Finished preparations for 2.0.17gnupg-2.0.17

13 files changed, 468 insertions, 88 deletions

diff --git a/doc/ChangeLog b/doc/ChangeLog
index 1bf530a2f..7dae4ca9b 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,9 @@
+2011-01-13  Werner Koch  <[email protected]>
+
+	* FAQ: Make it a static file with a pointer to the online location.
+	* Makefile.am (EXTRA_DIST): Remove faq.raw and faq.html.
+	(FAQ, faq.html): Remove these targets
+
 2010-03-05  Werner Koch  <[email protected]>
 
 	* gpg.texi (GPG Configuration Options): Mention that
diff --git a/doc/DETAILS b/doc/DETAILS
index bcea9f1d2..2e1d92bb7 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
@@ -34,7 +34,7 @@ record; gpg2 does this by default and the option is a dummy.
             rev = revocation signature
 	    fpr = fingerprint: (fingerprint is in field 10)
 	    pkd = public key data (special field format, see below)
-            grp = reserved for gpgsm
+            grp = keygrip
             rvk = revocation key
             tru = trust database information
             spk = signature subpacket
@@ -221,12 +221,13 @@ more arguments in future versions.
 
     GOODSIG  <long_keyid_or_fpr>  <username>
 	The signature with the keyid is good.  For each signature only
-        one of the three codes GOODSIG, BADSIG or ERRSIG will be
-        emitted and they may be used as a marker for a new signature.
-        The username is the primary one encoded in UTF-8 and %XX
-        escaped. The fingerprint may be used instead of the long keyid
-        if it is available.  This is the case with CMS and might
-        eventually also be available for OpenPGP.
+        one of the codes GOODSIG, BADSIG, EXPSIG, EXPKEYSIG, REVKEYSIG
+        or ERRSIG will be emitted.  In the past they were used as a
+        marker for a new signature; new code should use the NEWSIG
+        status instead.  The username is the primary one encoded in
+        UTF-8 and %XX escaped. The fingerprint may be used instead of
+        the long keyid if it is available.  This is the case with CMS
+        and might eventually also be available for OpenPGP.
 
     EXPSIG  <long_keyid_or_fpr>  <username>
 	The signature with the keyid is good, but the signature is
@@ -464,7 +465,8 @@ more arguments in future versions.
           4 := "Error storing certificate".
 
     IMPORT_RES <count> <no_user_id> <imported> <imported_rsa> <unchanged>
-	<n_uids> <n_subk> <n_sigs> <n_revoc> <sec_read> <sec_imported> <sec_dups> <not_imported>
+	<n_uids> <n_subk> <n_sigs> <n_revoc> <sec_read> <sec_imported>
+        <sec_dups> <skipped_new_keys> <not_imported>
 	Final statistics on import process (this is one long line)
 
     FILE_START <what> <filename>
@@ -585,7 +587,8 @@ more arguments in future versions.
           8 := "Policy mismatch"
           9 := "Not a secret key"
 	 10 := "Key not trusted"
-         11 := "Missing certificate"  (e.g. intermediate or root cert.)
+         11 := "Missing certificate" 
+         12 := "Missing issuer certificate"
 
         Note that for historical reasons the INV_RECP status is also
         used for gpgsm's SIGNER command where it relates to signer's
@@ -616,6 +619,12 @@ more arguments in future versions.
         prefixed with a numerical error code and an underscore; e.g.:
         "151011327_EOF".
 
+    SUCCESS [<location>]
+        Postive confirimation that an operation succeeded.  <location>
+        is optional but if given should not contain spaces. 
+        Used only with a few commands.
+            
+
     ATTRIBUTE <fpr> <octets> <type> <index> <count>
 	      <timestamp> <expiredate> <flags>
 	This is one long line issued for each attribute subpacket when
@@ -680,6 +689,11 @@ more arguments in future versions.
         A backup key named FNAME has been created for the key with
         KEYID.
 
+    MOUNTPOINT <name>
+        NAME is a percent-plus escaped filename describing the
+        mountpoint for the current operation (e.g. g13 --mount).  This
+        may either be the specified mountpoint or one randomly choosen
+        by g13.
 
 
 Format of the "--attribute-fd" output
@@ -724,7 +738,9 @@ version: the third field contains the version of GnuPG.
 
 pubkey: the third field contains the public key algorithmdcaiphers
 	this version of GnuPG supports, separated by semicolons.  The
-	algorithm numbers are as specified in RFC-4880.
+	algorithm numbers are as specified in RFC-4880.  Note that in
+	contrast to the --status-fd interface these are _not_ the
+	Libgcrypt identifiers.
 
