@code{names}]
	@opindex quick-sign-key
	@opindex quick-lsign-key
	Directly sign a key from the passphrase without any further user
	interaction. The @code{fpr} must be the verified primary fingerprint
	of a key in the local keyring. If no @code{names} are given, all
	useful user ids are signed; with given [@code{names}] only useful user
	ids matching one of theses names are signed. By default, or if a name
	is prefixed with a '*', a case insensitive substring match is used.
	If a name is prefixed with a '=' a case sensitive exact match is done.

	The command @option{--quick-lsign-key} marks the signatures as
	non-exportable. If such a non-exportable signature already exists the
	@option{--quick-sign-key} turns it into a exportable signature.

	This command uses reasonable defaults and thus does not provide the
	full flexibility of the "sign" subcommand from @option{--edit-key}.
	Its intended use is to help unattended key signing by utilizing a list
	of verified fingerprints.

	@item --quick-adduid @var{user-id} @var{new-user-id}
	@opindex quick-adduid
	This command adds a new user id to an existing key. In contrast to
	the interactive sub-command @code{adduid} of @option{--edit-key} the
	@var{new-user-id} is added verbatim with only leading and trailing
	white space removed, it is expected to be UTF-8 encoded, and no checks
	on its form are applied.

	@item --quick-revuid @var{user-id} @var{user-id-to-revoke}
	@opindex quick-revuid
	This command revokes a User ID on an existing key. It cannot be used
	to revoke the last User ID on key (some non-revoked User ID must
	remain), with revocation reason ``User ID is no longer valid''. If
	you want to specify a different revocation reason, or to supply
	supplementary revocation text, you should use the interactive
	sub-command @code{revuid} of @option{--edit-key}.

	@item --passwd @var{user_id}
	@opindex passwd
	Change the passphrase of the secret key belonging to the certificate
	specified as @var{user_id}. This is a shortcut for the sub-command
	@code{passwd} of the edit key menu.

	@end table


	@c *******************************************
	@c ************* **************
	@c ************* OPTIONS **************
	@c ************* **************
	@c *******************************************
	@mansect options
	@node GPG Options
	@section Option Summary

	@command{@gpgname} features a bunch of options to control the exact
	behaviour and to change the default configuration.

	@menu
	* GPG Configuration Options:: How to change the configuration.
	* GPG Key related Options:: Key related options.
	* GPG Input and Output:: Input and Output.
	* OpenPGP Options:: OpenPGP protocol specific options.
	* Compliance Options:: Compliance options.
	* GPG Esoteric Options:: Doing things one usually don't want to do.
	* Deprecated Options:: Deprecated options.
	@end menu

	Long options can be put in an options file (default
	"~/.gnupg/gpg.conf"). Short option names will not work - for example,
	"armor" is a valid option for the options file, while "a" is not. Do not
	write the 2 dashes, but simply the name of the option and any required
	arguments. Lines with a hash ('#') as the first non-white-space
	character are ignored. Commands may be put in this file too, but that is
	not generally useful as the command will execute automatically with
	every execution of gpg.

	Please remember that option parsing stops as soon as a non-option is
	encountered, you can explicitly stop parsing by using the special option
	@option{--}.

	@c *******************************************
	@c ****** CONFIGURATION OPTIONS ********
	@c *******************************************
	@node GPG Configuration Options
	@subsection How to change the configuration

	These options are used to change the configuration and are usually found
	in the option file.

	@table @gnupgtabopt

	@item --default-key @var{name}
	@opindex default-key
	Use @var{name} as the default key to sign with. If this option is not
	used, the default key is the first key found in the secret keyring.
	Note that @option{-u} or @option{--local-user} overrides this option.
	This option may be given multiple times. In this case, the last key
	for which a secret key is available is used. If there is no secret
	key available for any of the specified values, GnuPG will not emit an
	error message but continue as if this option wasn't given.

	@item --default-recipient @var{name}
	@opindex default-recipient
	Use @var{name} as default recipient if option @option{--recipient} is
	not used and don't ask if this is a valid one. @var{name} must be
	non-empty.

	@item --default-recipient-self
	@opindex default-recipient-self
	Use the default key as default recipient if option @option{--recipient} is not
	used and don't ask if this is a valid one. The default key is the first
	one from the secret keyring or the one set with @option{--default-key}.

	@item --no-default-recipient
	@opindex no-default-recipient
	Reset @option{--default-recipient} and @option{--default-recipient-self}.

	@item -v, --verbose
	@opindex verbose
	Give more information during processing. If used
	twice, the input data is listed in detail.

	@item --no-verbose
	@opindex no-verbose
	Reset verbose level to 0.

	@item -q, --quiet
	@opindex quiet
	Try to be as quiet as possible.

	@item --batch
	@itemx --no-batch
	@opindex batch
	@opindex no-batch
	Use batch mode. Never ask, do not allow interactive commands.
	@option{--no-batch} disables this option. Note that even with a
	filename given on the command line, gpg might still need to read from
	STDIN (in particular if gpg figures that the input is a
	detached signature and no data file has been specified). Thus if you
	do not want to feed data via STDIN, you should connect STDIN to
	@file{/dev/null}.

	@item --no-tty
	@opindex no-tty
	Make sure that the TTY (terminal) is never used for any output.
	This option is needed in some cases because GnuPG sometimes prints
	warnings to the TTY even if @option{--batch} is used.

	@item --yes
	@opindex yes
	Assume "yes" on most questions.

	@item --no
	@opindex no
	Assume "no" on most questions.


	@item --list-options @code{parameters}
	@opindex list-options
	This is a space or comma delimited string that gives options used when
	listing keys and signatures (that is, @option{--list-keys},
	@option{--list-sigs}, @option{--list-public-keys},
	@option{--list-secret-keys}, and the @option{--edit-key} functions).
	Options can be prepended with a @option{no-} (after the two dashes) to
	give the opposite meaning. The options are:

	@table @asis

	@item show-photos
	@opindex list-options:show-photos
	Causes @option{--list-keys}, @option{--list-sigs},
	@option{--list-public-keys}, and @option{--list-secret-keys} to
	display any photo IDs attached to the key. Defaults to no. See also
	@option{--photo-viewer}. Does not work with @option{--with-colons}:
	see @option{--attribute-fd} for the appropriate way to get photo data
	for scripts and other frontends.

	@item show-usage
	@opindex list-options:show-usage
	Show usage information for keys and subkeys in the standard key
	listing. This is a list of letters indicating the allowed usage for a
	key (@code{E}=encryption, @code{S}=signing, @code{C}=certification,
	@code{A}=authentication). Defaults to yes.

	@item show-policy-urls
	@opindex list-options:show-policy-urls
	Show policy URLs in the @option{--list-sigs} or @option{--check-sigs}
	listings. Defaults to no.

	@item show-notations
	@itemx show-std-notations
	@itemx show-user-notations
	@opindex list-options:show-notations
	@opindex list-options:show-std-notations
	@opindex list-options:show-user-notations
	Show all, IETF standard, or user-defined signature notations in the
	@option{--list-sigs} or @option{--check-sigs} listings. Defaults to no.

	@item show-keyserver-urls
	@opindex list-options:show-keyserver-urls
	Show any preferred keyserver URL in the @option{--list-sigs} or
	@option{--check-sigs} listings. Defaults to no.

	@item show-uid-validity
	@opindex list-options:show-uid-validity
	Display the calculated validity of user IDs during key listings.
	Defaults to yes.

	@item show-unusable-uids
	@opindex list-options:show-unusable-uids
	Show revoked and expired user IDs in key listings. Defaults to no.

	@item show-unusable-subkeys
	@opindex list-options:show-unusable-subkeys
	Show revoked and expired subkeys in key listings. Defaults to no.

	@item show-keyring
	@opindex list-options:show-keyring
	Display the keyring name at the head of key listings to show which
	keyring a given key resides on. Defaults to no.

	@item show-sig-expire
	@opindex list-options:show-sig-expire
	Show signature expiration dates (if any) during @option{--list-sigs} or
	@option{--check-sigs} listings. Defaults to no.

	@item show-sig-subpackets
	@opindex list-options:show-sig-subpackets
	Include signature subpackets in the key listing. This option can take an
	optional argument list of the subpackets to list. If no argument is
	passed, list all subpackets. Defaults to no. This option is only
	meaningful when using @option{--with-colons} along with
	@option{--list-sigs} or @option{--check-sigs}.

	@end table

	@item --verify-options @code{parameters}
	@opindex verify-options
	This is a space or comma delimited string that gives options used when
	verifying signatures. Options can be prepended with a `no-' to give
	the opposite meaning. The options are:

	@table @asis

	@item show-photos
	@opindex verify-options:show-photos
	Display any photo IDs present on the key that issued the signature.
	Defaults to no. See also @option{--photo-viewer}.

	@item show-policy-urls
	@opindex verify-options:show-policy-urls
	Show policy URLs in the signature being verified. Defaults to yes.

	@item show-notations
	@itemx show-std-notations
	@itemx show-user-notations
	@opindex verify-options:show-notations
	@opindex verify-options:show-std-notations
	@opindex verify-options:show-user-notations
	Show all, IETF standard, or user-defined signature notations in the
	signature being verified. Defaults to IETF standard.

	@item show-keyserver-urls
	@opindex verify-options:show-keyserver-urls
	Show any preferred keyserver URL in the signature being verified.
	Defaults to yes.

	@item show-uid-validity
	@opindex verify-options:show-uid-validity
	Display the calculated validity of the user IDs on the key that issued
	the signature. Defaults to yes.

	@item show-unusable-uids
	@opindex verify-options:show-unusable-uids
	Show revoked and expired user IDs during signature verification.
	Defaults to no.

	@item show-primary-uid-only
	@opindex verify-options:show-primary-uid-only
	Show only the primary user ID during signature verification. That is
	all the AKA lines as well as photo Ids are not shown with the signature
	verification status.

	@item pka-lookups
	@opindex verify-options:pka-lookups
	Enable PKA lookups to verify sender addresses. Note that PKA is based
	on DNS, and so enabling this option may disclose information on when
	and what signatures are verified or to whom data is encrypted. This
	is similar to the "web bug" described for the @option{--auto-key-retrieve}
	option.

	@item pka-trust-increase
	@opindex verify-options:pka-trust-increase
	Raise the trust in a signature to full if the signature passes PKA
	validation. This option is only meaningful if pka-lookups is set.
	@end table

	@item --enable-large-rsa
	@itemx --disable-large-rsa
	@opindex enable-large-rsa
	@opindex disable-large-rsa
	With --gen-key and --batch, enable the creation of RSA secret keys as
	large as 8192 bit. Note: 8192 bit is more than is generally
	recommended. These large keys don't significantly improve security,
	but they are more expensive to use, and their signatures and
	certifications are larger. This option is only available if the
	binary was build with large-secmem support.

	@item --enable-dsa2
	@itemx --disable-dsa2
	@opindex enable-dsa2
	@opindex disable-dsa2
	Enable hash truncation for all DSA keys even for old DSA Keys up to
	1024 bit. This is also the default with @option{--openpgp}. Note
	that older versions of GnuPG also required this flag to allow the
	generation of DSA larger than 1024 bit.

	@item --photo-viewer @code{string}
	@opindex photo-viewer
	This is the command line that should be run to view a photo ID. "%i"
	will be expanded to a filename containing the photo. "%I" does the
	same, except the file will not be deleted once the viewer exits.
	Other flags are "%k" for the key ID, "%K" for the long key ID, "%f"
	for the key fingerprint, "%t" for the extension of the image type
	(e.g. "jpg"), "%T" for the MIME type of the image (e.g. "image/jpeg"),
	"%v" for the single-character calculated validity of the image being
	viewed (e.g. "f"), "%V" for the calculated validity as a string (e.g.
	"full"), "%U" for a base32 encoded hash of the user ID,
	and "%%" for an actual percent sign. If neither %i or %I are present,
	then the photo will be supplied to the viewer on standard input.

	The default viewer is "xloadimage -fork -quiet -title 'KeyID 0x%k'
	STDIN". Note that if your image viewer program is not secure, then
	executing it from GnuPG does not make it secure.

	@item --exec-path @code{string}
	@opindex exec-path
	@efindex PATH
	Sets a list of directories to search for photo viewers and keyserver
	helpers. If not provided, keyserver helpers use the compiled-in
	default directory, and photo viewers use the @code{PATH} environment
	variable.
	Note, that on W32 system this value is ignored when searching for
	keyserver helpers.

	@item --keyring @code{file}
	@opindex keyring
	Add @code{file} to the current list of keyrings. If @code{file} begins
	with a tilde and a slash, these are replaced by the $HOME directory. If
	the filename does not contain a slash, it is assumed to be in the GnuPG
	home directory ("~/.gnupg" if @option{--homedir} or $GNUPGHOME is not
	used).

	Note that this adds a keyring to the current list. If the intent is to
	use the specified keyring alone, use @option{--keyring} along with
	@option{--no-default-keyring}.

	If the the option @option{--no-keyring} has been used no keyrings will
	be used at all.


	@item --secret-keyring @code{file}
	@opindex secret-keyring
	This is an obsolete option and ignored. All secret keys are stored in
	the @file{private-keys-v1.d} directory below the GnuPG home directory.

	@item --primary-keyring @code{file}
	@opindex primary-keyring
	Designate @code{file} as the primary public keyring. This means that
	newly imported keys (via @option{--import} or keyserver
	@option{--recv-from}) will go to this keyring.

	@item --trustdb-name @code{file}
	@opindex trustdb-name
	Use @code{file} instead of the default trustdb. If @code{file} begins
	with a tilde and a slash, these are replaced by the $HOME directory. If
	the filename does not contain a slash, it is assumed to be in the GnuPG
	home directory (@file{~/.gnupg} if @option{--homedir} or $GNUPGHOME is
	not used).

	@include opt-homedir.texi


	@item --display-charset @code{name}
	@opindex display-charset
	Set the name of the native character set. This is used to convert
	some informational strings like user IDs to the proper UTF-8 encoding.
	Note that this has nothing to do with the character set of data to be
	encrypted or signed; GnuPG does not recode user-supplied data. If
	this option is not used, the default character set is determined from
	the current locale. A verbosity level of 3 shows the chosen set.
	Valid values for @code{name} are:

	@table @asis

	@item iso-8859-1
	@opindex display-charset:iso-8859-1
	This is the Latin 1 set.

	@item iso-8859-2
	@opindex display-charset:iso-8859-2
	The Latin 2 set.

	@item iso-8859-15
	@opindex display-charset:iso-8859-15
	This is currently an alias for
	the Latin 1 set.

	@item koi8-r
	@opindex display-charset:koi8-r
	The usual Russian set (rfc1489).

	@item utf-8
	@opindex display-charset:utf-8
	Bypass all translations and assume
	that the OS uses native UTF-8 encoding.
	@end table

	@item --utf8-strings
	@itemx --no-utf8-strings
	@opindex utf8-strings
	Assume that command line arguments are given as UTF8 strings. The
	default (@option{--no-utf8-strings}) is to assume that arguments are
	encoded in the character set as specified by
	@option{--display-charset}. These options affect all following
	arguments. Both options may be used multiple times.

	@anchor{gpg-option --options}
	@item --options @code{file}
	@opindex options
	Read options from @code{file} and do not try to read them from the
	default options file in the homedir (see @option{--homedir}). This
	option is ignored if used in an options file.

	@item --no-options
	@opindex no-options
	Shortcut for @option{--options /dev/null}. This option is detected
	before an attempt to open an option file. Using this option will also
	prevent the creation of a @file{~/.gnupg} homedir.

	@item -z @code{n}
	@itemx --compress-level @code{n}
	@itemx --bzip2-compress-level @code{n}
	@opindex compress-level
	@opindex bzip2-compress-level
	Set compression level to @code{n} for the ZIP and ZLIB compression
	algorithms. The default is to use the default compression level of zlib
	(normally 6). @option{--bzip2-compress-level} sets the compression level
	for the BZIP2 compression algorithm (defaulting to 6 as well). This is a
	different option from @option{--compress-level} since BZIP2 uses a
	significant amount of memory for each additional compression level.
	@option{-z} sets both. A value of 0 for @code{n} disables compression.

	@item --bzip2-decompress-lowmem
	@opindex bzip2-decompress-lowmem
	Use a different decompression method for BZIP2 compressed files. This
	alternate method uses a bit more than half the memory, but also runs
	at half the speed. This is useful under extreme low memory
	circumstances when the file was originally compressed at a high
	@option{--bzip2-compress-level}.


	@item --mangle-dos-filenames
	@itemx --no-mangle-dos-filenames
	@opindex mangle-dos-filenames
	@opindex no-mangle-dos-filenames
	Older version of Windows cannot handle filenames with more than one
	dot. @option{--mangle-dos-filenames} causes GnuPG to replace (rather
	than add to) the extension of an output filename to avoid this
	problem. This option is off by default and has no effect on non-Windows
	platforms.

	@item --ask-cert-level
	@itemx --no-ask-cert-level
	@opindex ask-cert-level
	When making a key signature, prompt for a certification level. If this
	option is not specified, the certification level used is set via
	@option{--default-cert-level}. See @option{--default-cert-level} for
	information on the specific levels and how they are
	used. @option{--no-ask-cert-level} disables this option. This option
	defaults to no.

	@item --default-cert-level @code{n}
	@opindex default-cert-level
	The default to use for the check level when signing a key.

	0 means you make no particular claim as to how carefully you verified
	the key.

	1 means you believe the key is owned by the person who claims to own
	it but you could not, or did not verify the key at all. This is
	useful for a "persona" verification, where you sign the key of a
	pseudonymous user.

	2 means you did casual verification of the key. For example, this
	could mean that you verified the key fingerprint and checked the
	user ID on the key against a photo ID.

	3 means you did extensive verification of the key. For example, this
	could mean that you verified the key fingerprint with the owner of the
	key in person, and that you checked, by means of a hard to forge
	document with a photo ID (such as a passport) that the name of the key
	owner matches the name in the user ID on the key, and finally that you
	verified (by exchange of email) that the email address on the key
	belongs to the key owner.

	Note that the examples given above for levels 2 and 3 are just that:
	examples. In the end, it is up to you to decide just what "casual"
	and "extensive" mean to you.

	This option defaults to 0 (no particular claim).

	@item --min-cert-level
	@opindex min-cert-level
	When building the trust database, treat any signatures with a
	certification level below this as invalid. Defaults to 2, which
	disregards level 1 signatures. Note that level 0 "no particular
	claim" signatures are always accepted.

	@item --trusted-key @code{long key ID}
	@opindex trusted-key
	Assume that the specified key (which must be given
	as a full 8 byte key ID) is as trustworthy as one of
	your own secret keys. This option is useful if you
	don't want to keep your secret keys (or one of them)
	online but still want to be able to check the validity of a given
	recipient's or signator's key.

	@item --trust-model @code{pgp\|classic\|tofu\|tofu+pgp\|direct\|always\|auto}
	@opindex trust-model
	Set what trust model GnuPG should follow. The models are:

	@table @asis

	@item pgp
	@opindex trust-mode:pgp
	This is the Web of Trust combined with trust signatures as used in PGP
	5.x and later. This is the default trust model when creating a new
	trust database.

	@item classic
	@opindex trust-mode:classic
	This is the standard Web of Trust as introduced by PGP 2.

	@item tofu
	@opindex trust-mode:tofu
	@anchor{trust-model-tofu}
	TOFU stands for Trust On First Use. In this trust model, the first
	time a key is seen, it is memorized. If later another key is seen
	with a user id with the same email address, a warning is displayed
	indicating that there is a conflict and that the key might be a
	forgery and an attempt at a man-in-the-middle attack.

	Because a potential attacker is able to control the email address
	and thereby circumvent the conflict detection algorithm by using an
	email address that is similar in appearance to a trusted email
	address, whenever a message is verified, statistics about the number
	of messages signed with the key are shown. In this way, a user can
	easily identify attacks using fake keys for regular correspondents.

	When compared with the Web of Trust, TOFU offers significantly
	weaker security guarantees. In particular, TOFU only helps ensure
	consistency (that is, that the binding between a key and email
	address doesn't change). A major advantage of TOFU is that it
	requires little maintenance to use correctly. To use the web of
	trust properly, you need to actively sign keys and mark users as
	trusted introducers. This is a time-consuming process and anecdotal
	evidence suggests that even security-conscious users rarely take the
	time to do this thoroughly and instead rely on an ad-hoc TOFU
	process.

	In the TOFU model, policies are associated with bindings between
	keys and email addresses (which are extracted from user ids and
	normalized). There are five policies, which can be set manually
	using the @option{--tofu-policy} option. The default policy can be
	set using the @option{--tofu-default-policy} policy.

	The TOFU policies are: @code{auto}, @code{good}, @code{unknown},
	@code{bad} and @code{ask}. The @code{auto} policy is used by
	default (unless overridden by @option{--tofu-default-policy}) and
	marks a binding as marginally trusted. The @code{good},
	@code{unknown} and @code{bad} policies mark a binding as fully
	trusted, as having unknown trust or as having trust never,
	respectively. The @code{unknown} policy is useful for just using
	TOFU to detect conflicts, but to never assign positive trust to a
	binding. The final policy, @code{ask} prompts the user to indicate
	the binding's trust. If batch mode is enabled (or input is
	inappropriate in the context), then the user is not prompted and the
	@code{undefined} trust level is returned.

	@item tofu+pgp
	@opindex trust-mode:tofu+pgp
	This trust model combines TOFU with the Web of Trust. This is done
	by computing the trust level for each model and then taking the
	maximum trust level where the trust levels are ordered as follows:
	@code{unknown < undefined < marginal < fully < ultimate < expired <
	never}.

	By setting @option{--tofu-default-policy=unknown}, this model can be
	used to implement the web of trust with TOFU's conflict detection
	algorithm, but without its assignment of positive trust values,
	which some security-conscious users don't like.

	@item direct
	@opindex trust-mode:direct
	Key validity is set directly by the user and not calculated via the
	Web of Trust.

	@item always
	@opindex trust-mode:always
	Skip key validation and assume that used keys are always fully
	valid. You generally won't use this unless you are using some
	external validation scheme. This option also suppresses the
	"[uncertain]" tag printed with signature checks when there is no
	evidence that the user ID is bound to the key. Note that this
	trust model still does not allow the use of expired, revoked, or
	disabled keys.

	@item auto
	@opindex trust-mode:auto
	Select the trust model depending on whatever the internal trust
	database says. This is the default model if such a database already
	exists.
	@end table

	@item --auto-key-locate @code{parameters}
	@itemx --no-auto-key-locate
	@opindex auto-key-locate
	GnuPG can automatically locate and retrieve keys as needed using this
	option. This happens when encrypting to an email address (in the
	"user@@example.com" form), and there are no user@@example.com keys on
	the local keyring. This option takes any number of the following
	mechanisms, in the order they are to be tried:

	@table @asis

	@item cert
	Locate a key using DNS CERT, as specified in rfc4398.

	@item pka
	Locate a key using DNS PKA.

	@item dane
	Locate a key using DANE, as specified
	in draft-ietf-dane-openpgpkey-05.txt.

	@item wkd
	Locate a key using the Web Key Directory protocol.
	This is an experimental method and semantics may change.

	@item ldap
	Using DNS Service Discovery, check the domain in question for any LDAP
	keyservers to use. If this fails, attempt to locate the key using the
	PGP Universal method of checking @samp{ldap://keys.(thedomain)}.

	@item keyserver
	Locate a key using whatever keyserver is defined using the
	@option{--keyserver} option.

	@item keyserver-URL
	In addition, a keyserver URL as used in the @option{--keyserver} option
	may be used here to query that particular keyserver.

	@item local
	- Locate the key using the local keyrings. This mechanism allows to
	+ Locate the key using the local keyrings. This mechanism allows the user to
	select the order a local key lookup is done. Thus using
	@samp{--auto-key-locate local} is identical to
	@option{--no-auto-key-locate}.

	@item nodefault
	This flag disables the standard local key lookup, done before any of the
	mechanisms defined by the @option{--auto-key-locate} are tried. The
	position of this mechanism in the list does not matter. It is not
	required if @code{local} is also used.

	@item clear
	Clear all defined mechanisms. This is useful to override
	mechanisms given in a config file.

	@end table

	@item --auto-key-retrieve
	@itemx --no-auto-key-retrieve
	@opindex auto-key-retrieve
	@opindex no-auto-key-retrieve
	This option enables the automatic retrieving of keys from a keyserver
	when verifying signatures made by keys that are not on the local
	keyring.

	If the method "wkd" is included in the list of methods given to
	@option{auto-key-locate}, the Signer's User ID is part of the
	signature, and the option @option{--disable-signer-uid} is not used,
	the "wkd" method may also be used to retrieve a key.

	Note that this option makes a "web bug" like behavior possible.
	Keyserver or Web Key Directory operators can see which keys you
	request, so by sending you a message signed by a brand new key (which
	you naturally will not have on your local keyring), the operator can
	tell both your IP address and the time when you verified the
	signature.

	@item --keyid-format @code{none\|short\|0xshort\|long\|0xlong}
	@opindex keyid-format
	Select how to display key IDs. "none" does not show the key ID at all
	but shows the fingerprint in a separate line. "short" is the
	traditional 8-character key ID. "long" is the more accurate (but less
	convenient) 16-character key ID. Add an "0x" to either to include an
	"0x" at the beginning of the key ID, as in 0x99242560. Note that this
	option is ignored if the option @option{--with-colons} is used.

	@item --keyserver @code{name}
	@opindex keyserver
	This option is deprecated - please use the @option{--keyserver} in
	@file{dirmngr.conf} instead.

	Use @code{name} as your keyserver. This is the server that
	@option{--recv-keys}, @option{--send-keys}, and @option{--search-keys}
	will communicate with to receive keys from, send keys to, and search for
	keys on. The format of the @code{name} is a URI:
	`scheme:[//]keyservername[:port]' The scheme is the type of keyserver:
	"hkp" for the HTTP (or compatible) keyservers, "ldap" for the LDAP
	keyservers, or "mailto" for the Graff email keyserver. Note that your
	particular installation of GnuPG may have other keyserver types
	available as well. Keyserver schemes are case-insensitive. After the
	keyserver name, optional keyserver configuration options may be
	provided. These are the same as the global @option{--keyserver-options}
	from below, but apply only to this particular keyserver.

	Most keyservers synchronize with each other, so there is generally no
	need to send keys to more than one server. The keyserver
	@code{hkp://keys.gnupg.net} uses round robin DNS to give a different
	keyserver each time you use it.

	@item --keyserver-options @code{name=value}
	@opindex keyserver-options
	This is a space or comma delimited string that gives options for the
	keyserver. Options can be prefixed with a `no-' to give the opposite
	meaning. Valid import-options or export-options may be used here as
	well to apply to importing (@option{--recv-key}) or exporting
	(@option{--send-key}) a key from a keyserver. While not all options
	are available for all keyserver types, some common options are:

	@table @asis

	@item include-revoked
	When searching for a key with @option{--search-keys}, include keys that
	are marked on the keyserver as revoked. Note that not all keyservers
	differentiate between revoked and unrevoked keys, and for such
	keyservers this option is meaningless. Note also that most keyservers do
	not have cryptographic verification of key revocations, and so turning
	this option off may result in skipping keys that are incorrectly marked
	as revoked.

	@item include-disabled
	When searching for a key with @option{--search-keys}, include keys that
	are marked on the keyserver as disabled. Note that this option is not
	used with HKP keyservers.

	@item auto-key-retrieve
	This is the same as the option @option{auto-key-retrieve}.

	@item honor-keyserver-url
	When using @option{--refresh-keys}, if the key in question has a preferred
	keyserver URL, then use that preferred keyserver to refresh the key
	from. In addition, if auto-key-retrieve is set, and the signature
	being verified has a preferred keyserver URL, then use that preferred
	keyserver to fetch the key from. Note that this option introduces a
	"web bug": The creator of the key can see when the keys is
	refreshed. Thus this option is not enabled by default.

	@item honor-pka-record
	If @option{--auto-key-retrieve} is used, and the signature being
	verified has a PKA record, then use the PKA information to fetch
	the key. Defaults to "yes".

	@item include-subkeys
	When receiving a key, include subkeys as potential targets. Note that
	this option is not used with HKP keyservers, as they do not support
	retrieving keys by subkey id.

	@item timeout
	Tell the keyserver helper program how long (in seconds) to try and
	perform a keyserver action before giving up. Note that performing
	multiple actions at the same time uses this timeout value per action.
	For example, when retrieving multiple keys via @option{--recv-keys}, the
	timeout applies separately to each key retrieval, and not to the
	@option{--recv-keys} command as a whole. Defaults to 30 seconds.

	@item http-proxy=@code{value}
	This options is deprecated.
	Set the proxy to use for HTTP and HKP keyservers.
	This overrides any proxy defined in @file{dirmngr.conf}.

	@item verbose
	This option has no more function since GnuPG 2.1. Use the
	@code{dirmngr} configuration options instead.

	@item debug
	This option has no more function since GnuPG 2.1. Use the
	@code{dirmngr} configuration options instead.

	@item check-cert
	This option has no more function since GnuPG 2.1. Use the
	@code{dirmngr} configuration options instead.

	@item ca-cert-file
	This option has no more function since GnuPG 2.1. Use the
	@code{dirmngr} configuration options instead.

	@end table

	@item --completes-needed @code{n}
	@opindex compliant-needed
	Number of completely trusted users to introduce a new
	key signer (defaults to 1).

	@item --marginals-needed @code{n}
	@opindex marginals-needed
	Number of marginally trusted users to introduce a new
	key signer (defaults to 3)

	@item --tofu-default-policy @code{auto\|good\|unknown\|bad\|ask}
	@opindex tofu-default-policy
	The default TOFU policy (defaults to @code{auto}). For more
	information about the meaning of this option, @xref{trust-model-tofu}.

	@item --tofu-db-format @code{auto\|split\|flat}
	@opindex tofu-default-policy
	The format for the TOFU DB.

	The split file format splits the data across many DBs under the
	@code{tofu.d} directory (one per email address and one per key). This
	makes it easier to automatically synchronize the data using a tool
	such as Unison (@url{https://www.cis.upenn.edu/~bcpierce/unison/}),
	since the individual files change rarely.

	The flat file format keeps all of the data in the single file
	@code{tofu.db}. This format results in better performance.

	If set to auto (which is the default), GnuPG will first check for the
	existence of @code{tofu.d} and @code{tofu.db}. If one of these
	exists, the corresponding format is used. If neither or both of these
	exist, then GnuPG defaults to the @code{split} format. In the latter
	case, a warning is emitted.

	@item --max-cert-depth @code{n}
	@opindex max-cert-depth
	Maximum depth of a certification chain (default is 5).

	@item --no-sig-cache
	@opindex no-sig-cache
	Do not cache the verification status of key signatures.
	Caching gives a much better performance in key listings. However, if
	you suspect that your public keyring is not save against write
	modifications, you can use this option to disable the caching. It
	probably does not make sense to disable it because all kind of damage
	can be done if someone else has write access to your public keyring.

	@item --auto-check-trustdb
	@itemx --no-auto-check-trustdb
	@opindex auto-check-trustdb
	If GnuPG feels that its information about the Web of Trust has to be
	updated, it automatically runs the @option{--check-trustdb} command
	internally. This may be a time consuming
	process. @option{--no-auto-check-trustdb} disables this option.

	@item --use-agent
	@itemx --no-use-agent
	@opindex use-agent
	This is dummy option. @command{@gpgname} always requires the agent.

	@item --gpg-agent-info
	@opindex gpg-agent-info
	This is dummy option. It has no effect when used with @command{@gpgname}.


	@item --agent-program @var{file}
	@opindex agent-program
	Specify an agent program to be used for secret key operations. The
	default value is determined by running @command{gpgconf} with the
	option @option{--list-dirs}. Note that the pipe symbol (@code{\|}) is
	used for a regression test suite hack and may thus not be used in the
	file name.

	@item --dirmngr-program @var{file}
	@opindex dirmngr-program
	Specify a dirmngr program to be used for keyserver access. The
	default value is @file{@value{BINDIR}/dirmngr}.

	@item --no-autostart
	@opindex no-autostart
	Do not start the gpg-agent or the dirmngr if it has not yet been
	started and its service is required. This option is mostly useful on
	machines where the connection to gpg-agent has been redirected to
	another machines. If dirmngr is required on the remote machine, it
	may be started manually using @command{gpgconf --launch dirmngr}.

	@item --lock-once
	@opindex lock-once
	Lock the databases the first time a lock is requested
	and do not release the lock until the process
	terminates.

	@item --lock-multiple
	@opindex lock-multiple
	Release the locks every time a lock is no longer
	needed. Use this to override a previous @option{--lock-once}
	from a config file.

	@item --lock-never
	@opindex lock-never
	Disable locking entirely. This option should be used only in very
	special environments, where it can be assured that only one process
	is accessing those files. A bootable floppy with a stand-alone
	encryption system will probably use this. Improper usage of this
	option may lead to data and key corruption.

	@item --exit-on-status-write-error
	@opindex exit-on-status-write-error
	This option will cause write errors on the status FD to immediately
	terminate the process. That should in fact be the default but it never
	worked this way and thus we need an option to enable this, so that the
	change won't break applications which close their end of a status fd
	connected pipe too early. Using this option along with
	@option{--enable-progress-filter} may be used to cleanly cancel long
	running gpg operations.

	@item --limit-card-insert-tries @code{n}
	@opindex limit-card-insert-tries
	With @code{n} greater than 0 the number of prompts asking to insert a
	smartcard gets limited to N-1. Thus with a value of 1 gpg won't at
	all ask to insert a card if none has been inserted at startup. This
	option is useful in the configuration file in case an application does
	not know about the smartcard support and waits ad infinitum for an
	inserted card.

	@item --no-random-seed-file
	@opindex no-random-seed-file
	GnuPG uses a file to store its internal random pool over invocations.
	This makes random generation faster; however sometimes write operations
	are not desired. This option can be used to achieve that with the cost of
	slower random generation.

	@item --no-greeting
	@opindex no-greeting
	Suppress the initial copyright message.

	@item --no-secmem-warning
	@opindex no-secmem-warning
	Suppress the warning about "using insecure memory".

	@item --no-permission-warning
	@opindex permission-warning
	Suppress the warning about unsafe file and home directory (@option{--homedir})
	permissions. Note that the permission checks that GnuPG performs are
	not intended to be authoritative, but rather they simply warn about
	certain common permission problems. Do not assume that the lack of a
	warning means that your system is secure.

	Note that the warning for unsafe @option{--homedir} permissions cannot be
	suppressed in the gpg.conf file, as this would allow an attacker to
	place an unsafe gpg.conf file in place, and use this file to suppress
	warnings about itself. The @option{--homedir} permissions warning may only be
	suppressed on the command line.

	@item --no-mdc-warning
	@opindex no-mdc-warning
	Suppress the warning about missing MDC integrity protection.

	@item --require-secmem
	@itemx --no-require-secmem
	@opindex require-secmem
	Refuse to run if GnuPG cannot get secure memory. Defaults to no
	(i.e. run, but give a warning).


	@item --require-cross-certification
	@itemx --no-require-cross-certification
	@opindex require-cross-certification
	When verifying a signature made from a subkey, ensure that the cross
	certification "back signature" on the subkey is present and valid. This
	protects against a subtle attack against subkeys that can sign.
	Defaults to @option{--require-cross-certification} for
	@command{@gpgname}.

	@item --expert
	@itemx --no-expert
	@opindex expert
	Allow the user to do certain nonsensical or "silly" things like
	signing an expired or revoked key, or certain potentially incompatible
	things like generating unusual key types. This also disables certain
	warning messages about potentially incompatible actions. As the name
	implies, this option is for experts only. If you don't fully
	understand the implications of what it allows you to do, leave this
	off. @option{--no-expert} disables this option.

	@end table


	@c *******************************************
	@c ****** KEY RELATED OPTIONS **********
	@c *******************************************
	@node GPG Key related Options
	@subsection Key related options

	@table @gnupgtabopt

	@item --recipient @var{name}
	@itemx -r
	@opindex recipient
	Encrypt for user id @var{name}. If this option or
	@option{--hidden-recipient} is not specified, GnuPG asks for the user-id
	unless @option{--default-recipient} is given.

	@item --hidden-recipient @var{name}
	@itemx -R
	@opindex hidden-recipient
	Encrypt for user ID @var{name}, but hide the key ID of this user's
	key. This option helps to hide the receiver of the message and is a
	limited countermeasure against traffic analysis. If this option or
	@option{--recipient} is not specified, GnuPG asks for the user ID unless
	@option{--default-recipient} is given.

	@item --recipient-file @var{file}
	@itemx -f
	@opindex recipient-file
	This option is similar to @option{--recipient} except that it
	encrypts to a key stored in the given file. @var{file} must be the
	name of a file containing exactly one key. @command{gpg} assumes that
	the key in this file is fully valid.

	@item --hidden-recipient-file @var{file}
	@itemx -F
	@opindex hidden-recipient-file
	This option is similar to @option{--hidden-recipient} except that it
	encrypts to a key stored in the given file. @var{file} must be the
	name of a file containing exactly one key. @command{gpg} assumes that
	the key in this file is fully valid.

	@item --encrypt-to @code{name}
	@opindex encrypt-to
	Same as @option{--recipient} but this one is intended for use in the
	options file and may be used with your own user-id as an
	"encrypt-to-self". These keys are only used when there are other
	recipients given either by use of @option{--recipient} or by the asked
	user id. No trust checking is performed for these user ids and even
	disabled keys can be used.

	@item --hidden-encrypt-to @code{name}
	@opindex hidden-encrypt-to
	Same as @option{--hidden-recipient} but this one is intended for use in the
	options file and may be used with your own user-id as a hidden
	"encrypt-to-self". These keys are only used when there are other
	recipients given either by use of @option{--recipient} or by the asked user id.
	No trust checking is performed for these user ids and even disabled
	keys can be used.

	@item --no-encrypt-to
	@opindex no-encrypt-to
	Disable the use of all @option{--encrypt-to} and
	@option{--hidden-encrypt-to} keys.

	@item --group @code{name=value1 }
	@opindex group
	Sets up a named group, which is similar to aliases in email programs.
	Any time the group name is a recipient (@option{-r} or
	@option{--recipient}), it will be expanded to the values
	specified. Multiple groups with the same name are automatically merged
	into a single group.

	The values are @code{key IDs} or fingerprints, but any key description
	is accepted. Note that a value with spaces in it will be treated as
	two different values. Note also there is only one level of expansion
	--- you cannot make an group that points to another group. When used
	from the command line, it may be necessary to quote the argument to
	this option to prevent the shell from treating it as multiple
	arguments.

	@item --ungroup @code{name}
	@opindex ungroup
	Remove a given entry from the @option{--group} list.

	@item --no-groups
	@opindex no-groups
	Remove all entries from the @option{--group} list.

	@item --local-user @var{name}
	@itemx -u
	@opindex local-user
	Use @var{name} as the key to sign with. Note that this option overrides
	@option{--default-key}.

	@item --try-secret-key @var{name}
	@opindex try-secret-key
	For hidden recipients GPG needs to know the keys to use for trial
	decryption. The key set with @option{--default-key} is always tried
	-first, but this is often not sufficient. This option allows to set more
	+first, but this is often not sufficient. This option allows setting more
	keys to be used for trial decryption. Although any valid user-id
	specification may be used for @var{name} it makes sense to use at least
	the long keyid to avoid ambiguities. Note that gpg-agent might pop up a
	pinentry for a lot keys to do the trial decryption. If you want to stop
	all further trial decryption you may use close-window button instead of
	the cancel button.

	@item --try-all-secrets
	@opindex try-all-secrets
	Don't look at the key ID as stored in the message but try all secret
	keys in turn to find the right decryption key. This option forces the
	behaviour as used by anonymous recipients (created by using
	@option{--throw-keyids} or @option{--hidden-recipient}) and might come
	handy in case where an encrypted message contains a bogus key ID.

	@item --skip-hidden-recipients
	@itemx --no-skip-hidden-recipients
	@opindex skip-hidden-recipients
	@opindex no-skip-hidden-recipients
	During decryption skip all anonymous recipients. This option helps in
	the case that people use the hidden recipients feature to hide there
	own encrypt-to key from others. If oneself has many secret keys this
	may lead to a major annoyance because all keys are tried in turn to
	decrypt something which was not really intended for it. The drawback
	of this option is that it is currently not possible to decrypt a
	message which includes real anonymous recipients.


	@end table

	@c *******************************************
	@c ****** INPUT AND OUTPUT *************
	@c *******************************************
	@node GPG Input and Output
	@subsection Input and Output

	@table @gnupgtabopt

	@item --armor
	@itemx -a
	@opindex armor
	Create ASCII armored output. The default is to create the binary
	OpenPGP format.

	@item --no-armor
	@opindex no-armor
	Assume the input data is not in ASCII armored format.

	@item --output @var{file}
	@itemx -o @var{file}
	@opindex output
	Write output to @var{file}.

	@item --max-output @code{n}
	@opindex max-output
	This option sets a limit on the number of bytes that will be generated
	when processing a file. Since OpenPGP supports various levels of
	compression, it is possible that the plaintext of a given message may be
	significantly larger than the original OpenPGP message. While GnuPG
	works properly with such messages, there is often a desire to set a
	maximum file size that will be generated before processing is forced to
	stop by the OS limits. Defaults to 0, which means "no limit".

	@item --import-options @code{parameters}
	@opindex import-options
	This is a space or comma delimited string that gives options for
	importing keys. Options can be prepended with a `no-' to give the
	opposite meaning. The options are:

	@table @asis

	@item import-local-sigs
	Allow importing key signatures marked as "local". This is not
	generally useful unless a shared keyring scheme is being used.
	Defaults to no.

	@item keep-ownertrust
	Normally possible still existing ownertrust values of a key are
	cleared if a key is imported. This is in general desirable so that
	a formerly deleted key does not automatically gain an ownertrust
	values merely due to import. On the other hand it is sometimes
	necessary to re-import a trusted set of keys again but keeping
	already assigned ownertrust values. This can be achived by using
	this option.

	@item repair-pks-subkey-bug
	During import, attempt to repair the damage caused by the PKS keyserver
	bug (pre version 0.9.6) that mangles keys with multiple subkeys. Note
	that this cannot completely repair the damaged key as some crucial data
	is removed by the keyserver, but it does at least give you back one
	subkey. Defaults to no for regular @option{--import} and to yes for
	keyserver @option{--recv-keys}.

	@item import-show
	Show a listing of the key as imported right before it is stored.
	This can be combined with the option @option{--dry-run} to only look
	at keys.

	@item import-export
	Run the entire import code but instead of storing the key to the
	local keyring write it to the output. The export options
	@option{export-pka} and @option{export-dane} affect the output. This
	option can be used to remove all invalid parts from a key without the
	need to store it.

	@item merge-only
	During import, allow key updates to existing keys, but do not allow
	any new keys to be imported. Defaults to no.

	@item import-clean
	After import, compact (remove all signatures except the
	self-signature) any user IDs from the new key that are not usable.
	Then, remove any signatures from the new key that are not usable.
	This includes signatures that were issued by keys that are not present
	on the keyring. This option is the same as running the @option{--edit-key}
	command "clean" after import. Defaults to no.

	@item import-minimal
	Import the smallest key possible. This removes all signatures except
	the most recent self-signature on each user ID. This option is the
	same as running the @option{--edit-key} command "minimize" after import.
	Defaults to no.
	@end table

	@item --import-filter @code{@var{name}=@var{expr}}
	@itemx --export-filter @code{@var{name}=@var{expr}}
	@opindex import-filter
	@opindex export-filter
	These options define an import/export filter which are applied to the
	imported/exported keyblock right before it will be stored/written.
	@var{name} defines the type of filter to use, @var{expr} the
	expression to evaluate. The option can be used several times which
	then appends more expression to the same @var{name}.

	@noindent
	The available filter types are:

	@table @asis

	@item keep-uid
	This filter will keep a user id packet and its dependent packets in
	the keyblock if the expression evaluates to true.

	@end table

	For the syntax of the expression see the chapter "FILTER EXPRESSIONS".
	The property names for the expressions depend on the actual filter
	type and are indicated in the following table.

	The available properties are:

	@table @asis

	@item uid
	A string with the user id. (keep-uid)

	@item mbox
	The addr-spec part of a user id with mailbox or the empty string.
	(keep-uid)

	@item primary
	Boolean indicating whether the user id is the primary one. (keep-uid)

	@end table

	@item --export-options @code{parameters}
	@opindex export-options
	This is a space or comma delimited string that gives options for
	exporting keys. Options can be prepended with a `no-' to give the
	opposite meaning. The options are:

	@table @asis

	@item export-local-sigs
	Allow exporting key signatures marked as "local". This is not
	generally useful unless a shared keyring scheme is being used.
	Defaults to no.

	@item export-attributes
	Include attribute user IDs (photo IDs) while exporting. This is
	useful to export keys if they are going to be used by an OpenPGP
	program that does not accept attribute user IDs. Defaults to yes.

	@item export-sensitive-revkeys
	Include designated revoker information that was marked as
	"sensitive". Defaults to no.

	@c Since GnuPG 2.1 gpg-agent manages the secret key and thus the
	@c export-reset-subkey-passwd hack is not anymore justified. Such use
	@c cases may be implemented using a specialized secret key export
	@c tool.
	@c @item export-reset-subkey-passwd
	@c When using the @option{--export-secret-subkeys} command, this option resets
	@c the passphrases for all exported subkeys to empty. This is useful
	@c when the exported subkey is to be used on an unattended machine where
	@c a passphrase doesn't necessarily make sense. Defaults to no.

	@item export-clean
	Compact (remove all signatures from) user IDs on the key being
	exported if the user IDs are not usable. Also, do not export any
	signatures that are not usable. This includes signatures that were
	issued by keys that are not present on the keyring. This option is
	the same as running the @option{--edit-key} command "clean" before export
	except that the local copy of the key is not modified. Defaults to
	no.

	@item export-minimal
	Export the smallest key possible. This removes all signatures except the
	most recent self-signature on each user ID. This option is the same as
	running the @option{--edit-key} command "minimize" before export except
	that the local copy of the key is not modified. Defaults to no.

	@item export-pka
	Instead of outputting the key material output PKA records suitable
	to put into DNS zone files. An ORIGIN line is printed before each
	record to allow diverting the records to the corresponding zone file.

	@item export-dane
	Instead of outputting the key material output OpenPGP DANE records
	suitable to put into DNS zone files. An ORIGIN line is printed before
	each record to allow diverting the records to the corresponding zone
	file.

	@end table

	@item --with-colons
	@opindex with-colons
	Print key listings delimited by colons. Note that the output will be
	encoded in UTF-8 regardless of any @option{--display-charset} setting. This
	format is useful when GnuPG is called from scripts and other programs
	as it is easily machine parsed. The details of this format are
	documented in the file @file{doc/DETAILS}, which is included in the GnuPG
	source distribution.

	@item --fixed-list-mode
	@opindex fixed-list-mode
	Do not merge primary user ID and primary key in @option{--with-colon}
	listing mode and print all timestamps as seconds since 1970-01-01.
	Since GnuPG 2.0.10, this mode is always used and thus this option is
	obsolete; it does not harm to use it though.

	@item --legacy-list-mode
	@opindex legacy-list-mode
	Revert to the pre-2.1 public key list mode. This only affects the
	human readable output and not the machine interface
	(i.e. @code{--with-colons}). Note that the legacy format does not
	allow to convey suitable information for elliptic curves.

	@item --with-fingerprint
	@opindex with-fingerprint
	Same as the command @option{--fingerprint} but changes only the format
	of the output and may be used together with another command.

	@item --with-subkey-fingerprint
	@opindex with-subkey-fingerprint
	If a fingerprint is printed for the primary key, this option forces
	printing of the fingerprint for all subkeys. This could also be
	achieved by using the @option{--with-fingerprint} twice but by using
	this option along with keyid-format "none" a compact fingerprint is
	printed.

	@item --with-icao-spelling
	@opindex with-icao-spelling
	Print the ICAO spelling of the fingerprint in addition to the hex digits.

	@item --with-keygrip
	@opindex with-keygrip
	Include the keygrip in the key listings.

	@item --with-wkd-hash
	@opindex with-wkd-hash
	Print a Web Key Directory indentifier along with each user ID in key
	listings. This is an experimental feature and semantics may change.

	@item --with-secret
	@opindex with-secret
	Include info about the presence of a secret key in public key listings
	done with @code{--with-colons}.

	@end table

	@c *******************************************
	@c ****** OPENPGP OPTIONS **************
	@c *******************************************
	@node OpenPGP Options
	@subsection OpenPGP protocol specific options.

	@table @gnupgtabopt

	@item -t, --textmode
	@itemx --no-textmode
	@opindex textmode
	Treat input files as text and store them in the OpenPGP canonical text
	form with standard "CRLF" line endings. This also sets the necessary
	flags to inform the recipient that the encrypted or signed data is text
	and may need its line endings converted back to whatever the local
	system uses. This option is useful when communicating between two
	platforms that have different line ending conventions (UNIX-like to Mac,
	Mac to Windows, etc). @option{--no-textmode} disables this option, and
	is the default.

	@item --force-v3-sigs
	@itemx --no-force-v3-sigs
	@item --force-v4-certs
	@itemx --no-force-v4-certs
	These options are obsolete and have no effect since GnuPG 2.1.

	@item --force-mdc
	@opindex force-mdc
	Force the use of encryption with a modification detection code. This
	is always used with the newer ciphers (those with a blocksize greater
	than 64 bits), or if all of the recipient keys indicate MDC support in
	their feature flags.

	@item --disable-mdc
	@opindex disable-mdc
	Disable the use of the modification detection code. Note that by
	using this option, the encrypted message becomes vulnerable to a
	message modification attack.

	@item --disable-signer-uid
	@opindex disable-signer-uid
	By default the user ID of the signing key is embedded in the data
	signature. As of now this is only done if the signing key has been
	specified with @option{local-user} using a mail address. This
	information can be helpful for verifier to locate the key; see
	option @option{--auto-key-retrieve}.

	@item --personal-cipher-preferences @code{string}
	@opindex personal-cipher-preferences
	Set the list of personal cipher preferences to @code{string}. Use
	@command{@gpgname --version} to get a list of available algorithms,
	and use @code{none} to set no preference at all. This allows the user
	to safely override the algorithm chosen by the recipient key
	preferences, as GPG will only select an algorithm that is usable by
	all recipients. The most highly ranked cipher in this list is also
	used for the @option{--symmetric} encryption command.

	@item --personal-digest-preferences @code{string}
	@opindex personal-digest-preferences
	Set the list of personal digest preferences to @code{string}. Use
	@command{@gpgname --version} to get a list of available algorithms,
	and use @code{none} to set no preference at all. This allows the user
	to safely override the algorithm chosen by the recipient key
	preferences, as GPG will only select an algorithm that is usable by
	all recipients. The most highly ranked digest algorithm in this list
	is also used when signing without encryption
	(e.g. @option{--clearsign} or @option{--sign}).

	@item --personal-compress-preferences @code{string}
	@opindex personal-compress-preferences
	Set the list of personal compression preferences to @code{string}.
	Use @command{@gpgname --version} to get a list of available
	algorithms, and use @code{none} to set no preference at all. This
	allows the user to safely override the algorithm chosen by the
	recipient key preferences, as GPG will only select an algorithm that
	is usable by all recipients. The most highly ranked compression
	algorithm in this list is also used when there are no recipient keys
	to consider (e.g. @option{--symmetric}).

	@item --s2k-cipher-algo @code{name}
	@opindex s2k-cipher-algo
	Use @code{name} as the cipher algorithm for symmetric encryption with
	a passphrase if @option{--personal-cipher-preferences} and
	@option{--cipher-algo} are not given. The default is @value{GPGSYMENCALGO}.

	@item --s2k-digest-algo @code{name}
	@opindex s2k-digest-algo
	Use @code{name} as the digest algorithm used to mangle the passphrases
	for symmetric encryption. The default is SHA-1.

	@item --s2k-mode @code{n}
	@opindex s2k-mode
	Selects how passphrases for symmetric encryption are mangled. If
	@code{n} is 0 a plain passphrase (which is in general not recommended)
	will be used, a 1 adds a salt (which should not be used) to the
	passphrase and a 3 (the default) iterates the whole process a number
	of times (see @option{--s2k-count}).

	@item --s2k-count @code{n}
	@opindex s2k-count
	Specify how many times the passphrases mangling for symmetric
	encryption is repeated. This value may range between 1024 and
	65011712 inclusive. The default is inquired from gpg-agent. Note
	that not all values in the 1024-65011712 range are legal and if an
	illegal value is selected, GnuPG will round up to the nearest legal
	value. This option is only meaningful if @option{--s2k-mode} is set
	to the default of 3.


	@end table

	@c ***************************
	@c ***** Compliance ******
	@c ***************************
	@node Compliance Options
	@subsection Compliance options

	These options control what GnuPG is compliant to. Only one of these
	options may be active at a time. Note that the default setting of
	this is nearly always the correct one. See the INTEROPERABILITY WITH
	OTHER OPENPGP PROGRAMS section below before using one of these
	options.

	@table @gnupgtabopt

	@item --gnupg
	@opindex gnupg
	Use standard GnuPG behavior. This is essentially OpenPGP behavior
	(see @option{--openpgp}), but with some additional workarounds for common
	compatibility problems in different versions of PGP. This is the
	default option, so it is not generally needed, but it may be useful to
	override a different compliance option in the gpg.conf file.

	@item --openpgp
	@opindex openpgp
	Reset all packet, cipher and digest options to strict OpenPGP
	behavior. Use this option to reset all previous options like
	@option{--s2k-*}, @option{--cipher-algo}, @option{--digest-algo} and
	@option{--compress-algo} to OpenPGP compliant values. All PGP
	workarounds are disabled.

	@item --rfc4880
	@opindex rfc4880
	Reset all packet, cipher and digest options to strict RFC-4880
	behavior. Note that this is currently the same thing as
	@option{--openpgp}.

	@item --rfc4880bis
	@opindex rfc4880bis
	Enable experimental features from proposed updates to RFC-4880. This
	option can be used in addition to the other compliance options.
	Warning: The behavior may change with any GnuPG release and created
	keys or data may not be usable with future GnuPG versions.

	@item --rfc2440
	@opindex rfc2440
	Reset all packet, cipher and digest options to strict RFC-2440
	behavior.

	@item --pgp6
	@opindex pgp6
	Set up all options to be as PGP 6 compliant as possible. This
	restricts you to the ciphers IDEA (if the IDEA plugin is installed),
	3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160, and the
	compression algorithms none and ZIP. This also disables
	--throw-keyids, and making signatures with signing subkeys as PGP 6
	does not understand signatures made by signing subkeys.

	This option implies @option{--disable-mdc --escape-from-lines}.

	@item --pgp7
	@opindex pgp7
	Set up all options to be as PGP 7 compliant as possible. This is
	identical to @option{--pgp6} except that MDCs are not disabled, and the
	list of allowable ciphers is expanded to add AES128, AES192, AES256, and
	TWOFISH.

	@item --pgp8
	@opindex pgp8
	Set up all options to be as PGP 8 compliant as possible. PGP 8 is a lot
	closer to the OpenPGP standard than previous versions of PGP, so all
	this does is disable @option{--throw-keyids} and set
	@option{--escape-from-lines}. All algorithms are allowed except for the
	SHA224, SHA384, and SHA512 digests.

	@end table


	@c *******************************************
	@c ****** ESOTERIC OPTIONS *************
	@c *******************************************
	@node GPG Esoteric Options
	@subsection Doing things one usually doesn't want to do.

	@table @gnupgtabopt

	@item -n
	@itemx --dry-run
	@opindex dry-run
	Don't make any changes (this is not completely implemented).

	@item --list-only
	@opindex list-only
	Changes the behaviour of some commands. This is like @option{--dry-run} but
	different in some cases. The semantic of this command may be extended in
	the future. Currently it only skips the actual decryption pass and
	therefore enables a fast listing of the encryption keys.

	@item -i
	@itemx --interactive
	@opindex interactive
	Prompt before overwriting any files.

	@item --debug-level @var{level}
	@opindex debug-level
	Select the debug level for investigating problems. @var{level} may be
	a numeric value or by a keyword:

	@table @code
	@item none
	No debugging at all. A value of less than 1 may be used instead of
	the keyword.
	@item basic
	Some basic debug messages. A value between 1 and 2 may be used
	instead of the keyword.
	@item advanced
	More verbose debug messages. A value between 3 and 5 may be used
	instead of the keyword.
	@item expert
	Even more detailed messages. A value between 6 and 8 may be used
	instead of the keyword.
	@item guru
	All of the debug messages you can get. A value greater than 8 may be
	used instead of the keyword. The creation of hash tracing files is
	only enabled if the keyword is used.
	@end table

	How these messages are mapped to the actual debugging flags is not
	specified and may change with newer releases of this program. They are
	however carefully selected to best aid in debugging.

	@item --debug @var{flags}
	@opindex debug
	Set debugging flags. All flags are or-ed and @var{flags} may be given
	in C syntax (e.g. 0x0042) or as a comma separated list of flag names.
	To get a list of all supported flags the single word "help" can be
	used.

	@item --debug-all
	@opindex debug-all
	Set all useful debugging flags.

	@item --debug-iolbf
	@opindex debug-iolbf
	Set stdout into line buffered mode. This option is only honored when
	given on the command line.

	@item --faked-system-time @var{epoch}
	@opindex faked-system-time
	This option is only useful for testing; it sets the system time back or
	forth to @var{epoch} which is the number of seconds elapsed since the year
	1970. Alternatively @var{epoch} may be given as a full ISO time string
	(e.g. "20070924T154812").

	@item --enable-progress-filter
	@opindex enable-progress-filter
	Enable certain PROGRESS status outputs. This option allows frontends
	to display a progress indicator while gpg is processing larger files.
	There is a slight performance overhead using it.

	@item --status-fd @code{n}
	@opindex status-fd
	Write special status strings to the file descriptor @code{n}.
	See the file DETAILS in the documentation for a listing of them.

	@item --status-file @code{file}
	@opindex status-file
	Same as @option{--status-fd}, except the status data is written to file
	@code{file}.

	@item --logger-fd @code{n}
	@opindex logger-fd
	Write log output to file descriptor @code{n} and not to STDERR.

	@item --log-file @code{file}
	@itemx --logger-file @code{file}
	@opindex log-file
	Same as @option{--logger-fd}, except the logger data is written to file
	@code{file}. Note that @option{--log-file} is only implemented for
	GnuPG-2.

	@item --attribute-fd @code{n}
	@opindex attribute-fd
	Write attribute subpackets to the file descriptor @code{n}. This is most
	useful for use with @option{--status-fd}, since the status messages are
	needed to separate out the various subpackets from the stream delivered
	to the file descriptor.

	@item --attribute-file @code{file}
	@opindex attribute-file
	Same as @option{--attribute-fd}, except the attribute data is written to
	file @code{file}.

	@item --comment @code{string}
	@itemx --no-comments
	@opindex comment
	Use @code{string} as a comment string in clear text signatures and ASCII
	armored messages or keys (see @option{--armor}). The default behavior is
	not to use a comment string. @option{--comment} may be repeated multiple
	times to get multiple comment strings. @option{--no-comments} removes
	all comments. It is a good idea to keep the length of a single comment
	below 60 characters to avoid problems with mail programs wrapping such
	lines. Note that comment lines, like all other header lines, are not
	protected by the signature.

	@item --emit-version
	@itemx --no-emit-version
	@opindex emit-version
	Force inclusion of the version string in ASCII armored output. If
	given once only the name of the program and the major number is
	emitted (default), given twice the minor is also emitted, given triple
	the micro is added, and given quad an operating system identification
	is also emitted. @option{--no-emit-version} disables the version
	line.

	@item --sig-notation @code{name=value}
	@itemx --cert-notation @code{name=value}
	@itemx -N, --set-notation @code{name=value}
	@opindex sig-notation
	@opindex cert-notation
	@opindex set-notation
	Put the name value pair into the signature as notation data.
	@code{name} must consist only of printable characters or spaces, and
	must contain a '@@' character in the form keyname@@domain.example.com
	(substituting the appropriate keyname and domain name, of course). This
	is to help prevent pollution of the IETF reserved notation
	namespace. The @option{--expert} flag overrides the '@@'
	check. @code{value} may be any printable string; it will be encoded in
	UTF8, so you should check that your @option{--display-charset} is set
	correctly. If you prefix @code{name} with an exclamation mark (!), the
	notation data will be flagged as critical
	(rfc4880:5.2.3.16). @option{--sig-notation} sets a notation for data
	signatures. @option{--cert-notation} sets a notation for key signatures
	(certifications). @option{--set-notation} sets both.

	There are special codes that may be used in notation names. "%k" will
	be expanded into the key ID of the key being signed, "%K" into the
	long key ID of the key being signed, "%f" into the fingerprint of the
	key being signed, "%s" into the key ID of the key making the
	signature, "%S" into the long key ID of the key making the signature,
	"%g" into the fingerprint of the key making the signature (which might
	be a subkey), "%p" into the fingerprint of the primary key of the key
	making the signature, "%c" into the signature count from the OpenPGP
	smartcard, and "%%" results in a single "%". %k, %K, and %f are only
	meaningful when making a key signature (certification), and %c is only
	meaningful when using the OpenPGP smartcard.

	@item --sig-policy-url @code{string}
	@itemx --cert-policy-url @code{string}
	@itemx --set-policy-url @code{string}
	@opindex sig-policy-url
	@opindex cert-policy-url
	@opindex set-policy-url
	Use @code{string} as a Policy URL for signatures (rfc4880:5.2.3.20). If
	you prefix it with an exclamation mark (!), the policy URL packet will
	be flagged as critical. @option{--sig-policy-url} sets a policy url for
	data signatures. @option{--cert-policy-url} sets a policy url for key
	signatures (certifications). @option{--set-policy-url} sets both.

	The same %-expandos used for notation data are available here as well.

	@item --sig-keyserver-url @code{string}
	@opindex sig-keyserver-url
	Use @code{string} as a preferred keyserver URL for data signatures. If
	you prefix it with an exclamation mark (!), the keyserver URL packet
	will be flagged as critical.

	The same %-expandos used for notation data are available here as well.

	@item --set-filename @code{string}
	@opindex set-filename
	Use @code{string} as the filename which is stored inside messages.
	This overrides the default, which is to use the actual filename of the
	file being encrypted. Using the empty string for @var{string}
	effectively removes the filename from the output.

	@item --for-your-eyes-only
	@itemx --no-for-your-eyes-only
	@opindex for-your-eyes-only
	Set the `for your eyes only' flag in the message. This causes GnuPG to
	refuse to save the file unless the @option{--output} option is given,
	and PGP to use a "secure viewer" with a claimed Tempest-resistant font
	to display the message. This option overrides @option{--set-filename}.
	@option{--no-for-your-eyes-only} disables this option.

	@item --use-embedded-filename
	@itemx --no-use-embedded-filename
	@opindex use-embedded-filename
	Try to create a file with a name as embedded in the data. This can be
	-a dangerous option as it allows to overwrite files. Defaults to no.
	+a dangerous option as it enables overwriting files. Defaults to no.

	@item --cipher-algo @code{name}
	@opindex cipher-algo
	Use @code{name} as cipher algorithm. Running the program with the
	command @option{--version} yields a list of supported algorithms. If
	this is not used the cipher algorithm is selected from the preferences
	stored with the key. In general, you do not want to use this option as
	it allows you to violate the OpenPGP standard.
	@option{--personal-cipher-preferences} is the safe way to accomplish the
	same thing.

	@item --digest-algo @code{name}
	@opindex digest-algo
	Use @code{name} as the message digest algorithm. Running the program
	with the command @option{--version} yields a list of supported algorithms. In
	general, you do not want to use this option as it allows you to
	violate the OpenPGP standard. @option{--personal-digest-preferences} is the
	safe way to accomplish the same thing.

	@item --compress-algo @code{name}
	@opindex compress-algo
	Use compression algorithm @code{name}. "zlib" is RFC-1950 ZLIB
	compression. "zip" is RFC-1951 ZIP compression which is used by PGP.
	"bzip2" is a more modern compression scheme that can compress some
	things better than zip or zlib, but at the cost of more memory used
	during compression and decompression. "uncompressed" or "none"
	disables compression. If this option is not used, the default
	behavior is to examine the recipient key preferences to see which
	algorithms the recipient supports. If all else fails, ZIP is used for
	maximum compatibility.

	ZLIB may give better compression results than ZIP, as the compression
	window size is not limited to 8k. BZIP2 may give even better
	compression results than that, but will use a significantly larger
	amount of memory while compressing and decompressing. This may be
	significant in low memory situations. Note, however, that PGP (all
	versions) only supports ZIP compression. Using any algorithm other
	than ZIP or "none" will make the message unreadable with PGP. In
	general, you do not want to use this option as it allows you to
	violate the OpenPGP standard. @option{--personal-compress-preferences} is the
	safe way to accomplish the same thing.

	@item --cert-digest-algo @code{name}
	@opindex cert-digest-algo
	Use @code{name} as the message digest algorithm used when signing a
	key. Running the program with the command @option{--version} yields a
	list of supported algorithms. Be aware that if you choose an algorithm
	that GnuPG supports but other OpenPGP implementations do not, then some
	users will not be able to use the key signatures you make, or quite
	possibly your entire key.

	@item --disable-cipher-algo @code{name}
	@opindex disable-cipher-algo
	Never allow the use of @code{name} as cipher algorithm.
	The given name will not be checked so that a later loaded algorithm
	will still get disabled.

	@item --disable-pubkey-algo @code{name}
	@opindex disable-pubkey-algo
	Never allow the use of @code{name} as public key algorithm.
	The given name will not be checked so that a later loaded algorithm
	will still get disabled.