    cfg:pubkey:1;2;3;16;17
 
@@ -801,7 +817,8 @@ The format of this file is as follows:
 	The filename is used until a new filename is used (at commit points)
 	and all keys are written to that file.	If a new filename is given,
 	this file is created (and overwrites an existing one).
-	Both control statements must be given.
+        GnuPG < 2.1:  Both control statements must be given.
+        GnuPG >= 2.1: "%secring" is now a no-op.
     %ask-passphrase
         Enable a mode where the command "passphrase" is ignored and
         instead the usual passphrase dialog is used.  This does not
@@ -811,6 +828,19 @@ The format of this file is as follows:
         entry code.  This is a global option.
     %no-ask-passphrase
         Disable the ask-passphrase mode.        
+    %no-protection
+        With GnuPG 2.1 it is not anymore possible to specify a
+        passphrase for unattended key generation.  The passphrase
+        command is simply ignored and %ask-passpharse is thus
+        implicitly enabled.  Using this option allows to the creation
+        of keys without any passphrases.  This option is mainly
+        intended for regression tests.
+    %transient-key
+        If given the keys are created using a faster and a somewhat
+        less secure random number generator.  This option may be used
+        for keys which are only used for a short time and do not
+        require full cryptographic strength.  It takes only effect if
+        used together with the option no-protection.
 
    o The order of the parameters does not matter except for "Key-Type"
      which must be the first parameter.  The parameters are only for the
diff --git a/doc/FAQ b/doc/FAQ
new file mode 100644
index 000000000..32d074426
--- /dev/null
+++ b/doc/FAQ
@@ -0,0 +1,13 @@
+GnuPG Frequently Asked Questions
+
+A FAQ is a fast moving target and thus we don't distribute it anymore
+with GnuPG.  You may retrieve the current FAQ in HTML format at
+
+  http://www.gnupg.org/faq/GnuPG-FAQ.html
+
+or in plain text format at the FTP server:
+
+  ftp://ftp.gnupg.org/gcrypt/gnupg/GnuPG-FAQ.txt
+
+
+
diff --git a/doc/Makefile.am b/doc/Makefile.am
index f7dee4056..c0e225138 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -32,12 +32,12 @@ EXTRA_DIST = samplekeys.asc \
 	     gnupg-logo.eps gnupg-logo.pdf gnupg-logo.png \
              gnupg-card-architecture.eps gnupg-card-architecture.png \
              gnupg-card-architecture.pdf \
-             faq.raw FAQ faq.html gnupg7.texi \
+             FAQ gnupg7.texi \
              opt-homedir.texi see-also-note.texi specify-user-id.texi \
 	     gpgv.texi texi.css  yat2m.c
 
 BUILT_SOURCES = gnupg-card-architecture.eps gnupg-card-architecture.png \
-                gnupg-card-architecture.pdf FAQ faq.html
+                gnupg-card-architecture.pdf
 
 info_TEXINFOS = gnupg.texi
 
@@ -46,8 +46,6 @@ dist_pkgdata_DATA = qualified.txt com-certs.pem $(helpfiles)
 nobase_dist_doc_DATA = FAQ DETAILS HACKING TRANSLATE OpenPGP KEYSERVER \
                        $(examples)	
 
-dist_html_DATA = faq.html 
-
 
 gnupg_TEXINFOS = \
 	gpg.texi gpgsm.texi gpg-agent.texi scdaemon.texi instguide.texi \
@@ -75,7 +73,7 @@ noinst_MANS = gnupg.7
 watchgnupg_SOURCE = gnupg.texi
 
 
-CLEANFILES = faq.raw.xref yat2m
+CLEANFILES = yat2m faq.txt
 
 DISTCLEANFILES = gnupg.tmp gnupg.ops yat2m-stamp.tmp yat2m-stamp \
 		 $(myman_pages) gnupg.7
@@ -83,7 +81,6 @@ DISTCLEANFILES = gnupg.tmp gnupg.ops yat2m-stamp.tmp yat2m-stamp \
 yat2m: yat2m.c
 	$(CC_FOR_BUILD) -o $@ $(srcdir)/yat2m.c
 
-
 .fig.png:
 	fig2dev -L png `test -f '$<' || echo '$(srcdir)/'`$< $@
 
@@ -96,32 +93,15 @@ yat2m: yat2m.c
 .fig.pdf:
 	fig2dev -L pdf `test -f '$<' || echo '$(srcdir)/'`$< $@
 
-
-FAQ : faq.raw
-if WORKING_FAQPROG
-	$(FAQPROG) -f $<  $@ || $(FAQPROG) -f $< $@
-else
-	: Warning: missing faqprog.pl, cannot make $@
-	echo "No $@ due to missing faqprog.pl" > $@
-	echo "See ftp://ftp.gnupg.org/gcrypt/contrib/faqprog.pl" >> $@
-endif
-
-faq.html : faq.raw
-if WORKING_FAQPROG
-	$(FAQPROG) -h -f $< $@ 2>&1 || $(FAQPROG) -h -f $< $@
-else
-	: Warning: missing faqprog.pl, cannot make $@
-	echo "No $@ due to missing faqprog.pl" > $@
-	echo "See ftp://ftp.gnupg.org/gcrypt/contrib/faqprog.pl" >> $@
-endif
-
-
+# Note that yatm --store has a bug in that the @ifset gpgtwoone still
+# creates a dirmngr-client page from tools.texi.
 yat2m-stamp: $(myman_sources)
 	@rm -f yat2m-stamp.tmp
 	@touch yat2m-stamp.tmp
 	for file in $(myman_sources) ; do \
               ./yat2m $(YAT2M_OPTIONS) --store \
 	          `test -f '$$file' || echo '$(srcdir)/'`$$file ; done
+	@test -f dirmngr-client.1 && rm dirmngr-client.1
 	@mv -f yat2m-stamp.tmp $@
 