	@item --throw-keyids
	@itemx --no-throw-keyids
	@opindex throw-keyids
	Do not put the recipient key IDs into encrypted messages. This helps to
	hide the receivers of the message and is a limited countermeasure
	against traffic analysis.@footnote{Using a little social engineering
	anyone who is able to decrypt the message can check whether one of the
	other recipients is the one he suspects.} On the receiving side, it may
	slow down the decryption process because all available secret keys must
	be tried. @option{--no-throw-keyids} disables this option. This option
	is essentially the same as using @option{--hidden-recipient} for all
	recipients.

	@item --not-dash-escaped
	@opindex not-dash-escaped
	This option changes the behavior of cleartext signatures
	so that they can be used for patch files. You should not
	send such an armored file via email because all spaces
	and line endings are hashed too. You can not use this
	option for data which has 5 dashes at the beginning of a
	line, patch files don't have this. A special armor header
	line tells GnuPG about this cleartext signature option.

	@item --escape-from-lines
	@itemx --no-escape-from-lines
	@opindex escape-from-lines
	Because some mailers change lines starting with "From " to ">From " it
	is good to handle such lines in a special way when creating cleartext
	signatures to prevent the mail system from breaking the signature. Note
	that all other PGP versions do it this way too. Enabled by
	default. @option{--no-escape-from-lines} disables this option.

	@item --passphrase-repeat @code{n}
	@opindex passphrase-repeat
	Specify how many times @command{@gpgname} will request a new
	passphrase be repeated. This is useful for helping memorize a
	passphrase. Defaults to 1 repetition.

	@item --passphrase-fd @code{n}
	@opindex passphrase-fd
	Read the passphrase from file descriptor @code{n}. Only the first line
	will be read from file descriptor @code{n}. If you use 0 for @code{n},
	the passphrase will be read from STDIN. This can only be used if only
	one passphrase is supplied.

	Note that this passphrase is only used if the option @option{--batch}
	has also been given. This is different from GnuPG version 1.x.

	@item --passphrase-file @code{file}
	@opindex passphrase-file
	Read the passphrase from file @code{file}. Only the first line will
	be read from file @code{file}. This can only be used if only one
	passphrase is supplied. Obviously, a passphrase stored in a file is
	of questionable security if other users can read this file. Don't use
	this option if you can avoid it.
	Note that this passphrase is only used if the option @option{--batch}
	has also been given. This is different from GnuPG version 1.x.

	@item --passphrase @code{string}
	@opindex passphrase
	Use @code{string} as the passphrase. This can only be used if only one
	passphrase is supplied. Obviously, this is of very questionable
	security on a multi-user system. Don't use this option if you can
	avoid it.
	Note that this passphrase is only used if the option @option{--batch}
	has also been given. This is different from GnuPG version 1.x.

	@item --pinentry-mode @code{mode}
	@opindex pinentry-mode
	Set the pinentry mode to @code{mode}. Allowed values for @code{mode}
	are:
	@table @asis
	@item default
	Use the default of the agent, which is @code{ask}.
	@item ask
	Force the use of the Pinentry.
	@item cancel
	Emulate use of Pinentry's cancel button.
	@item error
	Return a Pinentry error (``No Pinentry'').
	@item loopback
	Redirect Pinentry queries to the caller. Note that in contrast to
	Pinentry the user is not prompted again if he enters a bad password.
	@end table

	@item --command-fd @code{n}
	@opindex command-fd
	This is a replacement for the deprecated shared-memory IPC mode.
	If this option is enabled, user input on questions is not expected
	from the TTY but from the given file descriptor. It should be used
	together with @option{--status-fd}. See the file doc/DETAILS in the source
	distribution for details on how to use it.

	@item --command-file @code{file}
	@opindex command-file
	Same as @option{--command-fd}, except the commands are read out of file
	@code{file}

	@item --allow-non-selfsigned-uid
	@itemx --no-allow-non-selfsigned-uid
	@opindex allow-non-selfsigned-uid
	Allow the import and use of keys with user IDs which are not
	self-signed. This is not recommended, as a non self-signed user ID is
	trivial to forge. @option{--no-allow-non-selfsigned-uid} disables.

	@item --allow-freeform-uid
	@opindex allow-freeform-uid
	Disable all checks on the form of the user ID while generating a new
	one. This option should only be used in very special environments as
	it does not ensure the de-facto standard format of user IDs.

	@item --ignore-time-conflict
	@opindex ignore-time-conflict
	GnuPG normally checks that the timestamps associated with keys and
	signatures have plausible values. However, sometimes a signature
	seems to be older than the key due to clock problems. This option
	makes these checks just a warning. See also @option{--ignore-valid-from} for
	timestamp issues on subkeys.

	@item --ignore-valid-from
	@opindex ignore-valid-from
	GnuPG normally does not select and use subkeys created in the future.
	This option allows the use of such keys and thus exhibits the
	pre-1.0.7 behaviour. You should not use this option unless there
	is some clock problem. See also @option{--ignore-time-conflict} for timestamp
	issues with signatures.

	@item --ignore-crc-error
	@opindex ignore-crc-error
	The ASCII armor used by OpenPGP is protected by a CRC checksum against
	transmission errors. Occasionally the CRC gets mangled somewhere on
	the transmission channel but the actual content (which is protected by
	the OpenPGP protocol anyway) is still okay. This option allows GnuPG
	to ignore CRC errors.

	@item --ignore-mdc-error
	@opindex ignore-mdc-error
	This option changes a MDC integrity protection failure into a warning.
	This can be useful if a message is partially corrupt, but it is
	necessary to get as much data as possible out of the corrupt message.
	However, be aware that a MDC protection failure may also mean that the
	message was tampered with intentionally by an attacker.

	@item --allow-weak-digest-algos
	@opindex allow-weak-digest-algos
	Signatures made with known-weak digest algorithms are normally
	rejected with an ``invalid digest algorithm'' message. This option
	allows the verification of signatures made with such weak algorithms.
	MD5 is the only digest algorithm considered weak by default. See also
	@option{--weak-digest} to reject other digest algorithms.

	@item --weak-digest @code{name}
	@opindex weak-digest
	Treat the specified digest algorithm as weak. Signatures made over
	weak digests algorithms are normally rejected. This option can be
	supplied multiple times if multiple algorithms should be considered
	weak. See also @option{--allow-weak-digest-algos} to disable
	rejection of weak digests. MD5 is always considered weak, and does
	not need to be listed explicitly.

	@item --no-default-keyring
	@opindex no-default-keyring
	Do not add the default keyrings to the list of keyrings. Note that
	GnuPG will not operate without any keyrings, so if you use this option
	and do not provide alternate keyrings via @option{--keyring} or
	@option{--secret-keyring}, then GnuPG will still use the default public or
	secret keyrings.

	@item --no-keyring
	@opindex no-keyring
	Do not add use any keyrings even if specified as options.

	@item --skip-verify
	@opindex skip-verify
	Skip the signature verification step. This may be
	used to make the decryption faster if the signature
	verification is not needed.

	@item --with-key-data
	@opindex with-key-data
	Print key listings delimited by colons (like @option{--with-colons}) and
	print the public key data.

	@item --fast-list-mode
	@opindex fast-list-mode
	Changes the output of the list commands to work faster; this is achieved
	by leaving some parts empty. Some applications don't need the user ID
	and the trust information given in the listings. By using this options
	they can get a faster listing. The exact behaviour of this option may
	change in future versions. If you are missing some information, don't
	use this option.

	@item --no-literal
	@opindex no-literal
	This is not for normal use. Use the source to see for what it might be useful.

	@item --set-filesize
	@opindex set-filesize
	This is not for normal use. Use the source to see for what it might be useful.

	@item --show-session-key
	@opindex show-session-key
	Display the session key used for one message. See
	@option{--override-session-key} for the counterpart of this option.

	We think that Key Escrow is a Bad Thing; however the user should have
	the freedom to decide whether to go to prison or to reveal the content
	of one specific message without compromising all messages ever
	encrypted for one secret key.

	You can also use this option if you receive an encrypted message which
	is abusive or offensive, to prove to the administrators of the
	messaging system that the ciphertext transmitted corresponds to an
	inappropriate plaintext so they can take action against the offending
	user.

	@item --override-session-key @code{string}
	@opindex override-session-key
	Don't use the public key but the session key @code{string}. The format
	of this string is the same as the one printed by
	@option{--show-session-key}. This option is normally not used but comes
	handy in case someone forces you to reveal the content of an encrypted
	message; using this option you can do this without handing out the
	secret key.

	@item --ask-sig-expire
	@itemx --no-ask-sig-expire
	@opindex ask-sig-expire
	When making a data signature, prompt for an expiration time. If this
	option is not specified, the expiration time set via
	@option{--default-sig-expire} is used. @option{--no-ask-sig-expire}
	disables this option.

	@item --default-sig-expire
	@opindex default-sig-expire
	The default expiration time to use for signature expiration. Valid
	values are "0" for no expiration, a number followed by the letter d
	(for days), w (for weeks), m (for months), or y (for years) (for
	example "2m" for two months, or "5y" for five years), or an absolute
	date in the form YYYY-MM-DD. Defaults to "0".

	@item --ask-cert-expire
	@itemx --no-ask-cert-expire
	@opindex ask-cert-expire
	When making a key signature, prompt for an expiration time. If this
	option is not specified, the expiration time set via
	@option{--default-cert-expire} is used. @option{--no-ask-cert-expire}
	disables this option.

	@item --default-cert-expire
	@opindex default-cert-expire
	The default expiration time to use for key signature expiration.
	Valid values are "0" for no expiration, a number followed by the
	letter d (for days), w (for weeks), m (for months), or y (for years)
	(for example "2m" for two months, or "5y" for five years), or an
	absolute date in the form YYYY-MM-DD. Defaults to "0".

	@item --allow-secret-key-import
	@opindex allow-secret-key-import
	This is an obsolete option and is not used anywhere.

	@item --allow-multiple-messages
	@item --no-allow-multiple-messages
	@opindex allow-multiple-messages
	Allow processing of multiple OpenPGP messages contained in a single file
	or stream. Some programs that call GPG are not prepared to deal with
	multiple messages being processed together, so this option defaults to
	no. Note that versions of GPG prior to 1.4.7 always allowed multiple
	messages.

	Warning: Do not use this option unless you need it as a temporary
	workaround!


	@item --enable-special-filenames
	@opindex enable-special-filenames
	This options enables a mode in which filenames of the form
	@file{-&n}, where n is a non-negative decimal number,
	refer to the file descriptor n and not to a file with that name.

	@item --no-expensive-trust-checks
	@opindex no-expensive-trust-checks
	Experimental use only.

	@item --preserve-permissions
	@opindex preserve-permissions
	Don't change the permissions of a secret keyring back to user
	read/write only. Use this option only if you really know what you are doing.

	@item --default-preference-list @code{string}
	@opindex default-preference-list
	Set the list of default preferences to @code{string}. This preference
	list is used for new keys and becomes the default for "setpref" in the
	edit menu.

	@item --default-keyserver-url @code{name}
	@opindex default-keyserver-url
	Set the default keyserver URL to @code{name}. This keyserver will be
	used as the keyserver URL when writing a new self-signature on a key,
	which includes key generation and changing preferences.

	@item --list-config
	@opindex list-config
	Display various internal configuration parameters of GnuPG. This option
	is intended for external programs that call GnuPG to perform tasks, and
	is thus not generally useful. See the file @file{doc/DETAILS} in the
	source distribution for the details of which configuration items may be
	listed. @option{--list-config} is only usable with
	@option{--with-colons} set.

	@item --list-gcrypt-config
	@opindex list-gcrypt-config
	Display various internal configuration parameters of Libgcrypt.

	@item --gpgconf-list
	@opindex gpgconf-list
	This command is similar to @option{--list-config} but in general only
	internally used by the @command{gpgconf} tool.

	@item --gpgconf-test
	@opindex gpgconf-test
	This is more or less dummy action. However it parses the configuration
	file and returns with failure if the configuration file would prevent
	@command{gpg} from startup. Thus it may be used to run a syntax check
	on the configuration file.

	@end table

	@c *******************************
	@c ***** Deprecated **********
	@c *******************************
	@node Deprecated Options
	@subsection Deprecated options

	@table @gnupgtabopt

	@item --show-photos
	@itemx --no-show-photos
	@opindex show-photos
	Causes @option{--list-keys}, @option{--list-sigs},
	@option{--list-public-keys}, @option{--list-secret-keys}, and verifying
	a signature to also display the photo ID attached to the key, if
	any. See also @option{--photo-viewer}. These options are deprecated. Use
	@option{--list-options [no-]show-photos} and/or @option{--verify-options
	[no-]show-photos} instead.

	@item --show-keyring
	@opindex show-keyring
	Display the keyring name at the head of key listings to show which
	keyring a given key resides on. This option is deprecated: use
	@option{--list-options [no-]show-keyring} instead.

	@item --always-trust
	@opindex always-trust
	Identical to @option{--trust-model always}. This option is deprecated.

	@item --show-notation
	@itemx --no-show-notation
	@opindex show-notation
	Show signature notations in the @option{--list-sigs} or @option{--check-sigs} listings
	as well as when verifying a signature with a notation in it. These
	options are deprecated. Use @option{--list-options [no-]show-notation}
	and/or @option{--verify-options [no-]show-notation} instead.

	@item --show-policy-url
	@itemx --no-show-policy-url
	@opindex show-policy-url
	Show policy URLs in the @option{--list-sigs} or @option{--check-sigs}
	listings as well as when verifying a signature with a policy URL in
	it. These options are deprecated. Use @option{--list-options
	[no-]show-policy-url} and/or @option{--verify-options
	[no-]show-policy-url} instead.


	@end table


	@c *******************************************
	@c ************* **************
	@c ************* FILES **************
	@c ************* **************
	@c *******************************************
	@mansect files
	@node GPG Configuration
	@section Configuration files

	There are a few configuration files to control certain aspects of
	@command{@gpgname}'s operation. Unless noted, they are expected in the
	current home directory (@pxref{option --homedir}).

	@table @file

	@item gpg.conf
	@efindex gpg.conf
	This is the standard configuration file read by @command{@gpgname} on
	startup. It may contain any valid long option; the leading two dashes
	may not be entered and the option may not be abbreviated. This default
	name may be changed on the command line (@pxref{gpg-option --options}).
	You should backup this file.

	@end table

	Note that on larger installations, it is useful to put predefined files
	into the directory @file{@value{SYSCONFSKELDIR}} so that
	newly created users start up with a working configuration.
	For existing users a small
	helper script is provided to create these files (@pxref{addgnupghome}).

	For internal purposes @command{@gpgname} creates and maintains a few other
	files; They all live in in the current home directory (@pxref{option
	--homedir}). Only the @command{@gpgname} program may modify these files.


	@table @file
	@item ~/.gnupg
	@efindex ~/.gnupg
	This is the default home directory which is used if neither the
	environment variable @code{GNUPGHOME} nor the option
	@option{--homedir} is given.

	@item ~/.gnupg/pubring.gpg
	@efindex pubring.gpg
	The public keyring. You should backup this file.

	@item ~/.gnupg/pubring.gpg.lock
	The lock file for the public keyring.

	@item ~/.gnupg/pubring.kbx
	@efindex pubring.kbx
	The public keyring using a different format. This file is sharred
	with @command{gpgsm}. You should backup this file.

	@item ~/.gnupg/pubring.kbx.lock
	The lock file for @file{pubring.kbx}.

	@item ~/.gnupg/secring.gpg
	@efindex secring.gpg
	A secret keyring as used by GnuPG versions before 2.1. It is not
	used by GnuPG 2.1 and later.

	@item ~/.gnupg/secring.gpg.lock
	The lock file for the secret keyring.

	@item ~/.gnupg/.gpg-v21-migrated
	@efindex .gpg-v21-migrated
	File indicating that a migration to GnuPG 2.1 has been done.

	@item ~/.gnupg/trustdb.gpg
	@efindex trustdb.gpg
	The trust database. There is no need to backup this file; it is better
	to backup the ownertrust values (@pxref{option --export-ownertrust}).

	@item ~/.gnupg/trustdb.gpg.lock
	The lock file for the trust database.

	@item ~/.gnupg/random_seed
	@efindex random_seed
	A file used to preserve the state of the internal random pool.

	@item ~/.gnupg/openpgp-revocs.d/
	@efindex openpgp-revocs.d
	This is the directory where gpg stores pre-generated revocation
	certificates. The file name corresponds to the OpenPGP fingerprint of
	the respective key. It is suggested to backup those certificates and
	if the primary private key is not stored on the disk to move them to
	an external storage device. Anyone who can access theses files is
	able to revoke the corresponding key. You may want to print them out.
	You should backup all files in this directory and take care to keep
	this backup closed away.

	@item @value{DATADIR}/options.skel
	@efindex options.skel
	The skeleton options file.

	@end table

	Operation is further controlled by a few environment variables:

	@table @asis

	@item HOME
	@efindex HOME
	Used to locate the default home directory.

	@item GNUPGHOME
	@efindex GNUPGHOME
	If set directory used instead of "~/.gnupg".

	@item GPG_AGENT_INFO
	This variable is obsolete; it was used by GnuPG versions before 2.1.

	@item PINENTRY_USER_DATA
	@efindex PINENTRY_USER_DATA
	This value is passed via gpg-agent to pinentry. It is useful to convey
	extra information to a custom pinentry.

	@item COLUMNS
	@itemx LINES
	@efindex COLUMNS
	@efindex LINES
	Used to size some displays to the full size of the screen.

	@item LANGUAGE
	@efindex LANGUAGE
	Apart from its use by GNU, it is used in the W32 version to override the
	language selection done through the Registry. If used and set to a
	valid and available language name (@var{langid}), the file with the
	translation is loaded from

	@code{@var{gpgdir}/gnupg.nls/@var{langid}.mo}. Here @var{gpgdir} is the
	directory out of which the gpg binary has been loaded. If it can't be
	loaded the Registry is tried and as last resort the native Windows
	locale system is used.

	@end table


	@c *******************************************
	@c ************* **************
	@c ************* EXAMPLES **************
	@c ************* **************
	@c *******************************************
	@mansect examples
	@node GPG Examples
	@section Examples

	@table @asis

	@item gpg -se -r @code{Bob} @code{file}
	sign and encrypt for user Bob

	@item gpg --clearsign @code{file}
	make a clear text signature

	@item gpg -sb @code{file}
	make a detached signature

	@item gpg -u 0x12345678 -sb @code{file}
	make a detached signature with the key 0x12345678

	@item gpg --list-keys @code{user_ID}
	show keys

	@item gpg --fingerprint @code{user_ID}
	show fingerprint

	@item gpg --verify @code{pgpfile}
	@itemx gpg --verify @code{sigfile}
	Verify the signature of the file but do not output the data. The
	second form is used for detached signatures, where @code{sigfile}
	is the detached signature (either ASCII armored or binary) and
	are the signed data; if this is not given, the name of
	the file holding the signed data is constructed by cutting off the
	extension (".asc" or ".sig") of @code{sigfile} or by asking the
	user for the filename.
	@end table


	@c *******************************************
	@c ************* **************
	@c ************* USER ID **************
	@c ************* **************
	@c *******************************************
	@mansect how to specify a user id
	@ifset isman
	@include specify-user-id.texi
	@end ifset

	@mansect filter expressions
	@chapheading FILTER EXPRESSIONS

	The options @option{--import-filter} and @option{--export-filter} use
	expressions with this syntax (square brackets indicate an optional
	part and curly braces a repetition, white space between the elements
	are allowed):

	@c man:.RS
	@example
	[lc] @{[@{flag@}] PROPNAME op VALUE [lc]@}
	@end example
	@c man:.RE

	The name of a property (@var{PROPNAME}) may only consist of letters,
	digits and underscores. The description for the filter type
	describes which properties are defined. If an undefined property is
	used it evaluates to the empty string. Unless otherwise noted, the
	@var{VALUE} must always be given and may not be the empty string. No
	quoting is defined for the value, thus the value may not contain the
	strings @code{&&} or @code{\|\|}, which are used as logical connection
	operators. The flag @code{--} can be used to remove this restriction.

	Numerical values are computed as long int; standard C notation
	applies. @var{lc} is the logical connection operator; either
	@code{&&} for a conjunction or @code{\|\|} for a disjunction. A
	conjunction is assumed at the begin of an expression. Conjunctions
	have higher precedence than disjunctions. If @var{VALUE} starts with
	one of the characters used in any @var{op} a space after the
	@var{op} is required.

	@noindent
	The supported operators (@var{op}) are:

	@table @asis

	@item =~
	Substring must match.

	@item !~
	Substring must not match.

	@item =
	The full string must match.

	@item <>
	The full string must not match.

	@item ==
	The numerical value must match.

	@item !=
	The numerical value must not match.

	@item <=
	The numerical value of the field must be LE than the value.

	@item <
	The numerical value of the field must be LT than the value.

	@item >=
	The numerical value of the field must be GT than the value.

	@item >=
	The numerical value of the field must be GE than the value.

	@item -n
	True if value is not empty (no value allowed).

	@item -z
	True if value is empty (no value allowed).

	@item -t
	Alias for "PROPNAME != 0" (no value allowed).

	@item -f
	Alias for "PROPNAME == 0" (no value allowed).

	@end table

	@noindent
	Values for @var{flag} must be space separated. The supported flags
	are:

	@table @asis
	@item --
	@var{VALUE} spans to the end of the expression.
	@item -c
	The string match in this part is done case-sensitive.
	@end table

	The filter options concatenate several specifications for a filter of
	the same type. For example the four options in this example:

	@c man:.RS
	@example
	--import-option keep-uid="uid =~ Alfa"
	--import-option keep-uid="&& uid !~ Test"
	--import-option keep-uid="\|\| uid =~ Alpha"
	--import-option keep-uid="uid !~ Test"
	@end example
	@c man:.RE

	@noindent
	which is equivalent to

	@c man:.RS
	@example
	--import-option \
	keep-uid="uid =~ Alfa" && uid !~ Test" \|\| uid =~ Alpha" && "uid !~ Test"
	@end example
	@c man:.RE

	imports only the user ids of a key containing the strings "Alfa"
	or "Alpha" but not the string "test".


	@mansect return value
	@chapheading RETURN VALUE

	The program returns 0 if everything was fine, 1 if at least
	a signature was bad, and other error codes for fatal errors.

	@mansect warnings
	@chapheading WARNINGS

	Use a good password for your user account and a good passphrase
	to protect your secret key. This passphrase is the weakest part of the
	whole system. Programs to do dictionary attacks on your secret keyring
	are very easy to write and so you should protect your "~/.gnupg/"
	directory very well.

	Keep in mind that, if this program is used over a network (telnet), it
	is very easy to spy out your passphrase!

	If you are going to verify detached signatures, make sure that the
	program knows about it; either give both filenames on the command line
	or use @samp{-} to specify STDIN.

	@mansect interoperability
	@chapheading INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS

	GnuPG tries to be a very flexible implementation of the OpenPGP
	standard. In particular, GnuPG implements many of the optional parts
	of the standard, such as the SHA-512 hash, and the ZLIB and BZIP2
	compression algorithms. It is important to be aware that not all
	OpenPGP programs implement these optional algorithms and that by
	forcing their use via the @option{--cipher-algo},
	@option{--digest-algo}, @option{--cert-digest-algo}, or
	@option{--compress-algo} options in GnuPG, it is possible to create a
	perfectly valid OpenPGP message, but one that cannot be read by the
	intended recipient.

	There are dozens of variations of OpenPGP programs available, and each
	supports a slightly different subset of these optional algorithms.
	For example, until recently, no (unhacked) version of PGP supported
	the BLOWFISH cipher algorithm. A message using BLOWFISH simply could
	not be read by a PGP user. By default, GnuPG uses the standard
	OpenPGP preferences system that will always do the right thing and
	create messages that are usable by all recipients, regardless of which
	OpenPGP program they use. Only override this safe default if you
	really know what you are doing.

	If you absolutely must override the safe default, or if the preferences
	on a given key are invalid for some reason, you are far better off using
	the @option{--pgp6}, @option{--pgp7}, or @option{--pgp8} options. These
	options are safe as they do not force any particular algorithms in
	violation of OpenPGP, but rather reduce the available algorithms to a
	"PGP-safe" list.

	@mansect bugs
	@chapheading BUGS

	On older systems this program should be installed as setuid(root). This
	is necessary to lock memory pages. Locking memory pages prevents the
	operating system from writing memory pages (which may contain
	passphrases or other sensitive material) to disk. If you get no
	warning message about insecure memory your operating system supports
	locking without being root. The program drops root privileges as soon
	as locked memory is allocated.

	Note also that some systems (especially laptops) have the ability to
	``suspend to disk'' (also known as ``safe sleep'' or ``hibernate'').
	This writes all memory to disk before going into a low power or even
	powered off mode. Unless measures are taken in the operating system
	to protect the saved memory, passphrases or other sensitive material
	may be recoverable from it later.

	Before you report a bug you should first search the mailing list
	archives for similar problems and second check whether such a bug has
	already been reported to our bug tracker at http://bugs.gnupg.org .

	@c *******************************************
	@c ************* ************
	@c ************* UNATTENDED ************
	@c ************* ************
	@c *******************************************
	@manpause
	@node Unattended Usage of GPG
	@section Unattended Usage

	@command{gpg} is often used as a backend engine by other software. To help
	with this a machine interface has been defined to have an unambiguous
	way to do this. The options @option{--status-fd} and @option{--batch}
	are almost always required for this.

	@menu
	* Unattended GPG key generation:: Unattended key generation
	@end menu


	@node Unattended GPG key generation
	@subsection Unattended key generation

	The command @option{--gen-key} may be used along with the option
	@option{--batch} for unattended key generation. The parameters are
	either read from stdin or given as a file on the command line.
	The format of the parameter file is as follows:

	@itemize @bullet
	@item Text only, line length is limited to about 1000 characters.
	@item UTF-8 encoding must be used to specify non-ASCII characters.
	@item Empty lines are ignored.
	@item Leading and trailing while space is ignored.
	@item A hash sign as the first non white space character indicates
	a comment line.
	@item Control statements are indicated by a leading percent sign, the
	arguments are separated by white space from the keyword.
	@item Parameters are specified by a keyword, followed by a colon. Arguments
	are separated by white space.
	@item
	The first parameter must be @samp{Key-Type}; control statements may be
	placed anywhere.
	@item
	The order of the parameters does not matter except for @samp{Key-Type}
	which must be the first parameter. The parameters are only used for
	the generated keyblock (primary and subkeys); parameters from previous
	sets are not used. Some syntactically checks may be performed.
	@item
	Key generation takes place when either the end of the parameter file
	is reached, the next @samp{Key-Type} parameter is encountered or at the
	control statement @samp{%commit} is encountered.
	@end itemize

	@noindent
	Control statements:

	@table @asis

	@item %echo @var{text}
	Print @var{text} as diagnostic.

	@item %dry-run
	Suppress actual key generation (useful for syntax checking).

	@item %commit
	Perform the key generation. Note that an implicit commit is done at
	the next @asis{Key-Type} parameter.

	@item %pubring @var{filename}
	@itemx %secring @var{filename}
	Do not write the key to the default or commandline given keyring but
	to @var{filename}. This must be given before the first commit to take
	place, duplicate specification of the same filename is ignored, the
	last filename before a commit is used. The filename is used until a
	new filename is used (at commit points) and all keys are written to
	that file. If a new filename is given, this file is created (and
	overwrites an existing one). For GnuPG versions prior to 2.1, both
	control statements must be given. For GnuPG 2.1 and later
	@samp{%secring} is a no-op.

	@item %ask-passphrase
	@itemx %no-ask-passphrase
	This option is a no-op for GnuPG 2.1 and later.

	@item %no-protection
	Using this option allows the creation of keys without any passphrase
	protection. This option is mainly intended for regression tests.

	@item %transient-key
	If given the keys are created using a faster and a somewhat less
	secure random number generator. This option may be used for keys
	which are only used for a short time and do not require full
	cryptographic strength. It takes only effect if used together with
	the control statement @samp{%no-protection}.

	@end table

	@noindent
	General Parameters:

	@table @asis

	@item Key-Type: @var{algo}
	Starts a new parameter block by giving the type of the primary
	key. The algorithm must be capable of signing. This is a required
	parameter. @var{algo} may either be an OpenPGP algorithm number or a
	string with the algorithm name. The special value @samp{default} may
	be used for @var{algo} to create the default key type; in this case a
	@samp{Key-Usage} shall not be given and @samp{default} also be used
	for @samp{Subkey-Type}.

	@item Key-Length: @var{nbits}
	The requested length of the generated key in bits. The default is
	returned by running the command @samp{@gpgname --gpgconf-list}.

	@item Key-Grip: @var{hexstring}
	This is optional and used to generate a CSR or certificate for an
	already existing key. Key-Length will be ignored when given.

	@item Key-Usage: @var{usage-list}
	Space or comma delimited list of key usages. Allowed values are
	@samp{encrypt}, @samp{sign}, and @samp{auth}. This is used to
	generate the key flags. Please make sure that the algorithm is
	capable of this usage. Note that OpenPGP requires that all primary
	keys are capable of certification, so no matter what usage is given
	here, the @samp{cert} flag will be on. If no @samp{Key-Usage} is
	specified and the @samp{Key-Type} is not @samp{default}, all allowed
	usages for that particular algorithm are used; if it is not given but
	@samp{default} is used the usage will be @samp{sign}.

	@item Subkey-Type: @var{algo}
	This generates a secondary key (subkey). Currently only one subkey
	can be handled. See also @samp{Key-Type} above.

	@item Subkey-Length: @var{nbits}
	Length of the secondary key (subkey) in bits. The default is returned
	by running the command @samp{@gpgname --gpgconf-list}".

	@item Subkey-Usage: @var{usage-list}
	Key usage lists for a subkey; similar to @samp{Key-Usage}.

	@item Passphrase: @var{string}
	If you want to specify a passphrase for the secret key, enter it here.
	Default is to use the Pinentry dialog to ask for a passphrase.

	@item Name-Real: @var{name}
	@itemx Name-Comment: @var{comment}
	@itemx Name-Email: @var{email}
	The three parts of a user name. Remember to use UTF-8 encoding here.
	If you don't give any of them, no user ID is created.

	@item Expire-Date: @var{iso-date}\|(@var{number}[d\|w\|m\|y])
	Set the expiration date for the key (and the subkey). It may either
	be entered in ISO date format (e.g. "20000815T145012") or as number of
	days, weeks, month or years after the creation date. The special
	notation "seconds=N" is also allowed to specify a number of seconds
	since creation. Without a letter days are assumed. Note that there
	is no check done on the overflow of the type used by OpenPGP for
	timestamps. Thus you better make sure that the given value make
	sense. Although OpenPGP works with time intervals, GnuPG uses an
	absolute value internally and thus the last year we can represent is
	2105.

	@item Creation-Date: @var{iso-date}
	Set the creation date of the key as stored in the key information and
	which is also part of the fingerprint calculation. Either a date like
	"1986-04-26" or a full timestamp like "19860426T042640" may be used.
	The time is considered to be UTC. The special notation "seconds=N"
	may be used to directly specify a the number of seconds since Epoch
	(Unix time). If it is not given the current time is used.

	@item Preferences: @var{string}
	Set the cipher, hash, and compression preference values for this key.
	This expects the same type of string as the sub-command @samp{setpref}
	in the @option{--edit-key} menu.

	@item Revoker: @var{algo}:@var{fpr} [sensitive]
	Add a designated revoker to the generated key. Algo is the public key
	algorithm of the designated revoker (i.e. RSA=1, DSA=17, etc.)
	@var{fpr} is the fingerprint of the designated revoker. The optional
	@samp{sensitive} flag marks the designated revoker as sensitive
	information. Only v4 keys may be designated revokers.

	@item Keyserver: @var{string}
	This is an optional parameter that specifies the preferred keyserver
	URL for the key.

	@item Handle: @var{string}
	This is an optional parameter only used with the status lines
	KEY_CREATED and KEY_NOT_CREATED. @var{string} may be up to 100
	characters and should not contain spaces. It is useful for batch key
	generation to associate a key parameter block with a status line.

	@end table

	@noindent
	Here is an example on how to create a key:
	@smallexample
	$ cat >foo <<EOF
	%echo Generating a basic OpenPGP key
	Key-Type: DSA
	Key-Length: 1024
	Subkey-Type: ELG-E
	Subkey-Length: 1024
	Name-Real: Joe Tester
	Name-Comment: with stupid passphrase
	Name-Email: joe@@foo.bar
	Expire-Date: 0
	Passphrase: abc
	%pubring foo.pub
	%secring foo.sec
	# Do a commit here, so that we can later print "done" :-)
	%commit
	%echo done
	EOF
	$ @gpgname --batch --gen-key foo
	[...]
	$ @gpgname --no-default-keyring --secret-keyring ./foo.sec \
	--keyring ./foo.pub --list-secret-keys
	/home/wk/work/gnupg-stable/scratch/foo.sec
	------------------------------------------
	sec 1024D/915A878D 2000-03-09 Joe Tester (with stupid passphrase) <joe@@foo.bar>
	ssb 1024g/8F70E2C0 2000-03-09
	@end smallexample


	@noindent
	If you want to create a key with the default algorithms you would use
	these parameters:
	@smallexample
	%echo Generating a default key
	Key-Type: default
	Subkey-Type: default
	Name-Real: Joe Tester
	Name-Comment: with stupid passphrase
	Name-Email: joe@@foo.bar
	Expire-Date: 0
	Passphrase: abc
	%pubring foo.pub
	%secring foo.sec
	# Do a commit here, so that we can later print "done" :-)
	%commit
	%echo done
	@end smallexample




	@mansect see also
	@ifset isman
	@command{gpgv}(1),
	@command{gpgsm}(1),
	@command{gpg-agent}(1)
	@end ifset
	@include see-also-note.texi
	diff --git a/doc/tools.texi b/doc/tools.texi
	index 577df8ea1..e52d6a70b 100644
	--- a/doc/tools.texi
	+++ b/doc/tools.texi
	@@ -1,1908 +1,1908 @@
	@c Copyright (C) 2004, 2008 Free Software Foundation, Inc.
	@c This is part of the GnuPG manual.
	@c For copying conditions, see the file GnuPG.texi.

	@include defs.inc

	@node Helper Tools
	@chapter Helper Tools

	GnuPG comes with a couple of smaller tools:

	@menu
	* watchgnupg:: Read logs from a socket.
	* gpgv:: Verify OpenPGP signatures.
	* addgnupghome:: Create .gnupg home directories.
	* gpgconf:: Modify .gnupg home directories.
	* applygnupgdefaults:: Run gpgconf for all users.
	* gpg-preset-passphrase:: Put a passphrase into the cache.
	* gpg-connect-agent:: Communicate with a running agent.
	* dirmngr-client:: How to use the Dirmngr client tool.
	* gpgparsemail:: Parse a mail message into an annotated format
	* symcryptrun:: Call a simple symmetric encryption tool.
	* gpg-zip:: Encrypt or sign files into an archive.
	@end menu

	@c
	@c WATCHGNUPG
	@c
	@manpage watchgnupg.1
	@node watchgnupg
	@section Read logs from a socket
	@ifset manverb
	.B watchgnupg
	\- Read and print logs from a socket
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B watchgnupg
	.RB [ \-\-force ]
	.RB [ \-\-verbose ]
	.I socketname
	@end ifset

	@mansect description
	Most of the main utilities are able to write their log files to a Unix
	Domain socket if configured that way. @command{watchgnupg} is a simple
	listener for such a socket. It ameliorates the output with a time stamp
	and makes sure that long lines are not interspersed with log output from
	other utilities. This tool is not available for Windows.


	@noindent
	@command{watchgnupg} is commonly invoked as

	@example
	watchgnupg --force ~/.gnupg/S.log
	@end example
	@manpause

	@noindent
	This starts it on the current terminal for listening on the socket
	@file{~/.gnupg/S.log}.

	@mansect options
	@noindent
	@command{watchgnupg} understands these options:

	@table @gnupgtabopt

	@item --force
	@opindex force
	Delete an already existing socket file.

	@anchor{option watchgnupg --tcp}
	@item --tcp @var{n}
	Instead of reading from a local socket, listen for connects on TCP port
	@var{n}.

	@item --verbose
	@opindex verbose
	Enable extra informational output.

	@item --version
	@opindex version
	Print version of the program and exit.

	@item --help
	@opindex help
	Display a brief help page and exit.

	@end table

	@noindent
	@mansect examples
	@chapheading Examples

	@example
	$ watchgnupg --force /home/foo/.gnupg/S.log
	@end example

	This waits for connections on the local socket
	@file{/home/foo/.gnupg/S.log} and shows all log entries. To make this
	work the option @option{log-file} needs to be used with all modules
	which logs are to be shown. The value for that option must be given
	with a special prefix (e.g. in the conf file):

	@example
	log-file socket:///home/foo/.gnupg/S.log
	@end example

	For debugging purposes it is also possible to do remote logging. Take
	care if you use this feature because the information is send in the
	clear over the network. Use this syntax in the conf files:

	@example
	log-file tcp://192.168.1.1:4711
	@end example

	You may use any port and not just 4711 as shown above; only IP addresses
	are supported (v4 and v6) and no host names. You need to start
	@command{watchgnupg} with the @option{tcp} option. Note that under
	Windows the registry entry @var{HKCU\Software\GNU\GnuPG:DefaultLogFile}
	can be used to change the default log output from @code{stderr} to
	whatever is given by that entry. However the only useful entry is a TCP
	name for remote debugging.


	@mansect see also
	@ifset isman
	@command{gpg}(1),
	@command{gpgsm}(1),
	@command{gpg-agent}(1),
	@command{scdaemon}(1)
	@end ifset
	@include see-also-note.texi


	@c
	@c GPGV
	@c
	@include gpgv.texi


	@c
	@c ADDGNUPGHOME
	@c
	@manpage addgnupghome.8
	@node addgnupghome
	@section Create .gnupg home directories.
	@ifset manverb
	.B addgnupghome
	\- Create .gnupg home directories
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B addgnupghome
	.I account_1
	.IR account_2 ... account_n
	@end ifset

	@mansect description
	If GnuPG is installed on a system with existing user accounts, it is
	sometimes required to populate the GnuPG home directory with existing
	files. Especially a @file{trustlist.txt} and a keybox with some
	initial certificates are often desired. This scripts help to do this
	by copying all files from @file{/etc/skel/.gnupg} to the home
	directories of the accounts given on the command line. It takes care
	not to overwrite existing GnuPG home directories.

	@noindent
	@command{addgnupghome} is invoked by root as:

	@example
	addgnupghome account1 account2 ... accountn
	@end example


	@c
	@c GPGCONF
	@c
	@manpage gpgconf.1
	@node gpgconf
	@section Modify .gnupg home directories.
	@ifset manverb
	.B gpgconf
	\- Modify .gnupg home directories
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B gpgconf
	.RI [ options ]
	.B \-\-list-components
	.br
	.B gpgconf
	.RI [ options ]
	.B \-\-list-options
	.I component
	.br
	.B gpgconf
	.RI [ options ]
	.B \-\-change-options
	.I component
	@end ifset


	@mansect description
	The @command{gpgconf} is a utility to automatically and reasonable
	safely query and modify configuration files in the @file{.gnupg} home
	directory. It is designed not to be invoked manually by the user, but
	automatically by graphical user interfaces (GUI).@footnote{Please note
	that currently no locking is done, so concurrent access should be
	avoided. There are some precautions to avoid corruption with
	concurrent usage, but results may be inconsistent and some changes may
	get lost. The stateless design makes it difficult to provide more
	guarantees.}

	@command{gpgconf} provides access to the configuration of one or more
	components of the GnuPG system. These components correspond more or
	less to the programs that exist in the GnuPG framework, like GnuPG,
	GPGSM, DirMngr, etc. But this is not a strict one-to-one
	relationship. Not all configuration options are available through
	@command{gpgconf}. @command{gpgconf} provides a generic and abstract
	method to access the most important configuration options that can
	feasibly be controlled via such a mechanism.

	@command{gpgconf} can be used to gather and change the options
	available in each component, and can also provide their default
	values. @command{gpgconf} will give detailed type information that
	can be used to restrict the user's input without making an attempt to
	commit the changes.

	@command{gpgconf} provides the backend of a configuration editor. The
	configuration editor would usually be a graphical user interface
	program, that allows to display the current options, their default
	values, and allows the user to make changes to the options. These
	changes can then be made active with @command{gpgconf} again. Such a
	program that uses @command{gpgconf} in this way will be called GUI
	throughout this section.

	@menu
	* Invoking gpgconf:: List of all commands and options.
	* Format conventions:: Formatting conventions relevant for all commands.
	* Listing components:: List all gpgconf components.
	* Checking programs:: Check all programs know to gpgconf.
	* Listing options:: List all options of a component.
	* Changing options:: Changing options of a component.
	* Listing global options:: List all global options.
	* Files used by gpgconf:: What files are used by gpgconf.
	@end menu

	@manpause
	@node Invoking gpgconf
	@subsection Invoking gpgconf

	@mansect commands
	One of the following commands must be given:

	@table @gnupgtabopt

	@item --list-components
	List all components. This is the default command used if none is
	specified.

	@item --check-programs
	List all available backend programs and test whether they are runnable.

	@item --list-options @var{component}
	List all options of the component @var{component}.

	@item --change-options @var{component}
	Change the options of the component @var{component}.

	@item --check-options @var{component}
	Check the options for the component @var{component}.

	@item --apply-defaults
	Update all configuration files with values taken from the global
	configuration file (usually @file{/etc/gnupg/gpgconf.conf}).

	@item --list-dirs [@var{names}]
	Lists the directories used by @command{gpgconf}. One directory is
	listed per line, and each line consists of a colon-separated list where
	the first field names the directory type (for example @code{sysconfdir})
	and the second field contains the percent-escaped directory. Although
	they are not directories, the socket file names used by
	@command{gpg-agent} and @command{dirmngr} are printed as well. Note
	that the socket file names and the @code{homedir} lines are the default
	names and they may be overridden by command line switches. If
	@var{names} are given only the directories or file names specified by
	the list names are printed without any escaping.

	@item --list-config [@var{filename}]
	List the global configuration file in a colon separated format. If
	@var{filename} is given, check that file instead.

	@item --check-config [@var{filename}]
	Run a syntax check on the global configuration file. If @var{filename}
	is given, check that file instead.

	@item --reload [@var{component}]
	@opindex reload
	Reload all or the given component. This is basically the same as sending
	a SIGHUP to the component. Components which don't support reloading are
	ignored.

	@item --launch [@var{component}]
	@opindex launch
	If the @var{component} is not already running, start it.
	@command{component} must be a daemon. This is in general not required
	because the system starts these daemons as needed. However, external
	software making direct use of @command{gpg-agent} or @command{dirmngr}
	may use this command to ensure that they are started.

	@item --kill [@var{component}]
	@opindex kill
	Kill the given component. Components which support killing are
	gpg-agent and scdaemon. Components which don't support reloading are
	ignored. Note that as of now reload and kill have the same effect for
	scdaemon.

	@item --create-socketdir
	@opindex create-socketdir
	Create a directory for sockets below /run/user or /var/run/user. This
	is command is only required if a non default home directory is used
	and the /run based sockets shall be used. For the default home
	directory GnUPG creates a directory on the fly.

	@item --remove-socketdir
	@opindex remove-socketdir
	Remove a directory created with command @option{--create-socketdir}.

	@end table


	@mansect options

	The following options may be used:

	@table @gnupgtabopt

	@item -o @var{file}
	@itemx --output @var{file}
	Write output to @var{file}. Default is to write to stdout.

	@item -v
	@itemx --verbose
	Outputs additional information while running. Specifically, this
	extends numerical field values by human-readable descriptions.

	@item -q
	@itemx --quiet
	@opindex quiet
	Try to be as quiet as possible.

	@item -n
	@itemx --dry-run
	Do not actually change anything. This is currently only implemented
	for @code{--change-options} and can be used for testing purposes.

	@item -r
	@itemx --runtime
	Only used together with @code{--change-options}. If one of the
	modified options can be changed in a running daemon process, signal
	the running daemon to ask it to reparse its configuration file after
	changing.

	This means that the changes will take effect at run-time, as far as
	this is possible. Otherwise, they will take effect at the next start
	of the respective backend programs.
	@manpause
	@end table


	@node Format conventions
	@subsection Format conventions

	Some lines in the output of @command{gpgconf} contain a list of
	colon-separated fields. The following conventions apply:

	@itemize @bullet
	@item
	The GUI program is required to strip off trailing newline and/or
	carriage return characters from the output.

	@item
	@command{gpgconf} will never leave out fields. If a certain version
	provides a certain field, this field will always be present in all
	@command{gpgconf} versions from that time on.

	@item
	Future versions of @command{gpgconf} might append fields to the list.
	New fields will always be separated from the previously last field by
	a colon separator. The GUI should be prepared to parse the last field
	it knows about up until a colon or end of line.

	@item
	Not all fields are defined under all conditions. You are required to
	ignore the content of undefined fields.
	@end itemize

	There are several standard types for the content of a field:

	@table @asis
	@item verbatim
	Some fields contain strings that are not escaped in any way. Such
	fields are described to be used @emph{verbatim}. These fields will
	never contain a colon character (for obvious reasons). No de-escaping
	or other formatting is required to use the field content. This is for
	easy parsing of the output, when it is known that the content can
	never contain any special characters.

	@item percent-escaped
	Some fields contain strings that are described to be
	@emph{percent-escaped}. Such strings need to be de-escaped before
	their content can be presented to the user. A percent-escaped string
	is de-escaped by replacing all occurrences of @code{%XY} by the byte
	that has the hexadecimal value @code{XY}. @code{X} and @code{Y} are
	from the set @code{0-9a-f}.

	@item localised
	Some fields contain strings that are described to be @emph{localised}.
	Such strings are translated to the active language and formatted in
	the active character set.

	@item @w{unsigned number}
	Some fields contain an @emph{unsigned number}. This number will
	always fit into a 32-bit unsigned integer variable. The number may be
	followed by a space, followed by a human readable description of that
	value (if the verbose option is used). You should ignore everything
	in the field that follows the number.

	@item @w{signed number}
	Some fields contain a @emph{signed number}. This number will always
	fit into a 32-bit signed integer variable. The number may be followed
	by a space, followed by a human readable description of that value (if
	the verbose option is used). You should ignore everything in the
	field that follows the number.

	@item @w{boolean value}
	Some fields contain a @emph{boolean value}. This is a number with
	either the value 0 or 1. The number may be followed by a space,
	followed by a human readable description of that value (if the verbose
	option is used). You should ignore everything in the field that follows
	the number; checking just the first character is sufficient in this
	case.

	@item option
	Some fields contain an @emph{option} argument. The format of an
	option argument depends on the type of the option and on some flags:

	@table @asis
	@item no argument
	The simplest case is that the option does not take an argument at all
	(@var{type} @code{0}). Then the option argument is an unsigned number
	that specifies how often the option occurs. If the @code{list} flag
	is not set, then the only valid number is @code{1}. Options that do
	not take an argument never have the @code{default} or @code{optional
	arg} flag set.

	@item number
	If the option takes a number argument (@var{alt-type} is @code{2} or
	@code{3}), and it can only occur once (@code{list} flag is not set),
	then the option argument is either empty (only allowed if the argument
	is optional), or it is a number. A number is a string that begins
	with an optional minus character, followed by one or more digits. The
	number must fit into an integer variable (unsigned or signed,
	depending on @var{alt-type}).

	@item number list
	If the option takes a number argument and it can occur more than once,
	then the option argument is either empty, or it is a comma-separated
	list of numbers as described above.

	@item string
	If the option takes a string argument (@var{alt-type} is 1), and it
	can only occur once (@code{list} flag is not set) then the option
	argument is either empty (only allowed if the argument is optional),
	or it starts with a double quote character (@code{"}) followed by a
	percent-escaped string that is the argument value. Note that there is
	only a leading double quote character, no trailing one. The double
	quote character is only needed to be able to differentiate between no
	value and the empty string as value.

	@item string list
	If the option takes a number argument and it can occur more than once,
	then the option argument is either empty, or it is a comma-separated
	list of string arguments as described above.
	@end table
	@end table

	The active language and character set are currently determined from
	the locale environment of the @command{gpgconf} program.

	@c FIXME: Document the active language and active character set. Allow
	@c to change it via the command line?


	@mansect usage
	@node Listing components
	@subsection Listing components

	The command @code{--list-components} will list all components that can
	be configured with @command{gpgconf}. Usually, one component will
	correspond to one GnuPG-related program and contain the options of
	that programs configuration file that can be modified using
	@command{gpgconf}. However, this is not necessarily the case. A
	component might also be a group of selected options from several
	programs, or contain entirely virtual options that have a special
	effect rather than changing exactly one option in one configuration
	file.

	A component is a set of configuration options that semantically belong
	together. Furthermore, several changes to a component can be made in
	an atomic way with a single operation. The GUI could for example
	provide a menu with one entry for each component, or a window with one
	tabulator sheet per component.

	The command argument @code{--list-components} lists all available
	components, one per line. The format of each line is:

	@code{@var{name}:@var{description}:@var{pgmname}:}

	@table @var
	@item name
	This field contains a name tag of the component. The name tag is used
	to specify the component in all communication with @command{gpgconf}.
	The name tag is to be used @emph{verbatim}. It is thus not in any
	escaped format.

	@item description
	The @emph{string} in this field contains a human-readable description
	of the component. It can be displayed to the user of the GUI for
	informational purposes. It is @emph{percent-escaped} and
	@emph{localized}.

	@item pgmname
	The @emph{string} in this field contains the absolute name of the
	program's file. It can be used to unambiguously invoke that program.
	It is @emph{percent-escaped}.
	@end table

	Example:
	@example
	$ gpgconf --list-components
	gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
	gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
	scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
	gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
	dirmngr:Directory Manager:/usr/local/bin/dirmngr:
	@end example



	@node Checking programs
	@subsection Checking programs

	The command @code{--check-programs} is similar to
	@code{--list-components} but works on backend programs and not on
	components. It runs each program to test whether it is installed and
	runnable. This also includes a syntax check of all config file options
	of the program.

	The command argument @code{--check-programs} lists all available
	programs, one per line. The format of each line is:

	@code{@var{name}:@var{description}:@var{pgmname}:@var{avail}:@var{okay}:@var{cfgfile}:@var{line}:@var{error}:}

	@table @var
	@item name
	This field contains a name tag of the program which is identical to the
	name of the component. The name tag is to be used @emph{verbatim}. It
	is thus not in any escaped format. This field may be empty to indicate
	a continuation of error descriptions for the last name. The description
	and pgmname fields are then also empty.

	@item description
	The @emph{string} in this field contains a human-readable description
	of the component. It can be displayed to the user of the GUI for
	informational purposes. It is @emph{percent-escaped} and
	@emph{localized}.

	@item pgmname
	The @emph{string} in this field contains the absolute name of the
	program's file. It can be used to unambiguously invoke that program.
	It is @emph{percent-escaped}.

	@item avail
	The @emph{boolean value} in this field indicates whether the program is
	installed and runnable.

	@item okay
	The @emph{boolean value} in this field indicates whether the program's
	config file is syntactically okay.

	@item cfgfile
	If an error occurred in the configuration file (as indicated by a false
	value in the field @code{okay}), this field has the name of the failing
	configuration file. It is @emph{percent-escaped}.

	@item line
	If an error occurred in the configuration file, this field has the line
	number of the failing statement in the configuration file.
	It is an @emph{unsigned number}.

	@item error
	If an error occurred in the configuration file, this field has the error
	text of the failing statement in the configuration file. It is
	@emph{percent-escaped} and @emph{localized}.

	@end table

	@noindent
	In the following example the @command{dirmngr} is not runnable and the
	configuration file of @command{scdaemon} is not okay.

	@example
	$ gpgconf --check-programs
	gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
	gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
	scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
	gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
	dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
	@end example

	@noindent
	The command @w{@code{--check-options @var{component}}} will verify the
	configuration file in the same manner as @code{--check-programs}, but
	only for the component @var{component}.


	@node Listing options
	@subsection Listing options

	Every component contains one or more options. Options may be gathered
	into option groups to allow the GUI to give visual hints to the user
	about which options are related.

	The command argument @code{@w{--list-options @var{component}}} lists
	all options (and the groups they belong to) in the component
	@var{component}, one per line. @var{component} must be the string in
	the field @var{name} in the output of the @code{--list-components}
	command.

	There is one line for each option and each group. First come all
	options that are not in any group. Then comes a line describing a
	group. Then come all options that belong into each group. Then comes
	the next group and so on. There does not need to be any group (and in
	this case the output will stop after the last non-grouped option).

	The format of each line is:

	@code{@var{name}:@var{flags}:@var{level}:@var{description}:@var{type}:@var{alt-type}:@var{argname}:@var{default}:@var{argdef}:@var{value}}

	@table @var
	@item name
	This field contains a name tag for the group or option. The name tag
	is used to specify the group or option in all communication with
	@command{gpgconf}. The name tag is to be used @emph{verbatim}. It is
	thus not in any escaped format.

	@item flags
	The flags field contains an @emph{unsigned number}. Its value is the
	OR-wise combination of the following flag values:

	@table @code
	@item group (1)
	If this flag is set, this is a line describing a group and not an
	option.
	@end table

	The following flag values are only defined for options (that is, if
	the @code{group} flag is not used).

	@table @code
	@item optional arg (2)
	If this flag is set, the argument is optional. This is never set for
	@var{type} @code{0} (none) options.

	@item list (4)
	If this flag is set, the option can be given multiple times.

	@item runtime (8)
	If this flag is set, the option can be changed at runtime.

	@item default (16)
	If this flag is set, a default value is available.

	@item default desc (32)
	If this flag is set, a (runtime) default is available. This and the
	@code{default} flag are mutually exclusive.

	@item no arg desc (64)
	If this flag is set, and the @code{optional arg} flag is set, then the
	option has a special meaning if no argument is given.

	@item no change (128)
	If this flag is set, gpgconf ignores requests to change the value. GUI
	frontends should grey out this option. Note, that manual changes of the
	configuration files are still possible.
	@end table

	@item level
	This field is defined for options and for groups. It contains an
	@emph{unsigned number} that specifies the expert level under which
	this group or option should be displayed. The following expert levels
	are defined for options (they have analogous meaning for groups):

	@table @code
	@item basic (0)
	This option should always be offered to the user.

	@item advanced (1)
	This option may be offered to advanced users.

	@item expert (2)
	This option should only be offered to expert users.

	@item invisible (3)
	This option should normally never be displayed, not even to expert
	users.

	@item internal (4)
	This option is for internal use only. Ignore it.
	@end table

	The level of a group will always be the lowest level of all options it
	contains.

	@item description
	This field is defined for options and groups. The @emph{string} in
	this field contains a human-readable description of the option or
	group. It can be displayed to the user of the GUI for informational
	purposes. It is @emph{percent-escaped} and @emph{localized}.

	@item type
	This field is only defined for options. It contains an @emph{unsigned
	number} that specifies the type of the option's argument, if any. The
	following types are defined:

	Basic types:

	@table @code
	@item none (0)
	No argument allowed.

	@item string (1)
	An @emph{unformatted string}.

	@item int32 (2)
	A @emph{signed number}.

	@item uint32 (3)
	An @emph{unsigned number}.
	@end table

	Complex types:

	@table @code
	@item pathname (32)
	A @emph{string} that describes the pathname of a file. The file does
	not necessarily need to exist.

	@item ldap server (33)
	A @emph{string} that describes an LDAP server in the format:

	@code{@var{hostname}:@var{port}:@var{username}:@var{password}:@var{base_dn}}

	@item key fingerprint (34)
	A @emph{string} with a 40 digit fingerprint specifying a certificate.

	@item pub key (35)
	A @emph{string} that describes a certificate by user ID, key ID or
	fingerprint.

	@item sec key (36)
	A @emph{string} that describes a certificate with a key by user ID,
	key ID or fingerprint.

	@item alias list (37)
	A @emph{string} that describes an alias list, like the one used with
	gpg's group option. The list consists of a key, an equal sign and space
	separated values.
	@end table

	More types will be added in the future. Please see the @var{alt-type}
	field for information on how to cope with unknown types.

	@item alt-type
	This field is identical to @var{type}, except that only the types
	@code{0} to @code{31} are allowed. The GUI is expected to present the
	user the option in the format specified by @var{type}. But if the
	argument type @var{type} is not supported by the GUI, it can still
	display the option in the more generic basic type @var{alt-type}. The
	GUI must support all the defined basic types to be able to display all
	options. More basic types may be added in future versions. If the
	GUI encounters a basic type it doesn't support, it should report an
	error and abort the operation.

	@item argname
	This field is only defined for options with an argument type
	@var{type} that is not @code{0}. In this case it may contain a
	@emph{percent-escaped} and @emph{localised string} that gives a short
	name for the argument. The field may also be empty, though, in which
	case a short name is not known.

	@item default
	This field is defined only for options for which the @code{default} or
	@code{default desc} flag is set. If the @code{default} flag is set,
	its format is that of an @emph{option argument} (@xref{Format
	conventions}, for details). If the default value is empty, then no
	default is known. Otherwise, the value specifies the default value
	for this option. If the @code{default desc} flag is set, the field is
	either empty or contains a description of the effect if the option is
	not given.

	@item argdef
	This field is defined only for options for which the @code{optional
	arg} flag is set. If the @code{no arg desc} flag is not set, its
	format is that of an @emph{option argument} (@xref{Format
	conventions}, for details). If the default value is empty, then no
	default is known. Otherwise, the value specifies the default argument
	for this option. If the @code{no arg desc} flag is set, the field is
	either empty or contains a description of the effect of this option if
	no argument is given.

	@item value
	This field is defined only for options. Its format is that of an
	@emph{option argument}. If it is empty, then the option is not
	explicitly set in the current configuration, and the default applies
	(if any). Otherwise, it contains the current value of the option.
	Note that this field is also meaningful if the option itself does not
	take a real argument (in this case, it contains the number of times
	the option appears).
	@end table


	@node Changing options
	@subsection Changing options

	The command @w{@code{--change-options @var{component}}} will attempt
	to change the options of the component @var{component} to the
	specified values. @var{component} must be the string in the field
	@var{name} in the output of the @code{--list-components} command. You
	have to provide the options that shall be changed in the following
	format on standard input:

	@code{@var{name}:@var{flags}:@var{new-value}}

	@table @var
	@item name
	This is the name of the option to change. @var{name} must be the
	string in the field @var{name} in the output of the
	@code{--list-options} command.

	@item flags
	The flags field contains an @emph{unsigned number}. Its value is the
	OR-wise combination of the following flag values:

	@table @code
	@item default (16)
	If this flag is set, the option is deleted and the default value is
	used instead (if applicable).
	@end table

	@item new-value
	The new value for the option. This field is only defined if the
	@code{default} flag is not set. The format is that of an @emph{option
	argument}. If it is empty (or the field is omitted), the default
	argument is used (only allowed if the argument is optional for this
	option). Otherwise, the option will be set to the specified value.
	@end table

	@noindent
	The output of the command is the same as that of
	@code{--check-options} for the modified configuration file.

	Examples:

	To set the force option, which is of basic type @code{none (0)}:

	@example
	$ echo 'force:0:1' \| gpgconf --change-options dirmngr
	@end example

	To delete the force option:

	@example
	$ echo 'force:16:' \| gpgconf --change-options dirmngr
	@end example

	The @code{--runtime} option can influence when the changes take
	effect.


	@node Listing global options
	@subsection Listing global options

	Sometimes it is useful for applications to look at the global options
	file @file{gpgconf.conf}.
	The colon separated listing format is record oriented and uses the first
	field to identify the record type:

	@table @code
	@item k
	This describes a key record to start the definition of a new ruleset for
	a user/group. The format of a key record is:

	@code{k:@var{user}:@var{group}:}

	@table @var
	@item user
	This is the user field of the key. It is percent escaped. See the
	definition of the gpgconf.conf format for details.

	@item group
	This is the group field of the key. It is percent escaped.
	@end table

	@item r
	This describes a rule record. All rule records up to the next key record
	make up a rule set for that key. The format of a rule record is:

	@code{r:::@var{component}:@var{option}:@var{flags}:@var{value}:}

	@table @var
	@item component
	This is the component part of a rule. It is a plain string.

	@item option
	This is the option part of a rule. It is a plain string.

	@item flag
	This is the flags part of a rule. There may be only one flag per rule
	but by using the same component and option, several flags may be
	assigned to an option. It is a plain string.

	@item value
	This is the optional value for the option. It is a percent escaped
	string with a single quotation mark to indicate a string. The quotation
	mark is only required to distinguish between no value specified and an
	empty string.
	@end table

	@end table

	@noindent
	Unknown record types should be ignored. Note that there is intentionally
	no feature to change the global option file through @command{gpgconf}.



	@mansect files
	@node Files used by gpgconf
	@subsection Files used by gpgconf

	@table @file

	@item /etc/gnupg/gpgconf.conf
	@cindex gpgconf.conf
	If this file exists, it is processed as a global configuration file.
	A commented example can be found in the @file{examples} directory of
	the distribution.
	@end table


	@mansect see also
	@ifset isman
	@command{gpg}(1),
	@command{gpgsm}(1),
	@command{gpg-agent}(1),
	@command{scdaemon}(1),
	@command{dirmngr}(1)
	@end ifset
	@include see-also-note.texi



	@c
	@c APPLYGNUPGDEFAULTS
	@c
	@manpage applygnupgdefaults.8
	@node applygnupgdefaults
	@section Run gpgconf for all users.
	@ifset manverb
	.B applygnupgdefaults
	\- Run gpgconf --apply-defaults for all users.
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B applygnupgdefaults
	@end ifset

	@mansect description
	This script is a wrapper around @command{gpgconf} to run it with the
	command @code{--apply-defaults} for all real users with an existing
	GnuPG home directory. Admins might want to use this script to update he
	GnuPG configuration files for all users after
	@file{/etc/gnupg/gpgconf.conf} has been changed. This allows to enforce
	certain policies for all users. Note, that this is not a bulletproof of
	forcing a user to use certain options. A user may always directly edit
	the configuration files and bypass gpgconf.

	@noindent
	@command{applygnupgdefaults} is invoked by root as:

	@example
	applygnupgdefaults
	@end example


	@c
	@c GPG-PRESET-PASSPHRASE
	@c
	@node gpg-preset-passphrase
	@section Put a passphrase into the cache.
	@manpage gpg-preset-passphrase.1
	@ifset manverb
	.B gpg-preset-passphrase
	\- Put a passphrase into gpg-agent's cache
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B gpg-preset-passphrase
	.RI [ options ]
	.RI [ command ]
	.I cache-id
	@end ifset

	@mansect description
	The @command{gpg-preset-passphrase} is a utility to seed the internal
	cache of a running @command{gpg-agent} with passphrases. It is mainly
	useful for unattended machines, where the usual @command{pinentry} tool
	may not be used and the passphrases for the to be used keys are given at
	machine startup.

	Passphrases set with this utility don't expire unless the
	@option{--forget} option is used to explicitly clear them from the
	cache --- or @command{gpg-agent} is either restarted or reloaded (by
	sending a SIGHUP to it). Note that the maximum cache time as set with
	@option{--max-cache-ttl} is still honored. It is necessary to allow
	this passphrase presetting by starting @command{gpg-agent} with the
	@option{--allow-preset-passphrase}.

	@menu
	* Invoking gpg-preset-passphrase:: List of all commands and options.
	@end menu

	@manpause
	@node Invoking gpg-preset-passphrase
	@subsection List of all commands and options.
	@mancont

	@noindent
	@command{gpg-preset-passphrase} is invoked this way:

	@example
	gpg-preset-passphrase [options] [command] @var{cacheid}
	@end example

	@var{cacheid} is either a 40 character keygrip of hexadecimal
	characters identifying the key for which the passphrase should be set
	or cleared. The keygrip is listed along with the key when running the
	command: @code{gpgsm --dump-secret-keys}. Alternatively an arbitrary
	string may be used to identify a passphrase; it is suggested that such
	a string is prefixed with the name of the application (e.g
	@code{foo:12346}).

	@noindent
	One of the following command options must be given:

	@table @gnupgtabopt
	@item --preset
	@opindex preset
	Preset a passphrase. This is what you usually will
	use. @command{gpg-preset-passphrase} will then read the passphrase from
	@code{stdin}.

	@item --forget
	@opindex forget
	Flush the passphrase for the given cache ID from the cache.

	@end table

	@noindent
	The following additional options may be used:

	@table @gnupgtabopt
	@item -v
	@itemx --verbose
	@opindex verbose
	Output additional information while running.

	@item -P @var{string}
	@itemx --passphrase @var{string}
	@opindex passphrase
	Instead of reading the passphrase from @code{stdin}, use the supplied
	@var{string} as passphrase. Note that this makes the passphrase visible
	for other users.
	@end table

	@mansect see also
	@ifset isman
	@command{gpg}(1),
	@command{gpgsm}(1),
	@command{gpg-agent}(1),
	@command{scdaemon}(1)
	@end ifset
	@include see-also-note.texi




	@c
	@c GPG-CONNECT-AGENT
	@c
	@node gpg-connect-agent
	@section Communicate with a running agent.
	@manpage gpg-connect-agent.1
	@ifset manverb
	.B gpg-connect-agent
	\- Communicate with a running agent
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B gpg-connect-agent
	.RI [ options ] [commands]
	@end ifset

	@mansect description
	The @command{gpg-connect-agent} is a utility to communicate with a
	running @command{gpg-agent}. It is useful to check out the commands
	gpg-agent provides using the Assuan interface. It might also be useful
	for scripting simple applications. Input is expected at stdin and out
	put gets printed to stdout.

	It is very similar to running @command{gpg-agent} in server mode; but
	here we connect to a running instance.

	@menu
	* Invoking gpg-connect-agent:: List of all options.
	* Controlling gpg-connect-agent:: Control commands.
	@end menu

	@manpause
	@node Invoking gpg-connect-agent
	@subsection List of all options.

	@noindent
	@command{gpg-connect-agent} is invoked this way:

	@example
	gpg-connect-agent [options] [commands]
	@end example
	@mancont

	@noindent
	The following options may be used:

	@table @gnupgtabopt
	@item -v
	@itemx --verbose
	@opindex verbose
	Output additional information while running.

	@item -q
	@item --quiet
	@opindex q
	@opindex quiet
	Try to be as quiet as possible.

	@include opt-homedir.texi

	@item --agent-program @var{file}
	@opindex agent-program
	Specify the agent program to be started if none is running. The
	default value is determined by running @command{gpgconf} with the
	option @option{--list-dirs}. Note that the pipe symbol (@code{\|}) is
	used for a regression test suite hack and may thus not be used in the
	file name.

	@item --dirmngr-program @var{file}
	@opindex dirmngr-program
	Specify the directory manager (keyserver client) program to be started
	if none is running. This has only an effect if used together with the
	option @option{--dirmngr}.

	@item --dirmngr
	@opindex dirmngr
	Connect to a running directory manager (keyserver client) instead of
	to the gpg-agent. If a dirmngr is not running, start it.

	@item -S
	@itemx --raw-socket @var{name}
	@opindex raw-socket
	Connect to socket @var{name} assuming this is an Assuan style server.
	Do not run any special initializations or environment checks. This may
	be used to directly connect to any Assuan style socket server.

	@item -E
	@itemx --exec
	@opindex exec
	Take the rest of the command line as a program and it's arguments and
	execute it as an assuan server. Here is how you would run @command{gpgsm}:
	@smallexample
	gpg-connect-agent --exec gpgsm --server
	@end smallexample
	Note that you may not use options on the command line in this case.

	@item --no-ext-connect
	@opindex no-ext-connect
	When using @option{-S} or @option{--exec}, @command{gpg-connect-agent}
	connects to the assuan server in extended mode to allow descriptor
	passing. This option makes it use the old mode.

	@item --no-autostart
	@opindex no-autostart
	Do not start the gpg-agent or the dirmngr if it has not yet been
	started.

	@item -r @var{file}
	@itemx --run @var{file}
	@opindex run
	Run the commands from @var{file} at startup and then continue with the
	regular input method. Note, that commands given on the command line are
	executed after this file.

	@item -s
	@itemx --subst
	@opindex subst
	Run the command @code{/subst} at startup.

	@item --hex
	@opindex hex
	Print data lines in a hex format and the ASCII representation of
	non-control characters.

	@item --decode
	@opindex decode
	Decode data lines. That is to remove percent escapes but make sure that
	a new line always starts with a D and a space.

	@end table

	@mansect control commands
	@node Controlling gpg-connect-agent
	@subsection Control commands.

	While reading Assuan commands, gpg-agent also allows a few special
	commands to control its operation. These control commands all start
	with a slash (@code{/}).

	@table @code

	@item /echo @var{args}
	Just print @var{args}.

	@item /let @var{name} @var{value}
	Set the variable @var{name} to @var{value}. Variables are only
	substituted on the input if the @command{/subst} has been used.
	Variables are referenced by prefixing the name with a dollar sign and
	optionally include the name in curly braces. The rules for a valid name
	are identically to those of the standard bourne shell. This is not yet
	enforced but may be in the future. When used with curly braces no
	leading or trailing white space is allowed.

	If a variable is not found, it is searched in the environment and if
	found copied to the table of variables.

	Variable functions are available: The name of the function must be
	followed by at least one space and the at least one argument. The
	following functions are available:

	@table @code
	@item get
	Return a value described by the argument. Available arguments are:

	@table @code
	@item cwd
	The current working directory.
	@item homedir
	The gnupg homedir.
	@item sysconfdir
	GnuPG's system configuration directory.
	@item bindir
	GnuPG's binary directory.
	@item libdir
	GnuPG's library directory.
	@item libexecdir
	GnuPG's library directory for executable files.
	@item datadir
	GnuPG's data directory.
	@item serverpid
	The PID of the current server. Command @command{/serverpid} must
	have been given to return a useful value.
	@end table

	@item unescape @var{args}
	Remove C-style escapes from @var{args}. Note that @code{\0} and
	@code{\x00} terminate the returned string implicitly. The string to be
	converted are the entire arguments right behind the delimiting space of
	the function name.

	@item unpercent @var{args}
	@itemx unpercent+ @var{args}
	Remove percent style escaping from @var{args}. Note that @code{%00}
	terminates the string implicitly. The string to be converted are the
	entire arguments right behind the delimiting space of the function
	name. @code{unpercent+} also maps plus signs to a spaces.

	@item percent @var{args}
	@itemx percent+ @var{args}
	Escape the @var{args} using percent style escaping. Tabs, formfeeds,
	linefeeds, carriage returns and colons are escaped. @code{percent+} also
	maps spaces to plus signs.

	@item errcode @var{arg}
	@itemx errsource @var{arg}
	@itemx errstring @var{arg}
	Assume @var{arg} is an integer and evaluate it using @code{strtol}. Return
	the gpg-error error code, error source or a formatted string with the
	error code and error source.


	@item +
	@itemx -
	@itemx *
	@itemx /
	@itemx %
	Evaluate all arguments as long integers using @code{strtol} and apply
	this operator. A division by zero yields an empty string.

	@item !
	@itemx \|
	@itemx &
	Evaluate all arguments as long integers using @code{strtol} and apply
	the logical operators NOT, OR or AND. The NOT operator works on the
	last argument only.


	@end table


	@item /definq @var{name} @var{var}
	Use content of the variable @var{var} for inquiries with @var{name}.
	@var{name} may be an asterisk (@code{*}) to match any inquiry.


	@item /definqfile @var{name} @var{file}
	Use content of @var{file} for inquiries with @var{name}.
	@var{name} may be an asterisk (@code{*}) to match any inquiry.

	@item /definqprog @var{name} @var{prog}
	Run @var{prog} for inquiries matching @var{name} and pass the
	entire line to it as command line arguments.

	@item /datafile @var{name}
	Write all data lines from the server to the file @var{name}. The file
	is opened for writing and created if it does not exists. An existing
	file is first truncated to 0. The data written to the file fully
	decoded. Using a single dash for @var{name} writes to stdout. The
	file is kept open until a new file is set using this command or this
	command is used without an argument.

	@item /showdef
	Print all definitions

	@item /cleardef
	Delete all definitions

	@item /sendfd @var{file} @var{mode}
	Open @var{file} in @var{mode} (which needs to be a valid @code{fopen}
	mode string) and send the file descriptor to the server. This is
	usually followed by a command like @code{INPUT FD} to set the
	input source for other commands.

	@item /recvfd
	Not yet implemented.

	@item /open @var{var} @var{file} [@var{mode}]
	Open @var{file} and assign the file descriptor to @var{var}. Warning:
	This command is experimental and might change in future versions.

	@item /close @var{fd}
	Close the file descriptor @var{fd}. Warning: This command is
	experimental and might change in future versions.

	@item /showopen
	Show a list of open files.

	@item /serverpid
	Send the Assuan command @command{GETINFO pid} to the server and store
	the returned PID for internal purposes.

	@item /sleep
	Sleep for a second.

	@item /hex
	@itemx /nohex
	Same as the command line option @option{--hex}.

	@item /decode
	@itemx /nodecode
	Same as the command line option @option{--decode}.

	@item /subst
	@itemx /nosubst
	Enable and disable variable substitution. It defaults to disabled
	unless the command line option @option{--subst} has been used.
	If /subst as been enabled once, leading whitespace is removed from
	input lines which makes scripts easier to read.

	@item /while @var{condition}
	@itemx /end
	These commands provide a way for executing loops. All lines between
	the @code{while} and the corresponding @code{end} are executed as long
	as the evaluation of @var{condition} yields a non-zero value or is the
	string @code{true} or @code{yes}. The evaluation is done by passing
	@var{condition} to the @code{strtol} function. Example:

	@smallexample
	/subst
	/let i 3
	/while $i
	/echo loop couter is $i
	/let i $@{- $i 1@}
	/end
	@end smallexample

	@item /if @var{condition}
	@itemx /end
	These commands provide a way for conditional execution. All lines between
	the @code{if} and the corresponding @code{end} are executed only if
	the evaluation of @var{condition} yields a non-zero value or is the
	string @code{true} or @code{yes}. The evaluation is done by passing
	@var{condition} to the @code{strtol} function.

	@item /run @var{file}
	Run commands from @var{file}.

	@item /bye
	Terminate the connection and the program

	@item /help
	Print a list of available control commands.

	@end table


	@ifset isman
	@mansect see also
	@command{gpg-agent}(1),
	@command{scdaemon}(1)
	@include see-also-note.texi
	@end ifset

	@c
	@c DIRMNGR-CLIENT
	@c
	@node dirmngr-client
	@section The Dirmngr Client Tool

	@manpage dirmngr-client.1
	@ifset manverb
	.B dirmngr-client
	\- Tool to access the Dirmngr services
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B dirmngr-client
	.RI [ options ]
	.RI [ certfile \| pattern ]
	@end ifset

	@mansect description
	The @command{dirmngr-client} is a simple tool to contact a running
	dirmngr and test whether a certificate has been revoked --- either by
	being listed in the corresponding CRL or by running the OCSP protocol.
	If no dirmngr is running, a new instances will be started but this is
	in general not a good idea due to the huge performance overhead.

	@noindent
	The usual way to run this tool is either:

	@example
	dirmngr-client @var{acert}
	@end example

	@noindent
	or

	@example
	dirmngr-client <@var{acert}
	@end example

	Where @var{acert} is one DER encoded (binary) X.509 certificates to be
	tested.
	@ifclear isman
	The return value of this command is
	@end ifclear

	@mansect return value
	@ifset isman
	@command{dirmngr-client} returns these values:
	@end ifset
	@table @code

	@item 0
	The certificate under question is valid; i.e. there is a valid CRL
	available and it is not listed there or the OCSP request returned that
	that certificate is valid.

	@item 1
	The certificate has been revoked

	@item 2 (and other values)
	There was a problem checking the revocation state of the certificate.
	A message to stderr has given more detailed information. Most likely
	this is due to a missing or expired CRL or due to a network problem.

	@end table

	@mansect options
	@noindent
	@command{dirmngr-client} may be called with the following options:


	@table @gnupgtabopt
	@item --version
	@opindex version
	Print the program version and licensing information. Note that you cannot
	abbreviate this command.

	@item --help, -h
	@opindex help
	Print a usage message summarizing the most useful command-line options.
	Note that you cannot abbreviate this command.

	@item --quiet, -q
	@opindex quiet
	Make the output extra brief by suppressing any informational messages.

	@item -v
	@item --verbose
	@opindex v
	@opindex verbose
	Outputs additional information while running.
	You can increase the verbosity by giving several
	verbose commands to @sc{dirmngr}, such as @samp{-vv}.

	@item --pem
	@opindex pem
	Assume that the given certificate is in PEM (armored) format.

	@item --ocsp
	@opindex ocsp
	Do the check using the OCSP protocol and ignore any CRLs.

	@item --force-default-responder
	@opindex force-default-responder
	When checking using the OCSP protocl, force the use of the default OCSP
	responder. That is not to use the Reponder as given by the certificate.

	@item --ping
	@opindex ping
	Check whether the dirmngr daemon is up and running.

	@item --cache-cert
	@opindex cache-cert
	Put the given certificate into the cache of a running dirmngr. This is
	mainly useful for debugging.

	@item --validate
	@opindex validate
	Validate the given certificate using dirmngr's internal validation code.
	This is mainly useful for debugging.

	@item --load-crl
	@opindex load-crl
	This command expects a list of filenames with DER encoded CRL files.
	With the option @option{--url} URLs are expected in place of filenames
	and they are loaded directly from the given location. All CRLs will be
	validated and then loaded into dirmngr's cache.

	@item --lookup
	@opindex lookup
	Take the remaining arguments and run a lookup command on each of them.
	The results are Base-64 encoded outputs (without header lines). This
	may be used to retrieve certificates from a server. However the output
	format is not very well suited if more than one certificate is returned.

	@item --url
	@itemx -u
	@opindex url
	Modify the @command{lookup} and @command{load-crl} commands to take an URL.

	@item --local
	@itemx -l
	@opindex url
	Let the @command{lookup} command only search the local cache.

	@item --squid-mode
	@opindex squid-mode
	Run @sc{dirmngr-client} in a mode suitable as a helper program for
	Squid's @option{external_acl_type} option.


	@end table

	@ifset isman
	@mansect see also
	@command{dirmngr}(8),
	@command{gpgsm}(1)
	@include see-also-note.texi
	@end ifset


	@c
	@c GPGPARSEMAIL
	@c
	@node gpgparsemail
	@section Parse a mail message into an annotated format

	@manpage gpgparsemail.1
	@ifset manverb
	.B gpgparsemail
	\- Parse a mail message into an annotated format
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B gpgparsemail
	.RI [ options ]
	.RI [ file ]
	@end ifset

	@mansect description
	The @command{gpgparsemail} is a utility currently only useful for
	debugging. Run it with @code{--help} for usage information.



	@c
	@c SYMCRYPTRUN
	@c
	@node symcryptrun
	@section Call a simple symmetric encryption tool.
	@manpage symcryptrun.1
	@ifset manverb
	.B symcryptrun
	\- Call a simple symmetric encryption tool
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B symcryptrun
	.B \-\-class
	.I class
	.B \-\-program
	.I program
	.B \-\-keyfile
	.I keyfile
	.RB [ --decrypt \| --encrypt ]
	.RI [ inputfile ]
	@end ifset

	@mansect description
	Sometimes simple encryption tools are already in use for a long time and
	there might be a desire to integrate them into the GnuPG framework. The
	protocols and encryption methods might be non-standard or not even
	properly documented, so that a full-fledged encryption tool with an
	interface like gpg is not doable. @command{symcryptrun} provides a
	solution: It operates by calling the external encryption/decryption
	module and provides a passphrase for a key using the standard
	@command{pinentry} based mechanism through @command{gpg-agent}.

	Note, that @command{symcryptrun} is only available if GnuPG has been
	configured with @samp{--enable-symcryptrun} at build time.

	@menu
	* Invoking symcryptrun:: List of all commands and options.
	@end menu

	@manpause
	@node Invoking symcryptrun
	@subsection List of all commands and options.

	@noindent
	@command{symcryptrun} is invoked this way:

	@example
	symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE
	[--decrypt \| --encrypt] [inputfile]
	@end example
	@mancont

	For encryption, the plain text must be provided on STDIN or as the
	argument @var{inputfile}, and the ciphertext will be output to STDOUT.
	For decryption vice versa.

	@var{CLASS} describes the calling conventions of the external tool.
	Currently it must be given as @samp{confucius}. @var{PROGRAM} is
	the full filename of that external tool.

	For the class @samp{confucius} the option @option{--keyfile} is
	required; @var{keyfile} is the name of a file containing the secret key,
	which may be protected by a passphrase. For detailed calling
	conventions, see the source code.

	@noindent
	Note, that @command{gpg-agent} must be running before starting
	@command{symcryptrun}.

	@noindent
	The following additional options may be used:

	@table @gnupgtabopt
	@item -v
	@itemx --verbose
	@opindex verbose
	Output additional information while running.

	@item -q
	@item --quiet
	@opindex q
	@opindex quiet
	Try to be as quiet as possible.

	@include opt-homedir.texi


	@item --log-file @var{file}
	@opindex log-file
	Append all logging output to @var{file}. Default is to write logging
	information to STDERR.

	@end table

	@noindent
	The possible exit status codes of @command{symcryptrun} are:

	@table @code
	@item 0
	Success.
	@item 1
	- Some error occured.
	+ Some error occurred.
	@item 2
	No valid passphrase was provided.
	@item 3
	The operation was canceled by the user.

	@end table

	@mansect see also
	@ifset isman
	@command{gpg}(1),
	@command{gpgsm}(1),
	@command{gpg-agent}(1),
	@end ifset
	@include see-also-note.texi


	@c
	@c GPG-ZIP
	@c
	@c The original manpage on which this section is based was written
	@c by Colin Tuckley <colin@tuckley.org> and Daniel Leidert
	@c <daniel.leidert@wgdd.de> for the Debian distribution (but may be used by
	@c others).
	@manpage gpg-zip.1
	@node gpg-zip
	@section Encrypt or sign files into an archive
	@ifset manverb
	.B gpg-zip \- Encrypt or sign files into an archive
	@end ifset

	@mansect synopsis
	@ifset manverb
	.B gpg-zip
	.RI [ options ]
	.I filename1
	.I [ filename2, ... ]
	.I directory1
	.I [ directory2, ... ]
	@end ifset

	@mansect description
	@command{gpg-zip} encrypts or signs files into an archive. It is an
	gpg-ized tar using the same format as used by PGP's PGP Zip.

	@manpause
	@noindent
	@command{gpg-zip} is invoked this way:

	@example
	gpg-zip [options] @var{filename1} [@var{filename2}, ...] @var{directory} [@var{directory2}, ...]
	@end example

	@mansect options
	@noindent
	@command{gpg-zip} understands these options:

	@table @gnupgtabopt

	@item --encrypt
	@itemx -e
	@opindex encrypt
	Encrypt data. This option may be combined with @option{--symmetric} (for output that may be decrypted via a secret key or a passphrase).

	@item --decrypt
	@itemx -d
	@opindex decrypt
	Decrypt data.

	@item --symmetric
	@itemx -c
	Encrypt with a symmetric cipher using a passphrase. The default
	symmetric cipher used is CAST5, but may be chosen with the
	@option{--cipher-algo} option to @command{gpg}.

	@item --sign
	@itemx -s
	Make a signature. See @command{gpg}.

	@item --recipient @var{user}
	@itemx -r @var{user}
	@opindex recipient
	Encrypt for user id @var{user}. See @command{gpg}.

	@item --local-user @var{user}
	@itemx -u @var{user}
	@opindex local-user
	Use @var{user} as the key to sign with. See @command{gpg}.

	@item --list-archive
	@opindex list-archive
	List the contents of the specified archive.

	@item --output @var{file}
	@itemx -o @var{file}
	@opindex output
	Write output to specified file @var{file}.

	@item --gpg @var{gpgcmd}
	@opindex gpg
	Use the specified command @var{gpgcmd} instead of @command{gpg}.

	@item --gpg-args @var{args}
	@opindex gpg-args
	Pass the specified options to @command{gpg}.

	@item --tar @var{tarcmd}
	@opindex tar
	Use the specified command @var{tarcmd} instead of @command{tar}.

	@item --tar-args @var{args}
	@opindex tar-args
	Pass the specified options to @command{tar}.

	@item --version
	@opindex version
	Print version of the program and exit.

	@item --help
	@opindex help
	Display a brief help page and exit.

	@end table

	@mansect diagnostics
	@noindent
	The program returns 0 if everything was fine, 1 otherwise.


	@mansect examples
	@ifclear isman
	@noindent
	Some examples:

	@end ifclear
	@noindent
	Encrypt the contents of directory @file{mydocs} for user Bob to file
	@file{test1}:

	@example
	gpg-zip --encrypt --output test1 --gpg-args -r Bob mydocs
	@end example

	@noindent
	List the contents of archive @file{test1}:

	@example
	gpg-zip --list-archive test1
	@end example


	@mansect see also
	@ifset isman
	@command{gpg}(1),
	@command{tar}(1),
	@end ifset
	@include see-also-note.texi
	diff --git a/g10/gpgcompose.c b/g10/gpgcompose.c
	index cd5346fb0..e3bb01317 100644
	--- a/g10/gpgcompose.c
	+++ b/g10/gpgcompose.c
	@@ -1,3034 +1,3034 @@
	/* gpgcompose.c - Maintainer tool to create OpenPGP messages by hand.
	* Copyright (C) 2016 g10 Code GmbH
	*
	* This file is part of GnuPG.
	*
	* GnuPG is free software; you can redistribute it and/or modify
	* it under the terms of the GNU General Public License as published by
	* the Free Software Foundation; either version 3 of the License, or
	* (at your option) any later version.
	*
	* GnuPG is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	* GNU General Public License for more details.
	*
	* You should have received a copy of the GNU General Public License
	* along with this program; if not, see <http://www.gnu.org/licenses/>.
	*/

	#include <config.h>
	#include <errno.h>

	#include "gpg.h"
	#include "packet.h"
	#include "keydb.h"
	#include "main.h"
	#include "options.h"

	static int do_debug;
	#define debug(fmt, ...) \
	do { if (do_debug) log_debug (fmt, ##__VA_ARGS__); } while (0)

	/* --encryption, for instance, adds a filter in front of out. There
	is an operator (--encryption-pop) to end this. We use the
	following infrastructure to make it easy to pop the state. */
	struct filter
	{
	void *func;
	void *context;
	int pkttype;
	int partial_block_mode;
	struct filter *next;
	};

	static struct filter *filters;

	static void
	filter_push (iobuf_t out, void func, void context,
	int type, int partial_block_mode)
	{
	gpg_error_t err;
	struct filter f = xmalloc_clear (sizeof (f));
	f->next = filters;
	f->func = func;
	f->context = context;
	f->pkttype = type;
	f->partial_block_mode = partial_block_mode;

	filters = f;

	err = iobuf_push_filter (out, func, context);
	if (err)
	log_fatal ("Adding filter: %s\n", gpg_strerror (err));
	}

	static void
	filter_pop (iobuf_t out, int expected_type)
	{
	gpg_error_t err;
	struct filter *f = filters;

	log_assert (f);

	if (f->pkttype != expected_type)
	log_fatal ("Attempted to pop a %s container, "
	"but current container is a %s container.\n",
	pkttype_str (f->pkttype), pkttype_str (expected_type));

	if (f->pkttype == PKT_ENCRYPTED \|\| f->pkttype == PKT_ENCRYPTED_MDC)
	{
	err = iobuf_pop_filter (out, f->func, f->context);
	if (err)
	log_fatal ("Popping encryption filter: %s\n", gpg_strerror (err));
	}
	else
	log_fatal ("FILTERS appears to be corrupted.\n");

	if (f->partial_block_mode)
	iobuf_set_partial_body_length_mode (out, 0);

	filters = f->next;
	xfree (f);
	}

	/* Return if CIPHER_ID is a valid cipher. */
	static int
	valid_cipher (int cipher_id)
	{
	return (cipher_id == CIPHER_ALGO_IDEA
	\|\| cipher_id == CIPHER_ALGO_3DES
	\|\| cipher_id == CIPHER_ALGO_CAST5
	\|\| cipher_id == CIPHER_ALGO_BLOWFISH
	\|\| cipher_id == CIPHER_ALGO_AES
	\|\| cipher_id == CIPHER_ALGO_AES192
	\|\| cipher_id == CIPHER_ALGO_AES256
	\|\| cipher_id == CIPHER_ALGO_TWOFISH
	\|\| cipher_id == CIPHER_ALGO_CAMELLIA128
	\|\| cipher_id == CIPHER_ALGO_CAMELLIA192
	\|\| cipher_id == CIPHER_ALGO_CAMELLIA256);
	}

	/* Parse a session key encoded as a string of the form x:HEXDIGITS
	where x is the algorithm id. (This is the format emitted by gpg
	--show-session-key.) */
	struct session_key
	{
	int algo;
	int keylen;
	char *key;
	};

	static struct session_key
	parse_session_key (const char option, char p, int require_algo)
	{
	char *tail;
	struct session_key sk;

	memset (&sk, 0, sizeof (sk));

	/* Check for the optional "cipher-id:" at the start of the
	string. */
	errno = 0;
	sk.algo = strtol (p, &tail, 10);
	if (! errno && tail && *tail == ':')
	{
	if (! valid_cipher (sk.algo))
	log_info ("%s: %d is not a known cipher (but using anyways)\n",
	option, sk.algo);
	p = tail + 1;
	}
	else if (require_algo)
	log_fatal ("%s: Session key must have the form algo:HEXCHARACTERS.\n",
	option);
	else
	sk.algo = 0;

	/* Ignore a leading 0x. */
	if (p[0] == '0' && p[1] == 'x')
	p += 2;

	if (strlen (p) % 2 != 0)
	log_fatal ("%s: session key must consist of an even number of hexadecimal characters.\n",
	option);

	sk.keylen = strlen (p) / 2;
	sk.key = xmalloc (sk.keylen);

	if (hex2bin (p, sk.key, sk.keylen) == -1)
	log_fatal ("%s: Session key must only contain hexadecimal characters\n",
	option);

	return sk;
	}

	/* A callback.

	OPTION_STR is the option that was matched. ARGC is the number of
	arguments following the option and ARGV are those arguments.
	(Thus, argv[0] is the first string following the option and
	argv[-1] is the option.)

	COOKIE is the opaque value passed to process_options. */
	typedef int (option_prcessor_t) (const char option_str,
	int argc, char *argv[],
	void *cookie);

	struct option
	{
	/* The option that this matches. This must start with "--" or be
	the empty string. The empty string matches bare arguments. */
	const char *option;
	/* The function to call to process this option. */
	option_prcessor_t func;
	/* Documentation. */
	const char *help;
	};

	/* Merge two lists of options. Note: this makes a shallow copy! The
	caller must xfree() the result. */
	static struct option *
	merge_options (struct option a[], struct option b[])
	{
	int i, j;
	struct option *c;

	for (i = 0; a[i].option; i ++)
	;
	for (j = 0; b[j].option; j ++)
	;

	c = xmalloc ((i + j + 1) * sizeof (struct option));
	memcpy (c, a, i * sizeof (struct option));
	memcpy (&c[i], b, j * sizeof (struct option));
	c[i + j].option = NULL;

	if (a[i].help && b[j].help)
	c[i + j].help = xasprintf ("%s\n\n%s", a[i].help, b[j].help);
	else if (a[i].help)
	c[i + j].help = a[i].help;
	else if (b[j].help)
	c[i + j].help = b[j].help;

	return c;
	}

	/* Returns whether ARG is an option. All options start with --. */
	static int
	is_option (const char *arg)
	{
	return arg[0] == '-' && arg[1] == '-';
	}

	/* OPTIONS is a NULL terminated array of struct option:s. Finds the
	entry that is the same as ARG. Returns -1 if no entry is found.
	The empty string option matches bare arguments. */
	static int
	match_option (const struct option options[], const char *arg)
	{
	int i;
	int bare_arg = ! is_option (arg);

	for (i = 0; options[i].option; i ++)
	if ((! bare_arg && strcmp (options[i].option, arg) == 0)
	/* Non-options match the empty string. */
	\|\| (bare_arg && options[i].option[0] == '\0'))
	return i;

	return -1;
	}

	static void
	show_help (struct option options[])
	{
	int i;
	int max_length = 0;
	int space;

	for (i = 0; options[i].option; i ++)
	{
	const char *option = options[i].option[0] ? options[i].option : "ARG";
	int l = strlen (option);
	if (l > max_length)
	max_length = l;
	}

	space = 72 - (max_length + 2);
	if (space < 40)
	space = 40;

	for (i = 0; ; i ++)
	{
	const char *option = options[i].option;
	const char *help = options[i].help;

	int l;
	int j;
	char *tmp;
	char *formatted;
	char *p;
	char *newline;

	if (! option && ! help)
	break;

	if (option)
	{
	const char *o = option[0] ? option : "ARG";
	l = strlen (o);
	fprintf (stderr, "%s", o);
	}

	if (! help)
	{
	fputc ('\n', stderr);
	continue;
	}

	if (option)
	for (j = l; j < max_length + 2; j ++)
	fputc (' ', stderr);

	#define BOLD_START "\033[1m"
	#define NORMAL_RESTORE "\033[0m"
	#define BOLD(x) BOLD_START x NORMAL_RESTORE

	if (! option \|\| options[i].func)
	tmp = (char *) help;
	else
	tmp = xasprintf ("%s " BOLD("(Unimplemented.)"), help);

	if (! option)
	space = 72;
	formatted = format_text (tmp, 0, space, space + 4);

	if (tmp != help)
	xfree (tmp);

	if (! option)
	{
	fprintf (stderr, "\n%s\n", formatted);
	break;
	}

	for (p = formatted;
	p && *p;
	p = (*newline == '\0') ? newline : newline + 1)
	{
	newline = strchr (p, '\n');
	if (! newline)
	newline = &p[strlen (p)];

	l = (size_t) newline - (size_t) p;

	if (p != formatted)
	for (j = 0; j < max_length + 2; j ++)
	fputc (' ', stderr);

	fwrite (p, l, 1, stderr);
	fputc ('\n', stderr);
	}

	xfree (formatted);
	}
	}

	/* Return value is number of consumed argv elements. */
	static int
	process_options (const char *parent_option,
	struct option break_options[],
	struct option local_options[], void *lcookie,
	struct option global_options[], void *gcookie,
	int argc, char *argv[])
	{
	int i;
	for (i = 0; i < argc; i ++)
	{
	int j;
	struct option *option;
	void *cookie;
	int bare_arg;
	option_prcessor_t func;
	int consumed;

	if (break_options)
	{
	j = match_option (break_options, argv[i]);
	if (j != -1)
	/* Match. Break out. */
	return i;
	}

	j = match_option (local_options, argv[i]);
	if (j == -1)
	{
	if (global_options)
	j = match_option (global_options, argv[i]);
	if (j == -1)
	{
	if (strcmp (argv[i], "--help") == 0)
	{
	if (! global_options)
	show_help (local_options);
	else
	{
	struct option *combined
	= merge_options (local_options, global_options);
	show_help (combined);
	xfree (combined);
	}
	g10_exit (0);
	}

	if (parent_option)
	log_fatal ("%s: Unknown option: %s\n", parent_option, argv[i]);
	else
	log_fatal ("Unknown option: %s\n", argv[i]);
	}

	option = &global_options[j];
	cookie = gcookie;
	}
	else
	{
	option = &local_options[j];
	cookie = lcookie;
	}

	bare_arg = strcmp (option->option, "") == 0;

	func = option->func;
	if (! func)
	{
	if (bare_arg)
	log_fatal ("Bare arguments unimplemented.\n");
	else
	log_fatal ("Unimplemented option: %s\n",
	option->option);
	}

	consumed = func (bare_arg ? parent_option : argv[i],
	argc - i - !bare_arg, &argv[i + !bare_arg],
	cookie);
	i += consumed;
	if (bare_arg)
	i --;
	}

	return i;
	}

	/* The keys, subkeys, user ids and user attributes in the order that
	they were added. */
	PACKET components[20];
	/* The number of components. */
	int ncomponents;

	static int
	add_component (int pkttype, void *component)
	{
	int i = ncomponents ++;

	log_assert (i < sizeof (components) / sizeof (components[0]));
	log_assert (pkttype == PKT_PUBLIC_KEY
	\|\| pkttype == PKT_PUBLIC_SUBKEY
	\|\| pkttype == PKT_SECRET_KEY
	\|\| pkttype == PKT_SECRET_SUBKEY
	\|\| pkttype == PKT_USER_ID
	\|\| pkttype == PKT_ATTRIBUTE);

	components[i].pkttype = pkttype;
	components[i].pkt.generic = component;

	return i;
	}

	static void
	dump_component (PACKET *pkt)
	{
	struct kbnode_struct kbnode;

	if (! do_debug)
	return;

	memset (&kbnode, 0, sizeof (kbnode));
	kbnode.pkt = pkt;
	dump_kbnode (&kbnode);
	}

	/* Returns the first primary key in COMPONENTS or NULL if there is
	none. */
	static PKT_public_key *
	primary_key (void)
	{
	int i;
	for (i = 0; i < ncomponents; i ++)
	if (components[i].pkttype == PKT_PUBLIC_KEY)
	return components[i].pkt.public_key;
	return NULL;
	}

	/* The last session key (updated when adding a SK-ESK, PK-ESK or SED
	packet. */
	static DEK session_key;

	static int user_id (const char option, int argc, char argv[],
	void *cookie);
	static int public_key (const char option, int argc, char argv[],
	void *cookie);
	static int sk_esk (const char option, int argc, char argv[],
	void *cookie);
	static int pk_esk (const char option, int argc, char argv[],
	void *cookie);
	static int encrypted (const char option, int argc, char argv[],
	void *cookie);
	static int encrypted_pop (const char option, int argc, char argv[],
	void *cookie);
	static int literal (const char option, int argc, char argv[],
	void *cookie);
	static int signature (const char option, int argc, char argv[],
	void *cookie);
	static int copy (const char option, int argc, char argv[],
	void *cookie);

	static struct option major_options[] = {
	{ "--user-id", user_id, "Create a user id packet." },
	{ "--public-key", public_key, "Create a public key packet." },
	{ "--private-key", NULL, "Create a private key packet." },
	{ "--public-subkey", public_key, "Create a subkey packet." },
	{ "--private-subkey", NULL, "Create a private subkey packet." },
	{ "--sk-esk", sk_esk,
	"Create a symmetric-key encrypted session key packet." },
	{ "--pk-esk", pk_esk,
	"Create a public-key encrypted session key packet." },
	{ "--encrypted", encrypted, "Create a symmetrically encrypted data packet." },
	{ "--encrypted-mdc", encrypted,
	"Create a symmetrically encrypted and integrity protected data packet." },
	{ "--encrypted-pop", encrypted_pop,
	"Pop an encryption container." },
	{ "--compressed", NULL, "Create a compressed data packet." },
	{ "--literal", literal, "Create a literal (plaintext) data packet." },
	{ "--signature", signature, "Create a signature packet." },
	{ "--onepass-sig", NULL, "Create a one-pass signature packet." },
	{ "--copy", copy, "Copy the specified file." },
	{ NULL, NULL,
	"To get more information about a given command, use:\n\n"
	" $ gpgcompose --command --help to list a command's options."},
	};

	static struct option global_options[] = {
	{ NULL, NULL, NULL },
	};

	/* Make our lives easier and use a static limit for the user name.
	10k is way more than enough anyways... */
	const int user_id_max_len = 10 * 1024;

	static int
	user_id_name (const char option, int argc, char argv[], void *cookie)
	{
	PKT_user_id *uid = cookie;
	int l;

	if (argc == 0)
	log_fatal ("Usage: %s USER_ID\n", option);

	if (uid->len)
	log_fatal ("Attempt to set user id multiple times.\n");

	l = strlen (argv[0]);
	if (l > user_id_max_len)
	log_fatal ("user id too long (max: %d)\n", user_id_max_len);

	memcpy (uid->name, argv[0], l);
	uid->name[l] = 0;
	uid->len = l;

	return 1;
	}

	static struct option user_id_options[] = {
	{ "", user_id_name,
	"Set the user id. This is usually in the format "
	"\"Name (comment) <email@example.org>\"" },
	{ NULL, NULL,
	"Example:\n\n"
	" $ gpgcompose --user-id \"USERID\" \| " GPG_NAME " --list-packets" }
	};

	static int
	user_id (const char option, int argc, char argv[], void *cookie)
	{
	iobuf_t out = cookie;
	gpg_error_t err;
	PKT_user_id uid = xmalloc_clear (sizeof (uid) + user_id_max_len);
	int c = add_component (PKT_USER_ID, uid);
	int processed;

	processed = process_options (option,
	major_options,
	user_id_options, uid,
	global_options, NULL,
	argc, argv);

	if (! uid->len)
	log_fatal ("%s: user id not given", option);

	err = build_packet (out, &components[c]);
	if (err)
	log_fatal ("Serializing user id packet: %s\n", gpg_strerror (err));

	debug ("Wrote user id packet:\n");
	dump_component (&components[c]);

	return processed;
	}

	static int
	pk_search_terms (const char option, int argc, char argv[], void *cookie)
	{
	gpg_error_t err;
	KEYDB_HANDLE hd;
	KEYDB_SEARCH_DESC desc;
	kbnode_t kb;
	PKT_public_key *pk = cookie;
	PKT_public_key *pk_ref;
	int i;

	if (argc == 0)
	log_fatal ("Usage: %s KEYID\n", option);

	if (pk->pubkey_algo)
	log_fatal ("%s: multiple keys provided\n", option);

	err = classify_user_id (argv[0], &desc, 0);
	if (err)
	log_fatal ("search terms '%s': %s\n", argv[0], gpg_strerror (err));

	hd = keydb_new ();

	err = keydb_search (hd, &desc, 1, NULL);
	if (err)
	log_fatal ("looking up '%s': %s\n", argv[0], gpg_strerror (err));

	err = keydb_get_keyblock (hd, &kb);
	if (err)
	log_fatal ("retrieving keyblock for '%s': %s\n",
	argv[0], gpg_strerror (err));

	keydb_release (hd);

	pk_ref = kb->pkt->pkt.public_key;

	/* Copy the timestamp (if not already set), algo and public key
	parameters. */
	if (! pk->timestamp)
	pk->timestamp = pk_ref->timestamp;
	pk->pubkey_algo = pk_ref->pubkey_algo;
	for (i = 0; i < pubkey_get_npkey (pk->pubkey_algo); i ++)
	pk->pkey[i] = gcry_mpi_copy (pk_ref->pkey[i]);

	release_kbnode (kb);

	return 1;
	}

	static int
	pk_timestamp (const char option, int argc, char argv[], void *cookie)
	{
	PKT_public_key *pk = cookie;
	char *tail = NULL;

	if (argc == 0)
	log_fatal ("Usage: %s TIMESTAMP\n", option);

	errno = 0;
	pk->timestamp = parse_timestamp (argv[0], &tail);
	if (errno \|\| (tail && *tail))
	log_fatal ("Invalid value passed to %s (%s)\n", option, argv[0]);

	return 1;
	}

	#define TIMESTAMP_HELP \
	"Either as seconds since the epoch or as an ISO 8601 formatted " \
	"string (yyyymmddThhmmss, where the T is a literal)."

	static struct option pk_options[] = {
	{ "--timestamp", pk_timestamp,
	"The creation time. " TIMESTAMP_HELP },
	{ "", pk_search_terms,
	"The key to copy the creation time and public key parameters from." },
	{ NULL, NULL,
	"Example:\n\n"
	" $ gpgcompose --public-key $KEYID --user-id \"USERID\" \\\n"
	" \| " GPG_NAME " --list-packets" }
	};

	static int
	public_key (const char option, int argc, char argv[], void *cookie)
	{
	gpg_error_t err;
	iobuf_t out = cookie;
	PKT_public_key *pk;
	int c;
	int processed;
	int t = (strcmp (option, "--public-key") == 0
	? PKT_PUBLIC_KEY : PKT_PUBLIC_SUBKEY);

	(void) option;

	pk = xmalloc_clear (sizeof (*pk));
	pk->version = 4;

	c = add_component (t, pk);

	processed = process_options (option,
	major_options,
	pk_options, pk,
	global_options, NULL,
	argc, argv);

	if (! pk->pubkey_algo)
	log_fatal ("%s: key to extract public key parameters from not given",
	option);

	/* Clear the keyid in case we updated one of the relevant fields
	after accessing it. */
	pk->keyid[0] = pk->keyid[1] = 0;

	err = build_packet (out, &components[c]);
	if (err)
	log_fatal ("serializing %s packet: %s\n",
	t == PKT_PUBLIC_KEY ? "public key" : "subkey",
	gpg_strerror (err));

	debug ("Wrote %s packet:\n",
	t == PKT_PUBLIC_KEY ? "public key" : "subkey");
	dump_component (&components[c]);

	return processed;
	}

	struct siginfo
	{
	/* Key with which to sign. */
	kbnode_t issuer_kb;
	PKT_public_key *issuer_pk;

	/* Overrides the issuer's key id. */
	u32 issuer_keyid[2];
	/* Sets the issuer's keyid to the primary key's key id. */
	int issuer_keyid_self;

	/* Key to sign. */
	PKT_public_key *pk;
	/* Subkey to sign. */
	PKT_public_key *sk;
	/* User id to sign. */
	PKT_user_id *uid;

	int class;
	int digest_algo;
	u32 timestamp;
	u32 key_expiration;

	byte *cipher_algorithms;
	int cipher_algorithms_len;
	byte *digest_algorithms;
	int digest_algorithms_len;
	byte *compress_algorithms;
	int compress_algorithms_len;

	u32 expiration;

	int exportable_set;
	int exportable;

	int revocable_set;
	int revocable;

	int trust_level_set;
	byte trust_args[2];

	char *trust_scope;

	struct revocation_key *revocation_key;
	int nrevocation_keys;

	struct notation *notations;

	byte *key_server_preferences;
	int key_server_preferences_len;

	char *key_server;

	int primary_user_id_set;
	int primary_user_id;

	char *policy_uri;

	byte *key_flags;
	int key_flags_len;

	char *signers_user_id;

	byte reason_for_revocation_code;
	char *reason_for_revocation;

	byte *features;
	int features_len;

	/* Whether to corrupt the signature. */
	int corrupt;
	};

	static int
	sig_issuer (const char option, int argc, char argv[], void *cookie)
	{
	gpg_error_t err;
	KEYDB_HANDLE hd;
	KEYDB_SEARCH_DESC desc;
	struct siginfo *si = cookie;

	if (argc == 0)
	log_fatal ("Usage: %s KEYID\n", option);

	if (si->issuer_pk)
	log_fatal ("%s: multiple keys provided\n", option);

	err = classify_user_id (argv[0], &desc, 0);
	if (err)
	log_fatal ("search terms '%s': %s\n", argv[0], gpg_strerror (err));

	hd = keydb_new ();

	err = keydb_search (hd, &desc, 1, NULL);
	if (err)
	log_fatal ("looking up '%s': %s\n", argv[0], gpg_strerror (err));

	err = keydb_get_keyblock (hd, &si->issuer_kb);
	if (err)
	log_fatal ("retrieving keyblock for '%s': %s\n",
	argv[0], gpg_strerror (err));

	keydb_release (hd);

	si->issuer_pk = si->issuer_kb->pkt->pkt.public_key;

	return 1;
	}

	static int
	sig_issuer_keyid (const char option, int argc, char argv[], void *cookie)
	{
	gpg_error_t err;
	KEYDB_SEARCH_DESC desc;
	struct siginfo *si = cookie;

	if (argc == 0)
	log_fatal ("Usage: %s KEYID\|self\n", option);

	if (si->issuer_keyid[0] \|\| si->issuer_keyid[1] \|\| si->issuer_keyid_self)
	log_fatal ("%s given multiple times.\n", option);

	if (strcasecmp (argv[0], "self") == 0)
	{
	si->issuer_keyid_self = 1;
	return 1;
	}

	err = classify_user_id (argv[0], &desc, 0);
	if (err)
	log_fatal ("search terms '%s': %s\n", argv[0], gpg_strerror (err));

	if (desc.mode != KEYDB_SEARCH_MODE_LONG_KID)
	log_fatal ("%s is not a valid long key id.\n", argv[0]);

	keyid_copy (si->issuer_keyid, desc.u.kid);

	return 1;
	}

	static int
	sig_pk (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	int i;
	char *tail = NULL;

	if (argc == 0)
	log_fatal ("Usage: %s COMPONENT_INDEX\n", option);

	errno = 0;
	i = strtoul (argv[0], &tail, 10);
	if (errno \|\| (tail && *tail))
	log_fatal ("Invalid value passed to %s (%s)\n", option, argv[0]);

	if (i >= ncomponents)
	log_fatal ("%d: No such component (have %d components so far)\n",
	i, ncomponents);
	if (! (components[i].pkttype == PKT_PUBLIC_KEY
	\|\| components[i].pkttype == PKT_PUBLIC_SUBKEY))
	log_fatal ("Component %d is not a public key or a subkey.", i);

	if (strcmp (option, "--pk") == 0)
	{
	if (si->pk)
	log_fatal ("%s already given.\n", option);
	si->pk = components[i].pkt.public_key;
	}
	else if (strcmp (option, "--sk") == 0)
	{
	if (si->sk)
	log_fatal ("%s already given.\n", option);
	si->sk = components[i].pkt.public_key;
	}
	else
	log_fatal ("Cannot handle %s\n", option);

	return 1;
	}

	static int
	sig_user_id (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	int i;
	char *tail = NULL;

	if (argc == 0)
	log_fatal ("Usage: %s COMPONENT_INDEX\n", option);
	if (si->uid)
	log_fatal ("%s already given.\n", option);

	errno = 0;
	i = strtoul (argv[0], &tail, 10);
	if (errno \|\| (tail && *tail))
	log_fatal ("Invalid value passed to %s (%s)\n", option, argv[0]);

	if (i >= ncomponents)
	log_fatal ("%d: No such component (have %d components so far)\n",
	i, ncomponents);
	if (! (components[i].pkttype != PKT_USER_ID
	\|\| components[i].pkttype == PKT_ATTRIBUTE))
	log_fatal ("Component %d is not a public key or a subkey.", i);

	si->uid = components[i].pkt.user_id;

	return 1;
	}

	static int
	sig_class (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	int i;
	char *tail = NULL;

	if (argc == 0)
	log_fatal ("Usage: %s CLASS\n", option);

	errno = 0;
	i = strtoul (argv[0], &tail, 0);
	if (errno \|\| (tail && *tail))
	log_fatal ("Invalid value passed to %s (%s)\n", option, argv[0]);

	si->class = i;

	return 1;
	}

	static int
	sig_digest (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	int i;
	char *tail = NULL;

	if (argc == 0)
	log_fatal ("Usage: %s DIGEST_ALGO\n", option);

	errno = 0;
	i = strtoul (argv[0], &tail, 10);
	if (errno \|\| (tail && *tail))
	log_fatal ("Invalid value passed to %s (%s)\n", option, argv[0]);

	si->digest_algo = i;

	return 1;
	}

	static int
	sig_timestamp (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	char *tail = NULL;

	if (argc == 0)
	log_fatal ("Usage: %s TIMESTAMP\n", option);

	errno = 0;
	si->timestamp = parse_timestamp (argv[0], &tail);
	if (errno \|\| (tail && *tail))
	log_fatal ("Invalid value passed to %s (%s)\n", option, argv[0]);

	return 1;
	}

	static int
	sig_expiration (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	int is_expiration = strcmp (option, "--expiration") == 0;
	u32 *i = is_expiration ? &si->expiration : &si->key_expiration;

	if (! is_expiration)
	log_assert (strcmp (option, "--key-expiration") == 0);

	if (argc == 0)
	log_fatal ("Usage: %s DURATION\n", option);

	*i = parse_expire_string (argv[0]);
	if (*i == (u32)-1)
	log_fatal ("Invalid value passed to %s (%s)\n", option, argv[0]);

	return 1;
	}

	static int
	sig_int_list (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	int nvalues = 1;
	char values = xmalloc (nvalues sizeof (values[0]));
	char *tail = argv[0];
	int i;
	byte **a;
	int *n;

	if (argc == 0)
	log_fatal ("Usage: %s VALUE[,VALUE...]\n", option);

	for (i = 0; tail && *tail; i ++)
	{
	int v;
	char *old_tail = tail;

	errno = 0;
	v = strtol (tail, &tail, 0);
	if (errno \|\| old_tail == tail \|\| (tail && !(tail == ',' \|\| tail == 0)))
	log_fatal ("Invalid value passed to %s (%s). "
	"Expected a list of comma separated numbers\n",
	option, argv[0]);

	if (! (0 <= v && v <= 255))
	log_fatal ("%s: %d is out of range (Expected: 0-255)\n", option, v);

	if (i == nvalues)
	{
	nvalues *= 2;
	values = xrealloc (values, nvalues * sizeof (values[0]));
	}

	values[i] = v;

	if (*tail == ',')
	tail ++;
	else
	log_assert (*tail == 0);
	}

	if (strcmp ("--cipher-algos", option) == 0)
	{
	a = &si->cipher_algorithms;
	n = &si->cipher_algorithms_len;
	}
	else if (strcmp ("--digest-algos", option) == 0)
	{
	a = &si->digest_algorithms;
	n = &si->digest_algorithms_len;
	}
	else if (strcmp ("--compress-algos", option) == 0)
	{
	a = &si->compress_algorithms;
	n = &si->compress_algorithms_len;
	}
	else
	log_fatal ("Cannot handle %s\n", option);

	if (*a)
	log_fatal ("Option %s given multiple times.\n", option);

	*a = values;
	*n = i;

	return 1;
	}

	static int
	sig_flag (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	int range[2] = {0, 255};
	char *tail;
	int v;

	if (strcmp (option, "--primary-user-id") == 0)
	range[1] = 1;

	if (argc <= 1)
	{
	if (range[0] == 0 && range[1] == 1)
	log_fatal ("Usage: %s 0\|1\n", option);
	else
	log_fatal ("Usage: %s %d-%d\n", option, range[0], range[1]);
	}

	errno = 0;
	v = strtol (argv[0], &tail, 0);
	if (errno \|\| (tail && *tail) \|\| !(range[0] <= v && v <= range[1]))
	log_fatal ("Invalid value passed to %s (%s). Expected %d-%d\n",
	option, argv[0], range[0], range[1]);

	if (strcmp (option, "--exportable") == 0)
	{
	si->exportable_set = 1;
	si->exportable = v;
	}
	else if (strcmp (option, "--revocable") == 0)
	{
	si->revocable_set = 1;
	si->revocable = v;
	}
	else if (strcmp (option, "--primary-user-id") == 0)
	{
	si->primary_user_id_set = 1;
	si->primary_user_id = v;
	}
	else
	log_fatal ("Cannot handle %s\n", option);

	return 1;
	}

	static int
	sig_trust_level (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	int i;
	char *tail;

	if (argc <= 1)
	log_fatal ("Usage: %s DEPTH TRUST_AMOUNT\n", option);

	for (i = 0; i < sizeof (si->trust_args) / sizeof (si->trust_args[0]); i ++)
	{
	int v;

	errno = 0;
	v = strtol (argv[i], &tail, 0);
	if (errno \|\| (tail && *tail) \|\| !(0 <= v && v <= 255))
	log_fatal ("Invalid value passed to %s (%s). Expected 0-255\n",
	option, argv[i]);

	si->trust_args[i] = v;
	}

	si->trust_level_set = 1;

	return 2;
	}

	static int
	sig_string_arg (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	char *p = argv[0];
	char **s;

	if (argc == 0)
	log_fatal ("Usage: %s STRING\n", option);

	if (strcmp (option, "--trust-scope") == 0)
	s = &si->trust_scope;
	else if (strcmp (option, "--key-server") == 0)
	s = &si->key_server;
	else if (strcmp (option, "--signers-user-id") == 0)
	s = &si->signers_user_id;
	else if (strcmp (option, "--policy-uri") == 0)
	s = &si->policy_uri;
	else
	log_fatal ("Cannot handle %s\n", option);

	if (*s)
	log_fatal ("%s already given.\n", option);

	*s = xstrdup (p);

	return 1;
	}

	static int
	sig_revocation_key (const char option, int argc, char argv[], void *cookie)
	{
	gpg_error_t err;
	struct siginfo *si = cookie;
	int v;
	char *tail;
	PKT_public_key pk;
	struct revocation_key *revkey;

	if (argc < 2)
	log_fatal ("Usage: %s CLASS KEYID\n", option);

	memset (&pk, 0, sizeof (pk));

	errno = 0;
	v = strtol (argv[0], &tail, 16);
	if (errno \|\| (tail && *tail) \|\| !(0 <= v && v <= 255))
	log_fatal ("%s: Invalid class value (%s). Expected 0-255\n",
	option, argv[0]);

	pk.req_usage = PUBKEY_USAGE_SIG;
	err = get_pubkey_byname (NULL, NULL, &pk, argv[1], NULL, NULL, 1, 1);
	if (err)
	log_fatal ("looking up key %s: %s\n", argv[1], gpg_strerror (err));

	si->nrevocation_keys ++;
	si->revocation_key = xrealloc (si->revocation_key,
	si->nrevocation_keys
	* sizeof (*si->revocation_key));
	revkey = &si->revocation_key[si->nrevocation_keys - 1];

	revkey->class = v;
	revkey->algid = pk.pubkey_algo;
	fingerprint_from_pk (&pk, revkey->fpr, NULL);

	release_public_key_parts (&pk);

	return 2;
	}

	static int
	sig_notation (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	int is_blob = strcmp (option, "--notation") != 0;
	struct notation *notation;
	char *p = argv[0];
	int p_free = 0;
	char *data;
	int data_size;
	int data_len;

	if (argc == 0)
	log_fatal ("Usage: %s [!<]name=value\n", option);

	if ((p[0] == '!' && p[1] == '<') \|\| p[0] == '<')
	/* Read from a file. */
	{
	char *filename = NULL;
	iobuf_t in;
	int prefix;

	if (p[0] == '<')
	p ++;
	else
	{
	/* Remove the '<', which string_to_notation does not
	understand, and preserve the '!'. */
	p = xstrdup (&p[1]);
	p_free = 1;
	p[0] = '!';
	}

	filename = strchr (p, '=');
	if (! filename)
	log_fatal ("No value specified. Usage: %s [!<]name=value\n",
	option);
	filename ++;

	prefix = (size_t) filename - (size_t) p;

	errno = 0;
	in = iobuf_open (filename);
	if (! in)
	log_fatal ("Opening '%s': %s\n",
	filename, errno ? strerror (errno): "unknown error");

	/* A notation can be at most about a few dozen bytes short of
	64k. Since this is relatively small, we just allocate that
	much instead of trying to dynamically size a buffer. */
	data_size = 64 * 1024;
	data = xmalloc (data_size);
	log_assert (prefix <= data_size);
	memcpy (data, p, prefix);

	data_len = iobuf_read (in, &data[prefix], data_size - prefix - 1);
	if (data_len == -1)
	/* EOF => 0 bytes read. */
	data_len = 0;

	if (data_len == data_size - prefix - 1)
	/* Technically, we should do another read and check for EOF,
	but what's one byte more or less? */
	log_fatal ("Notation data doesn't fit in the packet.\n");

	iobuf_close (in);

	/* NUL terminate it. */
	data[prefix + data_len] = 0;

	if (p_free)
	xfree (p);
	p = data;
	p_free = 1;
	data = &p[prefix];

	if (is_blob)
	p[prefix - 1] = 0;
	}
	else if (is_blob)
	{
	data = strchr (p, '=');
	if (! data)
	{
	data = p;
	data_len = 0;
	}
	else
	{
	p = xstrdup (p);
	p_free = 1;

	data = strchr (p, '=');
	log_assert (data);

	/* NUL terminate the name. */
	*data = 0;
	data ++;
	data_len = strlen (data);
	}
	}

	if (is_blob)
	notation = blob_to_notation (p, data, data_len);
	else
	notation = string_to_notation (p, 1);
	if (! notation)
	- log_fatal ("creating notation: an unknown error occured.\n");
	+ log_fatal ("creating notation: an unknown error occurred.\n");
	notation->next = si->notations;
	si->notations = notation;

	if (p_free)
	xfree (p);

	return 1;
	}

	static int
	sig_big_endian_arg (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	char *p = argv[0];
	int i;
	int l;
	char *bytes;

	if (argc == 0)
	log_fatal ("Usage: %s HEXDIGITS\n", option);

	/* Skip a leading "0x". */
	if (p[0] == '0' && p[1] == 'x')
	p += 2;

	for (i = 0; i < strlen (p); i ++)
	if (!hexdigitp (&p[i]))
	log_fatal ("%s: argument ('%s') must consist of hex digits.\n",
	option, p);
	if (strlen (p) % 2 != 0)
	log_fatal ("%s: argument ('%s') must contain an even number of hex digits.\n",
	option, p);

	l = strlen (p) / 2;
	bytes = xmalloc (l);
	hex2bin (p, bytes, l);

	if (strcmp (option, "--key-server-preferences") == 0)
	{
	if (si->key_server_preferences)
	log_fatal ("%s given multiple times.\n", option);
	si->key_server_preferences = bytes;
	si->key_server_preferences_len = l;
	}
	else if (strcmp (option, "--key-flags") == 0)
	{
	if (si->key_flags)
	log_fatal ("%s given multiple times.\n", option);
	si->key_flags = bytes;
	si->key_flags_len = l;
	}
	else if (strcmp (option, "--features") == 0)
	{
	if (si->features)
	log_fatal ("%s given multiple times.\n", option);
	si->features = bytes;
	si->features_len = l;
	}
	else
	log_fatal ("Cannot handle %s\n", option);

	return 1;
	}

	static int
	sig_reason_for_revocation (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;
	int v;
	char *tail;

	if (argc < 2)
	log_fatal ("Usage: %s REASON_CODE REASON_STRING\n", option);

	errno = 0;
	v = strtol (argv[0], &tail, 16);
	if (errno \|\| (tail && *tail) \|\| !(0 <= v && v <= 255))
	log_fatal ("%s: Invalid reason code (%s). Expected 0-255\n",
	option, argv[0]);

	if (si->reason_for_revocation)
	log_fatal ("%s given multiple times.\n", option);

	si->reason_for_revocation_code = v;
	si->reason_for_revocation = xstrdup (argv[1]);

	return 2;
	}

	static int
	sig_corrupt (const char option, int argc, char argv[], void *cookie)
	{
	struct siginfo *si = cookie;

	(void) option;
	(void) argc;
	(void) argv;
	(void) cookie;

	si->corrupt = 1;

	return 0;
	}

	static struct option sig_options[] = {
	{ "--issuer", sig_issuer,
	"The key to use to generate the signature."},
	{ "--issuer-keyid", sig_issuer_keyid,
	"Set the issuer's key id. This is useful for creating a "
	"self-signature. As a special case, the value \"self\" refers "
	"to the primary key's key id. "
	"(RFC 4880, Section 5.2.3.5)" },
	{ "--pk", sig_pk,
	"The primary keyas an index into the components (keys and uids) "
	"created so far where the first component has the index 0." },
	{ "--sk", sig_pk,
	"The subkey as an index into the components (keys and uids) created "
	"so far where the first component has the index 0. Only needed for "
	"0x18, 0x19, and 0x28 signatures." },
	{ "--user-id", sig_user_id,
	"The user id as an index into the components (keys and uids) created "
	"so far where the first component has the index 0. Only needed for "
	"0x10-0x13 and 0x30 signatures." },
	{ "--class", sig_class,
	"The signature's class. Valid values are "
	"0x10-0x13 (user id and primary-key certification), "
	"0x18 (subkey binding), "
	"0x19 (primary key binding), "
	"0x1f (direct primary key signature), "
	"0x20 (key revocation), "
	"0x28 (subkey revocation), and "
	"0x30 (certification revocation)."
	},
	{ "--digest", sig_digest, "The digest algorithm" },
	{ "--timestamp", sig_timestamp,
	"The signature's creation time. " TIMESTAMP_HELP " 0 means now. "
	"(RFC 4880, Section 5.2.3.4)" },
	{ "--key-expiration", sig_expiration,
	"The number of days until the associated key expires. To specify "
	"seconds, prefix the value with \"seconds=\". It is also possible "
	"to use 'y', 'm' and 'w' as simple multipliers. For instance, 2y "
	"means 2 years, etc. "
	"(RFC 4880, Section 5.2.3.6)" },
	{ "--cipher-algos", sig_int_list,
	"A comma separated list of the preferred cipher algorithms (identified by "
	"their number, see RFC 4880, Section 9). "
	"(RFC 4880, Section 5.2.3.7)" },
	{ "--digest-algos", sig_int_list,
	"A comma separated list of the preferred algorithms (identified by "
	"their number, see RFC 4880, Section 9). "
	"(RFC 4880, Section 5.2.3.8)" },
	{ "--compress-algos", sig_int_list,
	"A comma separated list of the preferred algorithms (identified by "
	"their number, see RFC 4880, Section 9)."
	"(RFC 4880, Section 5.2.3.9)" },
	{ "--expiration", sig_expiration,
	"The number of days until the signature expires. To specify seconds, "
	"prefix the value with \"seconds=\". It is also possible to use 'y', "
	"'m' and 'w' as simple multipliers. For instance, 2y means 2 years, "
	"etc. "
	"(RFC 4880, Section 5.2.3.10)" },
	{ "--exportable", sig_flag,
	"Mark this signature as exportable (1) or local (0). "
	"(RFC 4880, Section 5.2.3.11)" },
	{ "--revocable", sig_flag,
	"Mark this signature as revocable (1, revocations are ignored) "
	"or non-revocable (0). "
	"(RFC 4880, Section 5.2.3.12)" },
	{ "--trust-level", sig_trust_level,
	"Set the trust level. This takes two integer arguments (0-255): "
	"the trusted-introducer level and the degree of trust. "
	"(RFC 4880, Section 5.2.3.13.)" },
	{ "--trust-scope", sig_string_arg,
	"A regular expression that limits the scope of --trust-level. "
	"(RFC 4880, Section 5.2.3.14.)" },
	{ "--revocation-key", sig_revocation_key,
	"Specify a designated revoker. Takes two arguments: the class "
	"(normally 0x80 or 0xC0 (sensitive)) and the key id of the "
	"designatured revoker. May be given multiple times. "
	"(RFC 4880, Section 5.2.3.15)" },
	{ "--notation", sig_notation,
	"Add a human-readable notation of the form \"[!<]name=value\" where "
	"\"!\" means that the critical flag should be set and \"<\" means "
	"that VALUE is a file to read the data from. "
	"(RFC 4880, Section 5.2.3.16)" },
	{ "--notation-binary", sig_notation,
	"Add a binary notation of the form \"[!<]name=value\" where "
	"\"!\" means that the critical flag should be set and \"<\" means "
	"that VALUE is a file to read the data from. "
	"(RFC 4880, Section 5.2.3.16)" },
	{ "--key-server-preferences", sig_big_endian_arg,
	"Big-endian number encoding the keyserver preferences. "
	"(RFC 4880, Section 5.2.3.17)" },
	{ "--key-server", sig_string_arg,
	"The preferred keyserver. (RFC 4880, Section 5.2.3.18)" },
	{ "--primary-user-id", sig_flag,
	"Sets the primary user id flag. (RFC 4880, Section 5.2.3.19)" },
	{ "--policy-uri", sig_string_arg,
	"URI of a document that describes the issuer's signing policy. "
	"(RFC 4880, Section 5.2.3.20)" },
	{ "--key-flags", sig_big_endian_arg,
	"Big-endian number encoding the key flags. "
	"(RFC 4880, Section 5.2.3.21)" },
	{ "--signers-user-id", sig_string_arg,
	"The user id (as a string) responsible for the signing. "
	"(RFC 4880, Section 5.2.3.22)" },
	{ "--reason-for-revocation", sig_reason_for_revocation,
	"Takes two arguments: a reason for revocation code and a "
	"user-provided string. "
	"(RFC 4880, Section 5.2.3.23)" },
	{ "--features", sig_big_endian_arg,
	"Big-endian number encoding the feature flags. "
	"(RFC 4880, Section 5.2.3.24)" },
	{ "--signature-target", NULL,
	"Takes three arguments: the target signature's public key algorithm "
	" (as an integer), the hash algorithm (as an integer) and the hash "
	" (as a hexadecimal string). "
	"(RFC 4880, Section 5.2.3.25)" },
	{ "--embedded-signature", NULL,
	"An embedded signature. This must be immediately followed by a "
	"signature packet (created using --signature ...) or a filename "
	"containing the packet."
	"(RFC 4880, Section 5.2.3.26)" },
	{ "--hashed", NULL,
	"The following attributes will be placed in the hashed area of "
	"the signature. (This is the default and it reset at the end of"
	"each signature.)" },
	{ "--unhashed", NULL,
	"The following attributes will be placed in the unhashed area of "
	"the signature (and thus not integrity protected)." },
	{ "--corrupt", sig_corrupt,
	"Corrupt the signature." },
	{ NULL, NULL,
	"Example:\n\n"
	" $ gpgcompose --public-key $KEYID --user-id USERID \\\n"
	" --signature --class 0x10 --issuer $KEYID --issuer-keyid self \\\n"
	" \| " GPG_NAME " --list-packets"}
	};

	static int
	mksubpkt_callback (PKT_signature sig, void cookie)
	{
	struct siginfo *si = cookie;
	int i;

	if (si->key_expiration)
	{
	char buf[4];
	buf[0] = (si->key_expiration >> 24) & 0xff;
	buf[1] = (si->key_expiration >> 16) & 0xff;
	buf[2] = (si->key_expiration >> 8) & 0xff;
	buf[3] = si->key_expiration & 0xff;
	build_sig_subpkt (sig, SIGSUBPKT_KEY_EXPIRE, buf, 4);
	}

	if (si->cipher_algorithms)
	build_sig_subpkt (sig, SIGSUBPKT_PREF_SYM,
	si->cipher_algorithms,
	si->cipher_algorithms_len);

	if (si->digest_algorithms)
	build_sig_subpkt (sig, SIGSUBPKT_PREF_HASH,
	si->digest_algorithms,
	si->digest_algorithms_len);

	if (si->compress_algorithms)
	build_sig_subpkt (sig, SIGSUBPKT_PREF_COMPR,
	si->compress_algorithms,
	si->compress_algorithms_len);

	if (si->exportable_set)
	{
	char buf = si->exportable;
	build_sig_subpkt (sig, SIGSUBPKT_EXPORTABLE, &buf, 1);
	}

	if (si->trust_level_set)
	build_sig_subpkt (sig, SIGSUBPKT_TRUST,
	si->trust_args, sizeof (si->trust_args));

	if (si->trust_scope)
	build_sig_subpkt (sig, SIGSUBPKT_REGEXP,
	si->trust_scope, strlen (si->trust_scope));

	for (i = 0; i < si->nrevocation_keys; i ++)
	{
	struct revocation_key *revkey = &si->revocation_key[i];
	gpg_error_t err = keygen_add_revkey (sig, revkey);
	if (err)
	{
	u32 keyid[2];
	keyid_from_fingerprint (revkey->fpr, 20, keyid);
	log_fatal ("adding revocation key %s: %s\n",
	keystr (keyid), gpg_strerror (err));
	}
	}