 yat2m-stamp: yat2m
diff --git a/doc/contrib.texi b/doc/contrib.texi
index 28ea2e1d3..bb558bd1a 100644
--- a/doc/contrib.texi
+++ b/doc/contrib.texi
@@ -97,7 +97,7 @@ IIDA, Yoshihiro Kajiki and Gerlinde Klaes.
 This software has been made possible by the previous work of Chris
 Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellmann
 Paul Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson,
-Taher ElGamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA
+Taher Elgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA
 mathematicians and all the folks who have worked hard to create
 complete and free operating systems.
 
diff --git a/doc/debugging.texi b/doc/debugging.texi
index df71009d6..c83ab1ef9 100644
--- a/doc/debugging.texi
+++ b/doc/debugging.texi
@@ -103,6 +103,17 @@ used.  Using the keyserver debug option as in
 is thus often helpful.  Note that the actual output depends on the
 backend and may change from release to release.
 
+@ifset gpgtwoone
+@item Logging on WindowsCE
+
+For development, the best logging method on WindowsCE is the use of
+remote debugging using a log file name of @file{tcp://<ip-addr>:<port>}.
+The command @command{watchgnupg} may be used on the remote host to listen
+on the given port. (@pxref{option watchgnupg --tcp}).  For in the field
+tests it is better to make use of the logging facility provided by the
+@command{gpgcedev} driver (part of libassuan); this is enabled by using
+a log file name of @file{GPG2:}. (@pxref{option --log-file}).
+@end ifset
 
 @end itemize
 
@@ -194,7 +205,7 @@ or other purposes and don't have a corresponding certificate.
 @item A root certificate does not verify
 
 A common problem is that the root certificate misses the required
-basicConstrains attribute and thus @command{gpgsm} rejects this
+basicConstraints attribute and thus @command{gpgsm} rejects this
 certificate.  An error message indicating ``no value'' is a sign for
 such a certificate.  You may use the @code{relax} flag in
 @file{trustlist.txt} to accept the certificate anyway.  Note that the
diff --git a/doc/gnupg.texi b/doc/gnupg.texi
index 6f3f0b74e..7bb54af51 100644
--- a/doc/gnupg.texi
+++ b/doc/gnupg.texi
@@ -34,7 +34,7 @@ Published by the Free Software Foundation@*
 Boston, MA 02110-1301 USA
 @end iftex
 
-Copyright @copyright{} 2002, 2004, 2005, 2006, 2007 Free Software Foundation, Inc.
+Copyright @copyright{} 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
 
 @quotation
 Permission is granted to copy, distribute and/or modify this document
@@ -50,6 +50,11 @@ section entitled ``Copying''.
 @direntry
 * gpg2: (gnupg).           OpenPGP encryption and signing tool.
 * gpgsm: (gnupg).          S/MIME encryption and signing tool.
+* gpg-agent: (gnupg).      The secret key daemon.
+@ifset gpgtwoone
+* dirmngr: (gnupg).        X.509 CRL and OCSP server.
+* dirmngr-client: (gnupg). X.509 CRL and OCSP client.
+@end ifset
 @end direntry
 
 
@@ -121,6 +126,9 @@ the administration and the architecture.
 * Installation::        A short installation guide.
 
 * Invoking GPG-AGENT::  How to launch the secret key daemon.
+@ifset gpgtwoone
+* Invoking DIRMNGR::    How to launch the CRL and OCSP daemon.
+@end ifset
 * Invoking GPG::        Using the OpenPGP protocol.
 * Invoking GPGSM::      Using the S/MIME protocol.
 * Invoking SCDAEMON::   How to handle Smartcards.
@@ -152,6 +160,9 @@ the administration and the architecture.
 @include instguide.texi
 
 @include gpg-agent.texi
+@ifset gpgtwoone
+@include dirmngr.texi
+@end ifset
 @include gpg.texi
 @include gpgsm.texi
 @include scdaemon.texi
@@ -194,6 +205,18 @@ the administration and the architecture.
 @c Epilogue
 @c ---------------------------------------------------------------------
 
+@c @node History
+@c @unnumbered History
+@c 
+@c Here are the notices from the old dirmngr manual: 
+@c
+@c @itemize
+@c @item Using DirMngr, 2002, Steffen Hansen, Klar"alvdalens Datakonsult AB.
+@c @item Using DirMngr, 2004, 2005, 2006, 2008 Werner Koch, g10 Code GmbH.
+@c @end itemize
+@c 
+
+
 @bye
 
 
diff --git a/doc/gnupg7.texi b/doc/gnupg7.texi
index 33b99b747..c48dca96f 100644
--- a/doc/gnupg7.texi
+++ b/doc/gnupg7.texi
@@ -23,6 +23,7 @@ daemon which may also emulate the @command{ssh-agent}.
 @command{gpgv}(1), 
 @command{gpgsm}(1), 
 @command{gpg-agent}(1), 
+@command{dirmngr}(8), 
 @command{scdaemon}(1)
 @include see-also-note.texi
 @end ifset
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 1d9ab70f1..cb5f7d732 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -2,6 +2,11 @@
 @c This is part of the GnuPG manual.
 @c For copying conditions, see the file gnupg.texi.
 
+@c Note that we use this texinfo file for all versions of GnuPG: 
+@c 2.0 and 2.1.  The macro "gpgtwoone" controls parts which are only
+@c valid for GnuPG 2.1 and later.
+
+
 @node Invoking GPG-AGENT
 @chapter Invoking GPG-AGENT
 @cindex GPG-AGENT command options
@@ -47,13 +52,24 @@ independently from any protocol.  It is used as a backend for
 @command{gpg} and @command{gpgsm} as well as for a couple of other
 utilities.
 
+@ifset gpgtwoone
+The agent is usualy started on demand by @command{gpg}, @command{gpgsm},
+@command{gpgconf} or @command{gpg-connect-agent}.  Thus there is no
+reason to start it manually.  In case you want to use the included
+Secure Shell Agent you may start the agent using:
+
+@example
+gpg-connect-agent /bye
+@end example
+@end ifset
+
+@ifclear gpgtwoone
 @noindent
 The usual way to run the agent is from the @code{~/.xsession} file:
 
 @example
 eval $(gpg-agent --daemon)
 @end example
-
 @noindent
 If you don't use an X server, you can also put this into your regular
 startup file @code{~/.profile} or @code{.bash_profile}.  It is best not
@@ -83,13 +99,13 @@ if [ -f "$@{HOME@}/.gpg-agent-info" ]; then
   . "$@{HOME@}/.gpg-agent-info"
   export GPG_AGENT_INFO
   export SSH_AUTH_SOCK
-  export SSH_AGENT_PID
 fi
 @end smallexample
 
 @noindent
 It reads the data out of the file and exports the variables.  If you
 don't use Secure Shell, you don't need the last two export statements.
+@end ifclear
  
 @noindent
 You should always add the following lines to your @code{.bashrc} or
@@ -136,18 +152,18 @@ only one command is allowed.
 @table @gnupgtabopt
 @item --version
 @opindex version
-Print the program version and licensing information.  Not that you can
+Print the program version and licensing information.  Note that you cannot
 abbreviate this command.
 
 @item --help
 @itemx -h
 @opindex help
 Print a usage message summarizing the most useful command-line options.
-Not that you can abbreviate this command.
+Note that you cannot abbreviate this command.
 
 @item --dump-options
 @opindex dump-options
-Print a list of all available options and commands.  Not that you can
+Print a list of all available options and commands.  Note that you cannot
 abbreviate this command.
 
 @item --server
@@ -315,10 +331,15 @@ eval $(cut -d= -f 1 < @var{file} | xargs echo export)
 Tell the pinentry not to grab the keyboard and mouse.  This option
 should in general not be used to avoid X-sniffing attacks.
 
+@anchor{option --log-file}
 @item --log-file @var{file}
 @opindex log-file
-Append all logging output to @var{file}.  This is very helpful in
-seeing what the agent actually does.
+Append all logging output to @var{file}.  This is very helpful in seeing
+what the agent actually does.  If neither a log file nor a log file
+descriptor has been set on a Windows platform, the Registry entry
+@code{HKCU\Software\GNU\GnuPG:DefaultLogFile}, if set, is used to specify
+the logging output.
+
 
 @anchor{option --allow-mark-trusted}
 @item --allow-mark-trusted
@@ -399,7 +420,7 @@ This option does nothing yet.
 @item --pinentry-program @var{filename}
 @opindex pinentry-program
 Use program @var{filename} as the PIN entry.  The default is installation
-dependent and can be shown with the @code{--version} command.
+dependent.
 
 @item --pinentry-touch-file @var{filename}
 @opindex pinentry-touch-file
@@ -415,7 +436,7 @@ modification and access time.
 @item --scdaemon-program @var{filename}
 @opindex scdaemon-program
 Use program @var{filename} as the Smartcard daemon.  The default is
-installation dependent and can be shown with the @code{--version}
+installation dependent and can be shown with the @command{gpgconf}
 command.
 