	/* keygen_add_revkey sets revocable=0 so be sure to do this after
	adding the rev keys. */
	if (si->revocable_set)
	{
	char buf = si->revocable;
	build_sig_subpkt (sig, SIGSUBPKT_REVOCABLE, &buf, 1);
	}

	keygen_add_notations (sig, si->notations);

	if (si->key_server_preferences)
	build_sig_subpkt (sig, SIGSUBPKT_KS_FLAGS,
	si->key_server_preferences,
	si->key_server_preferences_len);

	if (si->key_server)
	build_sig_subpkt (sig, SIGSUBPKT_PREF_KS,
	si->key_server, strlen (si->key_server));

	if (si->primary_user_id_set)
	{
	char buf = si->primary_user_id;
	build_sig_subpkt (sig, SIGSUBPKT_PRIMARY_UID, &buf, 1);
	}

	if (si->policy_uri)
	build_sig_subpkt (sig, SIGSUBPKT_POLICY,
	si->policy_uri, strlen (si->policy_uri));

	if (si->key_flags)
	build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS,
	si->key_flags, si->key_flags_len);

	if (si->signers_user_id)
	build_sig_subpkt (sig, SIGSUBPKT_SIGNERS_UID,
	si->signers_user_id, strlen (si->signers_user_id));

	if (si->reason_for_revocation)
	{
	int l = 1 + strlen (si->reason_for_revocation);
	char buf[l];

	buf[0] = si->reason_for_revocation_code;
	memcpy (&buf[1], si->reason_for_revocation, l - 1);

	build_sig_subpkt (sig, SIGSUBPKT_REVOC_REASON, buf, l);
	}

	if (si->features)
	build_sig_subpkt (sig, SIGSUBPKT_FEATURES,
	si->features, si->features_len);

	return 0;
	}

	static int
	signature (const char option, int argc, char argv[], void *cookie)
	{
	gpg_error_t err;
	iobuf_t out = cookie;
	struct siginfo si;
	int processed;
	PKT_public_key *pk;
	PKT_signature *sig;
	PACKET pkt;
	u32 keyid_orig[2], keyid[2];

	(void) option;

	memset (&si, 0, sizeof (si));
	memset (&pkt, 0, sizeof (pkt));

	processed = process_options (option,
	major_options,
	sig_options, &si,
	global_options, NULL,
	argc, argv);

	if (ncomponents)
	{
	int pkttype = components[ncomponents - 1].pkttype;

	if (pkttype == PKT_PUBLIC_KEY)
	{
	if (! si.class)
	/* Direct key sig. */
	si.class = 0x1F;
	}
	else if (pkttype == PKT_PUBLIC_SUBKEY)
	{
	if (! si.sk)
	si.sk = components[ncomponents - 1].pkt.public_key;
	if (! si.class)
	/* Subkey binding sig. */
	si.class = 0x18;
	}
	else if (pkttype == PKT_USER_ID)
	{
	if (! si.uid)
	si.uid = components[ncomponents - 1].pkt.user_id;
	if (! si.class)
	/* Certification of a user id and public key packet. */
	si.class = 0x10;
	}
	}

	pk = NULL;
	if (! si.pk \|\| ! si.issuer_pk)
	/* No primary key specified. Default to the first one that we
	find. */
	{
	int i;
	for (i = 0; i < ncomponents; i ++)
	if (components[i].pkttype == PKT_PUBLIC_KEY)
	{
	pk = components[i].pkt.public_key;
	break;
	}
	}

	if (! si.pk)
	{
	if (! pk)
	log_fatal ("%s: no primary key given and no primary key available",
	"--pk");
	si.pk = pk;
	}
	if (! si.issuer_pk)
	{
	if (! pk)
	log_fatal ("%s: no issuer key given and no primary key available",
	"--issuer");
	si.issuer_pk = pk;
	}

	if (si.class == 0x18 \|\| si.class == 0x19 \|\| si.class == 0x28)
	/* Requires the primary key and a subkey. */
	{
	if (! si.sk)
	log_fatal ("sig class 0x%x requires a subkey (--sk)\n", si.class);
	}
	else if (si.class == 0x10
	\|\| si.class == 0x11
	\|\| si.class == 0x12
	\|\| si.class == 0x13
	\|\| si.class == 0x30)
	/* Requires the primary key and a user id. */
	{
	if (! si.uid)
	log_fatal ("sig class 0x%x requires a uid (--uid)\n", si.class);
	}
	else if (si.class == 0x1F \|\| si.class == 0x20)
	/* Just requires the primary key. */
	;
	else
	log_fatal ("Unsupported signature class: 0x%x\n", si.class);

	sig = xmalloc_clear (sizeof (*sig));

	/* Save SI.ISSUER_PK->KEYID. */
	keyid_copy (keyid_orig, pk_keyid (si.issuer_pk));
	if (si.issuer_keyid[0] \|\| si.issuer_keyid[1])
	keyid_copy (si.issuer_pk->keyid, si.issuer_keyid);
	else if (si.issuer_keyid_self)
	{
	PKT_public_key *pripk = primary_key();
	if (! pripk)
	log_fatal ("--issuer-keyid self given, but no primary key available.\n");
	keyid_copy (si.issuer_pk->keyid, pk_keyid (pripk));
	}

	/* Changing the issuer's key id is fragile. Check to make sure
	make_keysig_packet didn't recompute the keyid. */
	keyid_copy (keyid, si.issuer_pk->keyid);
	err = make_keysig_packet (&sig, si.pk, si.uid, si.sk, si.issuer_pk,
	si.class, si.digest_algo,
	si.timestamp, si.expiration,
	mksubpkt_callback, &si, NULL);
	log_assert (keyid_cmp (keyid, si.issuer_pk->keyid) == 0);
	if (err)
	log_fatal ("Generating signature: %s\n", gpg_strerror (err));

	/* Restore SI.PK->KEYID. */
	keyid_copy (si.issuer_pk->keyid, keyid_orig);

	if (si.corrupt)
	{
	/* Set the top 32-bits to 0xBAD0DEAD. */
	int bits = gcry_mpi_get_nbits (sig->data[0]);
	gcry_mpi_t x = gcry_mpi_new (0);
	gcry_mpi_add_ui (x, x, 0xBAD0DEAD);
	gcry_mpi_lshift (x, x, bits > 32 ? bits - 32 : bits);
	gcry_mpi_clear_highbit (sig->data[0], bits > 32 ? bits - 32 : 0);
	gcry_mpi_add (sig->data[0], sig->data[0], x);
	gcry_mpi_release (x);
	}

	pkt.pkttype = PKT_SIGNATURE;
	pkt.pkt.signature = sig;

	err = build_packet (out, &pkt);
	if (err)
	log_fatal ("serializing public key packet: %s\n", gpg_strerror (err));

	debug ("Wrote signature packet:\n");
	dump_component (&pkt);

	xfree (sig);
	release_kbnode (si.issuer_kb);
	xfree (si.revocation_key);

	return processed;
	}

	struct sk_esk_info
	{
	/* The cipher used for encrypting the session key (when a session
	key is used). */
	int cipher;
	/* The cipher used for encryping the SED packet. */
	int sed_cipher;

	/* S2K related data. */
	int hash;
	int mode;
	int mode_set;
	byte salt[8];
	int salt_set;
	int iterations;

	/* If applying the S2K function to the passphrase is the session key
	or if it is the decryption key for the session key. */
	int s2k_is_session_key;
	/* Generate a new, random session key. */
	int new_session_key;

	/* The unencrypted session key. */
	int session_key_len;
	char *session_key;

	char *password;
	};

	static int
	sk_esk_cipher (const char option, int argc, char argv[], void *cookie)
	{
	struct sk_esk_info *si = cookie;
	char *usage = "integer\|IDEA\|3DES\|CAST5\|BLOWFISH\|AES\|AES192\|AES256\|CAMELLIA128\|CAMELLIA192\|CAMELLIA256";
	int cipher;

	if (argc == 0)
	log_fatal ("Usage: %s %s\n", option, usage);

	if (strcasecmp (argv[0], "IDEA") == 0)
	cipher = CIPHER_ALGO_IDEA;
	else if (strcasecmp (argv[0], "3DES") == 0)
	cipher = CIPHER_ALGO_3DES;
	else if (strcasecmp (argv[0], "CAST5") == 0)
	cipher = CIPHER_ALGO_CAST5;
	else if (strcasecmp (argv[0], "BLOWFISH") == 0)
	cipher = CIPHER_ALGO_BLOWFISH;
	else if (strcasecmp (argv[0], "AES") == 0)
	cipher = CIPHER_ALGO_AES;
	else if (strcasecmp (argv[0], "AES192") == 0)
	cipher = CIPHER_ALGO_AES192;
	else if (strcasecmp (argv[0], "TWOFISH") == 0)
	cipher = CIPHER_ALGO_TWOFISH;
	else if (strcasecmp (argv[0], "CAMELLIA128") == 0)
	cipher = CIPHER_ALGO_CAMELLIA128;
	else if (strcasecmp (argv[0], "CAMELLIA192") == 0)
	cipher = CIPHER_ALGO_CAMELLIA192;
	else if (strcasecmp (argv[0], "CAMELLIA256") == 0)
	cipher = CIPHER_ALGO_CAMELLIA256;
	else
	{
	char *tail;
	int v;

	errno = 0;
	v = strtol (argv[0], &tail, 0);
	if (errno \|\| (tail && *tail) \|\| ! valid_cipher (v))
	log_fatal ("Invalid or unsupported value. Usage: %s %s\n",
	option, usage);

	cipher = v;
	}

	if (strcmp (option, "--cipher") == 0)
	{
	if (si->cipher)
	log_fatal ("%s given multiple times.", option);
	si->cipher = cipher;
	}
	else if (strcmp (option, "--sed-cipher") == 0)
	{
	if (si->sed_cipher)
	log_fatal ("%s given multiple times.", option);
	si->sed_cipher = cipher;
	}

	return 1;
	}

	static int
	sk_esk_mode (const char option, int argc, char argv[], void *cookie)
	{
	struct sk_esk_info *si = cookie;
	char *usage = "integer\|simple\|salted\|iterated";

	if (argc == 0)
	log_fatal ("Usage: %s %s\n", option, usage);

	if (si->mode)
	log_fatal ("%s given multiple times.", option);

	if (strcasecmp (argv[0], "simple") == 0)
	si->mode = 0;
	else if (strcasecmp (argv[0], "salted") == 0)
	si->mode = 1;
	else if (strcasecmp (argv[0], "iterated") == 0)
	si->mode = 3;
	else
	{
	char *tail;
	int v;

	errno = 0;
	v = strtol (argv[0], &tail, 0);
	if (errno \|\| (tail && *tail) \|\| ! (v == 0 \|\| v == 1 \|\| v == 3))
	log_fatal ("Invalid or unsupported value. Usage: %s %s\n",
	option, usage);

	si->mode = v;
	}

	si->mode_set = 1;

	return 1;
	}

	static int
	sk_esk_hash_algorithm (const char option, int argc, char argv[], void *cookie)
	{
	struct sk_esk_info *si = cookie;
	char *usage = "integer\|MD5\|SHA1\|RMD160\|SHA256\|SHA384\|SHA512\|SHA224";

	if (argc == 0)
	log_fatal ("Usage: %s %s\n", option, usage);

	if (si->hash)
	log_fatal ("%s given multiple times.", option);

	if (strcasecmp (argv[0], "MD5") == 0)
	si->hash = DIGEST_ALGO_MD5;
	else if (strcasecmp (argv[0], "SHA1") == 0)
	si->hash = DIGEST_ALGO_SHA1;
	else if (strcasecmp (argv[0], "RMD160") == 0)
	si->hash = DIGEST_ALGO_RMD160;
	else if (strcasecmp (argv[0], "SHA256") == 0)
	si->hash = DIGEST_ALGO_SHA256;
	else if (strcasecmp (argv[0], "SHA384") == 0)
	si->hash = DIGEST_ALGO_SHA384;
	else if (strcasecmp (argv[0], "SHA512") == 0)
	si->hash = DIGEST_ALGO_SHA512;
	else if (strcasecmp (argv[0], "SHA224") == 0)
	si->hash = DIGEST_ALGO_SHA224;
	else
	{
	char *tail;
	int v;

	errno = 0;
	v = strtol (argv[0], &tail, 0);
	if (errno \|\| (tail && *tail)
	\|\| ! (v == DIGEST_ALGO_MD5
	\|\| v == DIGEST_ALGO_SHA1
	\|\| v == DIGEST_ALGO_RMD160
	\|\| v == DIGEST_ALGO_SHA256
	\|\| v == DIGEST_ALGO_SHA384
	\|\| v == DIGEST_ALGO_SHA512
	\|\| v == DIGEST_ALGO_SHA224))
	log_fatal ("Invalid or unsupported value. Usage: %s %s\n",
	option, usage);

	si->hash = v;
	}

	return 1;
	}

	static int
	sk_esk_salt (const char option, int argc, char argv[], void *cookie)
	{
	struct sk_esk_info *si = cookie;
	char *usage = "16-HEX-CHARACTERS";
	char *p = argv[0];

	if (argc == 0)
	log_fatal ("Usage: %s %s\n", option, usage);

	if (si->salt_set)
	log_fatal ("%s given multiple times.", option);

	if (p[0] == '0' && p[1] == 'x')
	p += 2;

	if (strlen (p) != 16)
	log_fatal ("%s: Salt must be exactly 16 hexadecimal characters (have: %zd)\n",
	option, strlen (p));

	if (hex2bin (p, si->salt, sizeof (si->salt)) == -1)
	log_fatal ("%s: Salt must only contain hexadecimal characters\n",
	option);

	si->salt_set = 1;

	return 1;
	}

	static int
	sk_esk_iterations (const char option, int argc, char argv[], void *cookie)
	{
	struct sk_esk_info *si = cookie;
	char *usage = "ITERATION-COUNT";
	char *tail;
	int v;

	if (argc == 0)
	log_fatal ("Usage: %s %s\n", option, usage);

	errno = 0;
	v = strtol (argv[0], &tail, 0);
	if (errno \|\| (tail && *tail) \|\| v < 0)
	log_fatal ("%s: Non-negative integer expected.\n", option);

	si->iterations = v;

	return 1;
	}

	static int
	sk_esk_session_key (const char option, int argc, char argv[], void *cookie)
	{
	struct sk_esk_info *si = cookie;
	char *usage = "HEX-CHARACTERS\|auto\|none";
	char *p = argv[0];
	struct session_key sk;

	if (argc == 0)
	log_fatal ("Usage: %s %s\n", option, usage);

	if (si->session_key \|\| si->s2k_is_session_key
	\|\| si->new_session_key)
	log_fatal ("%s given multiple times.", option);

	if (strcasecmp (p, "none") == 0)
	{
	si->s2k_is_session_key = 1;
	return 1;
	}
	if (strcasecmp (p, "new") == 0)
	{
	si->new_session_key = 1;
	return 1;
	}
	if (strcasecmp (p, "auto") == 0)
	return 1;

	sk = parse_session_key (option, p, 0);

	if (si->session_key)
	log_fatal ("%s given multiple times.", option);

	if (sk.algo)
	si->sed_cipher = sk.algo;

	si->session_key_len = sk.keylen;
	si->session_key = sk.key;

	return 1;
	}

	static int
	sk_esk_password (const char option, int argc, char argv[], void *cookie)
	{
	struct sk_esk_info *si = cookie;
	char *usage = "PASSWORD";

	if (argc == 0)
	log_fatal ("Usage: --sk-esk %s\n", usage);

	if (si->password)
	log_fatal ("%s given multiple times.", option);

	si->password = xstrdup (argv[0]);

	return 1;
	}

	static struct option sk_esk_options[] = {
	{ "--cipher", sk_esk_cipher,
	"The encryption algorithm for encrypting the session key. "
	"One of IDEA, 3DES, CAST5, BLOWFISH, AES (default), AES192, "
	"AES256, TWOFISH, CAMELLIA128, CAMELLIA192, or CAMELLIA256." },
	{ "--sed-cipher", sk_esk_cipher,
	"The encryption algorithm for encrypting the SED packet. "
	"One of IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, "
	"AES256 (default), TWOFISH, CAMELLIA128, CAMELLIA192, or CAMELLIA256." },
	{ "--mode", sk_esk_mode,
	"The S2K mode. Either one of the strings \"simple\", \"salted\" "
	"or \"iterated\" or an integer." },
	{ "--hash", sk_esk_hash_algorithm,
	"The hash algorithm to used to derive the key. One of "
	"MD5, SHA1 (default), RMD160, SHA256, SHA384, SHA512, or SHA224." },
	{ "--salt", sk_esk_salt,
	"The S2K salt encoded as 16 hexadecimal characters. One needed "
	"if the S2K function is in salted or iterated mode." },
	{ "--iterations", sk_esk_iterations,
	"The iteration count. If not provided, a reasonable value is chosen. "
	"Note: due to the encoding scheme, not every value is valid. For "
	"convenience, the provided value will be rounded appropriately. "
	"Only needed if the S2K function is in iterated mode." },
	{ "--session-key", sk_esk_session_key,
	"The session key to be encrypted by the S2K function as a hexadecimal "
	"string. If this is \"new\", then a new session key is generated."
	"If this is \"auto\", then either the last session key is "
	"used, if the was none, one is generated. If this is \"none\", then "
	"the session key is the result of applying the S2K algorithms to the "
	"password. The session key may be prefaced with an integer and a colon "
	"to indicate the cipher to use for the SED packet (making --sed-cipher "
	"unnecessary and allowing the direct use of the result of "
	"\"" GPG_NAME " --show-session-key\")." },
	{ "", sk_esk_password, "The password." },
	{ NULL, NULL,
	"Example:\n\n"
	" $ gpgcompose --sk-esk foobar --encrypted \\\n"
	" --literal --value foo \| " GPG_NAME " --list-packets" }
	};

	static int
	sk_esk (const char option, int argc, char argv[], void *cookie)
	{
	iobuf_t out = cookie;
	gpg_error_t err;
	int processed;
	struct sk_esk_info si;
	DEK sesdek;
	DEK s2kdek;
	PKT_symkey_enc *ske;
	PACKET pkt;

	memset (&si, 0, sizeof (si));

	processed = process_options (option,
	major_options,
	sk_esk_options, &si,
	global_options, NULL,
	argc, argv);

	if (! si.password)
	log_fatal ("%s: missing password. Usage: %s PASSWORD", option, option);

	/* Fill in defaults, if appropriate. */
	if (! si.cipher)
	si.cipher = CIPHER_ALGO_AES;

	if (! si.sed_cipher)
	si.sed_cipher = CIPHER_ALGO_AES256;

	if (! si.hash)
	si.hash = DIGEST_ALGO_SHA1;

	if (! si.mode_set)
	/* Salted and iterated. */
	si.mode = 3;

	if (si.mode != 0 && ! si.salt_set)
	/* Generate a salt. */
	gcry_randomize (si.salt, 8, GCRY_STRONG_RANDOM);

	if (si.mode == 0)
	{
	if (si.iterations)
	log_info ("%s: --iterations provided, but not used for mode=0\n",
	option);
	si.iterations = 0;
	}
	else if (! si.iterations)
	si.iterations = 10000;

	memset (&sesdek, 0, sizeof (sesdek));
	/* The session key is used to encrypt the SED packet. */
	sesdek.algo = si.sed_cipher;
	if (si.session_key)
	/* Copy the unencrypted session key into SESDEK. */
	{
	sesdek.keylen = openpgp_cipher_get_algo_keylen (sesdek.algo);
	if (sesdek.keylen != si.session_key_len)
	log_fatal ("%s: Cipher algorithm requires a %d byte session key, but provided session key is %d bytes.",
	option, sesdek.keylen, si.session_key_len);

	log_assert (sesdek.keylen <= sizeof (sesdek.key));
	memcpy (sesdek.key, si.session_key, sesdek.keylen);
	}
	else if (! si.s2k_is_session_key \|\| si.new_session_key)
	/* We need a session key, but one wasn't provided. Generate it. */
	make_session_key (&sesdek);

	/* The encrypted session key needs 1 + SESDEK.KEYLEN bytes of
	space. */
	ske = xmalloc_clear (sizeof (*ske) + sesdek.keylen);

	ske->version = 4;
	ske->cipher_algo = si.cipher;

	ske->s2k.mode = si.mode;
	ske->s2k.hash_algo = si.hash;
	log_assert (sizeof (si.salt) == sizeof (ske->s2k.salt));
	memcpy (ske->s2k.salt, si.salt, sizeof (ske->s2k.salt));
	if (! si.s2k_is_session_key)
	/* 0 means get the default. */
	ske->s2k.count = encode_s2k_iterations (si.iterations);


	/* Derive the symmetric key that is either the session key or the
	key used to encrypt the session key. */
	memset (&s2kdek, 0, sizeof (s2kdek));

	s2kdek.algo = si.cipher;
	s2kdek.keylen = openpgp_cipher_get_algo_keylen (s2kdek.algo);

	err = gcry_kdf_derive (si.password, strlen (si.password),
	ske->s2k.mode == 3 ? GCRY_KDF_ITERSALTED_S2K
	: ske->s2k.mode == 1 ? GCRY_KDF_SALTED_S2K
	: GCRY_KDF_SIMPLE_S2K,
	ske->s2k.hash_algo, ske->s2k.salt, 8,
	S2K_DECODE_COUNT (ske->s2k.count),
	/* The size of the desired key and its
	buffer. */
	s2kdek.keylen, s2kdek.key);
	if (err)
	log_fatal ("gcry_kdf_derive failed: %s", gpg_strerror (err));


	if (si.s2k_is_session_key)
	{
	ske->seskeylen = 0;
	session_key = s2kdek;
	}
	else
	/* Encrypt the session key using the s2k specifier. */
	{
	DEK *sesdekp = &sesdek;

	/* Now encrypt the session key (or rather, the algorithm used to
	encrypt the SED plus the session key) using ENCKEY. */
	ske->seskeylen = 1 + sesdek.keylen;
	encrypt_seskey (&s2kdek, &sesdekp, ske->seskey);

	/* Save the session key for later. */
	session_key = sesdek;
	}

	pkt.pkttype = PKT_SYMKEY_ENC;
	pkt.pkt.symkey_enc = ske;

	err = build_packet (out, &pkt);
	if (err)
	log_fatal ("Serializing sym-key encrypted packet: %s\n",
	gpg_strerror (err));

	debug ("Wrote sym-key encrypted packet:\n");
	dump_component (&pkt);

	xfree (si.session_key);
	xfree (si.password);
	xfree (ske);

	return processed;
	}

	struct pk_esk_info
	{
	int session_key_set;

	int new_session_key;

	int sed_cipher;
	int session_key_len;
	char *session_key;

	int throw_keyid;

	char *keyid;
	};

	static int
	pk_esk_session_key (const char option, int argc, char argv[], void *cookie)
	{
	struct pk_esk_info *pi = cookie;
	char *usage = "HEX-CHARACTERS\|auto\|none";
	char *p = argv[0];
	struct session_key sk;

	if (argc == 0)
	log_fatal ("Usage: %s %s\n", option, usage);

	if (pi->session_key_set)
	log_fatal ("%s given multiple times.", option);
	pi->session_key_set = 1;

	if (strcasecmp (p, "new") == 0)
	{
	pi->new_session_key = 1;
	return 1;
	}

	if (strcasecmp (p, "auto") == 0)
	return 1;

	sk = parse_session_key (option, p, 0);

	if (pi->session_key)
	log_fatal ("%s given multiple times.", option);

	if (sk.algo)
	pi->sed_cipher = sk.algo;

	pi->session_key_len = sk.keylen;
	pi->session_key = sk.key;

	return 1;
	}

	static int
	pk_esk_throw_keyid (const char option, int argc, char argv[], void *cookie)
	{
	struct pk_esk_info *pi = cookie;

	(void) option;
	(void) argc;
	(void) argv;

	pi->throw_keyid = 1;

	return 0;
	}

	static int
	pk_esk_keyid (const char option, int argc, char argv[], void *cookie)
	{
	struct pk_esk_info *pi = cookie;
	char *usage = "KEYID";

	if (argc == 0)
	log_fatal ("Usage: %s %s\n", option, usage);

	if (pi->keyid)
	log_fatal ("Multiple key ids given, but only one is allowed.");

	pi->keyid = xstrdup (argv[0]);

	return 1;
	}

	static struct option pk_esk_options[] = {
	{ "--session-key", pk_esk_session_key,
	"The session key to be encrypted by the S2K function as a hexadecimal "
	"string. If this is not given or is \"auto\", then the current "
	"session key is used. If there is no session key or this is \"new\", "
	"then a new session key is generated. The session key may be "
	"prefaced with an integer and a colon to indicate the cipher to use "
	"for the SED packet (making --sed-cipher unnecessary and allowing the "
	"direct use of the result of \"" GPG_NAME " --show-session-key\")." },
	{ "--throw-keyid", pk_esk_throw_keyid,
	"Throw the keyid." },
	{ "", pk_esk_keyid, "The key id." },
	{ NULL, NULL,
	"Example:\n\n"
	" $ gpgcompose --pk-esk $KEYID --encrypted --literal --value foo \\\n"
	" \| " GPG_NAME " --list-packets"}
	};

	static int
	pk_esk (const char option, int argc, char argv[], void *cookie)
	{
	iobuf_t out = cookie;
	gpg_error_t err;
	int processed;
	struct pk_esk_info pi;
	PKT_public_key pk;

	memset (&pi, 0, sizeof (pi));

	processed = process_options (option,
	major_options,
	pk_esk_options, &pi,
	global_options, NULL,
	argc, argv);

	if (! pi.keyid)
	log_fatal ("%s: missing keyid. Usage: %s KEYID", option, option);

	memset (&pk, 0, sizeof (pk));
	pk.req_usage = PUBKEY_USAGE_ENC;
	err = get_pubkey_byname (NULL, NULL, &pk, pi.keyid, NULL, NULL, 1, 1);
	if (err)
	log_fatal ("%s: looking up key %s: %s\n",
	option, pi.keyid, gpg_strerror (err));

	if (pi.sed_cipher)
	/* Have a session key. */
	{
	session_key.algo = pi.sed_cipher;
	session_key.keylen = pi.session_key_len;
	log_assert (session_key.keylen <= sizeof (session_key.key));
	memcpy (session_key.key, pi.session_key, session_key.keylen);
	}

	if (pi.new_session_key \|\| ! session_key.algo)
	{
	if (! pi.new_session_key)
	/* Default to AES256. */
	session_key.algo = CIPHER_ALGO_AES256;
	make_session_key (&session_key);
	}

	err = write_pubkey_enc (&pk, pi.throw_keyid, &session_key, out);
	if (err)
	log_fatal ("%s: writing pk_esk packet for %s: %s\n",
	option, pi.keyid, gpg_strerror (err));

	debug ("Wrote pk_esk packet for %s\n", pi.keyid);

	xfree (pi.keyid);
	xfree (pi.session_key);

	return processed;
	}

	struct encinfo
	{
	int saw_session_key;
	};

	static int
	encrypted_session_key (const char option, int argc, char argv[], void *cookie)
	{
	struct encinfo *ei = cookie;
	char *usage = "HEX-CHARACTERS\|auto";
	char *p = argv[0];
	struct session_key sk;

	if (argc == 0)
	log_fatal ("Usage: %s %s\n", option, usage);

	if (ei->saw_session_key)
	log_fatal ("%s given multiple times.", option);
	ei->saw_session_key = 1;

	if (strcasecmp (p, "auto") == 0)
	return 1;

	sk = parse_session_key (option, p, 1);

	session_key.algo = sk.algo;
	log_assert (sk.keylen <= sizeof (session_key.key));
	memcpy (session_key.key, sk.key, sk.keylen);
	xfree (sk.key);

	return 1;
	}

	static struct option encrypted_options[] = {
	{ "--session-key", encrypted_session_key,
	"The session key to be encrypted by the S2K function as a hexadecimal "
	"string. If this is not given or is \"auto\", then the last session key "
	"is used. If there was none, then an error is raised. The session key "
	"must be prefaced with an integer and a colon to indicate the cipher "
	"to use (this is format used by \"" GPG_NAME " --show-session-key\")." },
	{ NULL, NULL,
	"After creating the packet, this command clears the current "
	"session key.\n\n"
	"Example: nested encryption packets:\n\n"
	" $ gpgcompose --sk-esk foo --encrypted-mdc \\\n"
	" --sk-esk bar --encrypted-mdc \\\n"
	" --literal --value 123 --encrypted-pop --encrypted-pop \| " GPG_NAME" -d" }
	};

	static int
	encrypted (const char option, int argc, char argv[], void *cookie)
	{
	iobuf_t out = cookie;
	int processed;
	struct encinfo ei;
	PKT_encrypted e;
	cipher_filter_context_t *cfx;

	memset (&ei, 0, sizeof (ei));

	processed = process_options (option,
	major_options,
	encrypted_options, &ei,
	global_options, NULL,
	argc, argv);

	if (! session_key.algo)
	log_fatal ("%s: no session key configured.\n", option);

	memset (&e, 0, sizeof (e));
	/* We only need to set E->LEN, E->EXTRALEN (if E->LEN is not
	0), and E->NEW_CTB. */
	e.len = 0;
	e.new_ctb = 1;

	/* Register the cipher filter. */

	cfx = xmalloc_clear (sizeof (*cfx));

	/* Copy the session key. */
	cfx->dek = xmalloc (sizeof (*cfx->dek));
	*cfx->dek = session_key;

	if (do_debug)
	{
	char buf[2 * session_key.keylen + 1];
	debug ("session key: algo: %d; keylen: %d; key: %s\n",
	session_key.algo, session_key.keylen,
	bin2hex (session_key.key, session_key.keylen, buf));
	}

	if (strcmp (option, "--encrypted-mdc") == 0)
	cfx->dek->use_mdc = 1;
	else if (strcmp (option, "--encrypted") == 0)
	cfx->dek->use_mdc = 0;
	else
	log_fatal ("%s: option not handled by this function!\n", option);

	cfx->datalen = 0;

	filter_push (out, cipher_filter, cfx, PKT_ENCRYPTED, cfx->datalen == 0);

	debug ("Wrote encrypted packet:\n");

	/* Clear the current session key. */
	memset (&session_key, 0, sizeof (session_key));

	return processed;
	}

	static int
	encrypted_pop (const char option, int argc, char argv[], void *cookie)
	{
	iobuf_t out = cookie;

	(void) argc;
	(void) argv;

	if (strcmp (option, "--encrypted-pop") == 0)
	filter_pop (out, PKT_ENCRYPTED);
	else if (strcmp (option, "--encrypted-mdc-pop") == 0)
	filter_pop (out, PKT_ENCRYPTED_MDC);
	else
	log_fatal ("%s: option not handled by this function!\n", option);

	debug ("Popped encryption container.\n");

	return 0;
	}

	struct data
	{
	int file;
	union
	{
	char *data;
	char *filename;
	};
	struct data *next;
	};

	/* This must be the first member of the struct to be able to use
	add_value! */
	struct datahead
	{
	struct data *head;
	struct data **last_next;
	};

	static int
	add_value (const char option, int argc, char argv[], void *cookie)
	{
	struct datahead *dh = cookie;
	struct data *d = xmalloc_clear (sizeof (struct data));

	d->file = strcmp ("--file", option) == 0;
	if (! d->file)
	log_assert (strcmp ("--value", option) == 0);

	if (argc == 0)
	{
	if (d->file)
	log_fatal ("Usage: %s FILENAME\n", option);
	else
	log_fatal ("Usage: %s STRING\n", option);
	}

	if (! dh->last_next)
	/* First time through. Initialize DH->LAST_NEXT. */
	{
	log_assert (! dh->head);
	dh->last_next = &dh->head;
	}

	if (d->file)
	d->filename = argv[0];
	else
	d->data = argv[0];

	/* Append it. */
	*dh->last_next = d;
	dh->last_next = &d->next;

	return 1;
	}

	struct litinfo
	{
	/* This must be the first element for add_value to work! */
	struct datahead data;

	int timestamp_set;
	u32 timestamp;
	char mode;
	int partial_body_length_encoding;
	char *name;
	};

	static int
	literal_timestamp (const char option, int argc, char argv[], void *cookie)
	{
	struct litinfo *li = cookie;

	char *tail = NULL;

	if (argc == 0)
	log_fatal ("Usage: %s TIMESTAMP\n", option);

	errno = 0;
	li->timestamp = parse_timestamp (argv[0], &tail);
	if (errno \|\| (tail && *tail))
	log_fatal ("Invalid value passed to %s (%s)\n", option, argv[0]);
	li->timestamp_set = 1;

	return 1;
	}

	static int
	literal_mode (const char option, int argc, char argv[], void *cookie)
	{
	struct litinfo *li = cookie;

	if (argc == 0
	\|\| ! (strcmp (argv[0], "b") == 0
	\|\| strcmp (argv[0], "t") == 0
	\|\| strcmp (argv[0], "u") == 0))
	log_fatal ("Usage: %s [btu]\n", option);

	li->mode = argv[0][0];

	return 1;
	}

	static int
	literal_partial_body_length (const char option, int argc, char argv[],
	void *cookie)
	{
	struct litinfo *li = cookie;
	char *tail;
	int v;
	int range[2] = {0, 1};

	if (argc <= 1)
	log_fatal ("Usage: %s [0\|1]\n", option);

	errno = 0;
	v = strtol (argv[0], &tail, 0);
	if (errno \|\| (tail && *tail) \|\| !(range[0] <= v && v <= range[1]))
	log_fatal ("Invalid value passed to %s (%s). Expected %d-%d\n",
	option, argv[0], range[0], range[1]);

	li->partial_body_length_encoding = v;

	return 1;
	}

	static int
	literal_name (const char option, int argc, char argv[], void *cookie)
	{
	struct litinfo *li = cookie;

	if (argc <= 1)
	log_fatal ("Usage: %s NAME\n", option);

	if (strlen (argv[0]) > 255)
	log_fatal ("%s: name is too long (%zd > 255 characters).\n",
	option, strlen (argv[0]));

	li->name = argv[0];

	return 1;
	}

	static struct option literal_options[] = {
	{ "--value", add_value,
	"A string to store in the literal packet." },
	{ "--file", add_value,
	"A file to copy into the literal packet." },
	{ "--timestamp", literal_timestamp,
	"The literal packet's time stamp. This defaults to the current time." },
	{ "--mode", literal_mode,
	"The content's mode (normally 'b' (default), 't' or 'u')." },
	{ "--partial-body-length", literal_partial_body_length,
	"Force partial body length encoding." },
	{ "--name", literal_name,
	"The literal's name." },
	{ NULL, NULL,
	"Example:\n\n"
	" $ gpgcompose --literal --value foobar \| " GPG_NAME " -d"}
	};

	static int
	literal (const char option, int argc, char argv[], void *cookie)
	{
	iobuf_t out = cookie;
	gpg_error_t err;
	int processed;
	struct litinfo li;
	PKT_plaintext *pt;
	PACKET pkt;
	struct data *data;

	memset (&li, 0, sizeof (li));

	processed = process_options (option,
	major_options,
	literal_options, &li,
	global_options, NULL,
	argc, argv);

	if (! li.data.head)
	log_fatal ("%s: no data provided (use --value or --file)", option);

	pt = xmalloc_clear (sizeof (*pt) + (li.name ? strlen (li.name) : 0));
	pt->new_ctb = 1;

	if (li.timestamp_set)
	pt->timestamp = li.timestamp;
	else
	/* Default to the current time. */
	pt->timestamp = make_timestamp ();

	pt->mode = li.mode;
	if (! pt->mode)
	/* Default to binary. */
	pt->mode = 'b';

	if (li.name)
	{
	strcpy (pt->name, li.name);
	pt->namelen = strlen (pt->name);
	}

	pkt.pkttype = PKT_PLAINTEXT;
	pkt.pkt.plaintext = pt;

	if (! li.partial_body_length_encoding)
	/* Compute the amount of data. */
	{
	pt->len = 0;
	for (data = li.data.head; data; data = data->next)
	{
	if (data->file)
	{
	iobuf_t in;
	int overflow;
	off_t off;

	in = iobuf_open (data->filename);
	if (! in)
	/* An error opening the file. We do error handling
	below so just break here. */
	{
	pt->len = 0;
	break;
	}

	off = iobuf_get_filelength (in, &overflow);
	iobuf_close (in);

	if (overflow \|\| off == 0)
	/* Length is unknown or there was an error
	(unfortunately, iobuf_get_filelength doesn't
	distinguish between 0 length files and an error!).
	Fall back to partial body mode. */
	{
	pt->len = 0;
	break;
	}

	pt->len += off;
	}
	else
	pt->len += strlen (data->data);
	}
	}

	err = build_packet (out, &pkt);
	if (err)
	log_fatal ("Serializing literal packet: %s\n", gpg_strerror (err));

	/* Write out the data. */
	for (data = li.data.head; data; data = data->next)
	{
	if (data->file)
	{
	iobuf_t in;
	errno = 0;
	in = iobuf_open (data->filename);
	if (! in)
	log_fatal ("Opening '%s': %s\n",
	data->filename,
	errno ? strerror (errno): "unknown error");

	iobuf_copy (out, in);
	if (iobuf_error (in))
	log_fatal ("Reading from %s: %s\n",
	data->filename,
	gpg_strerror (iobuf_error (in)));
	if (iobuf_error (out))
	log_fatal ("Writing literal data from %s: %s\n",
	data->filename,
	gpg_strerror (iobuf_error (out)));

	iobuf_close (in);
	}
	else
	{
	err = iobuf_write (out, data->data, strlen (data->data));
	if (err)
	log_fatal ("Writing literal data: %s\n", gpg_strerror (err));
	}
	}

	if (! pt->len)
	{
	/* Disable partial body length mode. */
	log_assert (pt->new_ctb == 1);
	iobuf_set_partial_body_length_mode (out, 0);
	}

	debug ("Wrote literal packet:\n");
	dump_component (&pkt);

	while (li.data.head)
	{
	data = li.data.head->next;
	xfree (li.data.head);
	li.data.head = data;
	}
	xfree (pt);

	return processed;
	}

	static int
	copy_file (const char option, int argc, char argv[], void *cookie)
	{
	char **filep = cookie;

	if (argc == 0)
	log_fatal ("Usage: %s FILENAME\n", option);

	*filep = argv[0];

	return 1;
	}

	static struct option copy_options[] = {
	{ "", copy_file, "Copy the specified file to stdout." },
	{ NULL, NULL,
	"Example:\n\n"
	" $ gpgcompose --copy /etc/hostname\n\n"
	"This is particularly useful when combined with gpgsplit." }
	};

	static int
	copy (const char option, int argc, char argv[], void *cookie)
	{
	iobuf_t out = cookie;
	char *file = NULL;
	iobuf_t in;

	int processed;

	processed = process_options (option,
	major_options,
	copy_options, &file,
	global_options, NULL,
	argc, argv);
	if (! file)
	log_fatal ("Usage: %s FILE\n", option);

	errno = 0;
	in = iobuf_open (file);
	if (! in)
	log_fatal ("Error opening %s: %s.\n",
	file, errno ? strerror (errno): "unknown error");

	iobuf_copy (out, in);
	if (iobuf_error (out))
	log_fatal ("Copying data to destination: %s\n",
	gpg_strerror (iobuf_error (out)));
	if (iobuf_error (in))
	log_fatal ("Reading data from %s: %s\n",
	argv[0], gpg_strerror (iobuf_error (in)));

	iobuf_close (in);

	return processed;
	}

	int
	main (int argc, char *argv[])
	{
	const char *filename = "-";
	iobuf_t out;
	int preprocessed = 1;
	int processed;
	ctrl_t ctrl;

	opt.ignore_time_conflict = 1;
	/* Allow notations in the IETF space, for instance. */
	opt.expert = 1;

	ctrl = xcalloc (1, sizeof *ctrl);

	keydb_add_resource ("pubring" EXTSEP_S GPGEXT_GPG,
	KEYDB_RESOURCE_FLAG_DEFAULT);

	if (argc == 1)
	/* Nothing to do. */
	return 0;

	if (strcmp (argv[1], "--output") == 0
	\|\| strcmp (argv[1], "-o") == 0)
	{
	filename = argv[2];
	log_info ("Writing to %s\n", filename);
	preprocessed += 2;
	}

	out = iobuf_create (filename, 0);
	if (! out)
	log_fatal ("Failed to open stdout for writing\n");

	processed = process_options (NULL, NULL,
	major_options, out,
	global_options, NULL,
	argc - preprocessed, &argv[preprocessed]);
	if (processed != argc - preprocessed)
	log_fatal ("Didn't process %d options.\n", argc - preprocessed - processed);

	iobuf_close (out);

	return 0;
	}

	/* Stubs duplicated from gpg.c. */

	int g10_errors_seen = 0;

	/* Note: This function is used by signal handlers!. */
	static void
	emergency_cleanup (void)
	{
	gcry_control (GCRYCTL_TERM_SECMEM );
	}

	void
	g10_exit( int rc )
	{
	gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);

	emergency_cleanup ();

	rc = rc? rc : log_get_errorcount(0)? 2 : g10_errors_seen? 1 : 0;
	exit (rc);
	}

	void
	keyedit_menu (ctrl_t ctrl, const char *username, strlist_t locusr,
	strlist_t commands, int quiet, int seckey_check)
	{
	(void) ctrl;
	(void) username;
	(void) locusr;
	(void) commands;
	(void) quiet;
	(void) seckey_check;
	}

	void
	show_basic_key_info (KBNODE keyblock)
	{
	(void) keyblock;
	}
	diff --git a/sm/server.c b/sm/server.c
	index 8b4a29c87..cdccff3c5 100644
	--- a/sm/server.c
	+++ b/sm/server.c
	@@ -1,1485 +1,1485 @@
	/* server.c - Server mode and main entry point
	* Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
	* 2010 Free Software Foundation, Inc.
	*
	* This file is part of GnuPG.
	*
	* GnuPG is free software; you can redistribute it and/or modify
	* it under the terms of the GNU General Public License as published by
	* the Free Software Foundation; either version 3 of the License, or
	* (at your option) any later version.
	*
	* GnuPG is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	* GNU General Public License for more details.
	*
	* You should have received a copy of the GNU General Public License
	* along with this program; if not, see <http://www.gnu.org/licenses/>.
	*/

	#include <config.h>
	#include <errno.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <stdarg.h>
	#include <ctype.h>
	#include <unistd.h>

	#include "gpgsm.h"
	#include <assuan.h>
	#include "sysutils.h"
	#include "server-help.h"

	#define set_error(e,t) assuan_set_error (ctx, gpg_error (e), (t))


	/* The filepointer for status message used in non-server mode */
	static FILE *statusfp;

	/* Data used to assuciate an Assuan context with local server data */
	struct server_local_s {
	assuan_context_t assuan_ctx;
	int message_fd;
	int list_internal;
	int list_external;
	int list_to_output; /* Write keylistings to the output fd. */
	int enable_audit_log; /* Use an audit log. */
	certlist_t recplist;
	certlist_t signerlist;
	certlist_t default_recplist; /* As set by main() - don't release. */
	int allow_pinentry_notify; /* Set if pinentry notifications should
	be passed back to the client. */
	int no_encrypt_to; /* Local version of option. */
	};


	/* Cookie definition for assuan data line output. */
	static gpgrt_ssize_t data_line_cookie_write (void *cookie,
	const void *buffer, size_t size);
	static int data_line_cookie_close (void *cookie);
	static es_cookie_io_functions_t data_line_cookie_functions =
	{
	NULL,
	data_line_cookie_write,
	NULL,
	data_line_cookie_close
	};



	static int command_has_option (const char cmd, const char cmdopt);




	/* Note that it is sufficient to allocate the target string D as
	long as the source string S, i.e.: strlen(s)+1; */
	static void
	strcpy_escaped_plus (char d, const char s)
	{
	while (*s)
	{
	if (*s == '%' && s[1] && s[2])
	{
	s++;
	*d++ = xtoi_2 (s);
	s += 2;
	}
	else if (*s == '+')
	*d++ = ' ', s++;
	else
	d++ = s++;
	}
	*d = 0;
	}


	/* A write handler used by es_fopencookie to write assuan data
	lines. */
	static gpgrt_ssize_t
	data_line_cookie_write (void cookie, const void buffer, size_t size)
	{
	assuan_context_t ctx = cookie;

	if (assuan_send_data (ctx, buffer, size))
	{
	gpg_err_set_errno (EIO);
	return -1;
	}

	return (gpgrt_ssize_t)size;
	}

	static int
	data_line_cookie_close (void *cookie)
	{
	assuan_context_t ctx = cookie;

	if (assuan_send_data (ctx, NULL, 0))
	{
	gpg_err_set_errno (EIO);
	return -1;
	}

	return 0;
	}


	static void
	close_message_fd (ctrl_t ctrl)
	{
	if (ctrl->server_local->message_fd != -1)
	{
	#ifdef HAVE_W32CE_SYSTEM
	#warning Is this correct for W32/W32CE?
	#endif
	close (ctrl->server_local->message_fd);
	ctrl->server_local->message_fd = -1;
	}
	}


	/* Start a new audit session if this has been enabled. */
	static gpg_error_t
	start_audit_session (ctrl_t ctrl)
	{
	audit_release (ctrl->audit);
	ctrl->audit = NULL;
	if (ctrl->server_local->enable_audit_log && !(ctrl->audit = audit_new ()) )
	return gpg_error_from_syserror ();

	return 0;
	}


	static gpg_error_t
	option_handler (assuan_context_t ctx, const char key, const char value)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	gpg_error_t err = 0;

	if (!strcmp (key, "putenv"))
	{
	/* Change the session's environment to be used for the
	Pinentry. Valid values are:
	<NAME> Delete envvar NAME
	<KEY>= Set envvar NAME to the empty string
	<KEY>=<VALUE> Set envvar NAME to VALUE
	*/
	err = session_env_putenv (opt.session_env, value);
	}
	else if (!strcmp (key, "display"))
	{
	err = session_env_setenv (opt.session_env, "DISPLAY", value);
	}
	else if (!strcmp (key, "ttyname"))
	{
	err = session_env_setenv (opt.session_env, "GPG_TTY", value);
	}
	else if (!strcmp (key, "ttytype"))
	{
	err = session_env_setenv (opt.session_env, "TERM", value);
	}
	else if (!strcmp (key, "lc-ctype"))
	{
	xfree (opt.lc_ctype);
	opt.lc_ctype = xtrystrdup (value);
	if (!opt.lc_ctype)
	err = gpg_error_from_syserror ();
	}
	else if (!strcmp (key, "lc-messages"))
	{
	xfree (opt.lc_messages);
	opt.lc_messages = xtrystrdup (value);
	if (!opt.lc_messages)
	err = gpg_error_from_syserror ();
	}
	else if (!strcmp (key, "xauthority"))
	{
	err = session_env_setenv (opt.session_env, "XAUTHORITY", value);
	}
	else if (!strcmp (key, "pinentry-user-data"))
	{
	err = session_env_setenv (opt.session_env, "PINENTRY_USER_DATA", value);
	}
	else if (!strcmp (key, "include-certs"))
	{
	int i = *value? atoi (value) : -1;
	if (ctrl->include_certs < -2)
	err = gpg_error (GPG_ERR_ASS_PARAMETER);
	else
	ctrl->include_certs = i;
	}
	else if (!strcmp (key, "list-mode"))
	{
	int i = *value? atoi (value) : 0;
	if (!i \|\| i == 1) /* default and mode 1 */
	{
	ctrl->server_local->list_internal = 1;
	ctrl->server_local->list_external = 0;
	}
	else if (i == 2)
	{
	ctrl->server_local->list_internal = 0;
	ctrl->server_local->list_external = 1;
	}
	else if (i == 3)
	{
	ctrl->server_local->list_internal = 1;
	ctrl->server_local->list_external = 1;
	}
	else
	err = gpg_error (GPG_ERR_ASS_PARAMETER);
	}
	else if (!strcmp (key, "list-to-output"))
	{
	int i = *value? atoi (value) : 0;
	ctrl->server_local->list_to_output = i;
	}
	else if (!strcmp (key, "with-validation"))
	{
	int i = *value? atoi (value) : 0;
	ctrl->with_validation = i;
	}
	else if (!strcmp (key, "with-secret"))
	{
	int i = *value? atoi (value) : 0;
	ctrl->with_secret = i;
	}
	else if (!strcmp (key, "validation-model"))
	{
	int i = gpgsm_parse_validation_model (value);
	if ( i >= 0 && i <= 2 )
	ctrl->validation_model = i;
	else
	err = gpg_error (GPG_ERR_ASS_PARAMETER);
	}
	else if (!strcmp (key, "with-key-data"))
	{
	opt.with_key_data = 1;
	}
	else if (!strcmp (key, "enable-audit-log"))
	{
	int i = *value? atoi (value) : 0;
	ctrl->server_local->enable_audit_log = i;
	}
	else if (!strcmp (key, "allow-pinentry-notify"))
	{
	ctrl->server_local->allow_pinentry_notify = 1;
	}
	else if (!strcmp (key, "with-ephemeral-keys"))
	{
	int i = *value? atoi (value) : 0;
	ctrl->with_ephemeral_keys = i;
	}
	else if (!strcmp (key, "no-encrypt-to"))
	{
	ctrl->server_local->no_encrypt_to = 1;
	}
	else if (!strcmp (key, "offline"))
	{
	/* We ignore this option if gpgsm has been started with
	--disable-dirmngr (which also sets offline). */
	if (!opt.disable_dirmngr)
	{
	int i = *value? !!atoi (value) : 1;
	ctrl->offline = i;
	}
	}
	else
	err = gpg_error (GPG_ERR_UNKNOWN_OPTION);

	return err;
	}


	static gpg_error_t
	reset_notify (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);

	(void) line;

	gpgsm_release_certlist (ctrl->server_local->recplist);
	gpgsm_release_certlist (ctrl->server_local->signerlist);
	ctrl->server_local->recplist = NULL;
	ctrl->server_local->signerlist = NULL;
	close_message_fd (ctrl);
	assuan_close_input_fd (ctx);
	assuan_close_output_fd (ctx);
	return 0;
	}


	static gpg_error_t
	input_notify (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);

	ctrl->autodetect_encoding = 0;
	ctrl->is_pem = 0;
	ctrl->is_base64 = 0;
	if (strstr (line, "--armor"))
	ctrl->is_pem = 1;
	else if (strstr (line, "--base64"))
	ctrl->is_base64 = 1;
	else if (strstr (line, "--binary"))
	;
	else
	ctrl->autodetect_encoding = 1;
	return 0;
	}

	static gpg_error_t
	output_notify (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);

	ctrl->create_pem = 0;
	ctrl->create_base64 = 0;
	if (strstr (line, "--armor"))
	ctrl->create_pem = 1;
	else if (strstr (line, "--base64"))
	ctrl->create_base64 = 1; /* just the raw output */
	return 0;
	}


	static const char hlp_recipient[] =
	"RECIPIENT <userID>\n"
	"\n"
	"Set the recipient for the encryption. USERID shall be the\n"
	"internal representation of the key; the server may accept any other\n"
	"way of specification [we will support this]. If this is a valid and\n"
	"trusted recipient the server does respond with OK, otherwise the\n"
	"return is an ERR with the reason why the recipient can't be used,\n"
	"the encryption will then not be done for this recipient. If the\n"
	"policy is not to encrypt at all if not all recipients are valid, the\n"
	"client has to take care of this. All RECIPIENT commands are\n"
	"cumulative until a RESET or an successful ENCRYPT command.";
	static gpg_error_t
	cmd_recipient (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	int rc;

	if (!ctrl->audit)
	rc = start_audit_session (ctrl);
	else
	rc = 0;

	if (!rc)
	rc = gpgsm_add_to_certlist (ctrl, line, 0,
	&ctrl->server_local->recplist, 0);
	if (rc)
	{
	gpgsm_status2 (ctrl, STATUS_INV_RECP,
	get_inv_recpsgnr_code (rc), line, NULL);
	}

	return rc;
	}


	static const char hlp_signer[] =
	"SIGNER <userID>\n"
	"\n"
	"Set the signer's keys for the signature creation. USERID should\n"
	"be the internal representation of the key; the server may accept any\n"
	"other way of specification [we will support this]. If this is a\n"
	"valid and usable signing key the server does respond with OK,\n"
	"otherwise it returns an ERR with the reason why the key can't be\n"
	"used, the signing will then not be done for this key. If the policy\n"
	"is not to sign at all if not all signer keys are valid, the client\n"
	"has to take care of this. All SIGNER commands are cumulative until\n"
	"a RESET but they are not reset by an SIGN command because it can\n"
	"be expected that set of signers are used for more than one sign\n"
	"operation.";
	static gpg_error_t
	cmd_signer (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	int rc;

	rc = gpgsm_add_to_certlist (ctrl, line, 1,
	&ctrl->server_local->signerlist, 0);
	if (rc)
	{
	gpgsm_status2 (ctrl, STATUS_INV_SGNR,
	get_inv_recpsgnr_code (rc), line, NULL);
	/* For compatibiliy reasons we also issue the old code after the
	new one. */
	gpgsm_status2 (ctrl, STATUS_INV_RECP,
	get_inv_recpsgnr_code (rc), line, NULL);
	}
	return rc;
	}


	static const char hlp_encrypt[] =
	"ENCRYPT \n"
	"\n"
	"Do the actual encryption process. Takes the plaintext from the INPUT\n"
	"command, writes to the ciphertext to the file descriptor set with\n"
	"the OUTPUT command, take the recipients form all the recipients set\n"
	"so far. If this command fails the clients should try to delete all\n"
	"output currently done or otherwise mark it as invalid. GPGSM does\n"
	"ensure that there won't be any security problem with leftover data\n"
	"on the output in this case.\n"
	"\n"
	"This command should in general not fail, as all necessary checks\n"
	"have been done while setting the recipients. The input and output\n"
	"pipes are closed.";
	static gpg_error_t
	cmd_encrypt (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	certlist_t cl;
	int inp_fd, out_fd;
	estream_t out_fp;
	int rc;

	(void)line;

	inp_fd = translate_sys2libc_fd (assuan_get_input_fd (ctx), 0);
	if (inp_fd == -1)
	return set_error (GPG_ERR_ASS_NO_INPUT, NULL);
	out_fd = translate_sys2libc_fd (assuan_get_output_fd (ctx), 1);
	if (out_fd == -1)
	return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL);

	out_fp = es_fdopen_nc (out_fd, "w");
	if (!out_fp)
	return set_error (gpg_err_code_from_syserror (), "fdopen() failed");

	/* Now add all encrypt-to marked recipients from the default
	list. */
	rc = 0;
	if (!opt.no_encrypt_to && !ctrl->server_local->no_encrypt_to)
	{
	for (cl=ctrl->server_local->default_recplist; !rc && cl; cl = cl->next)
	if (cl->is_encrypt_to)
	rc = gpgsm_add_cert_to_certlist (ctrl, cl->cert,
	&ctrl->server_local->recplist, 1);
	}
	if (!rc)
	rc = ctrl->audit? 0 : start_audit_session (ctrl);
	if (!rc)
	rc = gpgsm_encrypt (assuan_get_pointer (ctx),
	ctrl->server_local->recplist,
	inp_fd, out_fp);
	es_fclose (out_fp);

	gpgsm_release_certlist (ctrl->server_local->recplist);
	ctrl->server_local->recplist = NULL;
	/* Close and reset the fd */
	close_message_fd (ctrl);
	assuan_close_input_fd (ctx);
	assuan_close_output_fd (ctx);
	return rc;
	}


	static const char hlp_decrypt[] =
	"DECRYPT\n"
	"\n"
	"This performs the decrypt operation after doing some check on the\n"
	"internal state. (e.g. that only needed data has been set). Because\n"
	"it utilizes the GPG-Agent for the session key decryption, there is\n"
	"no need to ask the client for a protecting passphrase - GPG-Agent\n"
	"does take care of this by requesting this from the user.";
	static gpg_error_t
	cmd_decrypt (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	int inp_fd, out_fd;
	estream_t out_fp;
	int rc;

	(void)line;

	inp_fd = translate_sys2libc_fd (assuan_get_input_fd (ctx), 0);
	if (inp_fd == -1)
	return set_error (GPG_ERR_ASS_NO_INPUT, NULL);
	out_fd = translate_sys2libc_fd (assuan_get_output_fd (ctx), 1);
	if (out_fd == -1)
	return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL);

	out_fp = es_fdopen_nc (out_fd, "w");
	if (!out_fp)
	return set_error (gpg_err_code_from_syserror (), "fdopen() failed");

	rc = start_audit_session (ctrl);
	if (!rc)
	rc = gpgsm_decrypt (ctrl, inp_fd, out_fp);
	es_fclose (out_fp);

	/* Close and reset the fds. */
	close_message_fd (ctrl);
	assuan_close_input_fd (ctx);
	assuan_close_output_fd (ctx);

	return rc;
	}


	static const char hlp_verify[] =
	"VERIFY\n"
	"\n"
	"This does a verify operation on the message send to the input FD.\n"
	"The result is written out using status lines. If an output FD was\n"
	"given, the signed text will be written to that.\n"
	"\n"
	"If the signature is a detached one, the server will inquire about\n"
	"the signed material and the client must provide it.";
	static gpg_error_t
	cmd_verify (assuan_context_t ctx, char *line)
	{
	int rc;
	ctrl_t ctrl = assuan_get_pointer (ctx);
	int fd = translate_sys2libc_fd (assuan_get_input_fd (ctx), 0);
	int out_fd = translate_sys2libc_fd (assuan_get_output_fd (ctx), 1);
	estream_t out_fp = NULL;

	(void)line;

	if (fd == -1)
	return set_error (GPG_ERR_ASS_NO_INPUT, NULL);

	if (out_fd != -1)
	{
	out_fp = es_fdopen_nc (out_fd, "w");
	if (!out_fp)
	return set_error (gpg_err_code_from_syserror (), "fdopen() failed");
	}

	rc = start_audit_session (ctrl);
	if (!rc)
	rc = gpgsm_verify (assuan_get_pointer (ctx), fd,
	ctrl->server_local->message_fd, out_fp);
	es_fclose (out_fp);

	/* Close and reset the fd. */
	close_message_fd (ctrl);
	assuan_close_input_fd (ctx);
	assuan_close_output_fd (ctx);

	return rc;
	}


	static const char hlp_sign[] =
	"SIGN [--detached]\n"
	"\n"
	"Sign the data set with the INPUT command and write it to the sink\n"
	"set by OUTPUT. With \"--detached\", a detached signature is\n"
	"created (surprise).";
	static gpg_error_t
	cmd_sign (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	int inp_fd, out_fd;
	estream_t out_fp;
	int detached;
	int rc;

	inp_fd = translate_sys2libc_fd (assuan_get_input_fd (ctx), 0);
	if (inp_fd == -1)
	return set_error (GPG_ERR_ASS_NO_INPUT, NULL);
	out_fd = translate_sys2libc_fd (assuan_get_output_fd (ctx), 1);
	if (out_fd == -1)
	return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL);

	detached = has_option (line, "--detached");

	out_fp = es_fdopen_nc (out_fd, "w");
	if (!out_fp)
	return set_error (GPG_ERR_ASS_GENERAL, "fdopen() failed");

	rc = start_audit_session (ctrl);
	if (!rc)
	rc = gpgsm_sign (assuan_get_pointer (ctx), ctrl->server_local->signerlist,
	inp_fd, detached, out_fp);
	es_fclose (out_fp);

	/* close and reset the fd */
	close_message_fd (ctrl);
	assuan_close_input_fd (ctx);
	assuan_close_output_fd (ctx);

	return rc;
	}


	static const char hlp_import[] =
	"IMPORT [--re-import]\n"
	"\n"
	"Import the certificates read form the input-fd, return status\n"
	"message for each imported one. The import checks the validity of\n"
	"the certificate but not of the entire chain. It is possible to\n"
	"import expired certificates.\n"
	"\n"
	"With the option --re-import the input data is expected to a be a LF\n"
	"separated list of fingerprints. The command will re-import these\n"
	"certificates, meaning that they are made permanent by removing\n"
	"their ephemeral flag.";
	static gpg_error_t
	cmd_import (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	int rc;
	int fd = translate_sys2libc_fd (assuan_get_input_fd (ctx), 0);
	int reimport = has_option (line, "--re-import");

	(void)line;

	if (fd == -1)
	return set_error (GPG_ERR_ASS_NO_INPUT, NULL);

	rc = gpgsm_import (assuan_get_pointer (ctx), fd, reimport);

	/* close and reset the fd */
	close_message_fd (ctrl);
	assuan_close_input_fd (ctx);
	assuan_close_output_fd (ctx);

	return rc;
	}


	static const char hlp_export[] =
	"EXPORT [--data [--armor\|--base64]] [--secret [--(raw\|pkcs12)] [--] <pattern>\n"
	"\n"
	"Export the certificates selected by PATTERN. With --data the output\n"
	"is returned using Assuan D lines; the default is to use the sink given\n"
	"by the last \"OUTPUT\" command. The options --armor or --base64 encode \n"
	"the output using the PEM respective a plain base-64 format; the default\n"
	"is a binary format which is only suitable for a single certificate.\n"
	"With --secret the secret key is exported using the PKCS#8 format,\n"
	"with --raw using PKCS#1, and with --pkcs12 as full PKCS#12 container.";
	static gpg_error_t
	cmd_export (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	char *p;
	strlist_t list, sl;
	int use_data;
	int opt_secret;
	int opt_raw = 0;
	int opt_pkcs12 = 0;

	use_data = has_option (line, "--data");
	if (use_data)
	{
	/* We need to override any possible setting done by an OUTPUT command. */
	ctrl->create_pem = has_option (line, "--armor");
	ctrl->create_base64 = has_option (line, "--base64");
	}
	opt_secret = has_option (line, "--secret");
	if (opt_secret)
	{
	opt_raw = has_option (line, "--raw");
	opt_pkcs12 = has_option (line, "--pkcs12");
	}

	line = skip_options (line);

	/* Break the line down into an strlist_t. */
	list = NULL;
	for (p=line; *p; line = p)
	{
	while (p && p != ' ')
	p++;
	if (*p)
	*p++ = 0;
	if (*line)
	{
	sl = xtrymalloc (sizeof *sl + strlen (line));
	if (!sl)
	{
	free_strlist (list);
	return out_of_core ();
	}
	sl->flags = 0;
	strcpy_escaped_plus (sl->d, line);
	sl->next = list;
	list = sl;
	}
	}

	if (opt_secret)
	{
	if (!list \|\| !*list->d)
	return set_error (GPG_ERR_NO_DATA, "No key given");
	if (list->next)
	return set_error (GPG_ERR_TOO_MANY, "Only one key allowed");
	}

	if (use_data)
	{
	estream_t stream;

	stream = es_fopencookie (ctx, "w", data_line_cookie_functions);
	if (!stream)
	{
	free_strlist (list);
	return set_error (GPG_ERR_ASS_GENERAL,
	"error setting up a data stream");
	}
	if (opt_secret)
	gpgsm_p12_export (ctrl, list->d, stream,
	opt_raw? 2 : opt_pkcs12 ? 0 : 1);
	else
	gpgsm_export (ctrl, list, stream);
	es_fclose (stream);
	}
	else
	{
	int fd = translate_sys2libc_fd (assuan_get_output_fd (ctx), 1);
	estream_t out_fp;

	if (fd == -1)
	{
	free_strlist (list);
	return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL);
	}
	out_fp = es_fdopen_nc (fd, "w");
	if (!out_fp)
	{
	free_strlist (list);
	return set_error (gpg_err_code_from_syserror (), "fdopen() failed");
	}

	if (opt_secret)
	gpgsm_p12_export (ctrl, list->d, out_fp,
	opt_raw? 2 : opt_pkcs12 ? 0 : 1);
	else
	gpgsm_export (ctrl, list, out_fp);
	es_fclose (out_fp);
	}

	free_strlist (list);
	/* Close and reset the fds. */
	close_message_fd (ctrl);
	assuan_close_input_fd (ctx);
	assuan_close_output_fd (ctx);
	return 0;
	}



	static const char hlp_delkeys[] =
	"DELKEYS <patterns>\n"
	"\n"
	"Delete the certificates specified by PATTERNS. Each pattern shall be\n"
	"a percent-plus escaped certificate specification. Usually a\n"
	"fingerprint will be used for this.";
	static gpg_error_t
	cmd_delkeys (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	char *p;
	strlist_t list, sl;
	int rc;

	/* break the line down into an strlist_t */
	list = NULL;
	for (p=line; *p; line = p)
	{
	while (p && p != ' ')
	p++;
	if (*p)
	*p++ = 0;
	if (*line)
	{
	sl = xtrymalloc (sizeof *sl + strlen (line));
	if (!sl)
	{
	free_strlist (list);
	return out_of_core ();
	}
	sl->flags = 0;
	strcpy_escaped_plus (sl->d, line);
	sl->next = list;
	list = sl;
	}
	}

	rc = gpgsm_delete (ctrl, list);
	free_strlist (list);

	/* close and reset the fd */
	close_message_fd (ctrl);
	assuan_close_input_fd (ctx);
	assuan_close_output_fd (ctx);

	return rc;
	}



	static const char hlp_output[] =
	"OUTPUT FD[=<n>]\n"
	"\n"
	"Set the file descriptor to write the output data to N. If N is not\n"
	"given and the operating system supports file descriptor passing, the\n"
	"file descriptor currently in flight will be used. See also the\n"
	"\"INPUT\" and \"MESSAGE\" commands.";
	static const char hlp_input[] =
	"INPUT FD[=<n>]\n"
	"\n"
	"Set the file descriptor to read the input data to N. If N is not\n"
	"given and the operating system supports file descriptor passing, the\n"
	"file descriptor currently in flight will be used. See also the\n"
	"\"MESSAGE\" and \"OUTPUT\" commands.";
	static const char hlp_message[] =
	"MESSAGE FD[=<n>]\n"
	"\n"
	"Set the file descriptor to read the message for a detached\n"
	"signatures to N. If N is not given and the operating system\n"
	"supports file descriptor passing, the file descriptor currently in\n"
	"flight will be used. See also the \"INPUT\" and \"OUTPUT\" commands.";
	static gpg_error_t
	cmd_message (assuan_context_t ctx, char *line)
	{
	int rc;
	gnupg_fd_t sysfd;
	int fd;
	ctrl_t ctrl = assuan_get_pointer (ctx);

	rc = assuan_command_parse_fd (ctx, line, &sysfd);
	if (rc)
	return rc;

	#ifdef HAVE_W32CE_SYSTEM
	sysfd = _assuan_w32ce_finish_pipe ((int)sysfd, 0);
	if (sysfd == INVALID_HANDLE_VALUE)
	return set_error (gpg_err_code_from_syserror (),
	"rvid conversion failed");
	#endif

	fd = translate_sys2libc_fd (sysfd, 0);
	if (fd == -1)
	return set_error (GPG_ERR_ASS_NO_INPUT, NULL);
	ctrl->server_local->message_fd = fd;
	return 0;
	}



	static const char hlp_listkeys[] =
	"LISTKEYS [<patterns>]\n"
	"LISTSECRETKEYS [<patterns>]\n"
	"DUMPKEYS [<patterns>]\n"
	"DUMPSECRETKEYS [<patterns>]\n"
	"\n"
	"List all certificates or only those specified by PATTERNS. Each\n"
	"pattern shall be a percent-plus escaped certificate specification.\n"
	"The \"SECRET\" versions of the command filter the output to include\n"
	"only certificates where the secret key is available or a corresponding\n"
	"smartcard has been registered. The \"DUMP\" versions of the command\n"
	"are only useful for debugging. The output format is a percent escaped\n"
	"colon delimited listing as described in the manual.\n"
	"\n"
	"These \"OPTION\" command keys effect the output::\n"
	"\n"
	" \"list-mode\" set to 0: List only local certificates (default).\n"
	" 1: Ditto.\n"
	" 2: List only external certificates.\n"
	" 3: List local and external certificates.\n"
	"\n"
	" \"with-validation\" set to true: Validate each certificate.\n"
	"\n"
	" \"with-ephemeral-key\" set to true: Always include ephemeral\n"
	" certificates.\n"
	"\n"
	" \"list-to-output\" set to true: Write output to the file descriptor\n"
	" given by the last \"OUTPUT\" command.";
	static int
	do_listkeys (assuan_context_t ctx, char *line, int mode)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	estream_t fp;
	char *p;
	strlist_t list, sl;
	unsigned int listmode;
	gpg_error_t err;

	/* Break the line down into an strlist. */
	list = NULL;
	for (p=line; *p; line = p)
	{
	while (p && p != ' ')
	p++;
	if (*p)
	*p++ = 0;
	if (*line)
	{
	sl = xtrymalloc (sizeof *sl + strlen (line));
	if (!sl)
	{
	free_strlist (list);
	return out_of_core ();
	}
	sl->flags = 0;
	strcpy_escaped_plus (sl->d, line);
	sl->next = list;
	list = sl;
	}
	}

	if (ctrl->server_local->list_to_output)
	{
	int outfd = translate_sys2libc_fd (assuan_get_output_fd (ctx), 1);

	if ( outfd == -1 )
	return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL);
	fp = es_fdopen_nc (outfd, "w");
	if (!fp)
	return set_error (gpg_err_code_from_syserror (), "es_fdopen() failed");
	}
	else
	{
	fp = es_fopencookie (ctx, "w", data_line_cookie_functions);
	if (!fp)
	return set_error (GPG_ERR_ASS_GENERAL,
	"error setting up a data stream");
	}

	ctrl->with_colons = 1;
	listmode = mode;
	if (ctrl->server_local->list_internal)
	listmode \|= (1<<6);
	if (ctrl->server_local->list_external)
	listmode \|= (1<<7);
	err = gpgsm_list_keys (assuan_get_pointer (ctx), list, fp, listmode);
	free_strlist (list);
	es_fclose (fp);
	if (ctrl->server_local->list_to_output)
	assuan_close_output_fd (ctx);
	return err;
	}

	static gpg_error_t
	cmd_listkeys (assuan_context_t ctx, char *line)
	{
	return do_listkeys (ctx, line, 3);
	}

	static gpg_error_t
	cmd_dumpkeys (assuan_context_t ctx, char *line)
	{
	return do_listkeys (ctx, line, 259);
	}

	static gpg_error_t
	cmd_listsecretkeys (assuan_context_t ctx, char *line)
	{
	return do_listkeys (ctx, line, 2);
	}

	static gpg_error_t
	cmd_dumpsecretkeys (assuan_context_t ctx, char *line)
	{
	return do_listkeys (ctx, line, 258);
	}



	static const char hlp_genkey[] =
	"GENKEY\n"
	"\n"
	"Read the parameters in native format from the input fd and write a\n"
	"certificate request to the output.";
	static gpg_error_t
	cmd_genkey (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	int inp_fd, out_fd;
	estream_t in_stream, out_stream;
	int rc;

	(void)line;

	inp_fd = translate_sys2libc_fd (assuan_get_input_fd (ctx), 0);
	if (inp_fd == -1)
	return set_error (GPG_ERR_ASS_NO_INPUT, NULL);
	out_fd = translate_sys2libc_fd (assuan_get_output_fd (ctx), 1);
	if (out_fd == -1)
	return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL);

	in_stream = es_fdopen_nc (inp_fd, "r");
	if (!in_stream)
	return set_error (GPG_ERR_ASS_GENERAL, "es_fdopen failed");

	out_stream = es_fdopen_nc (out_fd, "w");
	if (!out_stream)
	{
	es_fclose (in_stream);
	return set_error (gpg_err_code_from_syserror (), "fdopen() failed");
	}
	rc = gpgsm_genkey (ctrl, in_stream, out_stream);
	es_fclose (out_stream);
	es_fclose (in_stream);

	/* close and reset the fds */
	assuan_close_input_fd (ctx);
	assuan_close_output_fd (ctx);

	return rc;
	}



	static const char hlp_getauditlog[] =
	"GETAUDITLOG [--data] [--html]\n"
	"\n"
	"If --data is used, the output is send using D-lines and not to the\n"
	"file descriptor given by an OUTPUT command.\n"
	"\n"
	- "If --html is used the output is formated as an XHTML block. This is\n"
	+ "If --html is used the output is formatted as an XHTML block. This is\n"
	"designed to be incorporated into a HTML document.";
	static gpg_error_t
	cmd_getauditlog (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	int out_fd;
	estream_t out_stream;
	int opt_data, opt_html;
	int rc;

	opt_data = has_option (line, "--data");
	opt_html = has_option (line, "--html");
	/* Not needed: line = skip_options (line); */

	if (!ctrl->audit)
	return gpg_error (GPG_ERR_NO_DATA);

	if (opt_data)
	{
	out_stream = es_fopencookie (ctx, "w", data_line_cookie_functions);
	if (!out_stream)
	return set_error (GPG_ERR_ASS_GENERAL,
	"error setting up a data stream");
	}
	else
	{
	out_fd = translate_sys2libc_fd (assuan_get_output_fd (ctx), 1);
	if (out_fd == -1)
	return set_error (GPG_ERR_ASS_NO_OUTPUT, NULL);

	out_stream = es_fdopen_nc (out_fd, "w");
	if (!out_stream)
	{
	return set_error (GPG_ERR_ASS_GENERAL, "es_fdopen() failed");
	}
	}

	audit_print_result (ctrl->audit, out_stream, opt_html);
	rc = 0;

	es_fclose (out_stream);

	/* Close and reset the fd. */
	if (!opt_data)
	assuan_close_output_fd (ctx);
	return rc;
	}

	static const char hlp_getinfo[] =
	"GETINFO <what>\n"
	"\n"
	"Multipurpose function to return a variety of information.\n"
	"Supported values for WHAT are:\n"
	"\n"
	" version - Return the version of the program.\n"
	" pid - Return the process id of the server.\n"
	" agent-check - Return success if the agent is running.\n"
	" cmd_has_option CMD OPT\n"
	" - Returns OK if the command CMD implements the option OPT.\n"
	" offline - Returns OK if the conenction is in offline mode.";
	static gpg_error_t
	cmd_getinfo (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	int rc = 0;

	if (!strcmp (line, "version"))
	{
	const char *s = VERSION;
	rc = assuan_send_data (ctx, s, strlen (s));
	}
	else if (!strcmp (line, "pid"))
	{
	char numbuf[50];

	snprintf (numbuf, sizeof numbuf, "%lu", (unsigned long)getpid ());
	rc = assuan_send_data (ctx, numbuf, strlen (numbuf));
	}
	else if (!strcmp (line, "agent-check"))
	{
	rc = gpgsm_agent_send_nop (ctrl);
	}
	else if (!strncmp (line, "cmd_has_option", 14)
	&& (line[14] == ' ' \|\| line[14] == '\t' \|\| !line[14]))
	{
	char cmd, cmdopt;
	line += 14;
	while (line == ' ' \|\| line == '\t')
	line++;
	if (!*line)
	rc = gpg_error (GPG_ERR_MISSING_VALUE);
	else
	{
	cmd = line;
	while (line && (line != ' ' && *line != '\t'))
	line++;
	if (!*line)
	rc = gpg_error (GPG_ERR_MISSING_VALUE);
	else
	{
	*line++ = 0;
	while (line == ' ' \|\| line == '\t')
	line++;
	if (!*line)
	rc = gpg_error (GPG_ERR_MISSING_VALUE);
	else
	{
	cmdopt = line;
	if (!command_has_option (cmd, cmdopt))
	rc = gpg_error (GPG_ERR_GENERAL);
	}
	}
	}
	}
	else if (!strcmp (line, "offline"))
	{
	rc = ctrl->offline? 0 : gpg_error (GPG_ERR_GENERAL);
	}
	else
	rc = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT");

	return rc;
	}


	static const char hlp_passwd[] =
	"PASSWD <userID>\n"
	"\n"
	"Change the passphrase of the secret key for USERID.";
	static gpg_error_t
	cmd_passwd (assuan_context_t ctx, char *line)
	{
	ctrl_t ctrl = assuan_get_pointer (ctx);
	gpg_error_t err;
	ksba_cert_t cert = NULL;
	char *grip = NULL;

	line = skip_options (line);

	err = gpgsm_find_cert (line, NULL, &cert);
	if (err)
	;
	else if (!(grip = gpgsm_get_keygrip_hexstring (cert)))
	err = gpg_error (GPG_ERR_INTERNAL);
	else
	{
	char *desc = gpgsm_format_keydesc (cert);
	err = gpgsm_agent_passwd (ctrl, grip, desc);
	xfree (desc);
	}

	xfree (grip);
	ksba_cert_release (cert);

	return err;
	}



	/* Return true if the command CMD implements the option OPT. */
	static int
	command_has_option (const char cmd, const char cmdopt)
	{
	if (!strcmp (cmd, "IMPORT"))
	{
	if (!strcmp (cmdopt, "re-import"))
	return 1;
	}

	return 0;
	}


	/* Tell the assuan library about our commands */
	static int
	register_commands (assuan_context_t ctx)
	{
	static struct {
	const char *name;
	assuan_handler_t handler;
	const char * const help;
	} table[] = {
	{ "RECIPIENT", cmd_recipient, hlp_recipient },
	{ "SIGNER", cmd_signer, hlp_signer },
	{ "ENCRYPT", cmd_encrypt, hlp_encrypt },
	{ "DECRYPT", cmd_decrypt, hlp_decrypt },
	{ "VERIFY", cmd_verify, hlp_verify },
	{ "SIGN", cmd_sign, hlp_sign },
	{ "IMPORT", cmd_import, hlp_import },
	{ "EXPORT", cmd_export, hlp_export },
	{ "INPUT", NULL, hlp_input },
	{ "OUTPUT", NULL, hlp_output },
	{ "MESSAGE", cmd_message, hlp_message },
	{ "LISTKEYS", cmd_listkeys, hlp_listkeys },
	{ "DUMPKEYS", cmd_dumpkeys, hlp_listkeys },
	{ "LISTSECRETKEYS",cmd_listsecretkeys, hlp_listkeys },
	{ "DUMPSECRETKEYS",cmd_dumpsecretkeys, hlp_listkeys },
	{ "GENKEY", cmd_genkey, hlp_genkey },
	{ "DELKEYS", cmd_delkeys, hlp_delkeys },
	{ "GETAUDITLOG", cmd_getauditlog, hlp_getauditlog },
	{ "GETINFO", cmd_getinfo, hlp_getinfo },
	{ "PASSWD", cmd_passwd, hlp_passwd },
	{ NULL }
	};
	int i, rc;

	for (i=0; table[i].name; i++)
	{
	rc = assuan_register_command (ctx, table[i].name, table[i].handler,
	table[i].help);
	if (rc)
	return rc;
	}
	return 0;
	}

	/* Startup the server. DEFAULT_RECPLIST is the list of recipients as
	set from the command line or config file. We only require those
	marked as encrypt-to. */
	void
	gpgsm_server (certlist_t default_recplist)
	{
	int rc;
	assuan_fd_t filedes[2];
	assuan_context_t ctx;
	struct server_control_s ctrl;
	static const char hello[] = ("GNU Privacy Guard's S/M server "
	VERSION " ready");

	memset (&ctrl, 0, sizeof ctrl);
	gpgsm_init_default_ctrl (&ctrl);

	/* We use a pipe based server so that we can work from scripts.
	assuan_init_pipe_server will automagically detect when we are
	called with a socketpair and ignore FILEDES in this case. */
	#ifdef HAVE_W32CE_SYSTEM
	#define SERVER_STDIN es_fileno(es_stdin)
	#define SERVER_STDOUT es_fileno(es_stdout)
	#else
	#define SERVER_STDIN 0
	#define SERVER_STDOUT 1
	#endif
	filedes[0] = assuan_fdopen (SERVER_STDIN);
	filedes[1] = assuan_fdopen (SERVER_STDOUT);
	rc = assuan_new (&ctx);
	if (rc)
	{
	log_error ("failed to allocate assuan context: %s\n",
	gpg_strerror (rc));
	gpgsm_exit (2);
	}

	rc = assuan_init_pipe_server (ctx, filedes);
	if (rc)
	{
	log_error ("failed to initialize the server: %s\n",
	gpg_strerror (rc));
	gpgsm_exit (2);
	}
	rc = register_commands (ctx);
	if (rc)
	{
	log_error ("failed to the register commands with Assuan: %s\n",
	gpg_strerror(rc));
	gpgsm_exit (2);
	}
	if (opt.verbose \|\| opt.debug)
	{
	char *tmp;

	/* Fixme: Use the really used socket name. */
	if (asprintf (&tmp,
	"Home: %s\n"
	"Config: %s\n"
	"DirmngrInfo: %s\n"
	"%s",
	gnupg_homedir (),
	opt.config_filename,
	(dirmngr_user_socket_name ()
	? dirmngr_user_socket_name ()
	: dirmngr_sys_socket_name ()),
	hello) > 0)
	{
	assuan_set_hello_line (ctx, tmp);
	free (tmp);
	}
	}
	else
	assuan_set_hello_line (ctx, hello);

	assuan_register_reset_notify (ctx, reset_notify);
	assuan_register_input_notify (ctx, input_notify);
	assuan_register_output_notify (ctx, output_notify);
	assuan_register_option_handler (ctx, option_handler);

	assuan_set_pointer (ctx, &ctrl);
	ctrl.server_local = xcalloc (1, sizeof *ctrl.server_local);
	ctrl.server_local->assuan_ctx = ctx;
	ctrl.server_local->message_fd = -1;
	ctrl.server_local->list_internal = 1;
	ctrl.server_local->list_external = 0;
	ctrl.server_local->default_recplist = default_recplist;

	for (;;)
	{
	rc = assuan_accept (ctx);
	if (rc == -1)
	{
	break;
	}
	else if (rc)
	{
	log_info ("Assuan accept problem: %s\n", gpg_strerror (rc));
	break;
	}

	rc = assuan_process (ctx);
	if (rc)
	{
	log_info ("Assuan processing failed: %s\n", gpg_strerror (rc));
	continue;
	}
	}

	gpgsm_release_certlist (ctrl.server_local->recplist);
	ctrl.server_local->recplist = NULL;
	gpgsm_release_certlist (ctrl.server_local->signerlist);
	ctrl.server_local->signerlist = NULL;
	xfree (ctrl.server_local);

	audit_release (ctrl.audit);
	ctrl.audit = NULL;

	assuan_release (ctx);
	}



	gpg_error_t
	gpgsm_status2 (ctrl_t ctrl, int no, ...)
	{
	gpg_error_t err = 0;
	va_list arg_ptr;
	const char *text;

	va_start (arg_ptr, no);

	if (ctrl->no_server && ctrl->status_fd == -1)
	; /* No status wanted. */
	else if (ctrl->no_server)
	{
	if (!statusfp)
	{
	if (ctrl->status_fd == 1)
	statusfp = stdout;
	else if (ctrl->status_fd == 2)
	statusfp = stderr;
	else
	statusfp = fdopen (ctrl->status_fd, "w");

	if (!statusfp)
	{
	log_fatal ("can't open fd %d for status output: %s\n",
	ctrl->status_fd, strerror(errno));
	}
	}

	fputs ("[GNUPG:] ", statusfp);
	fputs (get_status_string (no), statusfp);

	while ( (text = va_arg (arg_ptr, const char*) ))
	{
	putc ( ' ', statusfp );
	for (; *text; text++)
	{
	if (*text == '\n')
	fputs ( "\\n", statusfp );
	else if (*text == '\r')
	fputs ( "\\r", statusfp );
	else
	putc ( (const byte )text, statusfp );
	}
	}
	putc ('\n', statusfp);
	fflush (statusfp);
	}
	else
	{
	assuan_context_t ctx = ctrl->server_local->assuan_ctx;
	char buf[950], *p;
	size_t n;

	p = buf;
	n = 0;
	while ( (text = va_arg (arg_ptr, const char *)) )
	{
	if (n)
	{
	*p++ = ' ';
	n++;
	}
	for ( ; *text && n < DIM (buf)-2; n++)
	p++ = text++;
	}
	*p = 0;
	err = assuan_write_status (ctx, get_status_string (no), buf);
	}

	va_end (arg_ptr);
	return err;
	}

	gpg_error_t
	gpgsm_status (ctrl_t ctrl, int no, const char *text)
	{
	return gpgsm_status2 (ctrl, no, text, NULL);
	}

	gpg_error_t
	gpgsm_status_with_err_code (ctrl_t ctrl, int no, const char *text,
	gpg_err_code_t ec)
	{
	char buf[30];

	sprintf (buf, "%u", (unsigned int)ec);
	if (text)
	return gpgsm_status2 (ctrl, no, text, buf, NULL);
	else
	return gpgsm_status2 (ctrl, no, buf, NULL);
	}


	/* Helper to notify the client about Pinentry events. Because that
	might disturb some older clients, this is only done when enabled
	via an option. Returns an gpg error code. */
	gpg_error_t
	gpgsm_proxy_pinentry_notify (ctrl_t ctrl, const unsigned char *line)
	{
	if (!ctrl \|\| !ctrl->server_local
	\|\| !ctrl->server_local->allow_pinentry_notify)
	return 0;
	return assuan_inquire (ctrl->server_local->assuan_ctx, line, NULL, NULL, 0);
	}
	diff --git a/tests/openpgp/armor.scm b/tests/openpgp/armor.scm
	index 5b4ea1409..578e248a0 100755
	--- a/tests/openpgp/armor.scm
	+++ b/tests/openpgp/armor.scm
	@@ -1,766 +1,766 @@
	#!/usr/bin/env gpgscm

	;; Copyright (C) 2016 g10 Code GmbH
	;;
	;; This file is part of GnuPG.
	;;
	;; GnuPG is free software; you can redistribute it and/or modify
	;; it under the terms of the GNU General Public License as published by
	;; the Free Software Foundation; either version 3 of the License, or
	;; (at your option) any later version.
	;;
	;; GnuPG is distributed in the hope that it will be useful,
	;; but WITHOUT ANY WARRANTY; without even the implied warranty of
	;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	;; GNU General Public License for more details.
	;;
	;; You should have received a copy of the GNU General Public License
	;; along with this program; if not, see <http://www.gnu.org/licenses/>.

	(load (with-path "defs.scm"))

	(define armored_key_8192 "-----BEGIN PGP PUBLIC KEY BLOCK-----
	Version: SKS 1.0.9

	mQGiBDnKLQkRBACVlYh6HivoRjHzGedNpnYPISxImK3eFgt+qs/DD9rqhBOSUTYvmKfa1u7M
	W4XDc23YEoq3MyhtC35IL2RH6rmeIPz7ZVK5rUKWMqzf94n58gIkgdDZgCcaDWImtZFSjji4
	TGhepaIz75iIbymvtnjr9d++fH/lFkz0HDjbOkXCfwCg9GeOjiWw1yBK8cO11acAjk+QpW8D
	/i8ftC1hV0iuh9mswYeG05pBbeeaOW4I2Ps4IcecpXhSyPaP1YiXKRqg9GX2brNgXwc3MEiq
	Wn4UU407RzjrUNF4/d20Q7N2g2MDUDzBtmMytfT2LLKlj53Cq+p510yXESA7UHjiOpRrHPN9
	R69wHmHPsLPkdkB/jRTSM1gzQNtXA/96bRpfGMtCssfB449gBA/kYF14iXUM5KTF6YPSFhCC
	xPGNMoP1uxTk0NHvcYZe4zW2O6b/f9x5Lh15RI1ozWXakX6u3xEV3OqsvVTtXupe4MljHQlX
	YwMDI3MUzFtnHR+He1Bw5lkBVWtkV7rX2kX749J1EgADwlNEP1KFRdjqi7QhU3VzdW11IE9T
	QVdBIDxzdXN1bXVvQGRlYmlhbi5vcmc+iEYEEBECAAYFAjvNYPUACgkQU+WZW1FVMwrlTACf
	RigokAWd1OqYtcOt3v829fhNqYEAnR9uUslZr6B6RaW0z8/BZZuhGuLViEYEEBECAAYFAjzG
	evgACgkQfGUzr9MtPXGWyACg066aP5SSkBHWqqYGGLZv9sVRMNIAoIEHBI1gq4rPJatYDdau
	Ni6DUTkGiEYEEBECAAYFAjzGfBAACgkQ9D5yZjzIjAlTqACeJmtp9kpfljkARhfa3QTc2Q56
	WKkAoJmUchp+fAceVeFncpFeo6leM1YhiEYEEBECAAYFAjzGftIACgkQ2QCnNZ2xmQQCegCg
	rdTsTWzaZk6gF+mtvIDwKsUx8gwAnRUbdDfOP0qL+83Bbz2r/IzPxjCEiEYEEBECAAYFAj2T
	Rd0ACgkQFwU5DuZsm7BfXQCeNVG09VZ2VnuuWTRbgoANXGIyRb0AoI/giUU4DcIpAPbcoNV7
	PzCIreyviEYEExECAAYFAj2508wACgkQ0pu//EQuY8KiUwCdHijK7Wkim2FUPU6i6KxwRH/k
	kFwAn1sOAWVOrLfRBfrNNQBANpbr5ufniEYEExECAAYFAj27vpsACgkQKb5dImj9VJ9m2wCc
	DeL9IkWpytXLPFhKCH9U9XhzPA4AnRjiY3y6AdNhbUgG/eS8Dumch0dniEYEExECAAYFAj5q
	MCcACgkQO/YJxouvzb2O5QCghtxYfrIcbfTcBwvz9vG1sBHkQSkAnj3PMjN9dk1x1e4rUD9d
	S00JOoI0iFYEExECABYFAjnKLQkECwoEAwMVAwIDFgIBAheAAAoJEN7sjAneQVsOUfcAoNgN
	xaeqMn5EWO2MkwVvVrLjWI2FAKDLnp19rJsU69OK7qHqfMeGWFXsQYheBBMRAgAWBQI5yi0J
	BAsKBAMDFQMCAxYCAQIXgAASCRDe7IwJ3kFbDgdlR1BHAAEBUfcAoNgNxaeqMn5EWO2MkwVv
	VrLjWI2FAKDLnp19rJsU69OK7qHqfMeGWFXsQYiVAwUQOcrkWi2pLp/VI9wNAQE5mAP/WW9g
	shqGqWN/rWevpVKlzwqGSqMUq6E2K34dHrFdqd/WnY8ng5zAd66Ey3OLS5x9/+KI6W9MU5OI
	WmxOfrp7PxwqLrQH/BruPTHe9mZbkSyjWIS/V+W8/lYtzIUYTd0584+1x7cK6jah3mAdFu5t
	8fr1k3NyVXFH66dLrLF0bBu0JFN1c3VtdSBPU0FXQSA8c3VzdW11LW9AZGViaWFuLm9yLmpw
	PohGBBARAgAGBQI7zWD4AAoJEFPlmVtRVTMKpEEAn0Oxl1tcdFf6LxiG2URD7kmHNm+iAJ9l
	uLXjsYvo0OXlG1HlaFkFduhgp4hGBBARAgAGBQI8xnr7AAoJEHxlM6/TLT1xZlEAnjSeGhDQ
	mbidMrjv4nOaWWDePjN7AKDXoHEhZbpUIJLJBgS4jZfuGtT3VYhGBBARAgAGBQI8xnwTAAoJ
	EPQ+cmY8yIwJTjEAnAllI6IPXWJlHjtwqlHHwprrZG4eAJwMTl5Rbqu1lf+Lmz3N8QBrcTjn
	zYhGBBARAgAGBQI8xn7VAAoJENkApzWdsZkE6M4AoIpVj26AQLU6dtiJuLNMio8jKx/AAJ9n
	8VzpA4GFEL3Rg2eqNvuQC0bJp4hGBBARAgAGBQI9k0XgAAoJEBcFOQ7mbJuwsaUAnRIT1q2W
	kEgui423U/TVWLvSp2/aAKDG6xkJ+tdAmBnO5CcQcNswRmK4NIhGBBMRAgAGBQI9u76dAAoJ
	ECm+XSJo/VSfDJQAn0pZLQJhXUWzasjG2s2L8egRvvkmAJ4yTxKBoZbvtruTf//8HwNLRs9W
	v4hGBBMRAgAGBQI+ajAuAAoJEDv2CcaLr829bTYAoJzZa95z3Ty/rVS8Q5viOnicJwtOAKCG
	RKoaw3UZfpm6RLHZ4aHlYxCA0YhXBBMRAgAXBQI6aHxFBQsHCgMEAxUDAgMWAgECF4AACgkQ
	3uyMCd5BWw4I+ACfQhdkd2tu9qqWuWW7O1GsLpb359oAoLleotCCH4La5L5ZE/cPIde9+p8o
	iF8EExECABcFAjpofEUFCwcKAwQDFQMCAxYCAQIXgAASCRDe7IwJ3kFbDgdlR1BHAAEBCPgA
	n0IXZHdrbvaqlrlluztRrC6W9+faAKC5XqLQgh+C2uS+WRP3DyHXvfqfKLQlU3VzdW11IE9T
	QVdBIDxzdXN1bXUtb0Bnb2ZvcndhcmQub3JnPohGBBARAgAGBQI7zWD4AAoJEFPlmVtRVTMK
	aY0An0oI4Fwko9YsVWS+0M3/Tpc8FB2eAJ4oALojFgFkOWYT97dh8rTQW8BhyohGBBARAgAG
	BQI8xnr7AAoJEHxlM6/TLT1xsXcAoJV/9zoudxvWy+LwktkGyCB7aTx4AJ0Z8GWmx2/C4W2M
	tSyaUscY3X19uYhGBBARAgAGBQI8xnwTAAoJEPQ+cmY8yIwJpxQAn3efnPpctMJFDQomRDbo
	7Q8rg6r4AKCq7LZmOaXvyrBF/JcYjOCLtYMPIIhGBBARAgAGBQI8xn7VAAoJENkApzWdsZkE
	iB0AnRQs0XjhpGOpR1lyEOuZkm2xxHPzAJ9Is3sG9UMOr+YS5V1GXXiFM29S3YhGBBARAgAG
	BQI9k0XgAAoJEBcFOQ7mbJuwjiAAn2wcQP9HreVLCSQruB1wnX/s79ZcAKCRcecLF+wiRo59
	JJvwtnxp2W24EYhGBBMRAgAGBQI9u76dAAoJECm+XSJo/VSftKUAoJQ/cYKqkyOLSOelU8eM
	plFiFJlPAJwK7B0HrN+tDmR7r8Hc0GrRrbAuvYhGBBMRAgAGBQI+ajAuAAoJEDv2CcaLr829
	PX0An2kfEs+3iR5qV35EQlCdL5ITZCSNAKCf8HErpT620TUhU6hI7vW5R3LNgohXBBMRAgAX
	BQI6aHxeBQsHCgMEAxUDAgMWAgECF4AACgkQ3uyMCd5BWw5HzwCdF8w3WjnwTvktko3ZB7IM
	mFLKvSQAn3GbioDBdV+j6xuhSI90osLMu1jgiF8EExECABcFAjpofF4FCwcKAwQDFQMCAxYC
	AQIXgAASCRDe7IwJ3kFbDgdlR1BHAAEBR88AnRfMN1o58E75LZKN2QeyDJhSyr0kAJ9xm4qA
	wXVfo+sboUiPdKLCzLtY4IkBIgQQAQIADAUCQpGGggUDABJ1AAAKCRCXELibyletfJEKCACw
	Yf5qY4J3RtHnC56HmGiW4GXaahJpBQ1JcWmfx7CkTqJPQveg+KQ4pfLuJvZ8v4YqPZCxPOeK
	/ZhIO48UB4obcD8BZdSkRA4QBamRp8iqcgrCot/LA5xQu9tivIhUJP/1dT6PmDy4DAV3Flgt
	HgED5niVESDPfz3Gjff5iWWIs6dM3bycxoTcFWLz++578aOasoq9T8Tfua9H8UrouVz3+6TK
	xG0rGeb2jOQOQcbLCn3soU/Z60H3SvJYHzgxlS5bqIybrjo3sAnuus/kisrmNjeFfQBdl9v+
	GnK65D1tmBa1+6a95uHb+OG4eHzIXmvnDI4A1RhRKiZ/kpVsT7RViQEiBBABAgAMBQJCo1H8
	BQMAEnUAAAoJEJcQuJvKV618bJgIAMb9Xiv8ps3quJ9ByHhbIQtBOymH0fFiodsutPrcR2Af
	1lc/eh3Ik20Z9Ba3g5V6eUW+3sjpDsjKtI1CXuRq0Zgmze3hrUTMRmyrLoaHPocrqfj2G9mW
	y2OomLHMDurcJFQkSUJioI4Kxo+1NBZmylPKUEeIEoP8UBJbKxf78dVh00ZUecwZcn9lLiZA
	TycRQ0WTT1Yv1fI+tBmvSrpMSe+0k+JS+QigvINN5vUxaV1cN6mkREPYVm7oHzPCQ2C9NX1q
	cI/Wkc38ieZw1Sv9vyPCCL6MYd/2t1209a/ZKADaw5l+mhyWUqIT6SXPLxMDy0NvPhTKdDr1
	7S5LOcKhwPqJASIEEAECAAwFAkK2pukFAwASdQAACgkQlxC4m8pXrXxvUQgAlfw6doD0JHtY
	iN9uCp2M1orLKS/zm66e9eiYPJwbim96KiwP98Ti5J+QO5hZdT3dhW2Avw5JPFiQukSc/rjT
	1YHRyuhZfXKhQhsjom5JmyFSdeIzjnz0PIM2qZaK4OfFihleQfQ8Y94wkPwYtkEXxpBQSClg
	Xk6QJEql34sQexIDM7VsREwv/eIQ73RMquat4RZP1L3h4nj1UJu/X7ey3HVVo61gH0RIAR+A
	adv59AAp//TkKUNIRCHOsIpFCXHjJsJxRvJKhiz3T6FhqFEQNF2tDJKHFV1FcLAIEZheuGOV
	fKNXgmvVATPHrJsg5HsZACg/aRFq9NL9FYskFyGcB4kBIgQQAQIADAUCQrdR0QUDABJ1AAAK
	CRCXELibyletfMNMB/49u9oQzbmTtmHaoKuvou7OA6zmrfeu5X9vV1efZgItF78J7G19fVt8
	K3e6kn0KGYVL+FTbPdEbvrYTb+jfMkzrHooxQYSr0j8Baqfh2bMuZzuw2pVtgBUTYHoihNjQ
	lv6GPtF7Y3CVWLUYXZ25yqY3Hzh9YneoH8bUVFZWxRFitqGB+noFpvm0YXrCJZ19BDNTQlx7
	5quAl4KTNOAxapsKaBrz/4PrnNbuwZBkzP5EEuEyjTM+6UBhxibXfdWKnZw6ky7k6tuUsc68
	qfQJBK6KBmVLflZ5nrd2N90Ueb0m3xfzdncBAZb43THGhi6XyZ4jvbMjvjm3MCGuUosYYbT6
	iQEiBBABAgAMBQJCyQLdBQMAEnUAAAoJEJcQuJvKV618Jz0IAKstm2VX39p4Lt4k55ZdOqXG
	CqHCFT5YYOVcnptx8dKTpHWQXpI2lUJBAcWz0IAXXFhyUbGpvS1E9T/pYF97RSSsQyTncQll
	mLbzy3fESVkGT9xpEvF7ZaK+61BKuWFpbKRdpy5wWakk0GRyF0156vxm7vQh4XI91TwXj7DA
	v6KYWdjnHcEB8O9jLw6RlD4Y6dKjb/v7vTY6dGmYYyOQVK+Bmr/8vVcNDf+tevExsytTu4FZ
	tL9yp+yHODfHP5LZk3mC7UGR/mUKFDYhuEzzIU5ozc6qUfC5ViGt2Hjg45i2T79WeSV0UHSE
	8c3JOgE3e7A71bQEUJygPC9S+RTuc8aJASIEEAECAAwFAkLMT3oFAwASdQAACgkQlxC4m8pX
	rXwoBgf+MEjA/hx7UMl6LHwheZ9qzH/4P1d4CU46SzoC/XEPqWGs9sJw0dKxEAnRZgrG1WMP
	Ml127bOHby5WWDa/xGi0siYM64F386SG0W42FD67vPK9mMPnCDIQ4xn5gGoqUUl8ZzFG0eNv
	XRg0bmMVmoZFvaUyf0uah/0dYCYplgAjJtmC3cmNuJ98PoYEVHMKKGtPW4fVf+TcN90HVjXU
	kr0GnAvRegb3ZXnte3GrOe3jOfXjfjZMyEM6a16FFuKHmykgfyX/I4tS9GqoxPZ6s0KARKn0
	YLZUuxxFL7i1VaGJR/9duyUc8T0BLc9O4TxNuvd1vd5UKVVmTL04fe0q1Bfu4okBIgQQAQIA
	DAUCQtGX8QUDABJ1AAAKCRCXELibyletfNEoCACtKtfWhAfkxLqPihQMbvwXTuSszG61XNYb
	a41gTOpjADF2jQAQ2y8oilVyr5RgSvug8knik3EitSpBOOg0o5Y9NHF3e+85r27m8T5cP3g5
	GHAeugRFDqMXXioiAw9WoyvG9ruMY4caD3gAuogM4hB/3EMEHSlMylMrXLUtbGkQKqkLVJQn
	7V/3SVG8zfUyGb0lSFaGtHFa6LaIIuvJwkQYGMT/SiK7ISqPKOPD7kKRWhxjgcfzVthqGORn
	uQGi+316fdA+JzEYOI/gGdcZsbN/KrMSNQ0DOdSRIeiATy9M0fd+8QtUPOCtaDKLYISSrm72
	xgnKbussJRxAPjxo66dPiQEiBBABAgAMBQJC42DIBQMAEnUAAAoJEJcQuJvKV6181SUIAL/P
	gZhrwepyFUhr+nlYvxeflrxgR9Yl1aNtTngcOYlFU273cs3XnkczIpkg4fVikY5s56Y42G8F
	NvqRu0M0eL5kJvYi50NNMQnf39GkZZp2LrL9bZ9n7ysWU5tiOJsxCBnaOiAg/p6vCUVN3NV+
	t8vRP1fHwPsd5tYEBqA/g4g1U0xJAG+JqJftSDRDLxfTZ16hBdHzlQ3opqMMmW5Mv005p4o+
	buh4HzQLmBHDE98BeZ7CpjYeXY23bu8oi0tvkcTjCEeBWrXWfA3pKSX5HH63nmG3ryKuP0tr
	1A2gTgs9JtLXnGFJUdVYULiQbU781wR6+9o/0h6NuCJDPmJMNmmJASIEEAECAAwFAkLmBFIF
	AwASdQAACgkQlxC4m8pXrXxYZwf/ah4IaTK3CbtqF1+4uz7VVRKemSaNg3jMKLey2simqAQs
	1JwqkLuwEgrwF7XiejfLAvX0/yFqJZkdtDFqeK0VrwOq3WIpfj7+g5B9YSW0CkasD0HUci/l
	oXQiT9CN7PAe1vM5X4X3cqlXfC9tmU7fH7kc0kULxYHAfn96nZQklZS9aVecJ0H+pqMlPoDt
	xtxweNa7UJWAanO9kbPZ/xEdSlkuqzk1CK6ThURedc2lCE+qobPpUZri1FEvMBjyXoQ9MyD6
	AFWfax9eNn1ZSRq9t2WpPyFSQmCvyGETHyvM2BBiFR6UAQUKdr+d4ZE09cR0wXpEtoqaNeJ8
	AidTEGkuLYkBIgQQAQIADAUCQuydlwUDABJ1AAAKCRCXELibyletfLsbB/0X/Jafv+v43U26
	W3HD5XdmHaNdxm7uthGzGGzATGcTAUd3/t8fyVFk2XgmUYxtz0wHUdM8GiyK0tpKBu6wqcbO
	nGkBlvC1m6Blxy+PvpJxQ2sK4ycN8ToEEn/7HCCJesS2fvDudXkvdvskXkxZprPWe7JTHNxj
	fvESUAbLLmSpNGflZnMAOfuQP0hFBQr4D5FEA+zMf7FtrwkBanXt6W65xxEIJ/239ctCsRe8
	jIQ4LesYQN7hyX6x9bP9h3tEw6+OtvjYbMH+2B/3muNVac/9bYqi9rnuGew9eAjmdmm0u8T5
	7Iboy5mUDH2wjpRo6MGU1cHe4oZscW0f9TPE+6XbiQEiBBABAgAMBQJC7UXaBQMAEnUAAAoJ
	EJcQuJvKV618zbcH/RlUtrZSBcUafmhY29s9BYycwWx/UoeJRIJmi852TguSGsoPuAYEGeaW
	WxCdSru2ibn7GPBXowM5u+4MqYqaRB695sg/Ajxho2Djys3lV0TPeSIbyZ7cXbjoSDnSVw/N
	eWGKJLwbFVZPjjC7mcGIMhE1NGGxyRO5H1Z6GA8dEP3zR0rIivklN8KEngfyLRVvB5WYPBs+
	buaNF5HflsBXl2bOP5ueThcal1PSE4HNoQXz79t0Cw7kpsWy3FyFUVVRHPyvwVpJSdYjz8Ur
	L4cD3Dj9SOPwa4AvM7WX+JXbPEIFxi+NA4R0TVxIZXJ/HX8AZj87RFxGYlTfP3GFFw+52QaJ
	ASIEEAECAAwFAkMHCEAFAwASdQAACgkQlxC4m8pXrXxGXQgAwFY5RYFHKcYkL9nDfblQDjXW
	Ictj1rlP2yPsy8dKX579ejhdd8o0TGJf8AzYRaDEpffPf/ZvyfRltqKd979GzdAE3smkrGeD
	kPuUY2rEF6Eon549Tn7omGYNueDuO27QQ4zIs0k9h4m+pE6PxPTgC5BsEVF8Hrz647/XSTf2
	G0Wo11y/KBWGJ9BYvZ1YSxwmk5zicGF4sYNktO1Yl6CGS1ugP9zitCuwSiUm+gJrMCZ3am/D
	+Of+80Ui7e/V9yOOeyC7/gqQq4okPZbdVzJ3hiG2Y3eip19ewHYlYSiLoBW3rr3M3mKBTcbx
	+nLfVOTUHp8HdqxIyI782SaZlpg0mYkBIgQQAQIADAUCQwhbTQUDABJ1AAAKCRCXELibylet
	fD7WB/9ydWuVT1DeeL3UBqqeRRN+mt5DChdFeCjJhWcAjds8R6Z8Q9c+kpKEk+MeSevKaOAf
	iiM2JBtruIxt1sfh/vVEFgjHP/M0sF1il6TwZEKqVn5c3ikMYCMXy75xheslCJoX7fi4jZut
	TO8+JqjVN+z+SYzeRrvQFcjJoIOLRnshh2XgUiXVf/xo/My+fM9rKnMHxF/75PaFVVz8cXz1
	X3jsuUOVLxnUZHsOaP9r1h3bq8uHJxkxPElVPbCuKLdCWrNOHHX6/+TAH9xohUvrBm6HXqbv
	O/aVGqf+Bip6oWSB6rSIe9+0GmXLRe4Ph3ekBvyGUJM/nFhN4hQHX69xZS7yiQEiBBABAgAM
	BQJDEOyRBQMAEnUAAAoJEJcQuJvKV618IlwIAIPbWp20TBCnU0D3kE6JFqRaVKqNAFaJbmRn
	48qxX10NmHnBAluU1iJiUsVL2kOpvf2eyFUsX+sQfVJPzmWkUU2gED/+WZNkcmxPZ72FtJCs
	hW30BcJnLjcRo8wv/6nhdEZ2JYNiBIFHxNQ6iiB7BzVpYsMp1l5tI6mIhbxYxMNETTMrb+hK
	NNAhxjrqiWxPNlrzw6TaKnBOE0Au/Asjz9n37hsPV5Q9xY3zXbff3yDirVkBC4l0Vc+U6drX
	XiFBjQj77yt6AjTYUzBZY7UuGQ0W6o/6QF3KfiC3WAoFJL7SLujIaALkALs+lFzsu3CA9KoB
	X8Ca4hA7kzOP1H76VZKJASIEEAECAAwFAkMSPXoFAwASdQAACgkQlxC4m8pXrXx3cQf9GBPO
	XIrdbvUWIKTofiwftiy6j3MhKOszHkzR9quCu6aLu/aVvIA/avTZHjfj0EvYaQaSNMWplMiX
	i2UhkPHe4cgJYkbjmXEz16GtXYPZXGP1FubQ/RwQ7yQKaVtXSCgz+ZdR5tKhU5kruxAsVjly
	KcQvST95wlqxLuvXzSCjPdWj4qBvkuEt6QADx8EYCafraIiHPRkKtAAiK0sXJSkLevXn3zAN
	6X6ngvZZiNQFvfWLFV8Rodz1vI4S6Af2MTSlVV9Vw0voJGprcsNDlB8k5B/Kl9LigeKdkFa8
	JVfwOQppAtU+Nq3pHjquEafZrPVF9HWY0G0Szh5tOFEpVMF6g4kBIgQQAQIADAUCQxQ7iwUD
	ABJ1AAAKCRCXELibyletfBVfB/9ydVsiBrNWLt0RwbAdMvHRceHz1twh+YeSnpr9Equ7aDMG
	qou4ppl/nTbnZIizdWn3dnRKt+vKY/puuPIT9kEVF7DlfBOcWBdLBvJz34eBt29BCFgvsfOS
	fwESMNKgquZmrraGpEvj4cSTOmW3DJPevB+6ajsN87BC5Qp2MjDGVkwT/Nj6R60pz/vmeSwl
	0BmzgthrBd+NfHSA116HEAF1V21/2UhA1hbkPKe40jWp6HK+GcXDC3+PucTJeS8nX4LLQnWZ
	JCr1QUbkaW6jHCw7i/pgCLfqBBdIh7xJE7d+6mut1AKtq2qUSpEM4qTvrR89DLz3OtNiMnr9
	hq7s5SyduQINBDnKLe0QCACUXlS4TkpEZZP06rJ2IVWZ2v7ZSPkLXjDRcC8h6ESQeZdBOSbd
	dciiWYiHtGq2kyx+eoltwooP7EgJ9m35wn0FGV+5hpKbhSwz2Up9oYsSbexjx/hlopUYGCL4
	kgezCUWQsKypsitJChjV8MHgePDQcF3ho+qK+0ZJeevbYKSZ9bLyzt/i3/b3Jnt0f8tsFP3P
	djel4N76DyQiTyuoOxzZJUJDKx1zr745PUMGcur79oAxuahUfPcRpuwcHFOB0yO7SwEY8fe2
	68U5/AZrGwX+UAZhN7y2MMkU/xK/4BIDY5/W4NY3EX2APAYMRanI+mFW3idui8EEzpzKZ1K1
	8RODAAMFCACOAfgCjg7cgjZe58k0lAV0SANrJbMqgAT1M7v4f5mOf5e3B4si9z8Mk1hx5cRX
	I3dDz/W4LPh8eONmMPjov42NOz8z84PksQBbnjlfZ5UCotPS2fZ2actJPhYCho+a4iXwRm8B
	aXQ3DFa1CsWdXvkGsNIouuSkGoGh6+sEgAdP6JXanM9YGTQINy9Xsg9YOj1UWInSwRqUmJnj
	aNQhxJfj8j5W0uXixzkbKB+Is92mfo8Km3TAi9u0Ge/Acb5Cz0c5sqs+oWqcouaTS3o8/1n6
	CZVmvcHyGI0APiALwU84z7YT9srpXHrjiHo2oS3M4sLxl0nuSFqD6uiIFrg7yF+HiEYEGBEC
	AAYFAjnKLe0ACgkQ3uyMCd5BWw6XgQCg7Gu7XOzqnEcnCYR7v6rub5d0zwwAoOsQ9TNDYmVl
	nW1ff9rt1YcTH9LiiE4EGBECAAYFAjnKLe0AEgkQ3uyMCd5BWw4HZUdQRwABAZeBAKDsa7tc
	7OqcRycJhHu/qu5vl3TPDACg6xD1M0NiZWWdbV9/2u3VhxMf0uI=
	=oXxa
	-----END PGP PUBLIC KEY BLOCK-----
	")

	;; Bug solved 2005-04-07:
	;; Try importing the attached key file. As the key is exactly 8192
	;; bytes long, radix64_read is called twice - the first time to read
	;; the 8192 bytes, and then once again, to handle the pad '=' on the
	;; last four character radix64 block '0uI='. gpg bails out with
	;; gpg: [don't know]: invalid packet (ctb=2d)
	;; On a read for only the = sign, radix64_read returns -1 for EOF.
	;; This causes the iobuf code to pop the armor filter and thus the next
	;; byte read is the '-' from the END header line, causing an error.
	(info "Checking armored_key_8192")
	(pipe:do
	(pipe:echo armored_key_8192)
	(pipe:gpg '(--import)))

	(define nopad_armored_msg "-----BEGIN PGP MESSAGE-----
	Version: GnuPG v1.4.11-svn5139 (GNU/Linux)