 @item --disable-scdaemon
@@ -435,13 +456,20 @@ a random socket below a temporary directory.  Tools connecting to
 environment variable @var{GPG_AGENT_INFO} and then fall back to this
 socket.  This option may not be used if the home directory is mounted on
 a remote file system which does not support special files like fifos or
-sockets.  Note, that @option{--use-standard-socket} is the
-default on Windows systems.  The default may be changed at build time.
-It is possible to test at runtime whether the agent has been configured
-for use with the standard socket by issuing the command
-@command{gpg-agent --use-standard-socket-p} which returns success if the
-standard socket option has been enabled.
-
+sockets.
+@ifset gpgtwoone
+Note, that @option{--use-standard-socket} is the default on all
+systems since GnuPG 2.1.
+@end ifset
+@ifclear gpgtwoone
+Note, that @option{--use-standard-socket} is the default on
+Windows systems.
+@end ifclear
+The default may be changed at build time.  It is
+possible to test at runtime whether the agent has been configured for
+use with the standard socket by issuing the command @command{gpg-agent
+--use-standard-socket-p} which returns success if the standard socket
+option has been enabled.
 
 @item --display @var{string}
 @itemx --ttyname @var{string}
@@ -470,7 +498,7 @@ pinentry to pop up at the @code{tty} or display you started the agent.
 @item --enable-ssh-support
 @opindex enable-ssh-support
 
-Enable emulation of the OpenSSH Agent protocol.
+Enable the OpenSSH Agent protocol.
 
 In this mode of operation, the agent does not only implement the
 gpg-agent protocol, but also the agent protocol used by OpenSSH
@@ -497,10 +525,20 @@ has been started.  To switch this display to the current one, the
 following command may be used:
 
 @smallexample
-echo UPDATESTARTUPTTY | gpg-connect-agent
+gpg-connect-agent updatestartuptty /bye
 @end smallexample
 
+Although all GnuPG components try to start the gpg-agent as needed, this
+is not possible for the ssh support because ssh does not know about it.
+Thus if no GnuPG tool which accesses the agent has been run, there is no
+guarantee that ssh is abale to use gpg-agent for authentication.  To fix
+this you may start gpg-agent if needed using this simple command:
+
+@smallexample
+gpg-connect-agent /bye
+@end smallexample
 
+Adding the @option{--verbose} shows the progress of starting the agent.
 
 @end table
 
@@ -573,10 +611,13 @@ It is possible to add further flags after the @code{S} for use by the
 caller:
 
 @table @code
+
 @item relax
-Relax checking of some root certificate requirements.  This is for
-example required if the certificate is missing the basicConstraints
-attribute (despite that it is a MUST for CA certificates).
+@cindex relax
+Relax checking of some root certificate requirements.  As of now this
+flag allows the use of root certificates with a missing basicConstraints
+attribute (despite that it is a MUST for CA certificates) and disables
+CRL checking for the root certificate.
 
 @item cm
 If validation of a certificate finally issued by a CA with this flag set
@@ -586,7 +627,7 @@ fails, try again using the chain validation model.
 
   
 @item sshcontrol
-
+@cindex sshcontrol
 This file is used when support for the secure shell agent protocol has
 been enabled (@pxref{option --enable-ssh-support}). Only keys present in
 this file are used in the SSH protocol.  You should backup this file.
@@ -709,7 +750,6 @@ and add something like (for Bourne shells)
     . "$@{HOME@}/.gpg-agent-info"
     export GPG_AGENT_INFO
     export SSH_AUTH_SOCK
-    export SSH_AGENT_PID
   fi
 @end example
 @end cartouche
@@ -1149,11 +1189,13 @@ This can be used to see whether a secret key is available.  It does
 not return any information on whether the key is somehow protected.
 
 @example
-  HAVEKEY @var{keygrip}
+  HAVEKEY @var{keygrips}
 @end example
 
-The Agent answers either with OK or @code{No_Secret_Key} (208).  The
-caller may want to check for other error codes as well.
+The agent answers either with OK or @code{No_Secret_Key} (208).  The
+caller may want to check for other error codes as well.  More than one
+keygrip may be given.  In this case the command returns success if at
+least one of the keygrips corresponds to an available secret key.
 
 
 @node Agent LEARN
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 9b2fc480d..63cc7b64c 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -3,6 +3,11 @@
 @c This is part of the GnuPG manual.
 @c For copying conditions, see the file gnupg.texi.
 
+@c Note that we use this texinfo file for all versions of GnuPG: 1.4.x,
+@c 2.0 and 2.1.  The macro "gpgone" controls parts which are only valid
+@c for GnuPG 1.4, the macro "gpgtwoone" controls parts which are only
+@c valid for GnupG 2.1 and later.
+
 @node Invoking GPG
 @chapter Invoking GPG
 @cindex GPG command options
@@ -68,18 +73,19 @@ implementation.
 