	hQEOA2rm1+5GqHH4EAQAi8xXorNRK4QSZR1os2xtbVeZg5pI0hrdyejn0jSnlWmw
	wqnhQnoOXsX/ZE8Sq0deOJDKhIJztVcu4QB17R0zRxXhN+huXq/DRGUa3X2xF+Po
	4bP1XsZT6jYc6RDiN8KzQkuUgEjGsQhEYzBMFgk+tFDDA6PYKRk2mn0UaTyR6NUD
	/jimx1teliNBMhrPQjbBMCdgczfUhH0srGFKovkduf+Fmn0v4rV3JAhtHPYaPrgY
	hQtCMdjgCdh3uMK6rbprGdQ2lh4PAFKd25djBJlf8KBqkJXimAYhe5Y1q/x58xbA
	R5/tAKZFKT+ooU9qjVzXA0APHBwV50/K76Rsxo0QQOTihQEMA7WIRff0Cc1UAQf+
	MZ5HWEX6+2teJWGVKMmJBFkYF4rAEIoqEmtzRWcsAPx6PFXQt5Ok3PbSGDgOsQTQ
	XwR5bEmZ6Gd/O2xIM4BnwKQ/g6PxksPuni0ajZS5YWdoGY7ZTS1LpZMFj++fhtQ9
	1hd8j+i4P+GA2+4TUxVVFwIbHDT58+mw+tYD0KDfizdSwVc22F+5nT1tLaKJVvmu
	VX5L9u8OY6kR/xP09uCq+YzzHt1bi49Avrq9PpV2wbo2P0t7H+3bI92oGvpMPM2L
	ONAXyh11dlQkIrOiVztWtTYIfoCsV7Ud+25V+jYEfd9hyE0gf4awgqhpLwPrzzAs
	aHKQwrjlMaByKKht2teMJNLtARZ+7LbxgF0TR/019x4+XHCBhmwmPzL+OnPTC1r7
	fdB0kte5OefTUfglJyz9tD9QnrvCvuOmKxcsOu0C6NLUqZRJN9knhLBZyXbwx/Cm
	yA60Er2dGssL7e4pa+qW2O/xJRL1IaWpgZa6Ne89ut25hbEDWexCAikBnPUrwrLE
	sqWOepzPNGxUILOcjDV2jKq0t7XKfwj6UPoCQxY6FQpx/0goWllh+PuVLz7tazsM
	c01KGfU61j5EyyuytOkJO2XgyXZj6Zat194NgsMrNGBBWl5QSGUb5W0jW1bHm0Cr
	U+xNTvjnlVZzqy8w3GDr2bCWi6qJs20TrbsbDa4+sK9+WDJ2fcb6LzfTGOekbvyc
	OKyYcEL/UXMH0uYrReRiH/gheESZqyQ1kCz+/q01D0N0KBqj6LHCJyK6cOukrY5M
	Cd+Kdk2gPL5VP0FSVJLoFXfbfwQtjIkbhsP06sFOBszPhd8bh+/r+RKWaqQvHJDX
	u5XqE/lJfBpNd+NBPK1p1fMVW/ljj3EwsJCdYOxh2moXD7gcehbaHCN/pFxD2Xiu
	wFHAqTghAtge4DuIECN+8QrE6xgCnwx1TYlhd9T4f+OqTcn/RdSrGcR/TtQK7TJY
	R2zVvj7vougCx5avrNwmJNX2DiJJl/nDHmjzEFByFv+UvL1PUn4m0dsbyx8alixE
	dw4wl352n/ZpjIc7GdLeusuUPJ7xFY3r1xS16QuInhuj+ZIlPVVeo1vI29BxGP7n
	HH9JmewN57O8xztGeBSMb5dZCSsGaiZtT7TdF2C+r6NgwcULzpgANVMVjNt0U305
	ZhTf0FxH1LFTDd6IH1ry3EABCRQX+NDi78m9082QJPw0u46P6fchF2xW8MlJHa0W
	u+G0+DNrHXUFZBxt0yG7YqWYzqezXX/9ngin/W0o3Myf7RdHxmlwSm7fUuz2nYTn
	0gpJqmu1MdDN5wKxuIO3qMOoG8LGJwnR31sDo9BG+8Hpp+yxYMEMMpmW33otfYcq
	Qqt7L5kWYDrQb0jGr52hS8fBujYi58AY++a/RqddFkU4c3kgA11A2GNqsbtxw7rU
	jN1uqPs2bQA2HqEdlL2ZD71E8jZXztKxMIHyXbJuIEt3GOywJWeHNi2vZa2F4tIw
	bEy12FJXLW/6Dac7COzqVILjNH45S37JRQCc/0kAJV1VWMyhuPBU2LoPwMhdXiDm
	k2vznYlm2cEuvFL/6DRm32Dd/YaA0fw3S/L7nFyuA2FVJjs17XiIRdUemxXt1kC0
	1KPjNVekwJph2YE8GMyyV4nsuf5yGw0wJkXqRYR72Cf8mgxc6rPIS0panSWlAl1x
	5TMf9pEh0TUkNENAbxFazsfpG1RTEVzjpeLXrDSK84O3WW0jUHoG3IyP5iVli3g+
	/HPmOdd6+hBVZq11BcA97xnozZE0d0zFCVkpp2bcK/69X9NC/Cl9FTI0DzdoWMVL
	XTwmOV9BYsXAjJLXAfQR2eDrunaNkZO+rr3KT0/TtqhpcCo2AdP2IPglVRcYGLlr
	SUoF/sAtUgFLGnVnURrkAnKamSs7KBx6J4Y4uiBUqMxX6L4T456FBxHHMQNy7cQB
	quyVixd21NB+P8GYdwb+KLpVjiQRdveqDjBJEn/nTK1yKAhq7SY8B6StVgbzPcmQ
	Pt52HkVTh8a45gxvF8qGWcbhw1E9rwVT6yPFJXQiR/4ciEFFEfqQkYzNz7wVstqe
	R0Uf/rqwBdUCDpPzMPgl9OPKFMHNJ2tfYYU4kzfzdxBb6aKJbOX8xkxrhmktyUaE
	Ap4b2gngCenXf/1zrVoyH8+KOQPZZXlnUK1HfIERZwh2JlmowLvobMlup5zL/+s3
	kRsnxRLbJqn0tYYYFwKsGbEqHZUpzbWR6TKNsJvoRlcgOKbAqel8ggFXiSc4co/f
	VZqk2IPzaQCkTyAU+B5Fl29bTfB4LK9gvZlY63y/VFD2bEBVk36pI9M7CokAr+00
	KvAKEzpmSXN4RHKwJ0W1gZz4IGPKvi3eO6a35wd47K2tIS5K3IfTjsIsUM+agh37
	7xJiJByfKgA7ardssI1xeG46U2iIBvdUNeQe4Q2ODF4AjxczK3hJwBPg55FGkhll
	dIDa07ZsOTB23LpoCejKi4zzn5DsDNqQLaYaSP0Cud6DOuSsmUFHSHSo+NtzqEQG
	rm2o1LkZwQ85iDf1A3b/pzHBf2xhxEEdtMZ2yfWxPJvz+8hsasysqPD8BTJIy0jn
	NzmXJKTj8ll9IhQjr3UBCZZXWUPNbrl3zKGUTQMXbdUIV6cB6hjLERILhgm2VhKR
	eEOFMaqATMKnGETa03l6wDhWDyj7HbgzgKkveHJ5PDFKz+RJ3sIwgKD4LoSOYtZr
	MGuHzMtiFSx+42ZitFm28G6rzj7NUVA+FHvlkogLWCfrXkNyEp0F3D/qbg3S8WS3
	WrdUbLwbjFRSHgkdIUA4yIjCSmRzupfpvXS3UZPFD/tLZicU0ogfVL/2KK5WLYW2
	03q6egJXqYX1iQSOTXwx+Msw9zVzwcAI8j7KKDLVv0fLWXSMOg2ondmznb3s0Y91
	iaYjf7iFhuGH0hk0rTc6+CkxUhet2GeBc51G5XuLt7+Pgml8k7bZHU8kOB6etEP2
	i++7b6uCAhBW3o6shyoRgJNYJmzYbThfIx3yu+3vl1gkSxSQFo4RpEmk8VtjUsio
	tYJNRsAq79wGsyLuPwLKPkPihjGEf488A2NKuVnHB7051oU9hWbRGCVhzdOnD04Q
	HKzZVjt2HyI0v1sY/Nq3BqVH1Ha1CkmySYeeKXRgVQfD6RIzfd3Dgr34+rZqF3qD
	MXna3FeH2W22dbZH/yA+KuQEjU+uOOk8QQsqXorunuyuslrOmGzaDPILW8zJeV+v
	tBeecStyR4FdtWl1KH7YTdFDkeGKOQeBAKYpyYUKr3s1grPh6caqgF1FMNL3Qw+s
	x4d0zp9efHkGqhp1az97oNFBzGmsBD759iPu44QaElulO3OAPyn2GYZA3NhnFX7Q
	uGtFLSexLpVTlVyBHf/QeGJk2lkDuOegiAkW81lorVF0+gFFae/HIOnEZgVK0/Nu
	h8XNFvGd7iKlNhfLtRbKPqHYOtxxGC7gpuSa/M4kgvTmN78QonKjZPDxhlDhYE19
	WOHq14t60lZopVLY1bQREvem1K/RmPk8lak+uf/Fa+UqZ5C33m6kmbM8rwYmuSs5
	Y3M3mR2n4tsTrXEO1AN1vShuIJoMEJ0ledDJiWKkLHRZ/SJOBLYMM+F3/hliWB47
	eNkfQgo9JaTiNs9SBVVcxWYEGUieAZjOekD74oN9nOLVaXS82kQostloXhPHvBG3
	gKQufi48gOj1i7REcTyhQMhIXa/NQ80aKZEedH+qQvYTTNGe1XIJnRILyQfirtgX
	2m7PTaup+psJEOP/+Yf07G5KzN3wtBIXi3Avlr39ihdbuORERUNvu6kR2psvlXdQ
	otIijpBJW3Ur5yTpnTUo7chSlWFzbmVYv2cyXPrQc06RSxzrIQFjyTKI1/Pf6Aax
	wA7Uep62ga5r3IuR26XfaxunphrmFwb47EiFYP6JaNCYW7x5y4OGl8w1OYmabhwP
	azJsUAAem/lXZpPjx3s9meC48fHpuM5N9myIuRlLN1Rtl7EIG8cuZuubi+VUEhWD
	byap1IYIFZjWnS22/yuw6pzyNk5Mr5ccyo5xxvg1ZyC5rondGCcm1egSDcrHXQsE
	pR+jKBcR5AUKBhrgSy+N4HHZvsah+eNnTIZIm2Hh92vTLZZF7u3lW3mlePp4/zAt
	VMbn09ET1qWaIl9xMuHDIfIsSXMLsj4+o8qKaxipQ2sjFjnsFGIK1cAjjptpoUYU
	CffDWoBnLGkFSVTTooOQHuQhUmqaIv2pXWid/f1smPUjkshLoWiPoVl9lLzvo/XH
	NhoJ159/qczMsiosx3Y6e/haFlIfrklSklJCO+j4N/PYW+vyqYg/O6FlWF3BPRhp
	qnKwe+KfUeAyXQKG5CkONWBmUAhuLWOLU1P5280iAKHnOe3YRxkGIpsFJlIA9dIX
	Lf8KW9zFYMS5J1xysSyYtCwUfa/ewpRY+KuLAH/3wSbxViuhwJ1aoS2N6m8hkTqy
	SODnP5Nz/n/EZi3wWesBnz8oqBdrwkOWRnfFORpRkAedcsd9XYCbF1dHozHBdY8Y
	uu8N91ob/5c4RmP08Q5ama/BjaxskdMH3tw7kW/7r9tpzS7a2SLLzbDnyycZjknV
	tPr/xi2bmXHkUNnFwsTL0qvIkcZpae3k2oTwgNrjczqIdYGynflOc/gqxVeBO8gk
	t7mqZ5sCOlhqPkf+/1EY9kVwS0lh84yV2SskkuhEOF5BZP7IgNTgeZlgTwYRsGZq
	R40pWhW2iuAWfHop7NkrIWRvtyVtVtzwqtTLOs4oNrZU6f8xh+1asPdLqp48h53N
	wwS3AduoX31189s/ZnYUR74dfYcf3JehKyBTsfPfq+8rHf/LOHc831bavHQ4ncnW
	f//8T5Xipbjo+WX6LQxr9NnCIkZaJ4cjET+SBvEf2YGRjtG+3jGmWdgAkZLhWJFp
	xqhhOorpOFItwHiYIqsy6WEcEf2hEAww7NnC1qNmglDXw2ou2WOk/WDL+Oya9ANY
	1HAaYrNmyjZ45GXvt9/ISzeiFaClgetu/zmJTe0IG7qxuOsd0MG8DugeFwUDZQrq
	rrVL4U6Z9MZLQl/DAYppnxSmne8vQfwHQqRXoazaIxAh3/uWh/w220YuSIHJt8Cm
	a6J0w6YlQtBmaeY22/rbiOJLqAMtBDC4cCAp8nSuxZKdVTpJA7axQee6lWTzan5q
	WVyvyIkqq/4iuU+WLDtHV441cgnYENyZ/T6jrHwrX1AYIv8d2Bi179JVa0OKO7di
	axMS+65agfbswB1wKRU1QYin1sDQUMPjGbEtP0reyAFwpBlmA38rIg3j4xr1nm8p
	MkdCKOdqZw2ppWDTLFqqM6iUpTiOUZLzC80si8C0VYkTCZkCRze9QTAD3cdfITZZ
	huiHO3K4pS/6ao4QJtr78B4yyUMST8isRibuvqxQYaEIgO7DkFjD0Vh815jkydXB
	Mag8MjSydC3MuAYFtruOm0H2OtoBsY8YBbeQXeC04U49P0ktYYI7MNsShhfFxRtR
	kXV/PldGwhF3egUjSjk5UBiZEUDw39PMiWy6k/uM1KiT6AewNryw6j5SqqzeWynh
	MWAqxK2oIV+zhoR8EaX1sIZ3LtPeDi61GIaeKhnv88FhDQDX+pjm6I2qKgXhnYxr
	TI8YqfbGXGpCZWk13AL6CyYqSzcLeJYKInETPbmZ0D/eA00dKvDUcHnt4UEpuVHq
	XUHETJR1OEF/xNF2DyXBja1+B8fGfChRMjmk2J3YjmIcg1m6svC5r3Cti7WpbKIs
	qldz+u5QKRbAbj+izAd9PEHbJ7azMlFHyL1W69VkO9C2u3qYF3Kx4diDAQFVGisv
	6wVaT7kZod6Yn3dkv19EicvCnfyq1vE511OExvi75E01iznFRjdXIjCOpcsbVsnS
	vbdCo+TnLi01Fg7c4Bp50VMxZOKwvY083cxbR+csrf8z0TyfuaxPsy4YiLhv7SMU
	5D5f85TSgP1j1Gqy2vCqqh5iegpi9+JhO2efZGFTZTyuCsGiIzC9CyQ7BUPHTz12
	nvFa0pYNUjFHJD0FN8qVMVVOgl2SWldRaRD77FbcLsyiS19dFgnvbxXtEdW5OPD/
	AdxCM5PtrJymOijry6jKs7oU/9jZJMw1sooVjcX9Xo9e5HWRqawTAe24nhwzlSRT
	3GLcU/jTOmsjq3NLbzzC0VQb6/nqkN5t4f3JJj6jzRo/1lxKhHB4c+/CgVtQ3GPi
	aCjiyDt3qey29K5lMNmo+dIMtIh6Sf4klKSOlh3oT0XgM1WNNeJdFt6v344vxOrq
	/jw3tSMx9vRMDv52bdtCzzcfkVlSYLPlhS9ErBjaICVWqfaFJMzD2euHmau0RuPV
	S96FiHJfc4t0Lgb75bwIXA6a0SSS/JrDRUynBr3kmSUDJs67i3ULJ1rMV553K/3g
	xOBRT3t+gAYbl+5Dfu1+btu1MkmpVA1duQYcVxO/Mw2asc/kvXA+rGrs3FsScGmD
	Kr/1yLfXvM+p0bYlkCfVoOVEqfU83t1+5Hxp3PlqYwzxlBPx4rgofnDRyeLGtu7j
	+1rZ8m1W/lndkJVf445LqcXWJy8c9V476LXpoRL5oNAQkEERDK5NHS45TP7cYFId
	0xuLwCQQ5hh3cBw+oBSqRZmjiEuxSArhBaw93S5SM96dXhoAmXEiipNbIXO53pqa
	jFeb2kVctAeNhupsUMql4nocwUYWyi0bMBzJH4eUakgBShxJjtAD+k2SEFk+nCVL
	76fVSxUwmpdqOTSMNo/L0CpG3zHU+CflPBnmSXFyTgZD9F2FJCUBWWdKst4bHq0T
	qoL4Y5Wqj6YK8QtZecrqigrayOk+CEM02C6nhyM7Hdt8sWSPtpWGkF85Ksz9RCxF
	QnfIQImjM9Qt6Hd7c8EOxpgdZufvD10vlELH8O5U+TimCoCaViiTcH7p9BziOI4b
	18d9bgXkj6GZmS5uOSBsMIF+uZjKQxyMgwzAaEYHA+vlKPS15rDDtlDNGWDHfNik
	hj7b/FesKCBCdqYpxKWmcHgX4aN7MNMTy+HroF/XVAPGzxGAnMS6oFahb4C/o4be
	T8k1mGhTlTQRWMi3VI9LrXoP1MsH8LwbaPSnSo80X5sbgZmSlctu5QiSaFm0kYc4
	HxMR9fJzxZyuXM/IbXSdlYCc04xwNO7hrF2n2HI4x5BR7fWZSl/E2yfpxwdBtcBf
	l2amxpmIjusGprhGCI860vpQxfyWyTfWNdMX+OFL+Jsgog6Qm8A6bSaNTs35Dkf9
	TjvTPS3wUPwDbTuk9++zPiKt5h85IOFaFzyjC/u+C38IvNmvUUcYLha8GEVz4OnA
	KT7FrOizC7pdyrqbCIJhoZsOzk8romND67wXfgIWZXYMU1b2K81jIFSvkVwrXT9w
	56vollH0x8YJD9xC3U8QcMDnK3FwuOrlGxHY8BfNszCV/OXpT0qlBVC/gywaq993
	YJoQOWugT4CWpmSqnRLjTV3gJTHH+qqQZ23TsoVE9WoByXj/yb14FtdRq9oGL8H4
	Ke03JNOkAlwzohG0XEsoHLC9+o5x6KT37OtLuds2bYV+PzSRVLJjsqNL3C5XSp/a
	nfXTim+6VIANM25jzxfCcot+VBz13fhwnaY3Am78ZEjQVmJn+Z4DbWIIIc6XGtBG
	eNydm9WNcZ2jF64aMN62DBp3RGqgnhE/qXTv/Sw0l9qiOCeWJ5GwqU+Bj08D4/6y
	6xBaaWHcPqCNuyk7pPG/tN59GVUP/jHEX77Z2kn6RiLbnKahcekaifolgBuhgiw1
	/c0fbWmJZVCUVhVPI7fHTAaUIO/VrK878WkSUWL5dRvjXp1yCvAxeYffsdwamPyQ
	R67h7sHAPPtYs9XpIjZxTzGF0YDFc+mpfYykLvc5ixrcuHGo3Km/hzdjVRhcCydM
	CexKFEHqI97u0Bz5aNW3tOE4iTeNth80tl2rV2PsJoK6FRkdGgFGdIsHZkhy3lsG
	GwGcp4bmAawGB/MmjnIQRPeVaSobJSln0BgP/j77h+pe+eTswwxBeCh90umeE9sd
	dFfKQNzuZvd5heYwzbLTwlWbNn8wnB/nh/Jh4O6w3db6WDi8Yl54mt1OSFNVjT9b
	1rM0CfUDFDk+Jzd3fwY5QQDy+Dy8oPm0lm0xCj7mrzmlVGP5JmLCvPiJUTPuybdr
	WlBJe9T3Hyi5xkYgl9P6Itxho+qHEMUYa3ScBBC8Tvl7y91Gp26CIfR5pQxkLKmh
	KI2wYSHF9fytr5F6imJ6kTocxq8T6UvVgXi61pWScjifnQdQBYtNcsmu6F2djNAF
	RIunpWxbcq9b1nuQaMx6aQhYTMnau/ApeW6Y4bbVwUHyHCWMwy4TiE1ifFrvOYzQ
	Ph3WPsfDJ7dfvHfN7/Vr/qF3mcORScAfkWa2yhVitoBnBMJ9fM+q6Qrxulp8xOqH
	0UwdTA/FSaIApZbIHVO5xquLVXDD8Hoene6GWz+wep/oUqXc2k1wl/8XbhKlS29z
	N6vJZ5zVJqLSWWyHceh9L1fd6ycHaNeYkPSAGBA5IluJfm0NsQHGW6LyGkkpnFVp
	mmB+crDof/RHYDU/ep3I+BP27yTFw+j4vgELB6XN689kE2dWetrINmemwilaFoNd
	eDmVpKbQR3J3WD9WNTseI2OJtZn/E+W8mzRkp3G54nGVq94nMYqxCMFHSGQm78iW
	CLqjp0uNPM1NUdAH9Y5jaWF7NzBQGh5H3KLqvn95ynwMbWeFEZ9tzjLoIO3u3qzJ
	eBlhnrM7JnwG/8XYatKQ4JaLteyTdYrlENwmQa0d41kuWiZYGGar4Jwqqf/Ma26V
	UR+IXP39j9agKLjzDDJJgt5Z0rknEWy8wQMhIY6WiKYpYGH4c9zrYtdzwRU7+w1I
	h85xbqgPMTSVlmRlgn81vpljz61Tw2hkb1sUB2uqgas7nwUod2+eiZWBOKDl3awq
	u6kwgp94M0opu9t5xx5oJeb+WdQd1nWo/5E3Pdp1hNPwFpqW0TjMgAtQHmXy3r0r
	sI4pjs5PS6JZ05D5+WR3GA5KDA1cCMq3kBDNhsxqUeKkM2BNuq/J/qQL1pyXjlwr
	4dqR7r49Op0PDIkkl5BEUOXLjLgwAN+TRMhu52vdM9V1jTBFG1hGFd4M7+4jOviy
	jaPsJyzrhvL0tkvxpq5eQUJRqMqqqrJd16UmJZef/xhYFuu+p6sr4oNtE+JxuOmE
	JgaC8I2HM6mIBq3VV4heR0CZUzP1WYk/iv+Z8WmYMTa2AVBbgwHlUK2fhLci8uPp
	tEsLiwyWubB4elo2VLxvgXPaBROuzqANnGSeFM9B2XZoGejAVsDRk9/cfzHunHcv
	is98xkuq9JRtWPdNIXgKVIvP0GuuDP1CNhdWR7XULqMZbZmq6UWsUwRWfPBZ9NM6
	rag4I+gpwnHPHAK3yBe40bgw9J9pSJVClNkH2RLoA4t7V2atSQOatLTP2JictUD1
	2R9kaeRdQ0XHbRe5QnvrByFy1noidLgyv2PXbZMHW+1OyGKMfY3eKa4/k/Wmgw+Z
	QUaomeAVqguCRQB/8QBv7f1fLJu+ZqhjhQXZoTk0MdDro40fTI5wxxg/yV25sw42
	McPy8dR14mKAXocHpYhP792wVhemaBPZC17LXt95xLvfAOLDz/ORalrUHdhwUtZu
	VKzQcxFhVp4aOCYR8gFgMKYNwX5E7I0ixfoTKf099fqwsAvKlOCqnoOuzFnRPrui
	XNg3CkWkJqZG4UgLE9mL0l4CAZ2J9kbleN+4YMLQUXFvlk74Qial8hE0QBIdCCyu
	6huelLEGsUZd+c+VsEQRUfq9sVUONGcIt9LQGFb/IYQoko87E1RThq2b5D+R1R4v
	AWMIJGit1k0F3SxYdeUEYTCqpUddXtjhjSUGbzikMU/PbmyZXFu5PHMK6L8MVoWL
	ZQ2TwphlVTo/gVz7dvW7KeZinnHB1BE2EOoSfhRukO2ckRH+bzuwC76xczosPLGn
	LnYQFLqpYBDN1uCrvoyaV4S0xhgHsfl7kyPVdoqDcoVJSik8uKu6KSCUUyUbrrjg
	lANey8pArBpI7x9BREUnGWNwZS6s5O9giMI58xljBm9wvu91fqGdga3qrv1QMgQg
	Hytb/q+OAgQaQ1wIJpZbKliWz8uqPk41fsDy6ZKOO6UXYwjOg822Wwj7xSpbSRf/
	lhegSXgfihyeEeeWeMTLDWI+N2zuj16zZSCyQHqaDS+vCkMkAXUtJx5Ia3maBHAK
	m1UMTJD6pP99zIqum5/QK4QKEk4rIvYtO0nTOW3L9fos2a6Cc2FouFon0Sbz2+IT
	fVM7zO7RBwI+xSyDmV1nc8C5VyKxUlAAcuqVKEe9YnG5pwv3ogPKQZ0TqSp8zUCO
	YOxHkG4F1kxAXHdrVarP+BYQuYIru1ZFovUQ5vYnl/8F3/7cuD7opnO5hKBr0tvD
	6lM2PvPpIzlOVDiNZSZDHOfmYWWVlq4uzzuP8tG3tLyYBGG/AZuDTA7WNrOGTSSB
	ZP9FVxvNT3kaxGHmjO7lGA1FtjRmkMJr05EWMHHvatvRcDFBVR1thxLkyfneSWs2
	orwnAqkYe8Fz9U8p38L4UC+J+2EZszHAeSO+eW3jrqZuFYbckROdzhktdUsRZcdL
	WFpDIN5zINOo13q2Ei/nG2kIlYKp6Mq0b+wN4x/ILkBWnOuzKXOY6dSrRr4y/zq1
	dpr4ZfQezvsLNh8zjMolwXYdLj32Rg8cgmq6bPWIm0k9Qbln9HCBTO5VihgUfvIe
	edpOxvSi+HpgIGnGl1M/w62z9HnZBCIcgZS4Z3EPvi7CWQg4S1aOABj/mri/RBh4
	k2vx1D0EQX5gBRcbgIGdyFyiRT4cAdPiXyje4zLIl0XT+v3/+LJnX7NPWXLPSOM4
	Skq+fDvzrFQYdZ7yefdxIujVKdI3iuo9dWTwITApf/KYop/M4vb5CJfa12Sig+VA
	k8wdIDwXkklbOvpe468KAtTdUyoluuoROH0hXNaypKHBLMHk0JJRVB9OxBlIdQSs
	jEoUZqQF4Kll7vHSC2sDeYfwiuBp5qZRPet+ew0SdwZfVmXcvjVKr8iPJEtr07Wj
	CtyMi2+yw4G4X99em2JJu728dI4OWPUeyuR4x3dRf1fM5OshgLYxEJl0CMDqKVr6
	GqJ/HAhj7lLQ9k4NOLn/RgKt65jXrjEJB+IHFFitqGu9qLKM8QkMAAKwBfsRyJiZ
	2e7aMj3w51DrifRL7uq8WZdP+RzvNb81WItRtVBQecHnPHrZI9Hwq7guxlzZTOT1
	lmUYNC48LVuq+aZsaD5i6MmT0hXCTC8GC4W+KAAqM1ZkHi8sV9zztWD0YCxmvjpi
	ldx0MTVU8dqySwvBFK0faO31pG1rf8qGVN99Ys/pY4OWGcnbDwGblWhhYlJYZ8uZ
	7IHt+0Zh3hpVWtOAttwifKXM6bGRX83O1FVExJhXkjg3zrklxNv+3baMHKrZFryi
	uDtE3LLbc5ypK1Afp5oenYpUiQwUeJ0fGYH2NT1fEc8UCRqmvcJGSc/MmBiWRMQN
	Iz83mOJ1sP3e0dbbXr4ZcCDf+RLKZRS8AH1zRp1FoBUIhyu4HVOs1C9YBmpaUGyX
	t/c2O+1Slh7bpAKQnguBqIno6O7XB9rZrs/PXezDv/03CU5lQkYqai8SZck1LrhE
	Ta3ak+EV76QfHTQm0DiVFIMD7IaXAjyYdm6nCDxZkLN+Ir/neEC10UzcWHqNIdKe
	o2ao5YePZFY/WW0HicTH62MJDZFvgppWZSxx00IktHmTsILKgHkGgBgMvLTkRX+H
	DdAzqFYNeewOnF2m4U3Z8R2pt3/m63p3sMSYsHnpK3OKjI0trrRJHuFjgTDAwhVm
	xMimLL/8SnVJW+KtjZ+XazD0hMvBC2GzcrYr4h66iVOZI1tsFE44BAlh9LW7h0D6
	FRRkZkbipDpv5uiKoOr6qrhjf4/2NxCdkYI36cAfU2czuPPZ7OoHkLniBbUuKavc
	n45Mn8tkq0qaCfUns46OUCc4qyBb3igBKVLlDlhP6gjNNdYKNaRKsQ09bs7TUk+d
	fJupU57YoatfskkG/RPhJebLSuuvh5+Z966ZTfGSVVIOFPDdACv/S6lJN8DiD7H1
	8b+bAVMdVcXn/egeKvsNuWovYZU4DPVdOLM0E5wGGCmqyt1ygFSaUcoFVFiYfnAB
	FkIxxBOtp67dLSazZDRRcsJRLroZ0AQRl7x9zN8Z5E/OxvQtiv2C/evhntVm2Tjr
	wdJlwPysZfKqjnccXkM5pkoMN3/vrNVjCGMYrCRz2AOPNVHrTr0Hm7TAFJ6QQOPk
	xITHOlIHEBGg1T1ZI3gwSyl9WLlGRp5vyQ+rdef4zg1ycDIj7sxFA2nzBsUBm5Xd
	SgYzbnp32Nir9MSr7pHy5XFPCKVzs0R3GqfAjGQlyt9Xuxau52u194n386tockI7
	iOe2u7DPjqVXcS9Z6lNFO0o6H27F2x+dicSeHXBoWU6DBxvvjWtHG5E/9blp7zCF
	weP5dMmB3UzuL3DcIFprNGJt9kEqmN80eWQRn6H3X/IzNWjLT52AT6pKS1sowOsj
	RztQ2qAJ5md7Uz7fTniUtjp831SmxvUx49Sh7XYfNEpqjyY9VizByKPOUdUKmoXr
	fgXIfsi6yLYkoR/g34dh2JsKrC1bVtC2AiRVAgtcBDN1zFm5hiQGztq7D/aXzr09
	q9szvRnXUat9iAJjCPsfjVJ6k4YjpmQ3iX2Kz+JHHNBYD7EAW89GhTSqJJB0viM8
	3lhxgxZgxnBz8ymwhKsyu1GKzJCv3cmvTqhlHo5xpn1YMFU7ea5xm5XkYKysWhq5
	w1dSMKhuvA0dNau3XTef7M0AI8iWIXdM70447qn2Gwp0bO7f2KZVtXoYMzr51CaP
	QoAEL6FfwULtruriOK26YhmH1F1ey31xgjE0eTbxW6AFLEvYQ0OX0PmjX1/OBW1x
	sVil7+beskMwIJpRPlsx1LUc8uojLnaD2j0ymqkxCuF9G/WkX1nlyi1s/SJpqAbF
	EzXkwj+4B1wM/c6fHfxyt0wxzaTNoZi/omqG6PdXmJDnNF3DlWs5LpHQOsKKKXSh
	2Uv4055evCC9R60LgC/xONXYB4zHTlmeBNnZO9lwcT1AdQ3Ho0h7TnqFm4IBnVva
	f5DZ5ntxLyygAdRLLHR2rQ3SN1Ms4rX3CtfMGvISX14CYu9U7WaHtL1XLbfw7Q2e
	z+wf0xE2zq/cO2161rUUQ7eq4XmF/qYreQ0nBT29ell6wE0540ncv8FAOO3dWK66
	4PrGQJFY8qgZ8B9wmTuHUBvTZ6du3KI1LYGOS5yIktfFX+0UWK+kPRQnLt/ibzID
	n1FoGt4lBlDuOBq3KcVZ5KiwEbS5uNsOuApygXanE9bEIXmGDKqGIMsIz3ZrEURp
	vVMxcr5fZDhNFsaJ6W/MuN1F9+V3Xu4qgS6603JiD/TRiZwKmt+YjZkmD90p5xU1
	joRyPUNv2SVkOqAmxVV0DCEctj3UT6S6XN3eDNN5v+JA4qAJqoSdVjV8M+8R8bHs
	6bDuwPrmOrQ5IFQKC0u0AqmrxfQjNXNftN0OwymryZcg2YTpOu6XAmwa058b7Dp5
	VR11McEUfl5qGtnc8Nhp3TUdvJ0ugx55LTM70SPZqADChRwdz/LGzA6Cj7DTKtAd
	/aD3ccRN4sEXEPGhYacalHKNSAyQPSLWc8+7T2GI8KHZgDQMreHDjzWQwUydEliq
	1wgEkXu72pRArUJ5jmE8ac8r3xGukO+HbAsijgQqKPctveQbGJ+Ypv08wKJHXauq
	E11NwaijBOZoZ6BrCFG/yOrjStDSbrhqd9qVqm3QCewoA2AifcNnzhcQw5Yk5a2I
	ehhGFN7eJxFM+bkXyHMcd3j/4K+7P0WChAS0vujJdm5I8HJYNtz6AlLT+ZT91zGX
	pJOUOnguWtWKhOQ3Hkzy3LrRhjFUmpdh56zOuKOoWP3tIhX5NMZyEBe9JQCYgXMX
	MXLA7uM/muO+Ju0p6TW9eZbc0vdmAjSDXGfJHsdXwt3XuxnbFIpSHhvLTsBqX78s
	cS2kv1IIVvolSeBIFhWmpB8Z0whWNwKWk/Ze9rR+ESmmCM7ykQO+IuEjD/AdzOfC
	H85sQ5uJLcL9xtzdkQ5jkryp0wZSgbApXnKMvt5pVxbUqLkEkguuiGwvPmKvAQau
	jxnypJh+ygKiDrK1WQmaV6sDHofvLjE7VC0SbH2l6ueQ6lQBhE/26UOFKrsOmxmU
	u6fwhiVyv8tiPR5/FLlp3ZuS4FjS6ZzBPAW/8VEhdeU7T6vOvpkDUxQZGsz+L3Nt
	u0mHVaMR1NaMIc6LwCoc2UcWJSlVf8C/tjvWDY8cyNDUCeMpnadQCrxgvVhC6r6Q
	SIJXxnkRgt9QkOQYzHx+l5I6klB6npXYE02+IVjririiAdIT1SCRBOxW02o8Jefk
	lMpqXygQEb21j5LQZgFmwiQSEx5xpvmvjAn7CkWZ+RIwjnLdymz8yUAWHPv433iE
	RvkJ3XeKw6TSrHfiJtVPOVoMbILBjxLHP5SxZ6S671WN+aujWpCKeUkIwiemiHBQ
	NlpR54J9O0u/yDYhDtTWicSnDvMUJPEPOGMhDXgxzl6JdbnvpjEQhPL4/UMpQCuW
	U4kySde3ANyjUgaldWOT4omzh5KLnrBxUrfsV9uFbPnNMROliOU8fpYvkrLaAb32
	mVGbYBncYJPgeVrFQTl2sBM6UMsDFeplGahZ1pzJLkC8aqySgIDpAyvZRBXYDe35
	C5sqCCdjeAUJ+/DOQOoOb8owQR0413HTnHQOU8ZkTsuqSnfNoH6KmjU3XH+xMlhi
	8YqLK+83J9ACgk9e1BkYQA6TdJuI2Nt4MRoBdFnXP8SfpcCO5dm1Prs7hOlhEJQb
	W7vNkZdwAK4WnotcVHRYScTuqn4eA4FIPBu8Mc56QLe9G7FWD8Z7g3bgbIDmgaw/
	Zc/V/6H8jUKMlEtPfJeHFmRxh1F5nDpjJswmLAGP+xJm9WUvuFDKHo/svpUb8KG3
	JP9gu7Hy39pZCU242AH4PK3cxPifhQU88GDWac5FfbGZ3fzoIW/NdxZnhSY7WY4A
	nk9SEv3HGjkmpPGnu3AYDMYnE7XiYk7rtDBMh7ZkZLw26NH9hZeOE4sLqa7aS8KU
	/WbhWzobgS4AlIZVNTUAPPkzKnPCIUPofCF13e23d0QI9nZDTe6JktEzP86lpzw2
	kQg1Zr2pm67jC9FQcu3nUgy0/XBPaBzn3LjCIYB9DX8ZjXBvRnG60qatu/yEYDQJ
	0KE/4V47I2Qs91jjmmTY3yRkCOWR3Hpbi9JIXLuLivvMz36AYQvCrwBxXImBxjNj
	u2d6McMg+LdDrtFjIIViqFJzYSjI/dtCT0aFHN3yF2Cfiy3tvlV8ja2B7Y6w+sOe
	BByjguuUl83bDGZWZD3BXRDiKEjeNJMJT/hlVsIjH++370rZD/XMYimE/oe5m5wQ
	lL4MMw/WjKHT1X+CJs5tDInM9nyzlbwHXkF25iYwA59Fu1Zbdlagz+SmDp3J1dxm
	SbRHKDo3dPp4n3XhHcdH+H4eOdCTOQ9U3jOn5how8DnkHMGHj9NG3Ga6jZqSp5US
	GithsWl6RhTeWYI2vZBafYF75whkB/iPTbwz/SKQprh6D5XbfQ23yp6k9CY1jnSK
	qrxMsEfuJ07xN5Ri4VRn1EOEs5QXf2aD5znMFXlUrVbNRKuYJ64U92wdHjqwZsUA
	CnVlkC+NUWBqLOEWOv7J57Id84Fast/x4DyKri3hqcfw8+t9lXfDFojmHWaPvqSt
	t7Hxxr0dYIQddMF0vePV0OGNMXLAcg9wQ0Hhretge4sbWkp2cW0ESTsvNpk12YJ2
	l14yFBgLOZd5T+xsV/NG+3jB5lyXfhRYa+eTC0VbEyXAWog/3Kl4XcPEAL2rXCju
	T3Z35x7XdbMCz5GSBvsmU92blmscpBLDOUJNpQBKIHyBmixM77YKMyE5ISpQ1Rk3
	hUAoOKIicF278ToBpdWJ/CyLkROzrTuuR7GAG4hhkor76alvyxW1F1rONuWkZkk9
	kV79E8Et772+7ndPsGQ1ZLkWvCHl9hTUJPdsRMjK/NZhuytD/oMWndUewg9AUY4Y
	YUu8iqRsSyE7rcsK/LvBXbjf/LZd5orDCXyWDT7sGZfKtJHiiEHoMhsH/YNcSPKq
	KhPyOz/p4hFFAaGfhxAdSnrh91qviqHpdyT5K6J/kzrrMZm3Mbsoxi5n5hIpeO3w
	4g5i7nGJ8C+TxZqaOr5jL8qYpHN9e+Lakr3oN5pDlpvKlXNzf2de3OgyOXMkbNie
	n0tdlCSkOxh9vCSiekjcclhPzVdcuqNuTriVcZiwcWaGQZq52MGkVbmTY9+qp11T
	OPj51ZB5KbEJaSfzLvX4ju1XZWdbz5FAkt9RyDqm0cLNWU1Ue5iEQuK1fLoDqH8N
	YyJWoHavKb33jQnqHvZrBnwxUlrpbfvqmqCvdsKdsjNu6lcreQU+reRSIbkgiVjT
	jYMWeTLzoMFyo4sVGik2ogUXnVSiWGAxnvc35iB863IlIjr9iYHsiSkZ1Zd2ytQ/
	t2jf7n1chJTyn1wkI3w6Gj1oW1CO+4083O0GfU7aUJUwUACsUAXMso+EdH9uDu5b
	UIS4U2WFff2dJgvNKXZh3vdsAruoEzsk3avocj72GvCBg+qbHL8rDfaZeT5qaBy8
	xNhiOqXULKfg/CwU/ilvt+V/QTvo9WIv11f7mYS0j18GJsgaVm4Mrw7uh4T9A5f5
	4PnmZsNM5b0HpW62DCnARfkjGEObdTC0znKbSoGn4wD3H09T5HP88oSd2q+rdx11
	GFCdo3MOYEhI7y0cUBO+onZozOVJELyW9sbGoXy5jcRtah63sXcZN/+hayQiH+3s
	eLh7rOtQSV/Et1P3oDK8hrMUnNcK6+BMediPxf/PHWCGBqjZP0t4diaON/UBavvZ
	SWA/m2Utgyqvy7h5IEOUbIomiKz90OypeHd57tVNC0BNMIQHnAYvgaDrZbUHpT2T
	7LqLPpG9rffH12550v/ZCCUrIFy0SiaXNZYQiDeG5/WiBOzS0MZZ3PVIMqx0czOG
	Tx8WUcSEasnjAH+pGK16YGDc66YLnrMhyySgiIrWsKqf8NolxDd67Z6AXcvKh+zy
	sCwUHzvTgXJ81ejNWekHIaAUZnpYXe2DCKXUuEOFJpYCdn4EfgOryDwte2WlGvUS
	ZPfj3Ym43bG0RoyFSo5qnJNE1Z7jjNJKxOEIFy8NHvb46ipcY7UeT2r6R8OJLi/H
	yM/8L2op7rXw6UEPat05dCp90VrXtzrT8UgF72yGVP7Wc0Hosb42JuqxmXtLlX6I
	oOu0l7Ht4zaKMm7DGbznsqHs2daXNhJTAQ49e4owHN8zpIZrt+SbN4b1/svO4hZJ
	fK5izj6botAkJIAnY8FT+lyrJ3oRtB3dq51lg/tWXsTR7RYyl2UVxXDRw0mpW5pe
	J8XS2J7tLaTIsVbuO19Q4de5u47KlzOn+exdvmPu6QwZVBIIs2CIFhYKjXKVxKAs
	tTuVv8ygT033gzrXOU9XkbjEPaTY9Dy0WlUf7wwg5Ug5dmEhrRRlhu4+rOc9mGH5
	NzEwSl4ZJmEPP1auB87iM3l1g0KcL81QX0kcTVCS0AnJUNTg1eSr+zc84tn2VLyp
	xdWidOZ5V5T5p7O0TDDZ/PJAddWAuGhRmK5vSW0XaNYcKUdSOTwul4+881/i/1mh
	ft2mHm5+PymHbBRVLMmVvB/AG9jqACnRXg4pbHwxp8RRMm5AXwQiRrKA7arUPttd
	1Faxq6C4e2GIYDdbWmLRg2P3PYZXbZE2HNo5DGpZ60xs9GwirIPeZZbmPjRTTvqC
	h7TBHyNZm/mQ3jB+f+2vdH0k9kXFxGCcitg+1faAjCOIkcQKdpc8RMz+e+XSIV39
	ZcIlLrV2Ku5jpJ9MbWNg4BpcCDi14nteey2R4JQGOSyeR27VMjGtVWB+b8fNjT29
	J9fDdgcso4OINe2jDC2oqtmlCHXMYDsaWx9uAB0LKsGbMYsF4kR8EqS10Yo709ij
	ARppJ4cRcYmxN+GsVLemIBTYVObK6Ro/k88rOZk00+cLGNWsZwkp2Bgdu5cuNfEX
	/0xkeR8dtuIZhAYdc61Hc61TVEQFPUyhbLgS/PEc7jhkLkbD3p4acVNrqt2I6WAH
	iAcLHJe6aCB29C1XRJf8DI9a5+7nXqSKFdv1pKQgVBLon+gk5CctlDsl/H2J4ehW
	J7/MrWpmKmlG5AUuTESqB9tShUZPCoxkB2wEWgNtPwoCi7+P57NR5A8BD56zP7hJ
	3vrkxSLHnzKBVkrN82cDk/RiVJz7PM6108APRRWncXx5kIfeK48A5FxgcZ7RElV6
	UWQGFfoGlC3rRJyMYAKai5Ial/mQVLwtcdTweaQdNiDXVKeAFyXgznA3fkMfE+9d
	0v0u6FtMml7KSXUwIT6JKmg17W4Lr8qdGFzz6W2YqAI0RelErgTbuai35i/4YTnW
	r5hOuCNTsDYZA0XuNVq2xbIcLoCJPOkOGRNtCKZdIt4CwBFGFg4ak4KVhpFjNTvC
	wBhDj7exxsiOdtpniKeHOiGk0hH6IEMITL5e+C9ycXmur9geA4v3Vr8E3MAsFixZ
	mYbgqx/xlI8Ahprd36ab+YTwmhRoav1ZsHJiiejNfUmv8Z625nQ7Pj6LPysLNZ0O
	+UKZ6wm6mEBYm4hP6GfqJK3k/4V9nOt8sXxfo3FXKVAus26m9dDYOL1qb4NWsRLx
	r7hGMJfsf+hwcCpcN2urK/C6Mzpa923kMBBp/E35ObTyv9A9Fnjdpsp2t3Oo+G6z
	Q9IYGV2taJt3pPWK+qLGxkTEb8HzfH98vdWfdplr0B5C9pXel+gK0Dmk6+LnxYXk
	TA6ao7f8mxzLSMUiPjLW1Rl1udPnNjGFIdgcPQ9ZNJSx+6O3o2LcU6YVcwTcb4ES
	vqT+dWkh88O0WoKWkQL36V5mBUudSl6WipcLY2twp+WWweJquHA4xh13uqqbhF4Y
	4kwkupt8Im0oQKrLSofMaEalUPMZkIaXai6qhz5niRfo7x5fe8+8jS20HMUljbDG
	sn/Uyc1/MBv+8w1TXBOWoAgaoutuzOocARU2RbGrICc0Mm/rbuUt9nVKxpW1WvML
	awKfDhbY2XYoYn0CzfYrvA6oGZJ3bNwRa8MtEkmQdR7Qb99H5hn9StOKNE3BVKEu
	AZFgiWTGI2Eq/XlCOHW1vL/D4bPun/0PP8IfL3PyPjiELm/CSVYP59v1ZGtZyPqz
	2By3MT+7r1gqjU02HMElDq/+2MeJMu5YMzhcibQABS4JmqPHr5fpvqTzyz0T+zs7
	KRdMh7LVQ0WmW1F1pkwHEjVV8oFWkHCh0s4e0pmYPhW3/YRDVyAGSFNY9zKsv8a9
	BpLQEEY0JqW4aXLibKciLcj1dkY7XOrpFTir+LwYaCt7NayHm8ddWjWBg694U4Hc
	zxs8FWCp0VKm9/HlS4Nt1VkoYmxWdZCLCpllS7ZmQ4K9m4UfIRcyfh6NGeUOJ+SL
	av+L7m8I0TyRZ/0hra1D1c31Rltmt/2BoOnE6oo5plmxOkpV7PX4tLZO5oNlbbel
	C1IkzdjI9GLQgqr9XhNszFyeVfb8W3UjRNHzv+NfLY/bqU8vhDjtHmchlsnOiFSL
	TbW8I6VtbzhVAh6cwCE+1uLhd4B/pBczdg4DTxv7DkTZamvzOAVfyK5r38A2vCwe
	LOFpV0BN9v/4RqfXejFiw8gfXcA+UJNcOvVuRp6Hz8tmnZzyfTWTMRP38FTR6qVL
	7TGxeUwCmmAzYR3tUAwBYQzb7rLg5U7jeMtii08URsKUqOMFWvEomrm3Gb+/mRXA
	LZSjp18pflAxDtqvHNCxie5Fo1yMbqnO2kYT0BK/mppsLzKYH4QiuYjjTv9ffKjc
	A6RtTVJ/U1aUnJZ62nQJcbAw3Lv6YgtNFFqUq+KlwEhudvJpKtMf/zwp+caxyYNn
	F04gCsJlIVvqYUAZ2LV53tnLkBMs85bs0nzRBUkPCw1PK7YRv39mirDMYvbV3F5t
	bOUjeQvUx+tYzRrnT/ndmpPFR/iS2xatvoErkuIPxMrgX7W3amN6CHKGsqQn9VHd
	ujqoTTHMkIdyq7NcC0DIvUGjIXMMOwHL3bq04rYXadpsNgiKxqhvjallJC/1aNKg
	ra2KuxKxHT4g1lt501i1Xz91bjwXJPnKB5vwseEm4eElS6k/EUBWoR0AWGWu+nCz
	RWt60260ENuSuLT7BB7pbUUfgYxcHd5oJO7jQYK9xY7LImJzR+BYKO0l9M/TMWtL
	LxecJE2SdMkUJcNAM8p5BVL6W9gBzDK/UIh4qM4Ja31CwOdyrUUVr29HuUxnTNVh
	7RCX+WkSSGdiq1G/PEb8YwPPs7roZSP/nBcj4GNh6aZFiv+RBntOpzJA2oxoJ/z7
	4hK2g+UC62A+krW41h3QvMCZ/ZcNmQWcLg1EsnVGThFajtz5+1MU/p/R0JZ1HE/E
	UUoi+Aj6MC1MBsOaTqKNKq+0JL11hxya0uypiBJTQsCex63bdXGmOoN8OK+TQ9gt
	GO24H17S3ZXXy3koLUY50YGVXXY6UXgVYL0TlGWQFNjEzDxgZI4/tJckEyv+0gv8
	82eMDz5sMDVFXdYme8Rz3RyrG2+4kS1dYQNQ3vKuSABtAMU8v8RcoBX/EZGgOXy8
	4K0F+nD/Ldoi9d355n/pumiT5uz8omBNFs8Xv5zIArGCGg8fBQAqRslA6su041rp
	Uet3zhg3/EICocyFAsEL8a/qmG7SgmiLOx58ehTBs3/WMWr0am59UJUKN0iDHjB7
	lOezHJg78R98dfWIeWq2nSbOcriPvZcaWKbTDmh5ss5bNhwLHn1EwVpIdWzJo51R
	3J321Fnm1m1IpPRBkc1DV1Jt7daR27QuC+ikQC33SKOUnKeE9Kb6sRSA/9jBuzIH
	Z51iPuEZDLgFlomc5easAMfMYg1JEi9ocRsnzyEL8P5HS5znAdqO3kBFsG6X2b4r
	z0wgBl0TO9jKgut/WbW7rp4AhZQlrRo+ARF1J1G7dPov3SZ74eIhbbIOYf5owapY
	Fud9ctRnE90T1B8N07RRorhMvhPw0fxiJBPMq0jGVTTxp93gEA79CEBh/c6RhhdZ
	++zOma31Jc/nwvxY/FzGEUdzT+m89leib3I2DIHGBaQ5ZKUNXFRz/VF++sH3YrGB
	UQXRJEu/rbjJMXCfhs3TLor10cDx2P1bnO6oNTwt+BQuWH6Vz/cV6+KYDheGK5IQ
	N8iryCFvr41BDkMj1YaL55EqWpEk64adh5WN8YtruTowlJjsZ+d6MM/vsVz0USLU
	TeoXzOiNIfXFO8xjN2PS4PcsEOq2ti/oTPlJJW3hQ6dB4R8nk++iS+NZ6SRUnI8U
	mQ0utN+N/1HQKLh9nzUACdWe9BJ4KMJMpF8Vdk7mghIcX3aG9H+duT3FY8P0nsed
	cJM5H5tG1RkLw98POYNnPjn7j8iETIAlNG4QFh1qSO27rCHu9X2+9r0XxDPZiNhT
	+HmdKXeIrAd2HotvWdwBnBChfxAb32I8QQHqwxkS9eBcexC7IxIkI3HLO1/EqKZU
	XqpLF8eyZ5YlNwavBoHPs5yiVJyXX9HHDwF12hGiPpj5cmjgAX5jxV3OTVp7A6rc
	cx2Appm5AeN8nz5XE4WrQeQQek19Dd6bM0p0kowmusMRSjOJvLCTtmTyLeVMXsFi
	/mLYee6rSEyjrB8lIjVMWq33rz//tnU1NuoqTM0X5Tj9iUd7R2f8DAA8q2NageAR
	kFK7B2IAIKpfy+366Axc8cE2+of8SocRdbavX35xTahsnQhaFpoDoxlhoOkCTtzj
	Y25jc8xNSO7ULGjE30DIPSNp35KG14rNVNTHJB62ks3z0XirNU4/pUrYOzIfBdZL
	49ETu3y7oVb/ouhZs3QCptZlkiFf9quG/eTumY4cm63n5nTLjWwPpUFQzPE2gpgS
	FJXFFlm252hRNKtJnNZv55EBUxcd5T6GjykyfpKxEnxBNbOLzsg3c/uXDKbJjpwt
	qpCqA4Y2BXHYNti+l4Fxjfy/WQ7a+pwMj8ImA5vqxn14N8cQAKSYI7m8k3ZH5EHy
	LMCrU94T6QFvpxzrRB392MIVR0IRe6mAvdPXpbHdKXkIYNYCtVZBt8TC/kPjuoXK
	84PlabtFzJAMZlf4Eg1+2WLTPCJageKSUsOKbJqn65tw5OX1i7W+hdQQnNl/c+CC
	jR1ZJp+AK5dOi7mR8lV7NPPoI7wkeY8avx4pwFpMtcexxAldfx5sG4Fd3MXSYJAz
	4n+qqrXjkTOfYlbuPcG6CPUcFR6siHktns5HyKBrNm8/8pk61/qgtJy/1pMpUia3
	kV8aFL+8Mey3soYij+DBeiOIE/5tyASokdngNiwZvw4K40PsW+jzQCiXYeGfhi9C
	YiTydDpT+pWBLxdKdk2B+wTIl+F6XniREcz5o2+ZyJzf8u3Nf1DI/bqwNk1+tg9t
	yHcjEHoQsA8YsLkK9JzhE48pLJaLHeGGfJlXlN6lPKhMrvWiEAdjvTLqykyjgv21
	wTgZg8BSf2rKApVGVmJRr1H4hf4eLpT5llt3byZ/lnmTfgJ9gLo32wDfPF4xi1U9
	nW6fk1mLN1tp3YDaIAnr1qbD0kFXkcjGRmWg68vukVNzaRcdF6Su/Y8jLlm3GQM6
	q7hJWH2ZnqiOx+9XPHyb6IDF4AXxbYWu35EiSgqu+5L0W11GlyKbB7plExhPXEn3
	HItmzZ/wuAhf3DOb/szBdeOAevcTjNagohAeax3yvnavgQ2925YGhezxgaEoxo+7
	U9B7T03XEGTaIx5qn8EMqu1wKy546kSWBhAxq8wHXqQfeA3w88f12l3VVDT9nYoU
	lEIJyS6kzOASMh0n3AGFv+q1YG4ZGlO88810wFoGXAOJhCQ5jgAWFDrK68F67Lps
	Cq9lWODdG9dypIn/bGcv0fOQtoj1YmA5ZzvYgzEawftbGruaMW1FjHJcH4Lnosa3
	0hDBLBclrgG5ZoMeOtTQpmRkmioTawwGVoX3fmi6eKtLWKJWL9znh6KRLWIPOQb9
	/KhHmuxPyVYkpBVc7EDyEXdaZfN57JTCvjBaGZBF3eE826q9mSTOiaTOEUDU/TD4
	vCmsDCL9/hVlWf1IjutZ6Iy/BGupHY04lOM18Wvr3Npm2B1TVB49mtZdhbN5bUw+
	xevTb5dgAfYnaDds4zIX+h2FNeLp5rDty2x3th+5Hre/TUY/zJ2WaM0yigQ1s9Rn
	5uZ6sg/bPe+M6nOzPguHz77pqSVa9PrGsHo65Hgb1w71S1NXOMFaCKQEH6lVl6kv
	UPKs73P0vUhAJM0njD+8LaXIsaTsILNY2IbOPyMsT6TgpvHkzlO5nR+h7R/o2pao
	kDmW0vBuHdw15V58JlYD7DR6eqsP0ESdnJRjEiuvnJEWElXXDA6OX89OqiM6cnFX
	LuN8BrmhdfH8nPXDTPkIGLcCOgBg9anEwAWG0T8ZXKY60nElz+bScXijDpyxnGpL
	/Wmwr2L0WtYoDyT/X5a8qtWY0B0I72NFeoEkg/A5rHGZ+SfSc79sE+4dm/zVNU37
	AurHotydNRXi5tL8/SgWggSD//KPv39pg8lmUi8AIfe/+Vrmqy3fnCUgyMb2iULM
	mMahyuZb7m4Glsd/VbCprT++3ZLV1K+SzP9GCZymos3byCw4CZV6oTrkyw9lqCf/
	O4xXy6Kz+Cl91do8OlIG3PhOmRSvVU1uDQmdX26mbbckLhmk6ZPYltg4/A33rfmB
	Atc+5XtVRhRteZ3Bk0csryFi1ljX5jdslsYsiOzPzs4FfzY4pcP/75ec92VEb3C0
	8lF786UbHHVBu6ZGDSBASbhqlVE5vC1z5b2YJRiNolpr+2KUOsDF8ReXDaogAgyj
	vcczjik83AV4+Wyc70sc6Y+9kpTxchdhmug8Fdrx7gUwwkqm25m9ia5Z1qIX5RQv
	RG/pMtdOLbps0XoE1GEZjOC74bIfRffcspiPmUEDKlfqcHdB78Z6sgNAO3TfRzTV
	elsEB27DNDNC4OAYLqfXnt3WPhfKyE2LHGf3jqX+izVgy2LdqxDd5TB6LEnWpLbC
	K388OEnmc2HBxhcoPQqcd5zyDGsXXhK1EuNnJMvP2G3Ug26wKd0xo1H8Y5cVMEw1
	W6YHmLvsxKAOEScsjqfEMkwMQri1d21fzCwcfqF1v7sA2GwLf1QNC8Vfrle1vU2E
	dvrMtsnv4XZHSPMlsYZpsNpR5L7T79hTjsHIVHvfOwG+VhzL43G8EIdUVLDrwZzk
	FtJE4jF0CG/mTcgXPiT9gY5RBDYFjdwEVyz9nCBBopoYmY15tM19g9uZErZ2pm2V
	2pJXdsVMTLM/m9kZcShA7I89XtCZyBlvfV2IO/xLeqhKCBhY945k1EDvQGHWyJ+k
	lC6zPO1F0ihTLE3mhDIV/9WX9V9iKMMcO7b1XRhH9ym6O/bE6XECIvA6V5Zi2Hvy
	p5knHk4cuGSOuQaAxlUHgDTZVuFQrBeygh2xJRHDD0aDKff8lJrUGmSG6STKd2IR
	C7YWBdt/nfpSXEqKejOteMxil0XuOxQUTqmIyysvEXsQAluYyEqNd97LleWuKvox
	0oUIj3W7AuztDo6NesANMSvMquGE1DCRm+SlVab/LpT05CYpLNhsiPjzRy0vTDhz
	RS+2i3d7OFWzmmy0A1dVFojqvVe+rVLgF8L9aVEOg/t8l0/SIS1X7c1deYYIlqyg
	aQ1kjUOrUNaxIXyBgo8drkBt/esoO2aG30Ty5BmNerORyWi97Kf9Kz0FFwXFhjWF
	wfhV3iVlvfB4yt4xyVOiS23PvRqhQh5FDGUacg7l18VFgQkEPCCXoel9oWQaqB//
	efrcNeNlOjRs/zf+gkgQ+YGK1Tg4WkcFCrWyJ4CWp1FDy777m4tgCABc+Uf9elwc
	OnEFDjVMJlIojzQ8ojtsMqDyqka71A02UbR22JV5GGLMrZn7v4a7m3IwYKsYDOMq
	rdnhETVHpR/MZNpmIl9sJDqp0l9f4nfZ0NXaEGtJWrAi1y8dF7DXw06ejb63m/vP
	u3CpEPd031clExD9laaCBX8+eIpZ1qA6auswkck/itIasaeXO0B1pyKKfT8/sdBF
	Yec7SXwaZ7YMdwMeQ/q9epaQCjfC6WhiyZFOspC8iKCv+YG9DnL+IPLoz19Uy+0s
	3MIo2eEb4UEoVusA+qPmyo2J54jxjoLg3lopEzZy6INaWmLwfLwuUPmW4ZQVGxTX
	K48eY7AQVwofe7+bVabVaJt15o0lC4bwwyvUFmVYYiWb6cQPghLlarFhCgQG6PuG
	cb2pbwNpS37CR3ClVoKoGpRim8UdgQCc/87wfpKGdIkNHL03U14uE/S+pnWKgxE/
	hVlfAJmEN2XXaxs8EUnyTyChxvXtR6oVPinbtDKUh+K6jhFrc6j4c2W9LaX6x3VW
	8YceU4m1088zXoAQ+JQ9ZjEE3EZSBhNTtD2CUBWxVvMtI1aD4pXoGcftSC48nJcm
	2yva7a45CfUthHrGM8K5DqHuxgYPkbvMxpQhoSAABg1XttOEBhr0wLCe6GwjB1MV
	NJ02CTwcU9NdGCXNwVY8bMQYUNmKWgno59C4nnYKGx89J6ot0oSDeozipqGR6qHH
	k6TOjTmJck0x5v4UB2bFTqv2d757j1wHX9aWI+TfE5LId9VNlx8eEceJPwLQCN+x
	sklKuZgzJ2kbopE/t6+AmOOf8Exowa74kJFjSRE/T0muNYRFFGUj5s+Q3IVqPc07
	N//rNHGR64YK7rUuIWM225WP9PF4cTIUwReOO9+G/RF/wwlYdPFx7gGE+RZpvRet
	idaiJdgWpWq2LCfDUr1lY5tpO5t0HIEEfGfCngGiMmxtBHjlQsnTxxiUbU76omrG
	GflKQZprwhbm0QjLr8DdqAWbl9NHyx7sNvNIBvIKfx4ha1HdIWqv7TIc4F7weR03
	zm4S2xk3TvQvF5B5S/wkP2ah1Q4D6s2zb/ltAfEdjZh1OplgUwtdl5qmD+6Gb4Rf
	MZhmhwPjFlH6tZbzVlbEKCBAVb1f7fBHdITP9J6vuZdfJX2KLgmowSCvF/CV2eFg
	MkYByXc70gFxGVQYWf+iyokBlopcPrUtaE6lz9HdvdYs8h9E6utNfigBO8HwesOv
	3mzx8QdZIxjlFobEryoM8coveomoQHMysGW2T7ZZcSH/qdGsim4wbz0Gh/2a3tZt
	JLwcuOTnkCy48iRcbmp1yM2v32466e5swRG08jx7WvfksGsyw3s1Bf2aKvXmLTfn
	shsnvKATqsbt9oYfNRSkr1VfbSHrtX/4QFSWoKA/y++3BCf1fymNwgZRqyWGiJ1L
	J+eXOgl8hPXQqwR6NAONtq81uJP5hPZ96B4W8A69Onlz+0O4yuHL0DzJXR6Y4WAa
	+n5TWI7+D5nt5qMpURepwZVFAUblGqnzrt+ObSbZ4439acvFBqn2FqR1l903cMQc
	LVM+5iO7QFHh3cAp0wh5q500lgTI6E7isKaphnf7lrYfhu/XGLEMmhiIr6vCHIHZ
	qqF4LZ57amrwoa6vdbU0Mb84aN72gTee/hstZUUD9hS2NN6bRwwdV7Q8kCd7KXh4
	ksi+C9ezIkLL5rk/4RJEIVXzAYsk8+EPTLmsOpEld9Fhsz8qVixgMUKGuP7DTME0
	Ho+OlDdCc+LjeZ5PutEd+NErTSnKa0/wvr0p3SoNfNIBbLZ3B5vZmc/PJ/lC78dt
	lEJSoPLROxAjjmVL1PBS/xK2C2HFGl5GUtAJr3MBB4AoZqsm0ZE4FzSgkivPbDgT
	BC5uErDc8j5XERShES53q+pqsH6iFCWjtxfbQR2ZuaENehgBS9TZ5FC8TqhG+veg
	f3nyC6l3N1+2Q2vG37MM+u4de+UueB4J5aYaTOnozJefc+B0yqdShxKFjJczuQ+y
	U3DWcLMFVWcxWLJEc/ofdTjaKArlOsPSXcfK+MkGg7uamfmpwBGAVLAg7XQAczQR
	xItqTHxdRgyKmVmSQ+W32dPQezdGlwGx6/6xd4tgvkbmvcdiD2Dxd+hERwLxV8ch
	/6QZsS+2QLwsfCd5PuowAd4smW+t0hh/T2P9nJj9RFqAGJZjxlk2uiWgXnJqYka8
	9Wh3i+l5VjU9Vp88jbXsgNDnXv2moTm8PhU7xs7yup2OEOyINZQKmP/IruBdnIxL
	//mkxVweMNZx/zX8EIU/ZCWJLhTZdD1zQ64qg7OLsbDyoxUgjRqAm3ThGm+/RM2m
	4oYmgnEo0992SEooQQdaEaknVqxr3cFBPipBjhtSrvHtTmPdeXZd9LJMzDma1QPN
	CVE3N3cFlUjmZc6TbNobJs82eepRP5rReUDh774+Dmzjt9zG/f5lwd9AsMak8tSJ
	QqtordsjIBbD9mullL9VCAoEaICDQuKJyuRZKC6Zl8KmUlbJeRWAZoGYzFh9gQNZ
	vyowcho94c5OJVoWrkN9orZ3/AilScbdAbbVx1WUge/M1MTIimoyityrctwS1kCj
	5mEpsmR0KFkxQa0g/N40ieVaidIKulHKJ7/xXUO8Xev8W/73Foh9iJ4Zzk6WeBr6
	TzopDhv9S9C7DjYyPkIa/h/TcoW0ERGleqaXNUdv4FMw/h5elQz8UNTX44LA8e2C
	9rMkErSGRCMJFNMfw1tE9i4bDvfaupbAQ2wpASuLnrE1o8NCHAAVhL4NVhVhuTQZ
	0+p9l1MOKB4Mm1lJ7IQctspsgdI6tX8mSHtFkzxGVTV2mReDgM+xCiM/oK5Nqi3u
	bLeC/zCdhj08i1S33/NLgDTqXHiRQ4ixwmySXpJOhC/rbvcpS8n8LFY7vstUAg0P
	xc+wdjQV2oe7k2nuR/57pExIffynJ7VDbbKwSZ3Dolj78q9WuB7ej+AqXWyJWG8a
	aB7ayuu2J9r5kVjvR4XhHsJsPA5HOe79TJwfLdUdGvoH95mHx5G3BnuqShPWFvB0
	ejs4MN7tUoAMa06Te9AR20s867XbFWlA287mptLRKaWeQF7348vEpGjSQIJOzODS
	GCqFqaWn4ketWLu/EWfrSFMQMLeOlgIjWroeU2j1pIlPAS275ukJq06Tzs3vKq/u
	dDZsFg5skLngk8Uf1IBAuqnvFo+oCmK4Hcjdm22Ab4s7s1cLoRZOOVM+il3kM71X
	pcvOL/MnpEZ7z/Dv+0/EkvOaB6h+f6TXk5pSlW8IwlZ1IyXjXshY8uPo4zr9DuGa
	yHjCfvQxdHzSjBQ8EFcTarxQngcNynIcOt8EhYcg8sM4l73YoE50GIbJEtQStxO4
	sTdfyE+648y3mVXqMmLslw+W5i5CLN2EHvMLiOPcRccRpyfgSzrKOkAh94FjgRyn
	lENX1UgKrCEAQwSdtKW9KdvO0IoLkRqcsISbji0M5H1hxwY3WImYxnPSkLrIDXnx
	1W5qCXTjPqRAyuhLO3L49NcwCbCzRUXbfeATqQNWHrqjgI3rDfXhM2CMEzyndQ2v
	qRKS6NKd7gCRAUJWwqqZeJhkMjIyEodY8Ni001VxiCAjRIekn7W+p0dxfedQWpVI
	mDDElCMlXPQ5wcEftCjNDwrExEV/AAqEPgNzARnzQO3zrdTgs3LNTQ+KD/XRSeE+
	PlRMnR/buNn+EqXFNmF9iQt/y93Btb6GmMe4gAaAUfLpirozlnLYq4crn+LF4HHU
	tIi+AFTXrckbd+UH29l1JZLssgC5hNFVyJ5yl1e5XL+G3Ak63UyGeoqTbuNDMCRY
	L4FCEG38vzg6KZMzKyRbge3jPvI/ant0OwF2R/xNXaTedwHLBw29ObXNrnjzYMcG
	nAhc/i4QSXZpjoucfurBkyeUeRofRc1m62MZJvURsniWqpg1YQeJPBibww3vHd+O
	59UrrcXjga11aRhTV91rGMlgigMeOxn3R4yR16QTRIlnwXUpV4fNddJ4YMNBs4yQ
	bwvO3LZxAoYInLFBI2RMYaXr+ujFMTpw0INHPqo3TXFsHnNa6HVYdNKbouXv5/2j
	bANMr6X1ITuTvtQN4tWGbop5qfp90b9pPyw8P0bxSdro4ZHMeSgbiS9q6qZxjVz7
	jnOKMUrdbDkbYM+ojXZ18/4WPKtaxf6lTLrh3m5CJ1V8slRJp0Jes74aDQf/OXqo
	QgqVrI2wnl1klGwn06bhVaymdk0hMkxAfeHBGZIQ4BMMZ3aLuVWjAcBH/HP1tVQ4
	IG7MHRnm81yVNgA6yAuZZIPQwxDWVko7rRm/DnsJcpKfL0nZHoF+bJ6q4Rd6Dey1
	S96L4PDmXseFkVZOH/7dNWyKuvSA/MmthkN14lWJiYJebaXb7oZG3XDC70o7bG6Y
	mtGOrOwVthFereg1Ii98ZA4nKgqeu2paMju/t03hQXHY5iqyV9ax0A3B0rdivz4U
	VbqCcO7pGNb/Ki3gGc3hfVw9YXnR7E+tra19eE7UM7o+YlunKF1Q5dJaLKY1z3L9
	3UAJmXG/sZcLqrDn9zHfb/YxqbyIkM7VIU2kKztWCCNiNKgLQsIoVzK4sbS2LVDI
	grmvZg+Q7EkwxZ1FXeBGJmsiyjKYPU3PI8ZBU1MXjwTjtnQRuBSxh+Ok9glPeE+1
	rUDdlVoogUGgPAvLV3BM43E/Q5VE+X04KvPNKINvvS1nZpGKyyy1MayOfstc7Hsw
	W/RgllTEd7VW5jgZKg7YyA8r8cUjMqE7zewrq6MtkoFk6ZVslWxfoADBW3ivwdwe
	I4XwNboOgBx77qxf95aHRRdqWZa0JF8zvK5BH6EpBI29hlJU4leax696ACA7QIIM
	Rpc+ulkvHsNxsUlrUut9AXoob0MqDJRmZvU4gSVivHjvKLEIlymJw4pLbMWhcrNa
	v94TExP21Fy/zYcWiZT2nCX6qZVXTcUcQGIrBTWDbR8bxKll4FNo/2zmelyFmeXt
	iH+Zp2EwFAUELsrxx9plNd5WceyU9VnZoeucNFd2QFl7lV9KL8AlQaaMdsYOt27m
	8j7iNBID4HtCYM0xLwE/5uqVQPxX6qzPPZc66MSRIi8ZHZPFvVilFVzFyZSrq5Lo
	ojQQmAycQGOzx7dwx7vi9SeTrBRY2PK3WVurcLiRxM+2u9vjlxigwimpnK3VU1dh
	GDoPghB3O34bfiV5GndcnPDLJxsSGWz2z2WiyCFgCkVp3shHUN5c2PLWDIOf/Ejz
	LzNJXFKjO6/6ZGpMmGf6bZCa9MBnvXMNic9/k0lmtbgj8SS+2//gko1EDa/Gpaqo
	J2xgEuHLvp9KQABWt9VRI+tNUJQCS/Jq10ZiT1TzhczyJEqbtVDOo0l5A5sMV0PO
	HszFNxw2BmuM8RYGgAe5pkrdzVdtB8TLmhys7P+xRXNXnsUb+878kt2EyiXjMl1g
	oFeAlj2afj/GgelJG0G0FXm5WPDhbthHOO1hW9RP5WCTybjUTAS+GbikVwxa7bZE
	LHrROUOInY0ntR9lRNjpVCMdajCsMiqT/G0C/ApzeW6ErLMFIDdVdGSdnz/WDi5C
	xQTIS1FOAdefQ0CohE0yOOvjKTAGzht+g4gYiSa/mOnvXcCVM8t39thglZhq4+6G
	oWpOrXwByd8OA5f1aQMqSgoySJOGg8a3X7NR9bEDbF7/6QNJE5FvxwXvA8zcabUo
	OGxXen85Gkq1M/VnlJ3RGM8vA5UizsdPESYUCVH1eKg8ROlrQOr3ISj5kaNL42fv
	OSROmeHvZrHtvGn6hLTNPtWcm1hGSJS/Q5CEZe0/4ActkorF9kuoHCSG3UegX/lg
	5mD9aMTHUhD5VooS6OdyakqD+6LptNqQPL0IQALsS9Ls+8KUBxIi9cOe0xIusAQl
	OmyJcUJNr+Oq+Ypr6sWvelbWiymgGDN4gHm6BvzyXv5ihnvnmkIQ16WkAsIChzZx
	cZUl/bz9bDsSyJ4FyzSRoWuURTz9la3Bo2x5ufLChv2i9+X9WO6Y3nFc4KOBY4hD
	WeFt0ZUiY30SyTiWqrPHP8Lnto9JTBOZcIIHOqPgy4L+685Ou6xwO0cUzicIza5M
	TbMBOPfnVSgPSCFImGSjAaahWEvl360B8qjx8i1vgkUOxjqfFMnjZUF5b9lBDS72
	JK0esvGRUQqyC4uQHbTi8EOJYaOnCn+0lXPzLNpN171DHfEg/X6iiD0zTjMX/7Sk
	PPm2z3zH7yJmeDnh5e/gvgWaPuTVaN+LdUYv/ijqfS3bx6yF1VpNr+esTI23S+o2
	1HqlCfhZUnVmn6r0J1L8tuVeZaMni1qOFs4KacGA9UwAZeGVdOmK0rFIqUXKDehq
	7BAmDZV3hnQD2TQzgfDfXpegRECX/wZZVrcg896NltY1r6AVm9jcKLVCNalyoCwe
	Rp6anjx8qsUxnXXYN2rhl/l2Y9D23QZ2OM0cpvb9QPJGGgGeSaQu6p8N4hRUroje
	UlL8vBLle6tcvVoiRCvPCja857vnthqUppv9bzM9SAyMz4RXcYgQvFErExOI0eyT
	II67WbrY2j9ul7h4fZjNKCND7o2aENbylK8CU1wlwEBYC8BPgkTqi+dErP+VrWte
	QAhjomMkOVKKzG8JaoPJoVYBmMkMTCPsFFuTjtgvg2+a+DOiYbI8yTDT4+Mi/Woi
	gZUcE0HUosPkkJ2ZU3zDXdwPIr4DI7TlrnZPF99Es68+NXD6lQgc6U2fjnBfKMFw
	MfaTfrg3ykA8mBwqZ6hQdIoqha14uje9Ses2axrEF1FY+pU7JEKDozmo3HzgTfYA
	UFoHCu4Zbeu1IiHHJuVSRrwVy0BsY0nrq0Tjq2uYSbXyR9KylHCxztpzku5Gncy2
	Cl0sBUqv1uNWIt1v6yHdupzRM/fIZ3F95nPIomgM+uHmdpHaXyizM4D3doRGzNPH
	fOm6jWgKCllI8JHYJ1DUBUokYv8TYJLf0gOSaZLZmpEh88iXfBP52ZBlUIokeUN0
	aZlxSqawVMteeqcjCs7TNySBDzfTCZREHr77tnBz4+jINXi06mh+/Hz+LRA3YNRD
	Do5hyzvvFBg49rY0JzZPTC9J4bi+w1MPmmdz0OgQGG1Wiu+4LrSuBUOgiA0V+FyY
	/Md51ShFwRg/5zgcWS4hK1Eg4kKTKLF6Wjdu88PCKx2+gu9dYjXgdRuzZ6LUqqS2
	It/j3VptrXm8NwQFGM27HnqGwK5u+Ym3qLJ0FE4vWNbbxGlZtX3NS8SqZSqVfbqq
	TwIz4lXU3ipZJ5b42IanZ2nfWqKpdYn99C7yK6AbwA+qZf5zmy436dH+Rvo6PC6W
	+9MQcrrNgvq0tiAJvA39dzb77bhRjAKzL5cDiA40hPlcZs5+Q5g9XpYtKsSfzu7s
	FCFRnhXmhiBXoUqf5jsYNrm5dvtl27wPTaKvVQQ6SsVtXDZSWEbdAj8Xfeq7kev+
	jtvaOUmFRMaFevzu5t2uuLYzH7zufMB6p13chVUH9yRnWBzdha/Sqf78k57UQnZg
	EJwvXcDJ+uFbnd2sibgoASzDNljSfERK5RfD7Re3n5dK6W0PXzic+7ljGoSLedtd
	6DD11IzD6WjBlE/9Aiof6IUDdzuo2VZ0XtufBxmYHXUx9LF3/dgGOr8hvxz/wpMx
	nPnr9QDgF9svoCvYq1toUbtWgKd1LjXeVoprAhHXwbn4Z8hj7+/LpPYwR1X3u1ik
	wL916n0bOkLgWgqGjqsrgskk5Lk6ZzyrESZ0xd6/+dSrf2YxLivF8O4eCLfNxB3d
	=3akT
	-----END PGP MESSAGE-----

	")

	(define alpha_seckey "-----BEGIN PGP PRIVATE KEY BLOCK-----
	Version: GnuPG v1.4.8 (GNU/Linux)

	lQHhBDbjjp4RBAC2ZbFDX0wmJI8yLDYQdIiZeAuHLmfyHsqXaLGUMZtWiAvn/hNp
	ctwahmzKm5oXinHUvUkLOQ0s8rOlu15nhw4azc30rTP1LsIkn5zORNnFdgYC6RKy
	hOeim/63+/yGtdnTm49lVfaCqwsEmBCEkXaeWDGq+ie1b89J89T6n/JquwCgoQkj
	VeVGG+B/SzJ6+yifdHWQVkcD/RXDyLXX4+WHGP2aet51XlKojWGwsZmc9LPPYhwU
	/RcUO7ce1QQb0XFlUVFBhY0JQpM/ty/kNi+aGWFzigbQ+HAWZkUvA8+VIAVneN+p
	+SHhGIyLTXKpAYTq46AwvllZ5Cpvf02Cp/+W1aVyA0qnBWMyeIxXmR9HOi6lxxn5
	cjajA/9VZufOXWqCXkBvz4Oy3Q5FbjQQ0/+ty8rDn8OTaiPi41FyUnEi6LO+qyBS
	09FjnZj++PkcRcXW99SNxmEJRY7MuNHt5wIvEH2jNEOJ9lszzZFBDbuwsjXHK35+
	lPbGEy69xCP26iEafysKKbRXJhE1C+tk8SnK+Gm62sivmK/5av4CAwKcF1Qep+Pf
	ssOqtJhr+klruUBf55onBJi4vkk0gK3m32p/05YB2bbMURGz8R4JxUZfUxjdDk73
	LaNYRbQpQWxwaGEgVGVzdCAoZGVtbyBrZXkpIDxhbHBoYUBleGFtcGxlLm5ldD6I
	VQQTEQIAFQUCNuOOngMLCgMDFQMCAxYCAQIXgAAKCRAtcnzHaGl3NDl4AJ4rouHB
	+LpCkNi5C59jHEa1kbANzACgmddtrNSj1yPyTCwUwRghPUomECS0EEFsaWNlIChk
	ZW1vIGtleSmIVQQTEQIAFQUCNuO2qwMLCgMDFQMCAxYCAQIXgAAKCRAtcnzHaGl3
	NCeMAJ9MeUVrago5Jc6PdwdeN5OMwby37QCghW65cZTQlD1bBlIq/QM8bz9AN4G0
	J0FsZmEgVGVzdCAoZGVtbyBrZXkpIDxhbGZhQGV4YW1wbGUubmV0PohVBBMRAgAV
	BQI247hYAwsKAwMVAwIDFgIBAheAAAoJEC1yfMdoaXc0t8IAoJPwa6j+Vm5Vi3Nv
	uo8JZri4PJ/DAJ9dqbmaJdB8FdJnHfGh1rXK3y/Jcp0BuAQ2448PEAQAnI3XH1f0
	uyN9fZnw72zsHMw706g7EW29nD4UDQG4OzRZViSrUa5n39eI7QrfTO+1meVvs0y8
	F/PvFst5jH68rPLnGSrXz4sTl1T4cop1FBkquvCAKwPLy0lE7jjtCyItOSwIOo8x
	oTfY4JEEXmcqsbm+KHv9yYSF/YK4Cf7bIzcAAwcD/Rnl5jKxoucDA96pD2829TKs
	LFQSau+Xiy8bvOSSDdlyABsOkNBSaeKO3eAQEKgDM7dzjVNTnAlpQ0EQ8Y9Z8pxO
	WYEQYlaMrnRBC4DZ2IadzEhLlIOz5BVp/jfhrr8oVVBwKZXsrz9PZLz+e4Yn+siU
	Uvlei9boD9L2ZgSOHakP/gIDApwXVB6n49+yw6e5k2VJBGTFDkQbxpgi4oslePpT
	7Tc2qjAke4zO8JHkgKSokEgnMpMz412q9otFX/3qC5MpPG5P8f4r00Kfy9Am/thk
	ri01WTIUqF8L/VZXJxLKVoRAabSXudG0eavfah14fN5/+Bw5i8vSHhc/xmQEKTya
	2X8Nt1F5zMrE1LAGVVCL9i/DUygnJYOZzAd1Ct0RJ4kFj7lOBICF2IWWiEYEGBEC
	AAYFAjbjjw8ACgkQLXJ8x2hpdzQgqQCgn81AaW8W/lyVwMh/UBeMuVMUb24An2uz
	wg7Md81a5RI3F2FG8747t9gX
	=VM1e
	-----END PGP PRIVATE KEY BLOCK-----
	")

	;; Bug 1179 solved 2010-05-12:
	-;; It occured for messages of a multiple of the iobuf block size where
	+;; It occurred for messages of a multiple of the iobuf block size where
	;; the last line had no pad character. Due to premature poppng of thea
	;; rmor filter gpg swalled the CRC line and passed the '-----END...'
	;; line on to the decryption layer.