 @ifset gpgone
 This is the standalone version of @command{gpg}.  For desktop use you
-should consider using @command{gpg2}.
+should consider using @command{gpg2} @footnote{On some platforms gpg2 is
+installed under the name @command{gpg}}.
 @end ifset
 
 @ifclear gpgone
 In contrast to the standalone version @command{gpg}, which is more
-suited for server and embedded platforms, this version is installed
-under the name @command{gpg2} and more targeted to the desktop as it
-requires several other modules to be installed.  The standalone version
-will be kept maintained and it is possible to install both versions on
-the same system.  If you need to use different configuration files, you
-should make use of something like @file{gpg.conf-2} instead of just
-@file{gpg.conf}.
+suited for server and embedded platforms, this version is commonly
+installed under the name @command{gpg2} and more targeted to the desktop
+as it requires several other modules to be installed.  The standalone
+version will be kept maintained and it is possible to install both
+versions on the same system.  If you need to use different configuration
+files, you should make use of something like @file{gpg.conf-2} instead
+of just @file{gpg.conf}.
 @end ifclear
 
 @manpause
@@ -1023,9 +1029,11 @@ give the opposite meaning.  The options are:
 @item show-photos
 @opindex list-options:show-photos
 Causes @option{--list-keys}, @option{--list-sigs},
-@option{--list-public-keys}, and @option{--list-secret-keys} to display
-any photo IDs attached to the key.  Defaults to no. See also
-@option{--photo-viewer}.
+@option{--list-public-keys}, and @option{--list-secret-keys} to
+display any photo IDs attached to the key.  Defaults to no. See also
+@option{--photo-viewer}.  Does not work with @option{--with-colons}:
+see @option{--attribute-fd} for the appropriate way to get photo data
+for scripts and other frontends.
 
 @item show-policy-urls
 @opindex list-options:show-policy-urls
@@ -1135,6 +1143,9 @@ same, except the file will not be deleted once the viewer exits.
 Other flags are "%k" for the key ID, "%K" for the long key ID, "%f"
 for the key fingerprint, "%t" for the extension of the image type
 (e.g. "jpg"), "%T" for the MIME type of the image (e.g. "image/jpeg"),
+"%v" for the single-character calculated validity of the image being
+viewed (e.g. "f"), "%V" for the calculated validity as a string (e.g.
+"full"),
 and "%%" for an actual percent sign. If neither %i or %I are present,
 then the photo will be supplied to the viewer on standard input.
 
@@ -1773,13 +1784,27 @@ Remove all entries from the @option{--group} list.
 Use @var{name} as the key to sign with. Note that this option overrides
 @option{--default-key}.
 
+@ifset gpgtwoone
+@item --try-secret-key @var{name}
+@opindex try-secret-key
+For hidden recipients GPG needs to know the keys to use for trial
+decryption.  The key set with @option{--default-key} is always tried
+first, but this is often not sufficient.  This option allows to set more
+keys to be used for trial decryption.  Although any valid user-id
+specification may be used for @var{name} it makes sense to use at least
+the long keyid to avoid ambiguities.  Note that gpg-agent might pop up a
+pinentry for a lot keys to do the trial decryption.  If you want to stop
+all further trial decryption you may use close-window button instead of
+the cancel button.
+@end ifset
+
 @item --try-all-secrets
 @opindex try-all-secrets
 Don't look at the key ID as stored in the message but try all secret
 keys in turn to find the right decryption key. This option forces the
 behaviour as used by anonymous recipients (created by using
-@option{--throw-keyids}) and might come handy in case where an encrypted
-message contains a bogus key ID.
+@option{--throw-keyids} or @option{--hidden-recipient}) and might come
+handy in case where an encrypted message contains a bogus key ID.
 
 @item --skip-hidden-recipients
 @itemx --no-skip-hidden-recipients
@@ -1939,6 +1964,11 @@ obsolete; it does not harm to use it though.
 Same as the command @option{--fingerprint} but changes only the format
 of the output and may be used together with another command.
 
+@ifset gpgtwoone
+@item --with-keygrip
+@opindex with-keygrip
+Include the keygrip in the key listings.
+@end ifset
 
 @end table
 
@@ -2014,8 +2044,7 @@ to safely override the algorithm chosen by the recipient key
 preferences, as GPG will only select an algorithm that is usable by
 all recipients.  The most highly ranked digest algorithm in this list
 is also used when signing without encryption
-(e.g. @option{--clearsign} or @option{--sign}). The default value is
-SHA-1.
+(e.g. @option{--clearsign} or @option{--sign}).
 
 @item --personal-compress-preferences @code{string}
 Set the list of personal compression preferences to @code{string}.
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index f94450257..530169a99 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -450,7 +450,7 @@ However the standard model (shell) is in that case always tried first.
 @opindex ignore-cert-extension
 Add @var{oid} to the list of ignored certificate extensions.  The
 @var{oid} is expected to be in dotted decimal form, like
-@code{2.5.29.3}.  This option may used more than once.  Critical
+@code{2.5.29.3}.  This option may be used more than once.  Critical
 flagged certificate extensions matching one of the OIDs in the list
 are treated as if they are actually handled and thus the certificate
 won't be rejected due to an unknown critical extension.  Use this
@@ -554,6 +554,10 @@ This option is therefore useful to simply verify a certificate.
 For standard key listings, also print the MD5 fingerprint of the
 certificate.
 