	(info "Importing alpha_seckey")
	(pipe:do
	(pipe:echo alpha_seckey)
	(pipe:gpg '(--import)))

	(info "Checking for bug #1179")
	(tr:do
	(tr:pipe-do
	(pipe:echo nopad_armored_msg)
	(pipe:gpg '())))
	diff --git a/tests/openpgp/armor.test b/tests/openpgp/armor.test
	index ce5939c34..72831e361 100755
	--- a/tests/openpgp/armor.test
	+++ b/tests/openpgp/armor.test
	@@ -1,763 +1,763 @@
	#!/bin/sh
	# Regression tests pertaining to the armoring.
	# Copyright 2006, 2007 Free Software Foundation, Inc.
	# This file is free software; as a special exception the author gives
	# unlimited permission to copy and/or distribute it, with or without
	# modifications, as long as this notice is preserved. This file is
	# distributed in the hope that it will be useful, but WITHOUT ANY
	# WARRANTY, to the extent permitted by law; without even the implied
	# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

	. $srcdir/defs.inc \|\| exit 3

	armored_key_8192='-----BEGIN PGP PUBLIC KEY BLOCK-----
	Version: SKS 1.0.9

	mQGiBDnKLQkRBACVlYh6HivoRjHzGedNpnYPISxImK3eFgt+qs/DD9rqhBOSUTYvmKfa1u7M
	W4XDc23YEoq3MyhtC35IL2RH6rmeIPz7ZVK5rUKWMqzf94n58gIkgdDZgCcaDWImtZFSjji4
	TGhepaIz75iIbymvtnjr9d++fH/lFkz0HDjbOkXCfwCg9GeOjiWw1yBK8cO11acAjk+QpW8D
	/i8ftC1hV0iuh9mswYeG05pBbeeaOW4I2Ps4IcecpXhSyPaP1YiXKRqg9GX2brNgXwc3MEiq
	Wn4UU407RzjrUNF4/d20Q7N2g2MDUDzBtmMytfT2LLKlj53Cq+p510yXESA7UHjiOpRrHPN9
	R69wHmHPsLPkdkB/jRTSM1gzQNtXA/96bRpfGMtCssfB449gBA/kYF14iXUM5KTF6YPSFhCC
	xPGNMoP1uxTk0NHvcYZe4zW2O6b/f9x5Lh15RI1ozWXakX6u3xEV3OqsvVTtXupe4MljHQlX
	YwMDI3MUzFtnHR+He1Bw5lkBVWtkV7rX2kX749J1EgADwlNEP1KFRdjqi7QhU3VzdW11IE9T
	QVdBIDxzdXN1bXVvQGRlYmlhbi5vcmc+iEYEEBECAAYFAjvNYPUACgkQU+WZW1FVMwrlTACf
	RigokAWd1OqYtcOt3v829fhNqYEAnR9uUslZr6B6RaW0z8/BZZuhGuLViEYEEBECAAYFAjzG
	evgACgkQfGUzr9MtPXGWyACg066aP5SSkBHWqqYGGLZv9sVRMNIAoIEHBI1gq4rPJatYDdau
	Ni6DUTkGiEYEEBECAAYFAjzGfBAACgkQ9D5yZjzIjAlTqACeJmtp9kpfljkARhfa3QTc2Q56
	WKkAoJmUchp+fAceVeFncpFeo6leM1YhiEYEEBECAAYFAjzGftIACgkQ2QCnNZ2xmQQCegCg
	rdTsTWzaZk6gF+mtvIDwKsUx8gwAnRUbdDfOP0qL+83Bbz2r/IzPxjCEiEYEEBECAAYFAj2T
	Rd0ACgkQFwU5DuZsm7BfXQCeNVG09VZ2VnuuWTRbgoANXGIyRb0AoI/giUU4DcIpAPbcoNV7
	PzCIreyviEYEExECAAYFAj2508wACgkQ0pu//EQuY8KiUwCdHijK7Wkim2FUPU6i6KxwRH/k
	kFwAn1sOAWVOrLfRBfrNNQBANpbr5ufniEYEExECAAYFAj27vpsACgkQKb5dImj9VJ9m2wCc
	DeL9IkWpytXLPFhKCH9U9XhzPA4AnRjiY3y6AdNhbUgG/eS8Dumch0dniEYEExECAAYFAj5q
	MCcACgkQO/YJxouvzb2O5QCghtxYfrIcbfTcBwvz9vG1sBHkQSkAnj3PMjN9dk1x1e4rUD9d
	S00JOoI0iFYEExECABYFAjnKLQkECwoEAwMVAwIDFgIBAheAAAoJEN7sjAneQVsOUfcAoNgN
	xaeqMn5EWO2MkwVvVrLjWI2FAKDLnp19rJsU69OK7qHqfMeGWFXsQYheBBMRAgAWBQI5yi0J
	BAsKBAMDFQMCAxYCAQIXgAASCRDe7IwJ3kFbDgdlR1BHAAEBUfcAoNgNxaeqMn5EWO2MkwVv
	VrLjWI2FAKDLnp19rJsU69OK7qHqfMeGWFXsQYiVAwUQOcrkWi2pLp/VI9wNAQE5mAP/WW9g
	shqGqWN/rWevpVKlzwqGSqMUq6E2K34dHrFdqd/WnY8ng5zAd66Ey3OLS5x9/+KI6W9MU5OI
	WmxOfrp7PxwqLrQH/BruPTHe9mZbkSyjWIS/V+W8/lYtzIUYTd0584+1x7cK6jah3mAdFu5t
	8fr1k3NyVXFH66dLrLF0bBu0JFN1c3VtdSBPU0FXQSA8c3VzdW11LW9AZGViaWFuLm9yLmpw
	PohGBBARAgAGBQI7zWD4AAoJEFPlmVtRVTMKpEEAn0Oxl1tcdFf6LxiG2URD7kmHNm+iAJ9l
	uLXjsYvo0OXlG1HlaFkFduhgp4hGBBARAgAGBQI8xnr7AAoJEHxlM6/TLT1xZlEAnjSeGhDQ
	mbidMrjv4nOaWWDePjN7AKDXoHEhZbpUIJLJBgS4jZfuGtT3VYhGBBARAgAGBQI8xnwTAAoJ
	EPQ+cmY8yIwJTjEAnAllI6IPXWJlHjtwqlHHwprrZG4eAJwMTl5Rbqu1lf+Lmz3N8QBrcTjn
	zYhGBBARAgAGBQI8xn7VAAoJENkApzWdsZkE6M4AoIpVj26AQLU6dtiJuLNMio8jKx/AAJ9n
	8VzpA4GFEL3Rg2eqNvuQC0bJp4hGBBARAgAGBQI9k0XgAAoJEBcFOQ7mbJuwsaUAnRIT1q2W
	kEgui423U/TVWLvSp2/aAKDG6xkJ+tdAmBnO5CcQcNswRmK4NIhGBBMRAgAGBQI9u76dAAoJ
	ECm+XSJo/VSfDJQAn0pZLQJhXUWzasjG2s2L8egRvvkmAJ4yTxKBoZbvtruTf//8HwNLRs9W
	v4hGBBMRAgAGBQI+ajAuAAoJEDv2CcaLr829bTYAoJzZa95z3Ty/rVS8Q5viOnicJwtOAKCG
	RKoaw3UZfpm6RLHZ4aHlYxCA0YhXBBMRAgAXBQI6aHxFBQsHCgMEAxUDAgMWAgECF4AACgkQ
	3uyMCd5BWw4I+ACfQhdkd2tu9qqWuWW7O1GsLpb359oAoLleotCCH4La5L5ZE/cPIde9+p8o
	iF8EExECABcFAjpofEUFCwcKAwQDFQMCAxYCAQIXgAASCRDe7IwJ3kFbDgdlR1BHAAEBCPgA
	n0IXZHdrbvaqlrlluztRrC6W9+faAKC5XqLQgh+C2uS+WRP3DyHXvfqfKLQlU3VzdW11IE9T
	QVdBIDxzdXN1bXUtb0Bnb2ZvcndhcmQub3JnPohGBBARAgAGBQI7zWD4AAoJEFPlmVtRVTMK
	aY0An0oI4Fwko9YsVWS+0M3/Tpc8FB2eAJ4oALojFgFkOWYT97dh8rTQW8BhyohGBBARAgAG
	BQI8xnr7AAoJEHxlM6/TLT1xsXcAoJV/9zoudxvWy+LwktkGyCB7aTx4AJ0Z8GWmx2/C4W2M
	tSyaUscY3X19uYhGBBARAgAGBQI8xnwTAAoJEPQ+cmY8yIwJpxQAn3efnPpctMJFDQomRDbo
	7Q8rg6r4AKCq7LZmOaXvyrBF/JcYjOCLtYMPIIhGBBARAgAGBQI8xn7VAAoJENkApzWdsZkE
	iB0AnRQs0XjhpGOpR1lyEOuZkm2xxHPzAJ9Is3sG9UMOr+YS5V1GXXiFM29S3YhGBBARAgAG
	BQI9k0XgAAoJEBcFOQ7mbJuwjiAAn2wcQP9HreVLCSQruB1wnX/s79ZcAKCRcecLF+wiRo59
	JJvwtnxp2W24EYhGBBMRAgAGBQI9u76dAAoJECm+XSJo/VSftKUAoJQ/cYKqkyOLSOelU8eM
	plFiFJlPAJwK7B0HrN+tDmR7r8Hc0GrRrbAuvYhGBBMRAgAGBQI+ajAuAAoJEDv2CcaLr829
	PX0An2kfEs+3iR5qV35EQlCdL5ITZCSNAKCf8HErpT620TUhU6hI7vW5R3LNgohXBBMRAgAX
	BQI6aHxeBQsHCgMEAxUDAgMWAgECF4AACgkQ3uyMCd5BWw5HzwCdF8w3WjnwTvktko3ZB7IM
	mFLKvSQAn3GbioDBdV+j6xuhSI90osLMu1jgiF8EExECABcFAjpofF4FCwcKAwQDFQMCAxYC
	AQIXgAASCRDe7IwJ3kFbDgdlR1BHAAEBR88AnRfMN1o58E75LZKN2QeyDJhSyr0kAJ9xm4qA
	wXVfo+sboUiPdKLCzLtY4IkBIgQQAQIADAUCQpGGggUDABJ1AAAKCRCXELibyletfJEKCACw
	Yf5qY4J3RtHnC56HmGiW4GXaahJpBQ1JcWmfx7CkTqJPQveg+KQ4pfLuJvZ8v4YqPZCxPOeK
	/ZhIO48UB4obcD8BZdSkRA4QBamRp8iqcgrCot/LA5xQu9tivIhUJP/1dT6PmDy4DAV3Flgt
	HgED5niVESDPfz3Gjff5iWWIs6dM3bycxoTcFWLz++578aOasoq9T8Tfua9H8UrouVz3+6TK
	xG0rGeb2jOQOQcbLCn3soU/Z60H3SvJYHzgxlS5bqIybrjo3sAnuus/kisrmNjeFfQBdl9v+
	GnK65D1tmBa1+6a95uHb+OG4eHzIXmvnDI4A1RhRKiZ/kpVsT7RViQEiBBABAgAMBQJCo1H8
	BQMAEnUAAAoJEJcQuJvKV618bJgIAMb9Xiv8ps3quJ9ByHhbIQtBOymH0fFiodsutPrcR2Af
	1lc/eh3Ik20Z9Ba3g5V6eUW+3sjpDsjKtI1CXuRq0Zgmze3hrUTMRmyrLoaHPocrqfj2G9mW
	y2OomLHMDurcJFQkSUJioI4Kxo+1NBZmylPKUEeIEoP8UBJbKxf78dVh00ZUecwZcn9lLiZA
	TycRQ0WTT1Yv1fI+tBmvSrpMSe+0k+JS+QigvINN5vUxaV1cN6mkREPYVm7oHzPCQ2C9NX1q
	cI/Wkc38ieZw1Sv9vyPCCL6MYd/2t1209a/ZKADaw5l+mhyWUqIT6SXPLxMDy0NvPhTKdDr1
	7S5LOcKhwPqJASIEEAECAAwFAkK2pukFAwASdQAACgkQlxC4m8pXrXxvUQgAlfw6doD0JHtY
	iN9uCp2M1orLKS/zm66e9eiYPJwbim96KiwP98Ti5J+QO5hZdT3dhW2Avw5JPFiQukSc/rjT
	1YHRyuhZfXKhQhsjom5JmyFSdeIzjnz0PIM2qZaK4OfFihleQfQ8Y94wkPwYtkEXxpBQSClg
	Xk6QJEql34sQexIDM7VsREwv/eIQ73RMquat4RZP1L3h4nj1UJu/X7ey3HVVo61gH0RIAR+A
	adv59AAp//TkKUNIRCHOsIpFCXHjJsJxRvJKhiz3T6FhqFEQNF2tDJKHFV1FcLAIEZheuGOV
	fKNXgmvVATPHrJsg5HsZACg/aRFq9NL9FYskFyGcB4kBIgQQAQIADAUCQrdR0QUDABJ1AAAK
	CRCXELibyletfMNMB/49u9oQzbmTtmHaoKuvou7OA6zmrfeu5X9vV1efZgItF78J7G19fVt8
	K3e6kn0KGYVL+FTbPdEbvrYTb+jfMkzrHooxQYSr0j8Baqfh2bMuZzuw2pVtgBUTYHoihNjQ
	lv6GPtF7Y3CVWLUYXZ25yqY3Hzh9YneoH8bUVFZWxRFitqGB+noFpvm0YXrCJZ19BDNTQlx7
	5quAl4KTNOAxapsKaBrz/4PrnNbuwZBkzP5EEuEyjTM+6UBhxibXfdWKnZw6ky7k6tuUsc68
	qfQJBK6KBmVLflZ5nrd2N90Ueb0m3xfzdncBAZb43THGhi6XyZ4jvbMjvjm3MCGuUosYYbT6
	iQEiBBABAgAMBQJCyQLdBQMAEnUAAAoJEJcQuJvKV618Jz0IAKstm2VX39p4Lt4k55ZdOqXG
	CqHCFT5YYOVcnptx8dKTpHWQXpI2lUJBAcWz0IAXXFhyUbGpvS1E9T/pYF97RSSsQyTncQll
	mLbzy3fESVkGT9xpEvF7ZaK+61BKuWFpbKRdpy5wWakk0GRyF0156vxm7vQh4XI91TwXj7DA
	v6KYWdjnHcEB8O9jLw6RlD4Y6dKjb/v7vTY6dGmYYyOQVK+Bmr/8vVcNDf+tevExsytTu4FZ
	tL9yp+yHODfHP5LZk3mC7UGR/mUKFDYhuEzzIU5ozc6qUfC5ViGt2Hjg45i2T79WeSV0UHSE
	8c3JOgE3e7A71bQEUJygPC9S+RTuc8aJASIEEAECAAwFAkLMT3oFAwASdQAACgkQlxC4m8pX
	rXwoBgf+MEjA/hx7UMl6LHwheZ9qzH/4P1d4CU46SzoC/XEPqWGs9sJw0dKxEAnRZgrG1WMP
	Ml127bOHby5WWDa/xGi0siYM64F386SG0W42FD67vPK9mMPnCDIQ4xn5gGoqUUl8ZzFG0eNv
	XRg0bmMVmoZFvaUyf0uah/0dYCYplgAjJtmC3cmNuJ98PoYEVHMKKGtPW4fVf+TcN90HVjXU
	kr0GnAvRegb3ZXnte3GrOe3jOfXjfjZMyEM6a16FFuKHmykgfyX/I4tS9GqoxPZ6s0KARKn0
	YLZUuxxFL7i1VaGJR/9duyUc8T0BLc9O4TxNuvd1vd5UKVVmTL04fe0q1Bfu4okBIgQQAQIA
	DAUCQtGX8QUDABJ1AAAKCRCXELibyletfNEoCACtKtfWhAfkxLqPihQMbvwXTuSszG61XNYb
	a41gTOpjADF2jQAQ2y8oilVyr5RgSvug8knik3EitSpBOOg0o5Y9NHF3e+85r27m8T5cP3g5
	GHAeugRFDqMXXioiAw9WoyvG9ruMY4caD3gAuogM4hB/3EMEHSlMylMrXLUtbGkQKqkLVJQn
	7V/3SVG8zfUyGb0lSFaGtHFa6LaIIuvJwkQYGMT/SiK7ISqPKOPD7kKRWhxjgcfzVthqGORn
	uQGi+316fdA+JzEYOI/gGdcZsbN/KrMSNQ0DOdSRIeiATy9M0fd+8QtUPOCtaDKLYISSrm72
	xgnKbussJRxAPjxo66dPiQEiBBABAgAMBQJC42DIBQMAEnUAAAoJEJcQuJvKV6181SUIAL/P
	gZhrwepyFUhr+nlYvxeflrxgR9Yl1aNtTngcOYlFU273cs3XnkczIpkg4fVikY5s56Y42G8F
	NvqRu0M0eL5kJvYi50NNMQnf39GkZZp2LrL9bZ9n7ysWU5tiOJsxCBnaOiAg/p6vCUVN3NV+
	t8vRP1fHwPsd5tYEBqA/g4g1U0xJAG+JqJftSDRDLxfTZ16hBdHzlQ3opqMMmW5Mv005p4o+
	buh4HzQLmBHDE98BeZ7CpjYeXY23bu8oi0tvkcTjCEeBWrXWfA3pKSX5HH63nmG3ryKuP0tr
	1A2gTgs9JtLXnGFJUdVYULiQbU781wR6+9o/0h6NuCJDPmJMNmmJASIEEAECAAwFAkLmBFIF
	AwASdQAACgkQlxC4m8pXrXxYZwf/ah4IaTK3CbtqF1+4uz7VVRKemSaNg3jMKLey2simqAQs
	1JwqkLuwEgrwF7XiejfLAvX0/yFqJZkdtDFqeK0VrwOq3WIpfj7+g5B9YSW0CkasD0HUci/l
	oXQiT9CN7PAe1vM5X4X3cqlXfC9tmU7fH7kc0kULxYHAfn96nZQklZS9aVecJ0H+pqMlPoDt
	xtxweNa7UJWAanO9kbPZ/xEdSlkuqzk1CK6ThURedc2lCE+qobPpUZri1FEvMBjyXoQ9MyD6
	AFWfax9eNn1ZSRq9t2WpPyFSQmCvyGETHyvM2BBiFR6UAQUKdr+d4ZE09cR0wXpEtoqaNeJ8
	AidTEGkuLYkBIgQQAQIADAUCQuydlwUDABJ1AAAKCRCXELibyletfLsbB/0X/Jafv+v43U26
	W3HD5XdmHaNdxm7uthGzGGzATGcTAUd3/t8fyVFk2XgmUYxtz0wHUdM8GiyK0tpKBu6wqcbO
	nGkBlvC1m6Blxy+PvpJxQ2sK4ycN8ToEEn/7HCCJesS2fvDudXkvdvskXkxZprPWe7JTHNxj
	fvESUAbLLmSpNGflZnMAOfuQP0hFBQr4D5FEA+zMf7FtrwkBanXt6W65xxEIJ/239ctCsRe8
	jIQ4LesYQN7hyX6x9bP9h3tEw6+OtvjYbMH+2B/3muNVac/9bYqi9rnuGew9eAjmdmm0u8T5
	7Iboy5mUDH2wjpRo6MGU1cHe4oZscW0f9TPE+6XbiQEiBBABAgAMBQJC7UXaBQMAEnUAAAoJ
	EJcQuJvKV618zbcH/RlUtrZSBcUafmhY29s9BYycwWx/UoeJRIJmi852TguSGsoPuAYEGeaW
	WxCdSru2ibn7GPBXowM5u+4MqYqaRB695sg/Ajxho2Djys3lV0TPeSIbyZ7cXbjoSDnSVw/N
	eWGKJLwbFVZPjjC7mcGIMhE1NGGxyRO5H1Z6GA8dEP3zR0rIivklN8KEngfyLRVvB5WYPBs+
	buaNF5HflsBXl2bOP5ueThcal1PSE4HNoQXz79t0Cw7kpsWy3FyFUVVRHPyvwVpJSdYjz8Ur
	L4cD3Dj9SOPwa4AvM7WX+JXbPEIFxi+NA4R0TVxIZXJ/HX8AZj87RFxGYlTfP3GFFw+52QaJ
	ASIEEAECAAwFAkMHCEAFAwASdQAACgkQlxC4m8pXrXxGXQgAwFY5RYFHKcYkL9nDfblQDjXW
	Ictj1rlP2yPsy8dKX579ejhdd8o0TGJf8AzYRaDEpffPf/ZvyfRltqKd979GzdAE3smkrGeD
	kPuUY2rEF6Eon549Tn7omGYNueDuO27QQ4zIs0k9h4m+pE6PxPTgC5BsEVF8Hrz647/XSTf2
	G0Wo11y/KBWGJ9BYvZ1YSxwmk5zicGF4sYNktO1Yl6CGS1ugP9zitCuwSiUm+gJrMCZ3am/D
	+Of+80Ui7e/V9yOOeyC7/gqQq4okPZbdVzJ3hiG2Y3eip19ewHYlYSiLoBW3rr3M3mKBTcbx
	+nLfVOTUHp8HdqxIyI782SaZlpg0mYkBIgQQAQIADAUCQwhbTQUDABJ1AAAKCRCXELibylet
	fD7WB/9ydWuVT1DeeL3UBqqeRRN+mt5DChdFeCjJhWcAjds8R6Z8Q9c+kpKEk+MeSevKaOAf
	iiM2JBtruIxt1sfh/vVEFgjHP/M0sF1il6TwZEKqVn5c3ikMYCMXy75xheslCJoX7fi4jZut
	TO8+JqjVN+z+SYzeRrvQFcjJoIOLRnshh2XgUiXVf/xo/My+fM9rKnMHxF/75PaFVVz8cXz1
	X3jsuUOVLxnUZHsOaP9r1h3bq8uHJxkxPElVPbCuKLdCWrNOHHX6/+TAH9xohUvrBm6HXqbv
	O/aVGqf+Bip6oWSB6rSIe9+0GmXLRe4Ph3ekBvyGUJM/nFhN4hQHX69xZS7yiQEiBBABAgAM
	BQJDEOyRBQMAEnUAAAoJEJcQuJvKV618IlwIAIPbWp20TBCnU0D3kE6JFqRaVKqNAFaJbmRn
	48qxX10NmHnBAluU1iJiUsVL2kOpvf2eyFUsX+sQfVJPzmWkUU2gED/+WZNkcmxPZ72FtJCs
	hW30BcJnLjcRo8wv/6nhdEZ2JYNiBIFHxNQ6iiB7BzVpYsMp1l5tI6mIhbxYxMNETTMrb+hK
	NNAhxjrqiWxPNlrzw6TaKnBOE0Au/Asjz9n37hsPV5Q9xY3zXbff3yDirVkBC4l0Vc+U6drX
	XiFBjQj77yt6AjTYUzBZY7UuGQ0W6o/6QF3KfiC3WAoFJL7SLujIaALkALs+lFzsu3CA9KoB
	X8Ca4hA7kzOP1H76VZKJASIEEAECAAwFAkMSPXoFAwASdQAACgkQlxC4m8pXrXx3cQf9GBPO
	XIrdbvUWIKTofiwftiy6j3MhKOszHkzR9quCu6aLu/aVvIA/avTZHjfj0EvYaQaSNMWplMiX
	i2UhkPHe4cgJYkbjmXEz16GtXYPZXGP1FubQ/RwQ7yQKaVtXSCgz+ZdR5tKhU5kruxAsVjly
	KcQvST95wlqxLuvXzSCjPdWj4qBvkuEt6QADx8EYCafraIiHPRkKtAAiK0sXJSkLevXn3zAN
	6X6ngvZZiNQFvfWLFV8Rodz1vI4S6Af2MTSlVV9Vw0voJGprcsNDlB8k5B/Kl9LigeKdkFa8
	JVfwOQppAtU+Nq3pHjquEafZrPVF9HWY0G0Szh5tOFEpVMF6g4kBIgQQAQIADAUCQxQ7iwUD
	ABJ1AAAKCRCXELibyletfBVfB/9ydVsiBrNWLt0RwbAdMvHRceHz1twh+YeSnpr9Equ7aDMG
	qou4ppl/nTbnZIizdWn3dnRKt+vKY/puuPIT9kEVF7DlfBOcWBdLBvJz34eBt29BCFgvsfOS
	fwESMNKgquZmrraGpEvj4cSTOmW3DJPevB+6ajsN87BC5Qp2MjDGVkwT/Nj6R60pz/vmeSwl
	0BmzgthrBd+NfHSA116HEAF1V21/2UhA1hbkPKe40jWp6HK+GcXDC3+PucTJeS8nX4LLQnWZ
	JCr1QUbkaW6jHCw7i/pgCLfqBBdIh7xJE7d+6mut1AKtq2qUSpEM4qTvrR89DLz3OtNiMnr9
	hq7s5SyduQINBDnKLe0QCACUXlS4TkpEZZP06rJ2IVWZ2v7ZSPkLXjDRcC8h6ESQeZdBOSbd
	dciiWYiHtGq2kyx+eoltwooP7EgJ9m35wn0FGV+5hpKbhSwz2Up9oYsSbexjx/hlopUYGCL4
	kgezCUWQsKypsitJChjV8MHgePDQcF3ho+qK+0ZJeevbYKSZ9bLyzt/i3/b3Jnt0f8tsFP3P
	djel4N76DyQiTyuoOxzZJUJDKx1zr745PUMGcur79oAxuahUfPcRpuwcHFOB0yO7SwEY8fe2
	68U5/AZrGwX+UAZhN7y2MMkU/xK/4BIDY5/W4NY3EX2APAYMRanI+mFW3idui8EEzpzKZ1K1
	8RODAAMFCACOAfgCjg7cgjZe58k0lAV0SANrJbMqgAT1M7v4f5mOf5e3B4si9z8Mk1hx5cRX
	I3dDz/W4LPh8eONmMPjov42NOz8z84PksQBbnjlfZ5UCotPS2fZ2actJPhYCho+a4iXwRm8B
	aXQ3DFa1CsWdXvkGsNIouuSkGoGh6+sEgAdP6JXanM9YGTQINy9Xsg9YOj1UWInSwRqUmJnj
	aNQhxJfj8j5W0uXixzkbKB+Is92mfo8Km3TAi9u0Ge/Acb5Cz0c5sqs+oWqcouaTS3o8/1n6
	CZVmvcHyGI0APiALwU84z7YT9srpXHrjiHo2oS3M4sLxl0nuSFqD6uiIFrg7yF+HiEYEGBEC
	AAYFAjnKLe0ACgkQ3uyMCd5BWw6XgQCg7Gu7XOzqnEcnCYR7v6rub5d0zwwAoOsQ9TNDYmVl
	nW1ff9rt1YcTH9LiiE4EGBECAAYFAjnKLe0AEgkQ3uyMCd5BWw4HZUdQRwABAZeBAKDsa7tc
	7OqcRycJhHu/qu5vl3TPDACg6xD1M0NiZWWdbV9/2u3VhxMf0uI=
	=oXxa
	-----END PGP PUBLIC KEY BLOCK-----
	'

	# Bug solved 2005-04-07:
	# Try importing the attached key file. As the key is exactly 8192
	# bytes long, radix64_read is called twice - the first time to read
	# the 8192 bytes, and then once again, to handle the pad '=' on the
	# last four character radix64 block '0uI='. gpg bails out with
	# gpg: [don't know]: invalid packet (ctb=2d)
	# On a read for only the = sign, radix64_read returns -1 for EOF.
	# This causes the iobuf code to pop the armor filter and thus the next
	# byte read is the '-' from the END header line, causing an error.
	i=armored_key_8192
	info "checking: $i"
	eval "(IFS=; echo \"\$$i\")" >x
	$GPG --import x \|\| error "the $i bug is back in town"



	nopad_armored_msg='-----BEGIN PGP MESSAGE-----
	Version: GnuPG v1.4.11-svn5139 (GNU/Linux)

	hQEOA2rm1+5GqHH4EAQAi8xXorNRK4QSZR1os2xtbVeZg5pI0hrdyejn0jSnlWmw
	wqnhQnoOXsX/ZE8Sq0deOJDKhIJztVcu4QB17R0zRxXhN+huXq/DRGUa3X2xF+Po
	4bP1XsZT6jYc6RDiN8KzQkuUgEjGsQhEYzBMFgk+tFDDA6PYKRk2mn0UaTyR6NUD
	/jimx1teliNBMhrPQjbBMCdgczfUhH0srGFKovkduf+Fmn0v4rV3JAhtHPYaPrgY
	hQtCMdjgCdh3uMK6rbprGdQ2lh4PAFKd25djBJlf8KBqkJXimAYhe5Y1q/x58xbA
	R5/tAKZFKT+ooU9qjVzXA0APHBwV50/K76Rsxo0QQOTihQEMA7WIRff0Cc1UAQf+
	MZ5HWEX6+2teJWGVKMmJBFkYF4rAEIoqEmtzRWcsAPx6PFXQt5Ok3PbSGDgOsQTQ
	XwR5bEmZ6Gd/O2xIM4BnwKQ/g6PxksPuni0ajZS5YWdoGY7ZTS1LpZMFj++fhtQ9
	1hd8j+i4P+GA2+4TUxVVFwIbHDT58+mw+tYD0KDfizdSwVc22F+5nT1tLaKJVvmu
	VX5L9u8OY6kR/xP09uCq+YzzHt1bi49Avrq9PpV2wbo2P0t7H+3bI92oGvpMPM2L
	ONAXyh11dlQkIrOiVztWtTYIfoCsV7Ud+25V+jYEfd9hyE0gf4awgqhpLwPrzzAs
	aHKQwrjlMaByKKht2teMJNLtARZ+7LbxgF0TR/019x4+XHCBhmwmPzL+OnPTC1r7
	fdB0kte5OefTUfglJyz9tD9QnrvCvuOmKxcsOu0C6NLUqZRJN9knhLBZyXbwx/Cm
	yA60Er2dGssL7e4pa+qW2O/xJRL1IaWpgZa6Ne89ut25hbEDWexCAikBnPUrwrLE
	sqWOepzPNGxUILOcjDV2jKq0t7XKfwj6UPoCQxY6FQpx/0goWllh+PuVLz7tazsM
	c01KGfU61j5EyyuytOkJO2XgyXZj6Zat194NgsMrNGBBWl5QSGUb5W0jW1bHm0Cr
	U+xNTvjnlVZzqy8w3GDr2bCWi6qJs20TrbsbDa4+sK9+WDJ2fcb6LzfTGOekbvyc
	OKyYcEL/UXMH0uYrReRiH/gheESZqyQ1kCz+/q01D0N0KBqj6LHCJyK6cOukrY5M
	Cd+Kdk2gPL5VP0FSVJLoFXfbfwQtjIkbhsP06sFOBszPhd8bh+/r+RKWaqQvHJDX
	u5XqE/lJfBpNd+NBPK1p1fMVW/ljj3EwsJCdYOxh2moXD7gcehbaHCN/pFxD2Xiu
	wFHAqTghAtge4DuIECN+8QrE6xgCnwx1TYlhd9T4f+OqTcn/RdSrGcR/TtQK7TJY
	R2zVvj7vougCx5avrNwmJNX2DiJJl/nDHmjzEFByFv+UvL1PUn4m0dsbyx8alixE
	dw4wl352n/ZpjIc7GdLeusuUPJ7xFY3r1xS16QuInhuj+ZIlPVVeo1vI29BxGP7n
	HH9JmewN57O8xztGeBSMb5dZCSsGaiZtT7TdF2C+r6NgwcULzpgANVMVjNt0U305
	ZhTf0FxH1LFTDd6IH1ry3EABCRQX+NDi78m9082QJPw0u46P6fchF2xW8MlJHa0W
	u+G0+DNrHXUFZBxt0yG7YqWYzqezXX/9ngin/W0o3Myf7RdHxmlwSm7fUuz2nYTn
	0gpJqmu1MdDN5wKxuIO3qMOoG8LGJwnR31sDo9BG+8Hpp+yxYMEMMpmW33otfYcq
	Qqt7L5kWYDrQb0jGr52hS8fBujYi58AY++a/RqddFkU4c3kgA11A2GNqsbtxw7rU
	jN1uqPs2bQA2HqEdlL2ZD71E8jZXztKxMIHyXbJuIEt3GOywJWeHNi2vZa2F4tIw
	bEy12FJXLW/6Dac7COzqVILjNH45S37JRQCc/0kAJV1VWMyhuPBU2LoPwMhdXiDm
	k2vznYlm2cEuvFL/6DRm32Dd/YaA0fw3S/L7nFyuA2FVJjs17XiIRdUemxXt1kC0
	1KPjNVekwJph2YE8GMyyV4nsuf5yGw0wJkXqRYR72Cf8mgxc6rPIS0panSWlAl1x
	5TMf9pEh0TUkNENAbxFazsfpG1RTEVzjpeLXrDSK84O3WW0jUHoG3IyP5iVli3g+
	/HPmOdd6+hBVZq11BcA97xnozZE0d0zFCVkpp2bcK/69X9NC/Cl9FTI0DzdoWMVL
	XTwmOV9BYsXAjJLXAfQR2eDrunaNkZO+rr3KT0/TtqhpcCo2AdP2IPglVRcYGLlr
	SUoF/sAtUgFLGnVnURrkAnKamSs7KBx6J4Y4uiBUqMxX6L4T456FBxHHMQNy7cQB
	quyVixd21NB+P8GYdwb+KLpVjiQRdveqDjBJEn/nTK1yKAhq7SY8B6StVgbzPcmQ
	Pt52HkVTh8a45gxvF8qGWcbhw1E9rwVT6yPFJXQiR/4ciEFFEfqQkYzNz7wVstqe
	R0Uf/rqwBdUCDpPzMPgl9OPKFMHNJ2tfYYU4kzfzdxBb6aKJbOX8xkxrhmktyUaE
	Ap4b2gngCenXf/1zrVoyH8+KOQPZZXlnUK1HfIERZwh2JlmowLvobMlup5zL/+s3
	kRsnxRLbJqn0tYYYFwKsGbEqHZUpzbWR6TKNsJvoRlcgOKbAqel8ggFXiSc4co/f
	VZqk2IPzaQCkTyAU+B5Fl29bTfB4LK9gvZlY63y/VFD2bEBVk36pI9M7CokAr+00
	KvAKEzpmSXN4RHKwJ0W1gZz4IGPKvi3eO6a35wd47K2tIS5K3IfTjsIsUM+agh37
	7xJiJByfKgA7ardssI1xeG46U2iIBvdUNeQe4Q2ODF4AjxczK3hJwBPg55FGkhll
	dIDa07ZsOTB23LpoCejKi4zzn5DsDNqQLaYaSP0Cud6DOuSsmUFHSHSo+NtzqEQG
	rm2o1LkZwQ85iDf1A3b/pzHBf2xhxEEdtMZ2yfWxPJvz+8hsasysqPD8BTJIy0jn
	NzmXJKTj8ll9IhQjr3UBCZZXWUPNbrl3zKGUTQMXbdUIV6cB6hjLERILhgm2VhKR
	eEOFMaqATMKnGETa03l6wDhWDyj7HbgzgKkveHJ5PDFKz+RJ3sIwgKD4LoSOYtZr
	MGuHzMtiFSx+42ZitFm28G6rzj7NUVA+FHvlkogLWCfrXkNyEp0F3D/qbg3S8WS3
	WrdUbLwbjFRSHgkdIUA4yIjCSmRzupfpvXS3UZPFD/tLZicU0ogfVL/2KK5WLYW2
	03q6egJXqYX1iQSOTXwx+Msw9zVzwcAI8j7KKDLVv0fLWXSMOg2ondmznb3s0Y91
	iaYjf7iFhuGH0hk0rTc6+CkxUhet2GeBc51G5XuLt7+Pgml8k7bZHU8kOB6etEP2
	i++7b6uCAhBW3o6shyoRgJNYJmzYbThfIx3yu+3vl1gkSxSQFo4RpEmk8VtjUsio
	tYJNRsAq79wGsyLuPwLKPkPihjGEf488A2NKuVnHB7051oU9hWbRGCVhzdOnD04Q
	HKzZVjt2HyI0v1sY/Nq3BqVH1Ha1CkmySYeeKXRgVQfD6RIzfd3Dgr34+rZqF3qD
	MXna3FeH2W22dbZH/yA+KuQEjU+uOOk8QQsqXorunuyuslrOmGzaDPILW8zJeV+v
	tBeecStyR4FdtWl1KH7YTdFDkeGKOQeBAKYpyYUKr3s1grPh6caqgF1FMNL3Qw+s
	x4d0zp9efHkGqhp1az97oNFBzGmsBD759iPu44QaElulO3OAPyn2GYZA3NhnFX7Q
	uGtFLSexLpVTlVyBHf/QeGJk2lkDuOegiAkW81lorVF0+gFFae/HIOnEZgVK0/Nu
	h8XNFvGd7iKlNhfLtRbKPqHYOtxxGC7gpuSa/M4kgvTmN78QonKjZPDxhlDhYE19
	WOHq14t60lZopVLY1bQREvem1K/RmPk8lak+uf/Fa+UqZ5C33m6kmbM8rwYmuSs5
	Y3M3mR2n4tsTrXEO1AN1vShuIJoMEJ0ledDJiWKkLHRZ/SJOBLYMM+F3/hliWB47
	eNkfQgo9JaTiNs9SBVVcxWYEGUieAZjOekD74oN9nOLVaXS82kQostloXhPHvBG3
	gKQufi48gOj1i7REcTyhQMhIXa/NQ80aKZEedH+qQvYTTNGe1XIJnRILyQfirtgX
	2m7PTaup+psJEOP/+Yf07G5KzN3wtBIXi3Avlr39ihdbuORERUNvu6kR2psvlXdQ
	otIijpBJW3Ur5yTpnTUo7chSlWFzbmVYv2cyXPrQc06RSxzrIQFjyTKI1/Pf6Aax
	wA7Uep62ga5r3IuR26XfaxunphrmFwb47EiFYP6JaNCYW7x5y4OGl8w1OYmabhwP
	azJsUAAem/lXZpPjx3s9meC48fHpuM5N9myIuRlLN1Rtl7EIG8cuZuubi+VUEhWD
	byap1IYIFZjWnS22/yuw6pzyNk5Mr5ccyo5xxvg1ZyC5rondGCcm1egSDcrHXQsE
	pR+jKBcR5AUKBhrgSy+N4HHZvsah+eNnTIZIm2Hh92vTLZZF7u3lW3mlePp4/zAt
	VMbn09ET1qWaIl9xMuHDIfIsSXMLsj4+o8qKaxipQ2sjFjnsFGIK1cAjjptpoUYU
	CffDWoBnLGkFSVTTooOQHuQhUmqaIv2pXWid/f1smPUjkshLoWiPoVl9lLzvo/XH
	NhoJ159/qczMsiosx3Y6e/haFlIfrklSklJCO+j4N/PYW+vyqYg/O6FlWF3BPRhp
	qnKwe+KfUeAyXQKG5CkONWBmUAhuLWOLU1P5280iAKHnOe3YRxkGIpsFJlIA9dIX
	Lf8KW9zFYMS5J1xysSyYtCwUfa/ewpRY+KuLAH/3wSbxViuhwJ1aoS2N6m8hkTqy
	SODnP5Nz/n/EZi3wWesBnz8oqBdrwkOWRnfFORpRkAedcsd9XYCbF1dHozHBdY8Y
	uu8N91ob/5c4RmP08Q5ama/BjaxskdMH3tw7kW/7r9tpzS7a2SLLzbDnyycZjknV
	tPr/xi2bmXHkUNnFwsTL0qvIkcZpae3k2oTwgNrjczqIdYGynflOc/gqxVeBO8gk
	t7mqZ5sCOlhqPkf+/1EY9kVwS0lh84yV2SskkuhEOF5BZP7IgNTgeZlgTwYRsGZq
	R40pWhW2iuAWfHop7NkrIWRvtyVtVtzwqtTLOs4oNrZU6f8xh+1asPdLqp48h53N
	wwS3AduoX31189s/ZnYUR74dfYcf3JehKyBTsfPfq+8rHf/LOHc831bavHQ4ncnW
	f//8T5Xipbjo+WX6LQxr9NnCIkZaJ4cjET+SBvEf2YGRjtG+3jGmWdgAkZLhWJFp
	xqhhOorpOFItwHiYIqsy6WEcEf2hEAww7NnC1qNmglDXw2ou2WOk/WDL+Oya9ANY
	1HAaYrNmyjZ45GXvt9/ISzeiFaClgetu/zmJTe0IG7qxuOsd0MG8DugeFwUDZQrq
	rrVL4U6Z9MZLQl/DAYppnxSmne8vQfwHQqRXoazaIxAh3/uWh/w220YuSIHJt8Cm
	a6J0w6YlQtBmaeY22/rbiOJLqAMtBDC4cCAp8nSuxZKdVTpJA7axQee6lWTzan5q
	WVyvyIkqq/4iuU+WLDtHV441cgnYENyZ/T6jrHwrX1AYIv8d2Bi179JVa0OKO7di
	axMS+65agfbswB1wKRU1QYin1sDQUMPjGbEtP0reyAFwpBlmA38rIg3j4xr1nm8p
	MkdCKOdqZw2ppWDTLFqqM6iUpTiOUZLzC80si8C0VYkTCZkCRze9QTAD3cdfITZZ
	huiHO3K4pS/6ao4QJtr78B4yyUMST8isRibuvqxQYaEIgO7DkFjD0Vh815jkydXB
	Mag8MjSydC3MuAYFtruOm0H2OtoBsY8YBbeQXeC04U49P0ktYYI7MNsShhfFxRtR
	kXV/PldGwhF3egUjSjk5UBiZEUDw39PMiWy6k/uM1KiT6AewNryw6j5SqqzeWynh
	MWAqxK2oIV+zhoR8EaX1sIZ3LtPeDi61GIaeKhnv88FhDQDX+pjm6I2qKgXhnYxr
	TI8YqfbGXGpCZWk13AL6CyYqSzcLeJYKInETPbmZ0D/eA00dKvDUcHnt4UEpuVHq
	XUHETJR1OEF/xNF2DyXBja1+B8fGfChRMjmk2J3YjmIcg1m6svC5r3Cti7WpbKIs
	qldz+u5QKRbAbj+izAd9PEHbJ7azMlFHyL1W69VkO9C2u3qYF3Kx4diDAQFVGisv
	6wVaT7kZod6Yn3dkv19EicvCnfyq1vE511OExvi75E01iznFRjdXIjCOpcsbVsnS
	vbdCo+TnLi01Fg7c4Bp50VMxZOKwvY083cxbR+csrf8z0TyfuaxPsy4YiLhv7SMU
	5D5f85TSgP1j1Gqy2vCqqh5iegpi9+JhO2efZGFTZTyuCsGiIzC9CyQ7BUPHTz12
	nvFa0pYNUjFHJD0FN8qVMVVOgl2SWldRaRD77FbcLsyiS19dFgnvbxXtEdW5OPD/
	AdxCM5PtrJymOijry6jKs7oU/9jZJMw1sooVjcX9Xo9e5HWRqawTAe24nhwzlSRT
	3GLcU/jTOmsjq3NLbzzC0VQb6/nqkN5t4f3JJj6jzRo/1lxKhHB4c+/CgVtQ3GPi
	aCjiyDt3qey29K5lMNmo+dIMtIh6Sf4klKSOlh3oT0XgM1WNNeJdFt6v344vxOrq
	/jw3tSMx9vRMDv52bdtCzzcfkVlSYLPlhS9ErBjaICVWqfaFJMzD2euHmau0RuPV
	S96FiHJfc4t0Lgb75bwIXA6a0SSS/JrDRUynBr3kmSUDJs67i3ULJ1rMV553K/3g
	xOBRT3t+gAYbl+5Dfu1+btu1MkmpVA1duQYcVxO/Mw2asc/kvXA+rGrs3FsScGmD
	Kr/1yLfXvM+p0bYlkCfVoOVEqfU83t1+5Hxp3PlqYwzxlBPx4rgofnDRyeLGtu7j
	+1rZ8m1W/lndkJVf445LqcXWJy8c9V476LXpoRL5oNAQkEERDK5NHS45TP7cYFId
	0xuLwCQQ5hh3cBw+oBSqRZmjiEuxSArhBaw93S5SM96dXhoAmXEiipNbIXO53pqa
	jFeb2kVctAeNhupsUMql4nocwUYWyi0bMBzJH4eUakgBShxJjtAD+k2SEFk+nCVL
	76fVSxUwmpdqOTSMNo/L0CpG3zHU+CflPBnmSXFyTgZD9F2FJCUBWWdKst4bHq0T
	qoL4Y5Wqj6YK8QtZecrqigrayOk+CEM02C6nhyM7Hdt8sWSPtpWGkF85Ksz9RCxF
	QnfIQImjM9Qt6Hd7c8EOxpgdZufvD10vlELH8O5U+TimCoCaViiTcH7p9BziOI4b
	18d9bgXkj6GZmS5uOSBsMIF+uZjKQxyMgwzAaEYHA+vlKPS15rDDtlDNGWDHfNik
	hj7b/FesKCBCdqYpxKWmcHgX4aN7MNMTy+HroF/XVAPGzxGAnMS6oFahb4C/o4be
	T8k1mGhTlTQRWMi3VI9LrXoP1MsH8LwbaPSnSo80X5sbgZmSlctu5QiSaFm0kYc4
	HxMR9fJzxZyuXM/IbXSdlYCc04xwNO7hrF2n2HI4x5BR7fWZSl/E2yfpxwdBtcBf
	l2amxpmIjusGprhGCI860vpQxfyWyTfWNdMX+OFL+Jsgog6Qm8A6bSaNTs35Dkf9
	TjvTPS3wUPwDbTuk9++zPiKt5h85IOFaFzyjC/u+C38IvNmvUUcYLha8GEVz4OnA
	KT7FrOizC7pdyrqbCIJhoZsOzk8romND67wXfgIWZXYMU1b2K81jIFSvkVwrXT9w
	56vollH0x8YJD9xC3U8QcMDnK3FwuOrlGxHY8BfNszCV/OXpT0qlBVC/gywaq993
	YJoQOWugT4CWpmSqnRLjTV3gJTHH+qqQZ23TsoVE9WoByXj/yb14FtdRq9oGL8H4
	Ke03JNOkAlwzohG0XEsoHLC9+o5x6KT37OtLuds2bYV+PzSRVLJjsqNL3C5XSp/a
	nfXTim+6VIANM25jzxfCcot+VBz13fhwnaY3Am78ZEjQVmJn+Z4DbWIIIc6XGtBG
	eNydm9WNcZ2jF64aMN62DBp3RGqgnhE/qXTv/Sw0l9qiOCeWJ5GwqU+Bj08D4/6y
	6xBaaWHcPqCNuyk7pPG/tN59GVUP/jHEX77Z2kn6RiLbnKahcekaifolgBuhgiw1
	/c0fbWmJZVCUVhVPI7fHTAaUIO/VrK878WkSUWL5dRvjXp1yCvAxeYffsdwamPyQ
	R67h7sHAPPtYs9XpIjZxTzGF0YDFc+mpfYykLvc5ixrcuHGo3Km/hzdjVRhcCydM
	CexKFEHqI97u0Bz5aNW3tOE4iTeNth80tl2rV2PsJoK6FRkdGgFGdIsHZkhy3lsG
	GwGcp4bmAawGB/MmjnIQRPeVaSobJSln0BgP/j77h+pe+eTswwxBeCh90umeE9sd
	dFfKQNzuZvd5heYwzbLTwlWbNn8wnB/nh/Jh4O6w3db6WDi8Yl54mt1OSFNVjT9b
	1rM0CfUDFDk+Jzd3fwY5QQDy+Dy8oPm0lm0xCj7mrzmlVGP5JmLCvPiJUTPuybdr
	WlBJe9T3Hyi5xkYgl9P6Itxho+qHEMUYa3ScBBC8Tvl7y91Gp26CIfR5pQxkLKmh
	KI2wYSHF9fytr5F6imJ6kTocxq8T6UvVgXi61pWScjifnQdQBYtNcsmu6F2djNAF
	RIunpWxbcq9b1nuQaMx6aQhYTMnau/ApeW6Y4bbVwUHyHCWMwy4TiE1ifFrvOYzQ
	Ph3WPsfDJ7dfvHfN7/Vr/qF3mcORScAfkWa2yhVitoBnBMJ9fM+q6Qrxulp8xOqH
	0UwdTA/FSaIApZbIHVO5xquLVXDD8Hoene6GWz+wep/oUqXc2k1wl/8XbhKlS29z
	N6vJZ5zVJqLSWWyHceh9L1fd6ycHaNeYkPSAGBA5IluJfm0NsQHGW6LyGkkpnFVp
	mmB+crDof/RHYDU/ep3I+BP27yTFw+j4vgELB6XN689kE2dWetrINmemwilaFoNd
	eDmVpKbQR3J3WD9WNTseI2OJtZn/E+W8mzRkp3G54nGVq94nMYqxCMFHSGQm78iW
	CLqjp0uNPM1NUdAH9Y5jaWF7NzBQGh5H3KLqvn95ynwMbWeFEZ9tzjLoIO3u3qzJ
	eBlhnrM7JnwG/8XYatKQ4JaLteyTdYrlENwmQa0d41kuWiZYGGar4Jwqqf/Ma26V
	UR+IXP39j9agKLjzDDJJgt5Z0rknEWy8wQMhIY6WiKYpYGH4c9zrYtdzwRU7+w1I
	h85xbqgPMTSVlmRlgn81vpljz61Tw2hkb1sUB2uqgas7nwUod2+eiZWBOKDl3awq
	u6kwgp94M0opu9t5xx5oJeb+WdQd1nWo/5E3Pdp1hNPwFpqW0TjMgAtQHmXy3r0r
	sI4pjs5PS6JZ05D5+WR3GA5KDA1cCMq3kBDNhsxqUeKkM2BNuq/J/qQL1pyXjlwr
	4dqR7r49Op0PDIkkl5BEUOXLjLgwAN+TRMhu52vdM9V1jTBFG1hGFd4M7+4jOviy
	jaPsJyzrhvL0tkvxpq5eQUJRqMqqqrJd16UmJZef/xhYFuu+p6sr4oNtE+JxuOmE
	JgaC8I2HM6mIBq3VV4heR0CZUzP1WYk/iv+Z8WmYMTa2AVBbgwHlUK2fhLci8uPp
	tEsLiwyWubB4elo2VLxvgXPaBROuzqANnGSeFM9B2XZoGejAVsDRk9/cfzHunHcv
	is98xkuq9JRtWPdNIXgKVIvP0GuuDP1CNhdWR7XULqMZbZmq6UWsUwRWfPBZ9NM6
	rag4I+gpwnHPHAK3yBe40bgw9J9pSJVClNkH2RLoA4t7V2atSQOatLTP2JictUD1
	2R9kaeRdQ0XHbRe5QnvrByFy1noidLgyv2PXbZMHW+1OyGKMfY3eKa4/k/Wmgw+Z
	QUaomeAVqguCRQB/8QBv7f1fLJu+ZqhjhQXZoTk0MdDro40fTI5wxxg/yV25sw42
	McPy8dR14mKAXocHpYhP792wVhemaBPZC17LXt95xLvfAOLDz/ORalrUHdhwUtZu
	VKzQcxFhVp4aOCYR8gFgMKYNwX5E7I0ixfoTKf099fqwsAvKlOCqnoOuzFnRPrui
	XNg3CkWkJqZG4UgLE9mL0l4CAZ2J9kbleN+4YMLQUXFvlk74Qial8hE0QBIdCCyu
	6huelLEGsUZd+c+VsEQRUfq9sVUONGcIt9LQGFb/IYQoko87E1RThq2b5D+R1R4v
	AWMIJGit1k0F3SxYdeUEYTCqpUddXtjhjSUGbzikMU/PbmyZXFu5PHMK6L8MVoWL
	ZQ2TwphlVTo/gVz7dvW7KeZinnHB1BE2EOoSfhRukO2ckRH+bzuwC76xczosPLGn
	LnYQFLqpYBDN1uCrvoyaV4S0xhgHsfl7kyPVdoqDcoVJSik8uKu6KSCUUyUbrrjg
	lANey8pArBpI7x9BREUnGWNwZS6s5O9giMI58xljBm9wvu91fqGdga3qrv1QMgQg
	Hytb/q+OAgQaQ1wIJpZbKliWz8uqPk41fsDy6ZKOO6UXYwjOg822Wwj7xSpbSRf/
	lhegSXgfihyeEeeWeMTLDWI+N2zuj16zZSCyQHqaDS+vCkMkAXUtJx5Ia3maBHAK
	m1UMTJD6pP99zIqum5/QK4QKEk4rIvYtO0nTOW3L9fos2a6Cc2FouFon0Sbz2+IT
	fVM7zO7RBwI+xSyDmV1nc8C5VyKxUlAAcuqVKEe9YnG5pwv3ogPKQZ0TqSp8zUCO
	YOxHkG4F1kxAXHdrVarP+BYQuYIru1ZFovUQ5vYnl/8F3/7cuD7opnO5hKBr0tvD
	6lM2PvPpIzlOVDiNZSZDHOfmYWWVlq4uzzuP8tG3tLyYBGG/AZuDTA7WNrOGTSSB
	ZP9FVxvNT3kaxGHmjO7lGA1FtjRmkMJr05EWMHHvatvRcDFBVR1thxLkyfneSWs2
	orwnAqkYe8Fz9U8p38L4UC+J+2EZszHAeSO+eW3jrqZuFYbckROdzhktdUsRZcdL
	WFpDIN5zINOo13q2Ei/nG2kIlYKp6Mq0b+wN4x/ILkBWnOuzKXOY6dSrRr4y/zq1
	dpr4ZfQezvsLNh8zjMolwXYdLj32Rg8cgmq6bPWIm0k9Qbln9HCBTO5VihgUfvIe
	edpOxvSi+HpgIGnGl1M/w62z9HnZBCIcgZS4Z3EPvi7CWQg4S1aOABj/mri/RBh4
	k2vx1D0EQX5gBRcbgIGdyFyiRT4cAdPiXyje4zLIl0XT+v3/+LJnX7NPWXLPSOM4
	Skq+fDvzrFQYdZ7yefdxIujVKdI3iuo9dWTwITApf/KYop/M4vb5CJfa12Sig+VA
	k8wdIDwXkklbOvpe468KAtTdUyoluuoROH0hXNaypKHBLMHk0JJRVB9OxBlIdQSs
	jEoUZqQF4Kll7vHSC2sDeYfwiuBp5qZRPet+ew0SdwZfVmXcvjVKr8iPJEtr07Wj
	CtyMi2+yw4G4X99em2JJu728dI4OWPUeyuR4x3dRf1fM5OshgLYxEJl0CMDqKVr6
	GqJ/HAhj7lLQ9k4NOLn/RgKt65jXrjEJB+IHFFitqGu9qLKM8QkMAAKwBfsRyJiZ
	2e7aMj3w51DrifRL7uq8WZdP+RzvNb81WItRtVBQecHnPHrZI9Hwq7guxlzZTOT1
	lmUYNC48LVuq+aZsaD5i6MmT0hXCTC8GC4W+KAAqM1ZkHi8sV9zztWD0YCxmvjpi
	ldx0MTVU8dqySwvBFK0faO31pG1rf8qGVN99Ys/pY4OWGcnbDwGblWhhYlJYZ8uZ
	7IHt+0Zh3hpVWtOAttwifKXM6bGRX83O1FVExJhXkjg3zrklxNv+3baMHKrZFryi
	uDtE3LLbc5ypK1Afp5oenYpUiQwUeJ0fGYH2NT1fEc8UCRqmvcJGSc/MmBiWRMQN
	Iz83mOJ1sP3e0dbbXr4ZcCDf+RLKZRS8AH1zRp1FoBUIhyu4HVOs1C9YBmpaUGyX
	t/c2O+1Slh7bpAKQnguBqIno6O7XB9rZrs/PXezDv/03CU5lQkYqai8SZck1LrhE
	Ta3ak+EV76QfHTQm0DiVFIMD7IaXAjyYdm6nCDxZkLN+Ir/neEC10UzcWHqNIdKe
	o2ao5YePZFY/WW0HicTH62MJDZFvgppWZSxx00IktHmTsILKgHkGgBgMvLTkRX+H
	DdAzqFYNeewOnF2m4U3Z8R2pt3/m63p3sMSYsHnpK3OKjI0trrRJHuFjgTDAwhVm
	xMimLL/8SnVJW+KtjZ+XazD0hMvBC2GzcrYr4h66iVOZI1tsFE44BAlh9LW7h0D6
	FRRkZkbipDpv5uiKoOr6qrhjf4/2NxCdkYI36cAfU2czuPPZ7OoHkLniBbUuKavc
	n45Mn8tkq0qaCfUns46OUCc4qyBb3igBKVLlDlhP6gjNNdYKNaRKsQ09bs7TUk+d
	fJupU57YoatfskkG/RPhJebLSuuvh5+Z966ZTfGSVVIOFPDdACv/S6lJN8DiD7H1
	8b+bAVMdVcXn/egeKvsNuWovYZU4DPVdOLM0E5wGGCmqyt1ygFSaUcoFVFiYfnAB
	FkIxxBOtp67dLSazZDRRcsJRLroZ0AQRl7x9zN8Z5E/OxvQtiv2C/evhntVm2Tjr
	wdJlwPysZfKqjnccXkM5pkoMN3/vrNVjCGMYrCRz2AOPNVHrTr0Hm7TAFJ6QQOPk
	xITHOlIHEBGg1T1ZI3gwSyl9WLlGRp5vyQ+rdef4zg1ycDIj7sxFA2nzBsUBm5Xd
	SgYzbnp32Nir9MSr7pHy5XFPCKVzs0R3GqfAjGQlyt9Xuxau52u194n386tockI7
	iOe2u7DPjqVXcS9Z6lNFO0o6H27F2x+dicSeHXBoWU6DBxvvjWtHG5E/9blp7zCF
	weP5dMmB3UzuL3DcIFprNGJt9kEqmN80eWQRn6H3X/IzNWjLT52AT6pKS1sowOsj
	RztQ2qAJ5md7Uz7fTniUtjp831SmxvUx49Sh7XYfNEpqjyY9VizByKPOUdUKmoXr
	fgXIfsi6yLYkoR/g34dh2JsKrC1bVtC2AiRVAgtcBDN1zFm5hiQGztq7D/aXzr09
	q9szvRnXUat9iAJjCPsfjVJ6k4YjpmQ3iX2Kz+JHHNBYD7EAW89GhTSqJJB0viM8
	3lhxgxZgxnBz8ymwhKsyu1GKzJCv3cmvTqhlHo5xpn1YMFU7ea5xm5XkYKysWhq5
	w1dSMKhuvA0dNau3XTef7M0AI8iWIXdM70447qn2Gwp0bO7f2KZVtXoYMzr51CaP
	QoAEL6FfwULtruriOK26YhmH1F1ey31xgjE0eTbxW6AFLEvYQ0OX0PmjX1/OBW1x
	sVil7+beskMwIJpRPlsx1LUc8uojLnaD2j0ymqkxCuF9G/WkX1nlyi1s/SJpqAbF
	EzXkwj+4B1wM/c6fHfxyt0wxzaTNoZi/omqG6PdXmJDnNF3DlWs5LpHQOsKKKXSh
	2Uv4055evCC9R60LgC/xONXYB4zHTlmeBNnZO9lwcT1AdQ3Ho0h7TnqFm4IBnVva
	f5DZ5ntxLyygAdRLLHR2rQ3SN1Ms4rX3CtfMGvISX14CYu9U7WaHtL1XLbfw7Q2e
	z+wf0xE2zq/cO2161rUUQ7eq4XmF/qYreQ0nBT29ell6wE0540ncv8FAOO3dWK66
	4PrGQJFY8qgZ8B9wmTuHUBvTZ6du3KI1LYGOS5yIktfFX+0UWK+kPRQnLt/ibzID
	n1FoGt4lBlDuOBq3KcVZ5KiwEbS5uNsOuApygXanE9bEIXmGDKqGIMsIz3ZrEURp
	vVMxcr5fZDhNFsaJ6W/MuN1F9+V3Xu4qgS6603JiD/TRiZwKmt+YjZkmD90p5xU1
	joRyPUNv2SVkOqAmxVV0DCEctj3UT6S6XN3eDNN5v+JA4qAJqoSdVjV8M+8R8bHs
	6bDuwPrmOrQ5IFQKC0u0AqmrxfQjNXNftN0OwymryZcg2YTpOu6XAmwa058b7Dp5
	VR11McEUfl5qGtnc8Nhp3TUdvJ0ugx55LTM70SPZqADChRwdz/LGzA6Cj7DTKtAd
	/aD3ccRN4sEXEPGhYacalHKNSAyQPSLWc8+7T2GI8KHZgDQMreHDjzWQwUydEliq
	1wgEkXu72pRArUJ5jmE8ac8r3xGukO+HbAsijgQqKPctveQbGJ+Ypv08wKJHXauq
	E11NwaijBOZoZ6BrCFG/yOrjStDSbrhqd9qVqm3QCewoA2AifcNnzhcQw5Yk5a2I
	ehhGFN7eJxFM+bkXyHMcd3j/4K+7P0WChAS0vujJdm5I8HJYNtz6AlLT+ZT91zGX
	pJOUOnguWtWKhOQ3Hkzy3LrRhjFUmpdh56zOuKOoWP3tIhX5NMZyEBe9JQCYgXMX
	MXLA7uM/muO+Ju0p6TW9eZbc0vdmAjSDXGfJHsdXwt3XuxnbFIpSHhvLTsBqX78s
	cS2kv1IIVvolSeBIFhWmpB8Z0whWNwKWk/Ze9rR+ESmmCM7ykQO+IuEjD/AdzOfC
	H85sQ5uJLcL9xtzdkQ5jkryp0wZSgbApXnKMvt5pVxbUqLkEkguuiGwvPmKvAQau
	jxnypJh+ygKiDrK1WQmaV6sDHofvLjE7VC0SbH2l6ueQ6lQBhE/26UOFKrsOmxmU
	u6fwhiVyv8tiPR5/FLlp3ZuS4FjS6ZzBPAW/8VEhdeU7T6vOvpkDUxQZGsz+L3Nt
	u0mHVaMR1NaMIc6LwCoc2UcWJSlVf8C/tjvWDY8cyNDUCeMpnadQCrxgvVhC6r6Q
	SIJXxnkRgt9QkOQYzHx+l5I6klB6npXYE02+IVjririiAdIT1SCRBOxW02o8Jefk
	lMpqXygQEb21j5LQZgFmwiQSEx5xpvmvjAn7CkWZ+RIwjnLdymz8yUAWHPv433iE
	RvkJ3XeKw6TSrHfiJtVPOVoMbILBjxLHP5SxZ6S671WN+aujWpCKeUkIwiemiHBQ
	NlpR54J9O0u/yDYhDtTWicSnDvMUJPEPOGMhDXgxzl6JdbnvpjEQhPL4/UMpQCuW
	U4kySde3ANyjUgaldWOT4omzh5KLnrBxUrfsV9uFbPnNMROliOU8fpYvkrLaAb32
	mVGbYBncYJPgeVrFQTl2sBM6UMsDFeplGahZ1pzJLkC8aqySgIDpAyvZRBXYDe35
	C5sqCCdjeAUJ+/DOQOoOb8owQR0413HTnHQOU8ZkTsuqSnfNoH6KmjU3XH+xMlhi
	8YqLK+83J9ACgk9e1BkYQA6TdJuI2Nt4MRoBdFnXP8SfpcCO5dm1Prs7hOlhEJQb
	W7vNkZdwAK4WnotcVHRYScTuqn4eA4FIPBu8Mc56QLe9G7FWD8Z7g3bgbIDmgaw/
	Zc/V/6H8jUKMlEtPfJeHFmRxh1F5nDpjJswmLAGP+xJm9WUvuFDKHo/svpUb8KG3
	JP9gu7Hy39pZCU242AH4PK3cxPifhQU88GDWac5FfbGZ3fzoIW/NdxZnhSY7WY4A
	nk9SEv3HGjkmpPGnu3AYDMYnE7XiYk7rtDBMh7ZkZLw26NH9hZeOE4sLqa7aS8KU
	/WbhWzobgS4AlIZVNTUAPPkzKnPCIUPofCF13e23d0QI9nZDTe6JktEzP86lpzw2
	kQg1Zr2pm67jC9FQcu3nUgy0/XBPaBzn3LjCIYB9DX8ZjXBvRnG60qatu/yEYDQJ
	0KE/4V47I2Qs91jjmmTY3yRkCOWR3Hpbi9JIXLuLivvMz36AYQvCrwBxXImBxjNj
	u2d6McMg+LdDrtFjIIViqFJzYSjI/dtCT0aFHN3yF2Cfiy3tvlV8ja2B7Y6w+sOe
	BByjguuUl83bDGZWZD3BXRDiKEjeNJMJT/hlVsIjH++370rZD/XMYimE/oe5m5wQ
	lL4MMw/WjKHT1X+CJs5tDInM9nyzlbwHXkF25iYwA59Fu1Zbdlagz+SmDp3J1dxm
	SbRHKDo3dPp4n3XhHcdH+H4eOdCTOQ9U3jOn5how8DnkHMGHj9NG3Ga6jZqSp5US
	GithsWl6RhTeWYI2vZBafYF75whkB/iPTbwz/SKQprh6D5XbfQ23yp6k9CY1jnSK
	qrxMsEfuJ07xN5Ri4VRn1EOEs5QXf2aD5znMFXlUrVbNRKuYJ64U92wdHjqwZsUA
	CnVlkC+NUWBqLOEWOv7J57Id84Fast/x4DyKri3hqcfw8+t9lXfDFojmHWaPvqSt
	t7Hxxr0dYIQddMF0vePV0OGNMXLAcg9wQ0Hhretge4sbWkp2cW0ESTsvNpk12YJ2
	l14yFBgLOZd5T+xsV/NG+3jB5lyXfhRYa+eTC0VbEyXAWog/3Kl4XcPEAL2rXCju
	T3Z35x7XdbMCz5GSBvsmU92blmscpBLDOUJNpQBKIHyBmixM77YKMyE5ISpQ1Rk3
	hUAoOKIicF278ToBpdWJ/CyLkROzrTuuR7GAG4hhkor76alvyxW1F1rONuWkZkk9
	kV79E8Et772+7ndPsGQ1ZLkWvCHl9hTUJPdsRMjK/NZhuytD/oMWndUewg9AUY4Y
	YUu8iqRsSyE7rcsK/LvBXbjf/LZd5orDCXyWDT7sGZfKtJHiiEHoMhsH/YNcSPKq
	KhPyOz/p4hFFAaGfhxAdSnrh91qviqHpdyT5K6J/kzrrMZm3Mbsoxi5n5hIpeO3w
	4g5i7nGJ8C+TxZqaOr5jL8qYpHN9e+Lakr3oN5pDlpvKlXNzf2de3OgyOXMkbNie
	n0tdlCSkOxh9vCSiekjcclhPzVdcuqNuTriVcZiwcWaGQZq52MGkVbmTY9+qp11T
	OPj51ZB5KbEJaSfzLvX4ju1XZWdbz5FAkt9RyDqm0cLNWU1Ue5iEQuK1fLoDqH8N
	YyJWoHavKb33jQnqHvZrBnwxUlrpbfvqmqCvdsKdsjNu6lcreQU+reRSIbkgiVjT
	jYMWeTLzoMFyo4sVGik2ogUXnVSiWGAxnvc35iB863IlIjr9iYHsiSkZ1Zd2ytQ/
	t2jf7n1chJTyn1wkI3w6Gj1oW1CO+4083O0GfU7aUJUwUACsUAXMso+EdH9uDu5b
	UIS4U2WFff2dJgvNKXZh3vdsAruoEzsk3avocj72GvCBg+qbHL8rDfaZeT5qaBy8
	xNhiOqXULKfg/CwU/ilvt+V/QTvo9WIv11f7mYS0j18GJsgaVm4Mrw7uh4T9A5f5
	4PnmZsNM5b0HpW62DCnARfkjGEObdTC0znKbSoGn4wD3H09T5HP88oSd2q+rdx11
	GFCdo3MOYEhI7y0cUBO+onZozOVJELyW9sbGoXy5jcRtah63sXcZN/+hayQiH+3s
	eLh7rOtQSV/Et1P3oDK8hrMUnNcK6+BMediPxf/PHWCGBqjZP0t4diaON/UBavvZ
	SWA/m2Utgyqvy7h5IEOUbIomiKz90OypeHd57tVNC0BNMIQHnAYvgaDrZbUHpT2T
	7LqLPpG9rffH12550v/ZCCUrIFy0SiaXNZYQiDeG5/WiBOzS0MZZ3PVIMqx0czOG
	Tx8WUcSEasnjAH+pGK16YGDc66YLnrMhyySgiIrWsKqf8NolxDd67Z6AXcvKh+zy
	sCwUHzvTgXJ81ejNWekHIaAUZnpYXe2DCKXUuEOFJpYCdn4EfgOryDwte2WlGvUS
	ZPfj3Ym43bG0RoyFSo5qnJNE1Z7jjNJKxOEIFy8NHvb46ipcY7UeT2r6R8OJLi/H
	yM/8L2op7rXw6UEPat05dCp90VrXtzrT8UgF72yGVP7Wc0Hosb42JuqxmXtLlX6I
	oOu0l7Ht4zaKMm7DGbznsqHs2daXNhJTAQ49e4owHN8zpIZrt+SbN4b1/svO4hZJ
	fK5izj6botAkJIAnY8FT+lyrJ3oRtB3dq51lg/tWXsTR7RYyl2UVxXDRw0mpW5pe
	J8XS2J7tLaTIsVbuO19Q4de5u47KlzOn+exdvmPu6QwZVBIIs2CIFhYKjXKVxKAs
	tTuVv8ygT033gzrXOU9XkbjEPaTY9Dy0WlUf7wwg5Ug5dmEhrRRlhu4+rOc9mGH5
	NzEwSl4ZJmEPP1auB87iM3l1g0KcL81QX0kcTVCS0AnJUNTg1eSr+zc84tn2VLyp
	xdWidOZ5V5T5p7O0TDDZ/PJAddWAuGhRmK5vSW0XaNYcKUdSOTwul4+881/i/1mh
	ft2mHm5+PymHbBRVLMmVvB/AG9jqACnRXg4pbHwxp8RRMm5AXwQiRrKA7arUPttd
	1Faxq6C4e2GIYDdbWmLRg2P3PYZXbZE2HNo5DGpZ60xs9GwirIPeZZbmPjRTTvqC
	h7TBHyNZm/mQ3jB+f+2vdH0k9kXFxGCcitg+1faAjCOIkcQKdpc8RMz+e+XSIV39
	ZcIlLrV2Ku5jpJ9MbWNg4BpcCDi14nteey2R4JQGOSyeR27VMjGtVWB+b8fNjT29
	J9fDdgcso4OINe2jDC2oqtmlCHXMYDsaWx9uAB0LKsGbMYsF4kR8EqS10Yo709ij
	ARppJ4cRcYmxN+GsVLemIBTYVObK6Ro/k88rOZk00+cLGNWsZwkp2Bgdu5cuNfEX
	/0xkeR8dtuIZhAYdc61Hc61TVEQFPUyhbLgS/PEc7jhkLkbD3p4acVNrqt2I6WAH
	iAcLHJe6aCB29C1XRJf8DI9a5+7nXqSKFdv1pKQgVBLon+gk5CctlDsl/H2J4ehW
	J7/MrWpmKmlG5AUuTESqB9tShUZPCoxkB2wEWgNtPwoCi7+P57NR5A8BD56zP7hJ
	3vrkxSLHnzKBVkrN82cDk/RiVJz7PM6108APRRWncXx5kIfeK48A5FxgcZ7RElV6
	UWQGFfoGlC3rRJyMYAKai5Ial/mQVLwtcdTweaQdNiDXVKeAFyXgznA3fkMfE+9d
	0v0u6FtMml7KSXUwIT6JKmg17W4Lr8qdGFzz6W2YqAI0RelErgTbuai35i/4YTnW
	r5hOuCNTsDYZA0XuNVq2xbIcLoCJPOkOGRNtCKZdIt4CwBFGFg4ak4KVhpFjNTvC
	wBhDj7exxsiOdtpniKeHOiGk0hH6IEMITL5e+C9ycXmur9geA4v3Vr8E3MAsFixZ
	mYbgqx/xlI8Ahprd36ab+YTwmhRoav1ZsHJiiejNfUmv8Z625nQ7Pj6LPysLNZ0O
	+UKZ6wm6mEBYm4hP6GfqJK3k/4V9nOt8sXxfo3FXKVAus26m9dDYOL1qb4NWsRLx
	r7hGMJfsf+hwcCpcN2urK/C6Mzpa923kMBBp/E35ObTyv9A9Fnjdpsp2t3Oo+G6z
	Q9IYGV2taJt3pPWK+qLGxkTEb8HzfH98vdWfdplr0B5C9pXel+gK0Dmk6+LnxYXk
	TA6ao7f8mxzLSMUiPjLW1Rl1udPnNjGFIdgcPQ9ZNJSx+6O3o2LcU6YVcwTcb4ES
	vqT+dWkh88O0WoKWkQL36V5mBUudSl6WipcLY2twp+WWweJquHA4xh13uqqbhF4Y
	4kwkupt8Im0oQKrLSofMaEalUPMZkIaXai6qhz5niRfo7x5fe8+8jS20HMUljbDG
	sn/Uyc1/MBv+8w1TXBOWoAgaoutuzOocARU2RbGrICc0Mm/rbuUt9nVKxpW1WvML
	awKfDhbY2XYoYn0CzfYrvA6oGZJ3bNwRa8MtEkmQdR7Qb99H5hn9StOKNE3BVKEu
	AZFgiWTGI2Eq/XlCOHW1vL/D4bPun/0PP8IfL3PyPjiELm/CSVYP59v1ZGtZyPqz
	2By3MT+7r1gqjU02HMElDq/+2MeJMu5YMzhcibQABS4JmqPHr5fpvqTzyz0T+zs7
	KRdMh7LVQ0WmW1F1pkwHEjVV8oFWkHCh0s4e0pmYPhW3/YRDVyAGSFNY9zKsv8a9
	BpLQEEY0JqW4aXLibKciLcj1dkY7XOrpFTir+LwYaCt7NayHm8ddWjWBg694U4Hc
	zxs8FWCp0VKm9/HlS4Nt1VkoYmxWdZCLCpllS7ZmQ4K9m4UfIRcyfh6NGeUOJ+SL
	av+L7m8I0TyRZ/0hra1D1c31Rltmt/2BoOnE6oo5plmxOkpV7PX4tLZO5oNlbbel
	C1IkzdjI9GLQgqr9XhNszFyeVfb8W3UjRNHzv+NfLY/bqU8vhDjtHmchlsnOiFSL
	TbW8I6VtbzhVAh6cwCE+1uLhd4B/pBczdg4DTxv7DkTZamvzOAVfyK5r38A2vCwe
	LOFpV0BN9v/4RqfXejFiw8gfXcA+UJNcOvVuRp6Hz8tmnZzyfTWTMRP38FTR6qVL
	7TGxeUwCmmAzYR3tUAwBYQzb7rLg5U7jeMtii08URsKUqOMFWvEomrm3Gb+/mRXA
	LZSjp18pflAxDtqvHNCxie5Fo1yMbqnO2kYT0BK/mppsLzKYH4QiuYjjTv9ffKjc
	A6RtTVJ/U1aUnJZ62nQJcbAw3Lv6YgtNFFqUq+KlwEhudvJpKtMf/zwp+caxyYNn
	F04gCsJlIVvqYUAZ2LV53tnLkBMs85bs0nzRBUkPCw1PK7YRv39mirDMYvbV3F5t
	bOUjeQvUx+tYzRrnT/ndmpPFR/iS2xatvoErkuIPxMrgX7W3amN6CHKGsqQn9VHd
	ujqoTTHMkIdyq7NcC0DIvUGjIXMMOwHL3bq04rYXadpsNgiKxqhvjallJC/1aNKg
	ra2KuxKxHT4g1lt501i1Xz91bjwXJPnKB5vwseEm4eElS6k/EUBWoR0AWGWu+nCz
	RWt60260ENuSuLT7BB7pbUUfgYxcHd5oJO7jQYK9xY7LImJzR+BYKO0l9M/TMWtL
	LxecJE2SdMkUJcNAM8p5BVL6W9gBzDK/UIh4qM4Ja31CwOdyrUUVr29HuUxnTNVh
	7RCX+WkSSGdiq1G/PEb8YwPPs7roZSP/nBcj4GNh6aZFiv+RBntOpzJA2oxoJ/z7
	4hK2g+UC62A+krW41h3QvMCZ/ZcNmQWcLg1EsnVGThFajtz5+1MU/p/R0JZ1HE/E
	UUoi+Aj6MC1MBsOaTqKNKq+0JL11hxya0uypiBJTQsCex63bdXGmOoN8OK+TQ9gt
	GO24H17S3ZXXy3koLUY50YGVXXY6UXgVYL0TlGWQFNjEzDxgZI4/tJckEyv+0gv8
	82eMDz5sMDVFXdYme8Rz3RyrG2+4kS1dYQNQ3vKuSABtAMU8v8RcoBX/EZGgOXy8
	4K0F+nD/Ldoi9d355n/pumiT5uz8omBNFs8Xv5zIArGCGg8fBQAqRslA6su041rp
	Uet3zhg3/EICocyFAsEL8a/qmG7SgmiLOx58ehTBs3/WMWr0am59UJUKN0iDHjB7
	lOezHJg78R98dfWIeWq2nSbOcriPvZcaWKbTDmh5ss5bNhwLHn1EwVpIdWzJo51R
	3J321Fnm1m1IpPRBkc1DV1Jt7daR27QuC+ikQC33SKOUnKeE9Kb6sRSA/9jBuzIH
	Z51iPuEZDLgFlomc5easAMfMYg1JEi9ocRsnzyEL8P5HS5znAdqO3kBFsG6X2b4r
	z0wgBl0TO9jKgut/WbW7rp4AhZQlrRo+ARF1J1G7dPov3SZ74eIhbbIOYf5owapY
	Fud9ctRnE90T1B8N07RRorhMvhPw0fxiJBPMq0jGVTTxp93gEA79CEBh/c6RhhdZ
	++zOma31Jc/nwvxY/FzGEUdzT+m89leib3I2DIHGBaQ5ZKUNXFRz/VF++sH3YrGB
	UQXRJEu/rbjJMXCfhs3TLor10cDx2P1bnO6oNTwt+BQuWH6Vz/cV6+KYDheGK5IQ
	N8iryCFvr41BDkMj1YaL55EqWpEk64adh5WN8YtruTowlJjsZ+d6MM/vsVz0USLU
	TeoXzOiNIfXFO8xjN2PS4PcsEOq2ti/oTPlJJW3hQ6dB4R8nk++iS+NZ6SRUnI8U
	mQ0utN+N/1HQKLh9nzUACdWe9BJ4KMJMpF8Vdk7mghIcX3aG9H+duT3FY8P0nsed
	cJM5H5tG1RkLw98POYNnPjn7j8iETIAlNG4QFh1qSO27rCHu9X2+9r0XxDPZiNhT
	+HmdKXeIrAd2HotvWdwBnBChfxAb32I8QQHqwxkS9eBcexC7IxIkI3HLO1/EqKZU
	XqpLF8eyZ5YlNwavBoHPs5yiVJyXX9HHDwF12hGiPpj5cmjgAX5jxV3OTVp7A6rc
	cx2Appm5AeN8nz5XE4WrQeQQek19Dd6bM0p0kowmusMRSjOJvLCTtmTyLeVMXsFi
	/mLYee6rSEyjrB8lIjVMWq33rz//tnU1NuoqTM0X5Tj9iUd7R2f8DAA8q2NageAR
	kFK7B2IAIKpfy+366Axc8cE2+of8SocRdbavX35xTahsnQhaFpoDoxlhoOkCTtzj
	Y25jc8xNSO7ULGjE30DIPSNp35KG14rNVNTHJB62ks3z0XirNU4/pUrYOzIfBdZL
	49ETu3y7oVb/ouhZs3QCptZlkiFf9quG/eTumY4cm63n5nTLjWwPpUFQzPE2gpgS
	FJXFFlm252hRNKtJnNZv55EBUxcd5T6GjykyfpKxEnxBNbOLzsg3c/uXDKbJjpwt
	qpCqA4Y2BXHYNti+l4Fxjfy/WQ7a+pwMj8ImA5vqxn14N8cQAKSYI7m8k3ZH5EHy
	LMCrU94T6QFvpxzrRB392MIVR0IRe6mAvdPXpbHdKXkIYNYCtVZBt8TC/kPjuoXK
	84PlabtFzJAMZlf4Eg1+2WLTPCJageKSUsOKbJqn65tw5OX1i7W+hdQQnNl/c+CC
	jR1ZJp+AK5dOi7mR8lV7NPPoI7wkeY8avx4pwFpMtcexxAldfx5sG4Fd3MXSYJAz
	4n+qqrXjkTOfYlbuPcG6CPUcFR6siHktns5HyKBrNm8/8pk61/qgtJy/1pMpUia3
	kV8aFL+8Mey3soYij+DBeiOIE/5tyASokdngNiwZvw4K40PsW+jzQCiXYeGfhi9C
	YiTydDpT+pWBLxdKdk2B+wTIl+F6XniREcz5o2+ZyJzf8u3Nf1DI/bqwNk1+tg9t
	yHcjEHoQsA8YsLkK9JzhE48pLJaLHeGGfJlXlN6lPKhMrvWiEAdjvTLqykyjgv21
	wTgZg8BSf2rKApVGVmJRr1H4hf4eLpT5llt3byZ/lnmTfgJ9gLo32wDfPF4xi1U9
	nW6fk1mLN1tp3YDaIAnr1qbD0kFXkcjGRmWg68vukVNzaRcdF6Su/Y8jLlm3GQM6
	q7hJWH2ZnqiOx+9XPHyb6IDF4AXxbYWu35EiSgqu+5L0W11GlyKbB7plExhPXEn3
	HItmzZ/wuAhf3DOb/szBdeOAevcTjNagohAeax3yvnavgQ2925YGhezxgaEoxo+7
	U9B7T03XEGTaIx5qn8EMqu1wKy546kSWBhAxq8wHXqQfeA3w88f12l3VVDT9nYoU
	lEIJyS6kzOASMh0n3AGFv+q1YG4ZGlO88810wFoGXAOJhCQ5jgAWFDrK68F67Lps
	Cq9lWODdG9dypIn/bGcv0fOQtoj1YmA5ZzvYgzEawftbGruaMW1FjHJcH4Lnosa3
	0hDBLBclrgG5ZoMeOtTQpmRkmioTawwGVoX3fmi6eKtLWKJWL9znh6KRLWIPOQb9
	/KhHmuxPyVYkpBVc7EDyEXdaZfN57JTCvjBaGZBF3eE826q9mSTOiaTOEUDU/TD4
	vCmsDCL9/hVlWf1IjutZ6Iy/BGupHY04lOM18Wvr3Npm2B1TVB49mtZdhbN5bUw+
	xevTb5dgAfYnaDds4zIX+h2FNeLp5rDty2x3th+5Hre/TUY/zJ2WaM0yigQ1s9Rn
	5uZ6sg/bPe+M6nOzPguHz77pqSVa9PrGsHo65Hgb1w71S1NXOMFaCKQEH6lVl6kv
	UPKs73P0vUhAJM0njD+8LaXIsaTsILNY2IbOPyMsT6TgpvHkzlO5nR+h7R/o2pao
	kDmW0vBuHdw15V58JlYD7DR6eqsP0ESdnJRjEiuvnJEWElXXDA6OX89OqiM6cnFX
	LuN8BrmhdfH8nPXDTPkIGLcCOgBg9anEwAWG0T8ZXKY60nElz+bScXijDpyxnGpL
	/Wmwr2L0WtYoDyT/X5a8qtWY0B0I72NFeoEkg/A5rHGZ+SfSc79sE+4dm/zVNU37
	AurHotydNRXi5tL8/SgWggSD//KPv39pg8lmUi8AIfe/+Vrmqy3fnCUgyMb2iULM
	mMahyuZb7m4Glsd/VbCprT++3ZLV1K+SzP9GCZymos3byCw4CZV6oTrkyw9lqCf/
	O4xXy6Kz+Cl91do8OlIG3PhOmRSvVU1uDQmdX26mbbckLhmk6ZPYltg4/A33rfmB
	Atc+5XtVRhRteZ3Bk0csryFi1ljX5jdslsYsiOzPzs4FfzY4pcP/75ec92VEb3C0
	8lF786UbHHVBu6ZGDSBASbhqlVE5vC1z5b2YJRiNolpr+2KUOsDF8ReXDaogAgyj
	vcczjik83AV4+Wyc70sc6Y+9kpTxchdhmug8Fdrx7gUwwkqm25m9ia5Z1qIX5RQv
	RG/pMtdOLbps0XoE1GEZjOC74bIfRffcspiPmUEDKlfqcHdB78Z6sgNAO3TfRzTV
	elsEB27DNDNC4OAYLqfXnt3WPhfKyE2LHGf3jqX+izVgy2LdqxDd5TB6LEnWpLbC
	K388OEnmc2HBxhcoPQqcd5zyDGsXXhK1EuNnJMvP2G3Ug26wKd0xo1H8Y5cVMEw1
	W6YHmLvsxKAOEScsjqfEMkwMQri1d21fzCwcfqF1v7sA2GwLf1QNC8Vfrle1vU2E
	dvrMtsnv4XZHSPMlsYZpsNpR5L7T79hTjsHIVHvfOwG+VhzL43G8EIdUVLDrwZzk
	FtJE4jF0CG/mTcgXPiT9gY5RBDYFjdwEVyz9nCBBopoYmY15tM19g9uZErZ2pm2V
	2pJXdsVMTLM/m9kZcShA7I89XtCZyBlvfV2IO/xLeqhKCBhY945k1EDvQGHWyJ+k
	lC6zPO1F0ihTLE3mhDIV/9WX9V9iKMMcO7b1XRhH9ym6O/bE6XECIvA6V5Zi2Hvy
	p5knHk4cuGSOuQaAxlUHgDTZVuFQrBeygh2xJRHDD0aDKff8lJrUGmSG6STKd2IR
	C7YWBdt/nfpSXEqKejOteMxil0XuOxQUTqmIyysvEXsQAluYyEqNd97LleWuKvox
	0oUIj3W7AuztDo6NesANMSvMquGE1DCRm+SlVab/LpT05CYpLNhsiPjzRy0vTDhz
	RS+2i3d7OFWzmmy0A1dVFojqvVe+rVLgF8L9aVEOg/t8l0/SIS1X7c1deYYIlqyg
	aQ1kjUOrUNaxIXyBgo8drkBt/esoO2aG30Ty5BmNerORyWi97Kf9Kz0FFwXFhjWF
	wfhV3iVlvfB4yt4xyVOiS23PvRqhQh5FDGUacg7l18VFgQkEPCCXoel9oWQaqB//
	efrcNeNlOjRs/zf+gkgQ+YGK1Tg4WkcFCrWyJ4CWp1FDy777m4tgCABc+Uf9elwc
	OnEFDjVMJlIojzQ8ojtsMqDyqka71A02UbR22JV5GGLMrZn7v4a7m3IwYKsYDOMq
	rdnhETVHpR/MZNpmIl9sJDqp0l9f4nfZ0NXaEGtJWrAi1y8dF7DXw06ejb63m/vP
	u3CpEPd031clExD9laaCBX8+eIpZ1qA6auswkck/itIasaeXO0B1pyKKfT8/sdBF
	Yec7SXwaZ7YMdwMeQ/q9epaQCjfC6WhiyZFOspC8iKCv+YG9DnL+IPLoz19Uy+0s
	3MIo2eEb4UEoVusA+qPmyo2J54jxjoLg3lopEzZy6INaWmLwfLwuUPmW4ZQVGxTX
	K48eY7AQVwofe7+bVabVaJt15o0lC4bwwyvUFmVYYiWb6cQPghLlarFhCgQG6PuG
	cb2pbwNpS37CR3ClVoKoGpRim8UdgQCc/87wfpKGdIkNHL03U14uE/S+pnWKgxE/
	hVlfAJmEN2XXaxs8EUnyTyChxvXtR6oVPinbtDKUh+K6jhFrc6j4c2W9LaX6x3VW
	8YceU4m1088zXoAQ+JQ9ZjEE3EZSBhNTtD2CUBWxVvMtI1aD4pXoGcftSC48nJcm
	2yva7a45CfUthHrGM8K5DqHuxgYPkbvMxpQhoSAABg1XttOEBhr0wLCe6GwjB1MV
	NJ02CTwcU9NdGCXNwVY8bMQYUNmKWgno59C4nnYKGx89J6ot0oSDeozipqGR6qHH
	k6TOjTmJck0x5v4UB2bFTqv2d757j1wHX9aWI+TfE5LId9VNlx8eEceJPwLQCN+x
	sklKuZgzJ2kbopE/t6+AmOOf8Exowa74kJFjSRE/T0muNYRFFGUj5s+Q3IVqPc07
	N//rNHGR64YK7rUuIWM225WP9PF4cTIUwReOO9+G/RF/wwlYdPFx7gGE+RZpvRet
	idaiJdgWpWq2LCfDUr1lY5tpO5t0HIEEfGfCngGiMmxtBHjlQsnTxxiUbU76omrG
	GflKQZprwhbm0QjLr8DdqAWbl9NHyx7sNvNIBvIKfx4ha1HdIWqv7TIc4F7weR03
	zm4S2xk3TvQvF5B5S/wkP2ah1Q4D6s2zb/ltAfEdjZh1OplgUwtdl5qmD+6Gb4Rf
	MZhmhwPjFlH6tZbzVlbEKCBAVb1f7fBHdITP9J6vuZdfJX2KLgmowSCvF/CV2eFg
	MkYByXc70gFxGVQYWf+iyokBlopcPrUtaE6lz9HdvdYs8h9E6utNfigBO8HwesOv
	3mzx8QdZIxjlFobEryoM8coveomoQHMysGW2T7ZZcSH/qdGsim4wbz0Gh/2a3tZt
	JLwcuOTnkCy48iRcbmp1yM2v32466e5swRG08jx7WvfksGsyw3s1Bf2aKvXmLTfn
	shsnvKATqsbt9oYfNRSkr1VfbSHrtX/4QFSWoKA/y++3BCf1fymNwgZRqyWGiJ1L
	J+eXOgl8hPXQqwR6NAONtq81uJP5hPZ96B4W8A69Onlz+0O4yuHL0DzJXR6Y4WAa
	+n5TWI7+D5nt5qMpURepwZVFAUblGqnzrt+ObSbZ4439acvFBqn2FqR1l903cMQc
	LVM+5iO7QFHh3cAp0wh5q500lgTI6E7isKaphnf7lrYfhu/XGLEMmhiIr6vCHIHZ
	qqF4LZ57amrwoa6vdbU0Mb84aN72gTee/hstZUUD9hS2NN6bRwwdV7Q8kCd7KXh4
	ksi+C9ezIkLL5rk/4RJEIVXzAYsk8+EPTLmsOpEld9Fhsz8qVixgMUKGuP7DTME0
	Ho+OlDdCc+LjeZ5PutEd+NErTSnKa0/wvr0p3SoNfNIBbLZ3B5vZmc/PJ/lC78dt
	lEJSoPLROxAjjmVL1PBS/xK2C2HFGl5GUtAJr3MBB4AoZqsm0ZE4FzSgkivPbDgT
	BC5uErDc8j5XERShES53q+pqsH6iFCWjtxfbQR2ZuaENehgBS9TZ5FC8TqhG+veg
	f3nyC6l3N1+2Q2vG37MM+u4de+UueB4J5aYaTOnozJefc+B0yqdShxKFjJczuQ+y
	U3DWcLMFVWcxWLJEc/ofdTjaKArlOsPSXcfK+MkGg7uamfmpwBGAVLAg7XQAczQR
	xItqTHxdRgyKmVmSQ+W32dPQezdGlwGx6/6xd4tgvkbmvcdiD2Dxd+hERwLxV8ch
	/6QZsS+2QLwsfCd5PuowAd4smW+t0hh/T2P9nJj9RFqAGJZjxlk2uiWgXnJqYka8
	9Wh3i+l5VjU9Vp88jbXsgNDnXv2moTm8PhU7xs7yup2OEOyINZQKmP/IruBdnIxL
	//mkxVweMNZx/zX8EIU/ZCWJLhTZdD1zQ64qg7OLsbDyoxUgjRqAm3ThGm+/RM2m
	4oYmgnEo0992SEooQQdaEaknVqxr3cFBPipBjhtSrvHtTmPdeXZd9LJMzDma1QPN
	CVE3N3cFlUjmZc6TbNobJs82eepRP5rReUDh774+Dmzjt9zG/f5lwd9AsMak8tSJ
	QqtordsjIBbD9mullL9VCAoEaICDQuKJyuRZKC6Zl8KmUlbJeRWAZoGYzFh9gQNZ
	vyowcho94c5OJVoWrkN9orZ3/AilScbdAbbVx1WUge/M1MTIimoyityrctwS1kCj
	5mEpsmR0KFkxQa0g/N40ieVaidIKulHKJ7/xXUO8Xev8W/73Foh9iJ4Zzk6WeBr6
	TzopDhv9S9C7DjYyPkIa/h/TcoW0ERGleqaXNUdv4FMw/h5elQz8UNTX44LA8e2C
	9rMkErSGRCMJFNMfw1tE9i4bDvfaupbAQ2wpASuLnrE1o8NCHAAVhL4NVhVhuTQZ
	0+p9l1MOKB4Mm1lJ7IQctspsgdI6tX8mSHtFkzxGVTV2mReDgM+xCiM/oK5Nqi3u
	bLeC/zCdhj08i1S33/NLgDTqXHiRQ4ixwmySXpJOhC/rbvcpS8n8LFY7vstUAg0P
	xc+wdjQV2oe7k2nuR/57pExIffynJ7VDbbKwSZ3Dolj78q9WuB7ej+AqXWyJWG8a
	aB7ayuu2J9r5kVjvR4XhHsJsPA5HOe79TJwfLdUdGvoH95mHx5G3BnuqShPWFvB0
	ejs4MN7tUoAMa06Te9AR20s867XbFWlA287mptLRKaWeQF7348vEpGjSQIJOzODS
	GCqFqaWn4ketWLu/EWfrSFMQMLeOlgIjWroeU2j1pIlPAS275ukJq06Tzs3vKq/u
	dDZsFg5skLngk8Uf1IBAuqnvFo+oCmK4Hcjdm22Ab4s7s1cLoRZOOVM+il3kM71X
	pcvOL/MnpEZ7z/Dv+0/EkvOaB6h+f6TXk5pSlW8IwlZ1IyXjXshY8uPo4zr9DuGa
	yHjCfvQxdHzSjBQ8EFcTarxQngcNynIcOt8EhYcg8sM4l73YoE50GIbJEtQStxO4
	sTdfyE+648y3mVXqMmLslw+W5i5CLN2EHvMLiOPcRccRpyfgSzrKOkAh94FjgRyn
	lENX1UgKrCEAQwSdtKW9KdvO0IoLkRqcsISbji0M5H1hxwY3WImYxnPSkLrIDXnx
	1W5qCXTjPqRAyuhLO3L49NcwCbCzRUXbfeATqQNWHrqjgI3rDfXhM2CMEzyndQ2v
	qRKS6NKd7gCRAUJWwqqZeJhkMjIyEodY8Ni001VxiCAjRIekn7W+p0dxfedQWpVI
	mDDElCMlXPQ5wcEftCjNDwrExEV/AAqEPgNzARnzQO3zrdTgs3LNTQ+KD/XRSeE+
	PlRMnR/buNn+EqXFNmF9iQt/y93Btb6GmMe4gAaAUfLpirozlnLYq4crn+LF4HHU
	tIi+AFTXrckbd+UH29l1JZLssgC5hNFVyJ5yl1e5XL+G3Ak63UyGeoqTbuNDMCRY
	L4FCEG38vzg6KZMzKyRbge3jPvI/ant0OwF2R/xNXaTedwHLBw29ObXNrnjzYMcG
	nAhc/i4QSXZpjoucfurBkyeUeRofRc1m62MZJvURsniWqpg1YQeJPBibww3vHd+O
	59UrrcXjga11aRhTV91rGMlgigMeOxn3R4yR16QTRIlnwXUpV4fNddJ4YMNBs4yQ
	bwvO3LZxAoYInLFBI2RMYaXr+ujFMTpw0INHPqo3TXFsHnNa6HVYdNKbouXv5/2j
	bANMr6X1ITuTvtQN4tWGbop5qfp90b9pPyw8P0bxSdro4ZHMeSgbiS9q6qZxjVz7
	jnOKMUrdbDkbYM+ojXZ18/4WPKtaxf6lTLrh3m5CJ1V8slRJp0Jes74aDQf/OXqo
	QgqVrI2wnl1klGwn06bhVaymdk0hMkxAfeHBGZIQ4BMMZ3aLuVWjAcBH/HP1tVQ4
	IG7MHRnm81yVNgA6yAuZZIPQwxDWVko7rRm/DnsJcpKfL0nZHoF+bJ6q4Rd6Dey1
	S96L4PDmXseFkVZOH/7dNWyKuvSA/MmthkN14lWJiYJebaXb7oZG3XDC70o7bG6Y
	mtGOrOwVthFereg1Ii98ZA4nKgqeu2paMju/t03hQXHY5iqyV9ax0A3B0rdivz4U
	VbqCcO7pGNb/Ki3gGc3hfVw9YXnR7E+tra19eE7UM7o+YlunKF1Q5dJaLKY1z3L9
	3UAJmXG/sZcLqrDn9zHfb/YxqbyIkM7VIU2kKztWCCNiNKgLQsIoVzK4sbS2LVDI
	grmvZg+Q7EkwxZ1FXeBGJmsiyjKYPU3PI8ZBU1MXjwTjtnQRuBSxh+Ok9glPeE+1
	rUDdlVoogUGgPAvLV3BM43E/Q5VE+X04KvPNKINvvS1nZpGKyyy1MayOfstc7Hsw
	W/RgllTEd7VW5jgZKg7YyA8r8cUjMqE7zewrq6MtkoFk6ZVslWxfoADBW3ivwdwe
	I4XwNboOgBx77qxf95aHRRdqWZa0JF8zvK5BH6EpBI29hlJU4leax696ACA7QIIM
	Rpc+ulkvHsNxsUlrUut9AXoob0MqDJRmZvU4gSVivHjvKLEIlymJw4pLbMWhcrNa
	v94TExP21Fy/zYcWiZT2nCX6qZVXTcUcQGIrBTWDbR8bxKll4FNo/2zmelyFmeXt
	iH+Zp2EwFAUELsrxx9plNd5WceyU9VnZoeucNFd2QFl7lV9KL8AlQaaMdsYOt27m
	8j7iNBID4HtCYM0xLwE/5uqVQPxX6qzPPZc66MSRIi8ZHZPFvVilFVzFyZSrq5Lo
	ojQQmAycQGOzx7dwx7vi9SeTrBRY2PK3WVurcLiRxM+2u9vjlxigwimpnK3VU1dh
	GDoPghB3O34bfiV5GndcnPDLJxsSGWz2z2WiyCFgCkVp3shHUN5c2PLWDIOf/Ejz
	LzNJXFKjO6/6ZGpMmGf6bZCa9MBnvXMNic9/k0lmtbgj8SS+2//gko1EDa/Gpaqo
	J2xgEuHLvp9KQABWt9VRI+tNUJQCS/Jq10ZiT1TzhczyJEqbtVDOo0l5A5sMV0PO
	HszFNxw2BmuM8RYGgAe5pkrdzVdtB8TLmhys7P+xRXNXnsUb+878kt2EyiXjMl1g
	oFeAlj2afj/GgelJG0G0FXm5WPDhbthHOO1hW9RP5WCTybjUTAS+GbikVwxa7bZE
	LHrROUOInY0ntR9lRNjpVCMdajCsMiqT/G0C/ApzeW6ErLMFIDdVdGSdnz/WDi5C
	xQTIS1FOAdefQ0CohE0yOOvjKTAGzht+g4gYiSa/mOnvXcCVM8t39thglZhq4+6G
	oWpOrXwByd8OA5f1aQMqSgoySJOGg8a3X7NR9bEDbF7/6QNJE5FvxwXvA8zcabUo
	OGxXen85Gkq1M/VnlJ3RGM8vA5UizsdPESYUCVH1eKg8ROlrQOr3ISj5kaNL42fv
	OSROmeHvZrHtvGn6hLTNPtWcm1hGSJS/Q5CEZe0/4ActkorF9kuoHCSG3UegX/lg
	5mD9aMTHUhD5VooS6OdyakqD+6LptNqQPL0IQALsS9Ls+8KUBxIi9cOe0xIusAQl
	OmyJcUJNr+Oq+Ypr6sWvelbWiymgGDN4gHm6BvzyXv5ihnvnmkIQ16WkAsIChzZx
	cZUl/bz9bDsSyJ4FyzSRoWuURTz9la3Bo2x5ufLChv2i9+X9WO6Y3nFc4KOBY4hD
	WeFt0ZUiY30SyTiWqrPHP8Lnto9JTBOZcIIHOqPgy4L+685Ou6xwO0cUzicIza5M
	TbMBOPfnVSgPSCFImGSjAaahWEvl360B8qjx8i1vgkUOxjqfFMnjZUF5b9lBDS72
	JK0esvGRUQqyC4uQHbTi8EOJYaOnCn+0lXPzLNpN171DHfEg/X6iiD0zTjMX/7Sk
	PPm2z3zH7yJmeDnh5e/gvgWaPuTVaN+LdUYv/ijqfS3bx6yF1VpNr+esTI23S+o2
	1HqlCfhZUnVmn6r0J1L8tuVeZaMni1qOFs4KacGA9UwAZeGVdOmK0rFIqUXKDehq
	7BAmDZV3hnQD2TQzgfDfXpegRECX/wZZVrcg896NltY1r6AVm9jcKLVCNalyoCwe
	Rp6anjx8qsUxnXXYN2rhl/l2Y9D23QZ2OM0cpvb9QPJGGgGeSaQu6p8N4hRUroje
	UlL8vBLle6tcvVoiRCvPCja857vnthqUppv9bzM9SAyMz4RXcYgQvFErExOI0eyT
	II67WbrY2j9ul7h4fZjNKCND7o2aENbylK8CU1wlwEBYC8BPgkTqi+dErP+VrWte
	QAhjomMkOVKKzG8JaoPJoVYBmMkMTCPsFFuTjtgvg2+a+DOiYbI8yTDT4+Mi/Woi
	gZUcE0HUosPkkJ2ZU3zDXdwPIr4DI7TlrnZPF99Es68+NXD6lQgc6U2fjnBfKMFw
	MfaTfrg3ykA8mBwqZ6hQdIoqha14uje9Ses2axrEF1FY+pU7JEKDozmo3HzgTfYA
	UFoHCu4Zbeu1IiHHJuVSRrwVy0BsY0nrq0Tjq2uYSbXyR9KylHCxztpzku5Gncy2
	Cl0sBUqv1uNWIt1v6yHdupzRM/fIZ3F95nPIomgM+uHmdpHaXyizM4D3doRGzNPH
	fOm6jWgKCllI8JHYJ1DUBUokYv8TYJLf0gOSaZLZmpEh88iXfBP52ZBlUIokeUN0
	aZlxSqawVMteeqcjCs7TNySBDzfTCZREHr77tnBz4+jINXi06mh+/Hz+LRA3YNRD
	Do5hyzvvFBg49rY0JzZPTC9J4bi+w1MPmmdz0OgQGG1Wiu+4LrSuBUOgiA0V+FyY
	/Md51ShFwRg/5zgcWS4hK1Eg4kKTKLF6Wjdu88PCKx2+gu9dYjXgdRuzZ6LUqqS2
	It/j3VptrXm8NwQFGM27HnqGwK5u+Ym3qLJ0FE4vWNbbxGlZtX3NS8SqZSqVfbqq
	TwIz4lXU3ipZJ5b42IanZ2nfWqKpdYn99C7yK6AbwA+qZf5zmy436dH+Rvo6PC6W
	+9MQcrrNgvq0tiAJvA39dzb77bhRjAKzL5cDiA40hPlcZs5+Q5g9XpYtKsSfzu7s
	FCFRnhXmhiBXoUqf5jsYNrm5dvtl27wPTaKvVQQ6SsVtXDZSWEbdAj8Xfeq7kev+
	jtvaOUmFRMaFevzu5t2uuLYzH7zufMB6p13chVUH9yRnWBzdha/Sqf78k57UQnZg
	EJwvXcDJ+uFbnd2sibgoASzDNljSfERK5RfD7Re3n5dK6W0PXzic+7ljGoSLedtd
	6DD11IzD6WjBlE/9Aiof6IUDdzuo2VZ0XtufBxmYHXUx9LF3/dgGOr8hvxz/wpMx
	nPnr9QDgF9svoCvYq1toUbtWgKd1LjXeVoprAhHXwbn4Z8hj7+/LpPYwR1X3u1ik
	wL916n0bOkLgWgqGjqsrgskk5Lk6ZzyrESZ0xd6/+dSrf2YxLivF8O4eCLfNxB3d
	=3akT
	-----END PGP MESSAGE-----