+@item --with-keygrip
+Include the keygrip in standard key listings.  Note that the keygrip is
+always listed in --with-colons mode.
+
 @end table
 
 @c *******************************************
diff --git a/doc/instguide.texi b/doc/instguide.texi
index f63c715ba..d6815e209 100644
--- a/doc/instguide.texi
+++ b/doc/instguide.texi
@@ -6,7 +6,6 @@
 @node Installation
 @chapter A short installation guide.
 
-
 Unfortunately the installation guide has not been finished in time.
 Instead of delaying the release of GnuPG 2.0 even further, I decided to
 release without that guide.  The chapter on gpg-agent and gpgsm do
@@ -16,6 +15,31 @@ meantime you may search the GnuPG mailing list archives or ask on the
 gnupg-users mailing listsfor advise on how to solve problems or how to
 get that whole thing up and running. 
 
+** Building the software
+
+Building the software is decribed in the file @file{INSTALL}.  Given
+that you are already reading this documentation we can only give some
+extra hints
+
+To comply with the rules on GNU systems you should have build time
+configured @command{dirmngr} using:
+
+@example
+./configure --sysconfdir=/etc --localstatedir=/var
+@end example
+
+This is to make sure that system wide configuration files are searched
+in the directory @file{/etc/gnupg} and variable data below @file{/var};
+the default would be to also install them below @file{/usr/local} where
+the binaries get installed.  If you selected to use the
+@option{--prefix=/} you obviously don't need those option as they are
+the default then.
+
+
+
+** Explain how to setup a root CA key as trusted
+
+
 Such questions may also help to write a proper installation guide.
 
 [to be written]
diff --git a/doc/tools.texi b/doc/tools.texi
index e974cc453..c85f9e243 100644
--- a/doc/tools.texi
+++ b/doc/tools.texi
@@ -16,6 +16,9 @@ GnuPG comes with a couple of smaller tools:
 * gpgsm-gencert.sh::      Generate an X.509 certificate request.
 * gpg-preset-passphrase:: Put a passphrase into the cache.
 * gpg-connect-agent::     Communicate with a running agent.
+@ifset gpgtwoone
+* dirmngr-client::        How to use the Dirmngr client tool.
+@end ifset
 * gpgparsemail::          Parse a mail message into an annotated format
 * symcryptrun::           Call a simple symmetric encryption tool.
 * gpg-zip::               Encrypt or sign files into an archive.
@@ -41,11 +44,12 @@ GnuPG comes with a couple of smaller tools:
 @end ifset
 
 @mansect description
-Most of the main utilities are able to write their log files to a
-Unix Domain socket if configured that way.  @command{watchgnupg} is a simple
-listener for such a socket.  It ameliorates the output with a time
-stamp and makes sure that long lines are not interspersed with log
-output from other utilities.
+Most of the main utilities are able to write their log files to a Unix
+Domain socket if configured that way.  @command{watchgnupg} is a simple
+listener for such a socket.  It ameliorates the output with a time stamp
+and makes sure that long lines are not interspersed with log output from
+other utilities.  This tool is not available for Windows.
+
 
 @noindent
 @command{watchgnupg} is commonly invoked as
@@ -69,6 +73,11 @@ This starts it on the current terminal for listening on the socket
 @opindex force
 Delete an already existing socket file.
 
+@anchor{option watchgnupg --tcp}
+@item --tcp @var{n}
+Instead of reading from a local socket, listen for connects on TCP port
+@var{n}.
+
 @item --verbose
 @opindex verbose
 Enable extra informational output.
@@ -83,6 +92,41 @@ Display a brief help page and exit.
 
 @end table
 
+@noindent
+@mansect examples
+@chapheading Examples
+
+@example
+$ watchgnupg --force /home/foo/.gnupg/S.log
+@end example
+
+This waits for connections on the local socket
+@file{/home/foo/.gnupg/S.log} and shows all log entries.  To make this
+work the option @option{log-file} needs to be used with all modules
+which logs are to be shown.  The value for that option must be given
+with a special prefix (e.g. in the conf file):
+
+@example
+log-file socket:///home/foo/.gnupg/S.log
+@end example
+
+For debugging purposes it is also possible to do remote logging.  Take
+care if you use this feature because the information is send in the
+clear over the network.  Use this syntax in the conf files:
+
+@example
+log-file tcp://192.168.1.1:4711
+@end example
+
+You may use any port and not just 4711 as shown above; only IP addresses
+are supported (v4 and v6) and no host names.  You need to start
+@command{watchgnupg} with the @option{tcp} option.  Note that under
+Windows the registry entry @var{HKCU\Software\GNU\GnuPG:DefaultLogFile}
+can be used to change the default log output from @code{stderr} to
+whatever is given by that entry.  However the only useful entry is a TCP
+name for remote debugging.
+
+
 @mansect see also
 @ifset isman
 @command{gpg}(1), 
@@ -255,6 +299,12 @@ List the global configuration file in a colon separated format.  If
 Run a syntax check on the global configuration file.  If @var{filename}
 is given, check that file instead.
 
+@item --reload [@var{component}]
+@opindex reload
+Reload all or the given component. This is basically the sam as sending
+a SIGHUP to the component.  Components which don't support reloading are
+ignored.
+
 @end table
 
 
@@ -1129,6 +1179,11 @@ Try to be as quiet as possible.
 
 @include opt-homedir.texi
 
+@item --agent-program @var{file}
+@opindex agent-program
+Specify the agent program to be started if none is running.
+
+
 @item -S
 @itemx --raw-socket @var{name}
 @opindex S        
@@ -1381,6 +1436,168 @@ Print a list of available control commands.
 @include see-also-note.texi
 @end ifset
 
+@ifset gpgtwoone
+@c
+@c   DIRMNGR-CLIENT
+@c
+@node dirmngr-client
+@section The Dirmngr Client Tool
+
+@manpage dirmngr-client.1
+@ifset manverb
+.B dirmngr-client
+\- Tool to access the Dirmngr services
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B  dirmngr-client
+.RI [ options ]  
+.RI [ certfile | pattern ]  
+@end ifset
+
+@mansect description
+The @command{dirmngr-client} is a simple tool to contact a running
+dirmngr and test whether a certificate has been revoked --- either by
+being listed in the corresponding CRL or by running the OCSP protocol.
+If no dirmngr is running, a new instances will be started but this is
+in general not a good idea due to the huge performance overhead.
+
+@noindent
+The usual way to run this tool is either:
+
+@example
+dirmngr-client @var{acert}
+@end example
+
+@noindent
+or
+
+@example
+dirmngr-client <@var{acert}
+@end example
+
+Where @var{acert} is one DER encoded (binary) X.509 certificates to be
+tested. 
+@ifclear isman
+The return value of this command is
+@end ifclear
+
+@mansect return value
+@ifset isman
+@command{dirmngr-client} returns these values:
+@end ifset
+@table @code
+
+@item 0 
+The certificate under question is valid; i.e. there is a valid CRL
+available and it is not listed tehre or teh OCSP request returned that
+that certificate is valid.
+
+@item 1
+The certificate has been revoked
+
+@item 2 (and other values)
+There was a problem checking the revocation state of the certificate.
+A message to stderr has given more detailed information.  Most likely
+this is due to a missing or expired CRL or due to a network problem.
+
+@end table
+
+@mansect options
+@noindent
+@command{dirmngr-client} may be called with the following options:
+
+
+@table @gnupgtabopt
+@item --version
+@opindex version
+Print the program version and licensing information.  Note that you cannot
+abbreviate this command.
+
+@item --help, -h
+@opindex help
+Print a usage message summarizing the most useful command-line options.
+Note that you cannot abbreviate this command.
+
+@item --quiet, -q
+@opindex quiet
+Make the output extra brief by suppressing any informational messages.
+
+@item -v
+@item --verbose
+@opindex v
+@opindex verbose
+Outputs additional information while running.
+You can increase the verbosity by giving several
+verbose commands to @sc{dirmngr}, such as @samp{-vv}.
+
+@item --pem
+@opindex pem
+Assume that the given certificate is in PEM (armored) format.
+
+@item --ocsp
+@opindex ocsp
+Do the check using the OCSP protocol and ignore any CRLs.
+
+@item --force-default-responder
+@opindex force-default-responder
+When checking using the OCSP protocl, force the use of the default OCSP
+responder.  That is not to use the Reponder as given by the certificate.
+
+@item --ping
+@opindex ping
+Check whether the dirmngr daemon is up and running.
+
+@item --cache-cert
+@opindex cache-cert
+Put the given certificate into the cache of a running dirmngr.  This is
+mainly useful for debugging.
+
+@item --validate
+@opindex validate
+Validate the given certificate using dirmngr's internal validation code.
+This is mainly useful for debugging.
+
+@item --load-crl
+@opindex load-crl
+This command expects a list of filenames with DER encoded CRL files.
+With the option @option{--url} URLs are expected in place of filenames
+and they are loaded directly from the given location.  All CRLs will be
+validated and then loaded into dirmngr's cache.
+
+@item --lookup
+@opindex lookup
+Take the remaining arguments and run a lookup command on each of them.
+The results are Base-64 encoded outputs (without header lines).  This
+may be used to retrieve certificates from a server. However the output
+format is not very well suited if more than one certificate is returned.
+
+@item --url
+@itemx -u
+@opindex url
+Modify the @command{lookup} and @command{load-crl} commands to take an URL.
+
+@item --local
+@itemx -l
+@opindex url
+Let the @command{lookup} command only search the local cache.
+
+@item --squid-mode
+@opindex squid-mode
+Run @sc{dirmngr-client} in a mode suitable as a helper program for
+Squid's @option{external_acl_type} option.
+
+
+@end table
+
+@ifset isman
+@mansect see also
+@command{dirmngr}(8),
+@command{gpgsm}(1)
+@include see-also-note.texi
+@end ifset
+@end ifset
 
 @c
 @c   GPGPARSEMAIL