	'

	alpha_seckey='-----BEGIN PGP PRIVATE KEY BLOCK-----
	Version: GnuPG v1.4.8 (GNU/Linux)

	lQHhBDbjjp4RBAC2ZbFDX0wmJI8yLDYQdIiZeAuHLmfyHsqXaLGUMZtWiAvn/hNp
	ctwahmzKm5oXinHUvUkLOQ0s8rOlu15nhw4azc30rTP1LsIkn5zORNnFdgYC6RKy
	hOeim/63+/yGtdnTm49lVfaCqwsEmBCEkXaeWDGq+ie1b89J89T6n/JquwCgoQkj
	VeVGG+B/SzJ6+yifdHWQVkcD/RXDyLXX4+WHGP2aet51XlKojWGwsZmc9LPPYhwU
	/RcUO7ce1QQb0XFlUVFBhY0JQpM/ty/kNi+aGWFzigbQ+HAWZkUvA8+VIAVneN+p
	+SHhGIyLTXKpAYTq46AwvllZ5Cpvf02Cp/+W1aVyA0qnBWMyeIxXmR9HOi6lxxn5
	cjajA/9VZufOXWqCXkBvz4Oy3Q5FbjQQ0/+ty8rDn8OTaiPi41FyUnEi6LO+qyBS
	09FjnZj++PkcRcXW99SNxmEJRY7MuNHt5wIvEH2jNEOJ9lszzZFBDbuwsjXHK35+
	lPbGEy69xCP26iEafysKKbRXJhE1C+tk8SnK+Gm62sivmK/5av4CAwKcF1Qep+Pf
	ssOqtJhr+klruUBf55onBJi4vkk0gK3m32p/05YB2bbMURGz8R4JxUZfUxjdDk73
	LaNYRbQpQWxwaGEgVGVzdCAoZGVtbyBrZXkpIDxhbHBoYUBleGFtcGxlLm5ldD6I
	VQQTEQIAFQUCNuOOngMLCgMDFQMCAxYCAQIXgAAKCRAtcnzHaGl3NDl4AJ4rouHB
	+LpCkNi5C59jHEa1kbANzACgmddtrNSj1yPyTCwUwRghPUomECS0EEFsaWNlIChk
	ZW1vIGtleSmIVQQTEQIAFQUCNuO2qwMLCgMDFQMCAxYCAQIXgAAKCRAtcnzHaGl3
	NCeMAJ9MeUVrago5Jc6PdwdeN5OMwby37QCghW65cZTQlD1bBlIq/QM8bz9AN4G0
	J0FsZmEgVGVzdCAoZGVtbyBrZXkpIDxhbGZhQGV4YW1wbGUubmV0PohVBBMRAgAV
	BQI247hYAwsKAwMVAwIDFgIBAheAAAoJEC1yfMdoaXc0t8IAoJPwa6j+Vm5Vi3Nv
	uo8JZri4PJ/DAJ9dqbmaJdB8FdJnHfGh1rXK3y/Jcp0BuAQ2448PEAQAnI3XH1f0
	uyN9fZnw72zsHMw706g7EW29nD4UDQG4OzRZViSrUa5n39eI7QrfTO+1meVvs0y8
	F/PvFst5jH68rPLnGSrXz4sTl1T4cop1FBkquvCAKwPLy0lE7jjtCyItOSwIOo8x
	oTfY4JEEXmcqsbm+KHv9yYSF/YK4Cf7bIzcAAwcD/Rnl5jKxoucDA96pD2829TKs
	LFQSau+Xiy8bvOSSDdlyABsOkNBSaeKO3eAQEKgDM7dzjVNTnAlpQ0EQ8Y9Z8pxO
	WYEQYlaMrnRBC4DZ2IadzEhLlIOz5BVp/jfhrr8oVVBwKZXsrz9PZLz+e4Yn+siU
	Uvlei9boD9L2ZgSOHakP/gIDApwXVB6n49+yw6e5k2VJBGTFDkQbxpgi4oslePpT
	7Tc2qjAke4zO8JHkgKSokEgnMpMz412q9otFX/3qC5MpPG5P8f4r00Kfy9Am/thk
	ri01WTIUqF8L/VZXJxLKVoRAabSXudG0eavfah14fN5/+Bw5i8vSHhc/xmQEKTya
	2X8Nt1F5zMrE1LAGVVCL9i/DUygnJYOZzAd1Ct0RJ4kFj7lOBICF2IWWiEYEGBEC
	AAYFAjbjjw8ACgkQLXJ8x2hpdzQgqQCgn81AaW8W/lyVwMh/UBeMuVMUb24An2uz
	wg7Md81a5RI3F2FG8747t9gX
	=VM1e
	-----END PGP PRIVATE KEY BLOCK-----
	'

	# Bug 1179 solved 2010-05-12:
	-# It occured for messages of a multiple of the iobuf block size where
	+# It occurred for messages of a multiple of the iobuf block size where
	# the last line had no pad character. Due to premature poppng of thea
	# rmor filter gpg swalled the CRC line and passed the '-----END...'
	# line on to the decryption layer.

	i=alpha_seckey
	info "importing: $i"
	eval "(IFS=; echo \"\$$i\")" >x
	$GPG --import x \|\| true

	i=nopad_armored_msg
	info "checking: $i"
	eval "(IFS=; echo \"\$$i\")" >x
	if $GPG -o - x > /dev/null ; then
	:
	else
	error "bug#1179 is back in town"
	fi

	diff --git a/tools/gpgsplit.c b/tools/gpgsplit.c
	index 2451ab33f..93dd8edf8 100644
	--- a/tools/gpgsplit.c
	+++ b/tools/gpgsplit.c
	@@ -1,890 +1,890 @@
	/* gpgsplit.c - An OpenPGP packet splitting tool
	* Copyright (C) 2001, 2002, 2003 Free Software Foundation, Inc.
	*
	* This file is part of GnuPG.
	*
	* GnuPG is free software; you can redistribute it and/or modify
	* it under the terms of the GNU General Public License as published by
	* the Free Software Foundation; either version 3 of the License, or
	* (at your option) any later version.
	*
	* GnuPG is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	* GNU General Public License for more details.
	*
	* You should have received a copy of the GNU General Public License
	* along with this program; if not, see <http://www.gnu.org/licenses/>.
	*/

	#include <config.h>
	#include <errno.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <ctype.h>
	#include <unistd.h>
	#include <assert.h>
	#include <sys/types.h>
	#ifdef HAVE_DOSISH_SYSTEM
	# include <fcntl.h> /* for setmode() */
	#endif
	#ifdef HAVE_ZIP
	# include <zlib.h>
	#endif
	#ifdef HAVE_BZIP2
	# include <bzlib.h>
	#endif /* HAVE_BZIP2 */
	#if defined(__riscos__) && defined(USE_ZLIBRISCOS)
	# include "zlib-riscos.h"
	#endif

	#define INCLUDED_BY_MAIN_MODULE 1
	#include "util.h"
	#include "openpgpdefs.h"

	static int opt_verbose;
	static const char *opt_prefix = "";
	static int opt_uncompress;
	static int opt_secret_to_public;
	static int opt_no_split;

	static void g10_exit( int rc );
	static void split_packets (const char *fname);


	enum cmd_and_opt_values {
	aNull = 0,
	oVerbose = 'v',
	oPrefix = 'p',
	oUncompress = 500,
	oSecretToPublic,
	oNoSplit,

	aTest
	};


	static ARGPARSE_OPTS opts[] = {

	{ 301, NULL, 0, "@Options:\n " },

	{ oVerbose, "verbose", 0, "verbose" },
	{ oPrefix, "prefix", 2, "\|STRING\|Prepend filenames with STRING" },
	{ oUncompress, "uncompress", 0, "uncompress a packet"},
	{ oSecretToPublic, "secret-to-public", 0, "convert secret keys to public keys"},
	{ oNoSplit, "no-split", 0, "write to stdout and don't actually split"},
	{0} };


	static const char *
	my_strusage (int level)
	{
	const char *p;
	switch (level)
	{
	case 11: p = "gpgsplit (@GNUPG@)";
	break;
	case 13: p = VERSION; break;
	case 17: p = PRINTABLE_OS_NAME; break;
	case 19: p = "Please report bugs to <@EMAIL@>.\n"; break;

	case 1:
	case 40: p =
	"Usage: gpgsplit [options] [files] (-h for help)";
	break;
	case 41: p =
	"Syntax: gpgsplit [options] [files]\n"
	"Split an OpenPGP message into packets\n";
	break;

	default: p = NULL;
	}
	return p;
	}



	int
	main (int argc, char **argv)
	{
	ARGPARSE_ARGS pargs;

	#ifdef HAVE_DOSISH_SYSTEM
	setmode( fileno(stdin), O_BINARY );
	setmode( fileno(stdout), O_BINARY );
	#endif
	log_set_prefix ("gpgsplit", GPGRT_LOG_WITH_PREFIX);
	set_strusage (my_strusage);

	pargs.argc = &argc;
	pargs.argv = &argv;
	pargs.flags= 1; /* do not remove the args */
	while (optfile_parse( NULL, NULL, NULL, &pargs, opts))
	{
	switch (pargs.r_opt)
	{
	case oVerbose: opt_verbose = 1; break;
	case oPrefix: opt_prefix = pargs.r.ret_str; break;
	case oUncompress: opt_uncompress = 1; break;
	case oSecretToPublic: opt_secret_to_public = 1; break;
	case oNoSplit: opt_no_split = 1; break;
	default : pargs.err = 2; break;
	}
	}

	if (log_get_errorcount(0))
	g10_exit (2);

	if (!argc)
	split_packets (NULL);
	else
	{
	for ( ;argc; argc--, argv++)
	split_packets (*argv);
	}

	g10_exit (0);
	return 0;
	}


	static void
	g10_exit (int rc)
	{
	rc = rc? rc : log_get_errorcount(0)? 2 : 0;
	exit(rc );
	}

	static const char *
	pkttype_to_string (int pkttype)
	{
	const char *s;

	switch (pkttype)
	{
	case PKT_PUBKEY_ENC : s = "pk_enc"; break;
	case PKT_SIGNATURE : s = "sig"; break;
	case PKT_SYMKEY_ENC : s = "sym_enc"; break;
	case PKT_ONEPASS_SIG : s = "onepass_sig"; break;
	case PKT_SECRET_KEY : s = "secret_key"; break;
	case PKT_PUBLIC_KEY : s = "public_key"; break;
	case PKT_SECRET_SUBKEY : s = "secret_subkey"; break;
	case PKT_COMPRESSED :
	s = opt_uncompress? "uncompressed":"compressed";
	break;
	case PKT_ENCRYPTED : s = "encrypted"; break;
	case PKT_MARKER : s = "marker"; break;
	case PKT_PLAINTEXT : s = "plaintext"; break;
	case PKT_RING_TRUST : s = "ring_trust"; break;
	case PKT_USER_ID : s = "user_id"; break;
	case PKT_PUBLIC_SUBKEY : s = "public_subkey"; break;
	case PKT_OLD_COMMENT : s = "old_comment"; break;
	case PKT_ATTRIBUTE : s = "attribute"; break;
	case PKT_ENCRYPTED_MDC : s = "encrypted_mdc"; break;
	case PKT_MDC : s = "mdc"; break;
	case PKT_COMMENT : s = "comment"; break;
	case PKT_GPG_CONTROL : s = "gpg_control"; break;
	default: s = "unknown"; break;
	}
	return s;
	}


	/*
	* Create a new filename and a return a pointer to a statically
	* allocated buffer
	*/
	static char *
	create_filename (int pkttype)
	{
	static unsigned int partno = 0;
	static char *name;

	if (!name)
	name = xmalloc (strlen (opt_prefix) + 100 );

	assert (pkttype < 1000 && pkttype >= 0 );
	partno++;
	sprintf (name, "%s%06u-%03d" EXTSEP_S "%.40s",
	opt_prefix, partno, pkttype, pkttype_to_string (pkttype));
	return name;
	}

	static int
	read_u16 (FILE fp, size_t rn)
	{
	int c;

	if ( (c = getc (fp)) == EOF )
	return -1;
	*rn = c << 8;
	if ( (c = getc (fp)) == EOF )
	return -1;
	*rn \|= c;
	return 0;
	}

	static int
	read_u32 (FILE fp, unsigned long rn)
	{
	size_t tmp;

	if (read_u16 (fp, &tmp))
	return -1;
	*rn = tmp << 16;
	if (read_u16 (fp, &tmp))
	return -1;
	*rn \|= tmp;
	return 0;
	}

	static int
	write_old_header (FILE *fp, int pkttype, unsigned int len)
	{
	int ctb = (0x80 \| ((pkttype & 15)<<2));

	if (len < 256)
	;
	else if (len < 65536)
	ctb \|= 1;
	else
	ctb \|= 2;

	if ( putc ( ctb, fp) == EOF )
	return -1;

	if ( (ctb & 2) )
	{
	if (putc ((len>>24), fp) == EOF)
	return -1;
	if (putc ((len>>16), fp) == EOF)
	return -1;
	}
	if ( (ctb & 3) )
	{
	if (putc ((len>>8), fp) == EOF)
	return -1;
	}
	if (putc ((len&0xff), fp) == EOF)
	return -1;
	return 0;
	}

	static int
	write_new_header (FILE *fp, int pkttype, unsigned int len)
	{
	if ( putc ((0xc0 \| (pkttype & 0x3f)), fp) == EOF )
	return -1;

	if (len < 192)
	{
	if (putc (len, fp) == EOF)
	return -1;
	}
	else if (len < 8384)
	{
	len -= 192;
	if (putc ((len/256)+192, fp) == EOF)
	return -1;
	if (putc ((len%256), fp) == EOF)
	return -1;
	}
	else
	{
	if (putc ( 0xff, fp) == EOF)
	return -1;
	if (putc ( (len >> 24), fp) == EOF)
	return -1;
	if (putc ( (len >> 16), fp) == EOF)
	return -1;
	if (putc ( (len >> 8), fp) == EOF)
	return -1;
	if (putc ( (len & 0xff), fp) == EOF)
	return -1;
	}
	return 0;
	}

	/* Return the length of the public key given BUF of BUFLEN with a
	secret key. */
	static int
	public_key_length (const unsigned char *buf, size_t buflen)
	{
	const unsigned char *s;
	int nmpis;

	/* byte version number (3 or 4)
	u32 creation time
	[u16 valid days (version 3 only)]
	byte algorithm
	n MPIs (n and e) */
	if (!buflen)
	return 0;
	if (buf[0] < 2 \|\| buf[0] > 4)
	return 0; /* wrong version number */
	if (buflen < (buf[0] == 4? 6:8))
	return 0;
	s = buf + (buf[0] == 4? 6:8);
	buflen -= (buf[0] == 4? 6:8);
	switch (s[-1])
	{
	case 1:
	case 2:
	case 3:
	nmpis = 2;
	break;
	case 16:
	case 20:
	nmpis = 3;
	break;
	case 17:
	nmpis = 4;
	break;
	default:
	return 0;
	}

	for (; nmpis; nmpis--)
	{
	unsigned int nbits, nbytes;

	if (buflen < 2)
	return 0;
	nbits = (s[0] << 8) \| s[1];
	s += 2; buflen -= 2;
	nbytes = (nbits+7) / 8;
	if (buflen < nbytes)
	return 0;
	s += nbytes; buflen -= nbytes;
	}

	return s - buf;
	}

	#ifdef HAVE_ZIP
	static int
	handle_zlib(int algo,FILE fpin,FILE fpout)
	{
	z_stream zs;
	byte inbuf, outbuf;
	unsigned int inbufsize, outbufsize;
	int c,zinit_done, zrc, nread, count;
	size_t n;

	memset (&zs, 0, sizeof zs);
	inbufsize = 2048;
	inbuf = xmalloc (inbufsize);
	outbufsize = 8192;
	outbuf = xmalloc (outbufsize);
	zs.avail_in = 0;
	zinit_done = 0;

	do
	{
	if (zs.avail_in < inbufsize)
	{
	n = zs.avail_in;
	if (!n)
	zs.next_in = (Bytef *) inbuf;
	count = inbufsize - n;
	for (nread=0;
	nread < count && (c=getc (fpin)) != EOF;
	nread++)
	inbuf[n+nread] = c;

	n += nread;
	if (nread < count && algo == 1)
	{
	inbuf[n] = 0xFF; /* chew dummy byte */
	n++;
	}
	zs.avail_in = n;
	}
	zs.next_out = (Bytef *) outbuf;
	zs.avail_out = outbufsize;

	if (!zinit_done)
	{
	zrc = (algo == 1? inflateInit2 ( &zs, -13)
	: inflateInit ( &zs ));
	if (zrc != Z_OK)
	{
	log_fatal ("zlib problem: %s\n", zs.msg? zs.msg :
	zrc == Z_MEM_ERROR ? "out of core" :
	zrc == Z_VERSION_ERROR ?
	"invalid lib version" :
	"unknown error" );
	}
	zinit_done = 1;
	}
	else
	{
	#ifdef Z_SYNC_FLUSH
	zrc = inflate (&zs, Z_SYNC_FLUSH);
	#else
	zrc = inflate (&zs, Z_PARTIAL_FLUSH);
	#endif
	if (zrc == Z_STREAM_END)
	; /* eof */
	else if (zrc != Z_OK && zrc != Z_BUF_ERROR)
	{
	if (zs.msg)
	log_fatal ("zlib inflate problem: %s\n", zs.msg );
	else
	log_fatal ("zlib inflate problem: rc=%d\n", zrc );
	}
	for (n=0; n < outbufsize - zs.avail_out; n++)
	{
	if (putc (outbuf[n], fpout) == EOF )
	return 1;
	}
	}
	}
	while (zrc != Z_STREAM_END && zrc != Z_BUF_ERROR);
	{
	int i;

	fputs ("Left over bytes:", stderr);
	for (i=0; i < zs.avail_in; i++)
	fprintf (stderr, " %02X", zs.next_in[i]);
	putc ('\n', stderr);

	}
	inflateEnd (&zs);

	return 0;
	}
	#endif /HAVE_ZIP/

	#ifdef HAVE_BZIP2
	static int
	handle_bzip2(int algo,FILE fpin,FILE fpout)
	{
	bz_stream bzs;
	byte inbuf, outbuf;
	unsigned int inbufsize, outbufsize;
	int c,zinit_done, zrc, nread, count;
	size_t n;

	memset (&bzs, 0, sizeof bzs);
	inbufsize = 2048;
	inbuf = xmalloc (inbufsize);
	outbufsize = 8192;
	outbuf = xmalloc (outbufsize);
	bzs.avail_in = 0;
	zinit_done = 0;

	do
	{
	if (bzs.avail_in < inbufsize)
	{
	n = bzs.avail_in;
	if (!n)
	bzs.next_in = inbuf;
	count = inbufsize - n;
	for (nread=0;
	nread < count && (c=getc (fpin)) != EOF;
	nread++)
	inbuf[n+nread] = c;

	n += nread;
	if (nread < count && algo == 1)
	{
	inbuf[n] = 0xFF; /* chew dummy byte */
	n++;
	}
	bzs.avail_in = n;
	}
	bzs.next_out = outbuf;
	bzs.avail_out = outbufsize;

	if (!zinit_done)
	{
	zrc = BZ2_bzDecompressInit(&bzs,0,0);
	if (zrc != BZ_OK)
	log_fatal ("bz2lib problem: %d\n",zrc);
	zinit_done = 1;
	}
	else
	{
	zrc = BZ2_bzDecompress(&bzs);
	if (zrc == BZ_STREAM_END)
	; /* eof */
	else if (zrc != BZ_OK && zrc != BZ_PARAM_ERROR)
	log_fatal ("bz2lib inflate problem: %d\n", zrc );
	for (n=0; n < outbufsize - bzs.avail_out; n++)
	{
	if (putc (outbuf[n], fpout) == EOF )
	return 1;
	}
	}
	}
	while (zrc != BZ_STREAM_END && zrc != BZ_PARAM_ERROR);
	BZ2_bzDecompressEnd(&bzs);

	return 0;
	}
	#endif /* HAVE_BZIP2 */

	/* hdr must point to a buffer large enough to hold all header bytes */
	static int
	write_part (FILE *fpin, unsigned long pktlen,
	int pkttype, int partial, unsigned char *hdr, size_t hdrlen)
	{
	FILE *fpout;
	int c, first;
	unsigned char *p;
	const char *outname = create_filename (pkttype);

	#if defined(__riscos__) && defined(USE_ZLIBRISCOS)
	static int initialized = 0;

	if (!initialized)
	initialized = riscos_load_module("ZLib", zlib_path, 1);
	#endif
	if (opt_no_split)
	fpout = stdout;
	else
	{
	if (opt_verbose)
	log_info ("writing '%s'\n", outname);
	fpout = fopen (outname, "wb");
	if (!fpout)
	{
	log_error ("error creating '%s': %s\n", outname, strerror(errno));
	/* stop right now, otherwise we would mess up the sequence
	of the part numbers */
	g10_exit (1);
	}
	}

	if (opt_secret_to_public
	&& (pkttype == PKT_SECRET_KEY \|\| pkttype == PKT_SECRET_SUBKEY))
	{
	unsigned char *blob = xmalloc (pktlen);
	int i, len;

	pkttype = pkttype == PKT_SECRET_KEY? PKT_PUBLIC_KEY:PKT_PUBLIC_SUBKEY;

	for (i=0; i < pktlen; i++)
	{
	c = getc (fpin);
	if (c == EOF)
	goto read_error;
	blob[i] = c;
	}
	len = public_key_length (blob, pktlen);
	if (!len)
	{
	- log_error ("error calcualting public key length\n");
	+ log_error ("error calculating public key length\n");
	g10_exit (1);
	}
	if ( (hdr[0] & 0x40) )
	{
	if (write_new_header (fpout, pkttype, len))
	goto write_error;
	}
	else
	{
	if (write_old_header (fpout, pkttype, len))
	goto write_error;
	}

	for (i=0; i < len; i++)
	{
	if ( putc (blob[i], fpout) == EOF )
	goto write_error;
	}

	goto ready;
	}


	if (!opt_uncompress)
	{
	for (p=hdr; hdrlen; p++, hdrlen--)
	{
	if ( putc (*p, fpout) == EOF )
	goto write_error;
	}
	}

	first = 1;
	while (partial)
	{
	size_t partlen;

	if (partial == 1)
	{ /* openpgp */
	if (first )
	{
	c = pktlen;
	assert( c >= 224 && c < 255 );
	first = 0;
	}
	else if ((c = getc (fpin)) == EOF )
	goto read_error;
	else
	hdr[hdrlen++] = c;

	if (c < 192)
	{
	pktlen = c;
	partial = 0; /* (last segment may follow) */
	}
	else if (c < 224 )
	{
	pktlen = (c - 192) * 256;
	if ((c = getc (fpin)) == EOF)
	goto read_error;
	hdr[hdrlen++] = c;
	pktlen += c + 192;
	partial = 0;
	}
	else if (c == 255)
	{
	if (read_u32 (fpin, &pktlen))
	goto read_error;
	hdr[hdrlen++] = pktlen >> 24;
	hdr[hdrlen++] = pktlen >> 16;
	hdr[hdrlen++] = pktlen >> 8;
	hdr[hdrlen++] = pktlen;
	partial = 0;
	}
	else
	{ /* next partial body length */
	for (p=hdr; hdrlen; p++, hdrlen--)
	{
	if ( putc (*p, fpout) == EOF )
	goto write_error;
	}
	partlen = 1 << (c & 0x1f);
	for (; partlen; partlen--)
	{
	if ((c = getc (fpin)) == EOF)
	goto read_error;
	if ( putc (c, fpout) == EOF )
	goto write_error;
	}
	}
	}
	else if (partial == 2)
	{ /* old gnupg */
	assert (!pktlen);
	if ( read_u16 (fpin, &partlen) )
	goto read_error;
	hdr[hdrlen++] = partlen >> 8;
	hdr[hdrlen++] = partlen;
	for (p=hdr; hdrlen; p++, hdrlen--)
	{
	if ( putc (*p, fpout) == EOF )
	goto write_error;
	}
	if (!partlen)
	partial = 0; /* end of packet */
	for (; partlen; partlen--)
	{
	c = getc (fpin);
	if (c == EOF)
	goto read_error;
	if ( putc (c, fpout) == EOF )
	goto write_error;
	}
	}
	else
	{ /* compressed: read to end */
	pktlen = 0;
	partial = 0;
	hdrlen = 0;
	if (opt_uncompress)
	{
	if ((c = getc (fpin)) == EOF)
	goto read_error;

	if (0)
	;
	#ifdef HAVE_ZIP
	else if(c==1 \|\| c==2)
	{
	if(handle_zlib(c,fpin,fpout))
	goto write_error;
	}
	#endif /* HAVE_ZIP */
	#ifdef HAVE_BZIP2
	else if(c==3)
	{
	if(handle_bzip2(c,fpin,fpout))
	goto write_error;
	}
	#endif /* HAVE_BZIP2 */
	else
	{
	log_error("invalid compression algorithm (%d)\n",c);
	goto read_error;
	}
	}
	else
	{
	while ( (c=getc (fpin)) != EOF )
	{
	if ( putc (c, fpout) == EOF )
	goto write_error;
	}
	}
	if (!feof (fpin))
	goto read_error;
	}
	}

	for (p=hdr; hdrlen; p++, hdrlen--)
	{
	if ( putc (*p, fpout) == EOF )
	goto write_error;
	}

	/* standard packet or last segment of partial length encoded packet */
	for (; pktlen; pktlen--)
	{
	c = getc (fpin);
	if (c == EOF)
	goto read_error;
	if ( putc (c, fpout) == EOF )
	goto write_error;
	}

	ready:
	if ( !opt_no_split && fclose (fpout) )
	log_error ("error closing '%s': %s\n", outname, strerror (errno));
	return 0;

	write_error:
	log_error ("error writing '%s': %s\n", outname, strerror (errno));
	if (!opt_no_split)
	fclose (fpout);
	return 2;

	read_error:
	if (!opt_no_split)
	{
	int save = errno;
	fclose (fpout);
	errno = save;
	}
	return -1;
	}



	static int
	do_split (FILE *fp)
	{
	int c, ctb, pkttype;
	unsigned long pktlen = 0;
	int partial = 0;
	unsigned char header[20];
	int header_idx = 0;

	ctb = getc (fp);
	if (ctb == EOF)
	return 3; /* ready */
	header[header_idx++] = ctb;

	if (!(ctb & 0x80))
	{
	log_error("invalid CTB %02x\n", ctb );
	return 1;
	}
	if ( (ctb & 0x40) )
	{ /* new CTB */
	pkttype = (ctb & 0x3f);
	if( (c = getc (fp)) == EOF )
	return -1;
	header[header_idx++] = c;

	if ( c < 192 )
	pktlen = c;
	else if ( c < 224 )
	{
	pktlen = (c - 192) * 256;
	if( (c = getc (fp)) == EOF )
	return -1;
	header[header_idx++] = c;
	pktlen += c + 192;
	}
	else if ( c == 255 )
	{
	if (read_u32 (fp, &pktlen))
	return -1;
	header[header_idx++] = pktlen >> 24;
	header[header_idx++] = pktlen >> 16;
	header[header_idx++] = pktlen >> 8;
	header[header_idx++] = pktlen;
	}
	else
	{ /* partial body length */
	pktlen = c;
	partial = 1;
	}
	}
	else
	{
	int lenbytes;

	pkttype = (ctb>>2)&0xf;
	lenbytes = ((ctb&3)==3)? 0 : (1<<(ctb & 3));
	if (!lenbytes )
	{
	pktlen = 0; /* don't know the value */
	if( pkttype == PKT_COMPRESSED )
	partial = 3;
	else
	partial = 2; /* the old GnuPG partial length encoding */
	}
	else
	{
	for ( ; lenbytes; lenbytes-- )
	{
	pktlen <<= 8;
	if( (c = getc (fp)) == EOF )
	return -1;
	header[header_idx++] = c;

	pktlen \|= c;
	}
	}
	}

	return write_part (fp, pktlen, pkttype, partial, header, header_idx);
	}


	static void
	split_packets (const char *fname)
	{
	FILE *fp;
	int rc;

	if (!fname \|\| !strcmp (fname, "-"))
	{
	fp = stdin;
	fname = "-";
	}
	else if ( !(fp = fopen (fname,"rb")) )
	{
	log_error ("can't open '%s': %s\n", fname, strerror (errno));
	return;
	}

	while ( !(rc = do_split (fp)) )
	;
	if ( rc > 0 )
	; /* error already handled */
	else if ( ferror (fp) )
	log_error ("error reading '%s': %s\n", fname, strerror (errno));
	else
	log_error ("premature EOF while reading '%s'\n", fname );

	if ( fp != stdin )
	fclose (fp);
	}

File Metadata

Mime Type: text/x-diff
Expires: Fri, Dec 12, 11:37 AM (1 d, 22 h)
Storage Engine: local-disk
Storage Format: Raw Data
Storage Handle: cf/06/7d470d6cd5623974837b98cce1e4

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions