Diffstat (limited to 'doc')
 doc/DETAILS        |   6
 doc/dirmngr.texi   |   2
 doc/gpg-agent.texi |   6
 doc/gpg-card.texi  |   2
 doc/gpg.texi       | 137
 doc/gpgsm.texi     |   2
 doc/gpgv.texi      |   5
 doc/scdaemon.texi  |   2
 doc/tools.texi     |   2
 doc/wks.texi       |   2
 10 files changed, 111 insertions, 55 deletions
diff --git a/doc/DETAILS b/doc/DETAILS
index a04269ede..583022113 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
@@ -532,6 +532,12 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
--assert-signer is used. The fingerprint is printed with
uppercase hex digits.
+*** ASSERT_PUBKEY_ALGO <fingerprint> <state> <algostr>
+ This is emitted when option --assert-pubkey-algo is used and the
+ signing algorithms is accepted according to that list if state is
+ 1 or denied if state is 0. The fingerprint is printed with
+ uppercase hex digits.
+
*** SIG_ID <radix64_string> <sig_creation_date> <sig-timestamp>
This is emitted only for signatures of class 0 or 1 which have
been verified okay. The string is a signature id and may be used
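Review bot: the second sentence of the new ASSERT_PUBKEY_ALGO entry is ungrammatical ("the signing algorithms is accepted ... if state is 1 or denied if state is 0") and the <algostr> field is never described. Suggest splitting it: "This is emitted when option --assert-pubkey-algo is used. The state is 1 if the signing algorithm is accepted according to the given list and 0 if it is denied." and add a sentence saying what <algostr> carries (presumably the algorithm name that was compared against the list).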
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 84f568692..420340ee3 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -172,7 +172,7 @@ socket.
Set compatibility flags to work around certain problems or to emulate
bugs. The @var{flags} are given as a comma separated list of flag
names and are OR-ed together. The special flag "none" clears the list
-and allows to start over with an empty list. To get a list of
+and allows one to start over with an empty list. To get a list of
available flags the sole word "help" can be used.
@item --faked-system-time @var{epoch}
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 6e78558aa..1d531fb57 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -302,7 +302,7 @@ debugging.
@item --steal-socket
@opindex steal-socket
In @option{--daemon} mode, gpg-agent detects an already running
-gpg-agent and does not allow to start a new instance. This option can
+gpg-agent and does not allow one to start a new instance. This option can
be used to override this check: the new gpg-agent process will try to
take over the communication sockets from the already running process
and start anyway. This option should in general not be used.
@@ -643,7 +643,7 @@ gpg-agent as a replacement for PuTTY's Pageant, the option
In this mode of operation, the agent does not only implement the
gpg-agent protocol, but also the agent protocol used by OpenSSH
(through a separate socket or via Named Pipes) or the protocol used by
-PuTTY. Consequently, this allows to use the gpg-agent as a drop-in
+PuTTY. Consequently, this allows one to use the gpg-agent as a drop-in
replacement for the ssh-agent.
SSH keys, which are to be used through the agent, need to be added to
@@ -693,7 +693,7 @@ The order in which keys are presented to ssh are:
@item Negative Use-for-ssh values
If a key file has the attribute "Use-for-ssh" and its value is
negative, these keys are presented first to ssh. The negative
- values are capped at -999 with -999 beeing lower ranked than -1.
+ values are capped at -999 with -999 being lower ranked than -1.
These values can be used to prefer on-disk keys over keys taken
from active cards.
diff --git a/doc/gpg-card.texi b/doc/gpg-card.texi
index 8787793f8..3a659e80f 100644
--- a/doc/gpg-card.texi
+++ b/doc/gpg-card.texi
@@ -226,7 +226,7 @@ OpenPGP or X.509 keys.
@item LOGIN [--clear] [< @var{file}]
@opindex login
Set the login data object of OpenPGP cards. If @var{file} is given
-the data is is read from that file. This allows to store binary data
+the data is is read from that file. This allows one to store binary data
in the login field. The option @option{--clear} deletes the login
data object.
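Review bot: the doubled word in "the data is is read from that file" is carried over unchanged into the new line; since the line is being touched anyway, drop the extra "is".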
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 7e6420a49..cb4506049 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -716,7 +716,7 @@ inserted smartcard, the special string ``card'' can be used for
will figure them out and creates an OpenPGP key consisting of the
usual primary key and one subkey. This works only with certain
smartcards. Note that the interactive @option{--full-gen-key} command
-allows to do the same but with greater flexibility in the selection of
+allows one to do the same but with greater flexibility in the selection of
the smartcard keys.
Note that it is possible to create a primary key and a subkey using
@@ -1290,19 +1290,22 @@ are usually found in the option file.
@item --default-key @var{name}
@opindex default-key
-Use @var{name} as the default key to sign with. If this option is not
-used, the default key is the first key found in the secret keyring.
-Note that @option{-u} or @option{--local-user} overrides this option.
-This option may be given multiple times. In this case, the last key
-for which a secret key is available is used. If there is no secret
-key available for any of the specified values, GnuPG will not emit an
-error message but continue as if this option wasn't given.
+Use @var{name} as the default key to sign with. It is suggested to
+use a fingerprint or at least a long keyID for @var{name}. If this
+option is not used, the default key is the first key found in the
+secret keyring. Note that @option{-u} or @option{--local-user}
+overrides this option. This option may be given multiple times. In
+this case, the last key for which a secret key is available is used.
+If there is no secret key available for any of the specified values,
+GnuPG will not emit an error message but continue as if this option
+wasn't given.
+
@item --default-recipient @var{name}
@opindex default-recipient
Use @var{name} as default recipient if option @option{--recipient} is
not used and don't ask if this is a valid one. @var{name} must be
-non-empty.
+non-empty and it is suggested to use a fingerprint for @var{name}.
@item --default-recipient-self
@opindex default-recipient-self
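Review bot: the new sentences recommend a fingerprint or long keyID for @var{name} without saying why; a short rationale (short key IDs are not unique and can match more than one key) would make the advice actionable for readers of the --default-key and --default-recipient entries. Also consider naming the long keyID form as a fallback in the --default-recipient text, as the --default-key text does, so the two entries give the same guidance.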
@@ -1773,7 +1776,9 @@ useful if you don't want to keep your secret keys (or one of them)
online but still want to be able to check the validity of a given
recipient's or signator's key. If the given key is not locally
available but an LDAP keyserver is configured the missing key is
-imported from that server.
+imported from that server. The value "none" is explicitly allowed to
+distinguish between the use of any trusted-key option and no use of
+this option at all (e.g. due to the @option{--no-options} option).
@item --add-desig-revoker [sensitive:]@var{fingerprint}
@opindex add-desig-revoker
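Review bot: the added text says "none" is allowed "to distinguish between the use of any trusted-key option and no use of this option at all", but not what effect it has on earlier --trusted-key values in the same run or options file: does "none" clear the list, or is it only a marker that the option was seen? One sentence stating which would remove the ambiguity.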
@@ -1914,6 +1919,29 @@ is guaranteed to return with an exit code of 0 if and only if a
signature has been encountered, is valid, and the key matches one of
the fingerprints given by this option.
+@item --assert-pubkey-algo @var{algolist}
+@opindex assert-pubkey-algo
+During data signature verification this options checks whether the
+used public key algorithm matches the algorithms given by
+@var{algolist}. This option can be given multiple times to
+concatenate more algorithms to the list; the delimiter of the list are
+either commas or spaces.
+
+The algorithm names given in the list may either be verbatim names
+like "ed25519" with an optional leading single equal sign, or being
+prefixed with ">", ">=", "<=", or "<". That prefix operator is
+applied to the number part of the algorithm name; for example 2048 in
+"rsa2048" or 384 in "brainpoolP384r1". If the the leading non-digits
+in the name matches, the prefix operator is used to compare the number
+part, a trailing suffix is ignored in this case. For example an
+algorithm list ">rsa3000, >=brainpool384r1, =ed25519" allows RSA
+signatures with more that 3000 bits, Brainpool curves 384 and 512,
+and the ed25519 algorithm.
+
+With this option gpg (and also gpgv) is guaranteed to return with an
+exit code of 0 if and only if all valid signatures on data are made
+using a matching algorithm from the given list.
+
@item --auto-key-locate @var{mechanisms}
@itemx --no-auto-key-locate
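Review bot: several wording slips in the new --assert-pubkey-algo entry: "this options checks" should be "this option checks"; "the delimiter of the list are either commas or spaces" should read "the list is delimited by commas or spaces"; "or being prefixed with" should be "or be prefixed with"; "If the the leading" has a doubled "the"; "more that 3000 bits" should be "more than". The example list also spells the curve ">=brainpool384r1" while the preceding sentence uses "brainpoolP384r1"; since the text says matching is done on "the leading non-digits in the name", the two spellings should agree or the example will not match as described. Finally, the exit-code guarantee ("0 if and only if all valid signatures ... are made using a matching algorithm") leaves the no-signature case open; stating whether the option also requires at least one valid signature, as --assert-signer does above, would help scripts that rely on the return value.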
@@ -1947,20 +1975,20 @@ list. The default is "local,wkd".
@item ntds
Locate the key using the Active Directory (Windows only). This
- method also allows to search by fingerprint using the command
+ method also allows one to search by fingerprint using the command
@option{--locate-external-key}. Note that this mechanism is
actually a shortcut for the mechanism @samp{keyserver} but using
"ldap:///" as the keyserver.
@item keyserver
- Locate a key using a keyserver. This method also allows to search
+ Locate a key using a keyserver. This method also allows one to search
by fingerprint using the command @option{--locate-external-key} if
any of the configured keyservers is an LDAP server.
@item keyserver-URL
In addition, a keyserver URL as used in the @command{dirmngr}
configuration may be used here to query that particular keyserver.
- This method also allows to search by fingerprint using the command
+ This method also allows one to search by fingerprint using the command
@option{--locate-external-key} if the URL specifies an LDAP server.
@item local
@@ -2336,19 +2364,21 @@ the key in this file is fully valid.
@opindex encrypt-to
Same as @option{--recipient} but this one is intended for use in the
options file and may be used with your own user-id as an
-"encrypt-to-self". These keys are only used when there are other
-recipients given either by use of @option{--recipient} or by the asked
-user id. No trust checking is performed for these user ids and even
-disabled keys can be used.
+"encrypt-to-self". It is suggested to use a fingerprint or at least a
+long keyID for @var{name}. These keys are only used when there are
+other recipients given either by use of @option{--recipient} or by the
+asked user id. No trust checking is performed for these user ids and
+even disabled keys can be used.
@item --hidden-encrypt-to @var{name}
@opindex hidden-encrypt-to
-Same as @option{--hidden-recipient} but this one is intended for use in the
-options file and may be used with your own user-id as a hidden
-"encrypt-to-self". These keys are only used when there are other
-recipients given either by use of @option{--recipient} or by the asked user id.
-No trust checking is performed for these user ids and even disabled
-keys can be used.
+Same as @option{--hidden-recipient} but this one is intended for use
+in the options file and may be used with your own user-id as a hidden
+"encrypt-to-self". It is suggested to use a fingerprint or at least a
+long keyID for @var{name}. These keys are only used when there are
+other recipients given either by use of @option{--recipient} or by the
+asked user id. No trust checking is performed for these user ids and
+even disabled keys can be used.
@item --no-encrypt-to
@opindex no-encrypt-to
@@ -2899,24 +2929,6 @@ done with @code{--with-colons}.
@table @gnupgtabopt
-@item -t, --textmode
-@itemx --no-textmode
-@opindex textmode
-Treat input files as text and store them in the OpenPGP canonical text
-form with standard "CRLF" line endings. This also sets the necessary
-flags to inform the recipient that the encrypted or signed data is text
-and may need its line endings converted back to whatever the local
-system uses. This option is useful when communicating between two
-platforms that have different line ending conventions (UNIX-like to Mac,
-Mac to Windows, etc). @option{--no-textmode} disables this option, and
-is the default.
-
-@item --force-v3-sigs
-@itemx --no-force-v3-sigs
-@item --force-v4-certs
-@itemx --no-force-v4-certs
-These options are obsolete and have no effect since GnuPG 2.1.
-
@item --force-ocb
@itemx --force-aead
@opindex force-ocb
@@ -3151,7 +3163,7 @@ Prompt before overwriting any files.
Set compatibility flags to work around problems due to non-compliant
keys or data. The @var{flags} are given as a comma separated
list of flag names and are OR-ed together. The special flag "none"
-clears the list and allows to start over with an empty list. To get a
+clears the list and allows one to start over with an empty list. To get a
list of available flags the sole word "help" can be used.
@item --debug-level @var{level}
@@ -3207,7 +3219,7 @@ and may thus be changed or removed at any time without notice.
@item --debug-allow-large-chunks
@opindex debug-allow-large-chunks
-To facilitate software tests and experiments this option allows to
+To facilitate software tests and experiments this option allows one to
specify a limit of up to 4 EiB (@code{--chunk-size 62}).
@item --debug-ignore-expiration
@@ -3378,9 +3390,23 @@ to display the message. This option overrides @option{--set-filename}.
@itemx --no-use-embedded-filename
@opindex use-embedded-filename
Try to create a file with a name as embedded in the data. This can be
-a dangerous option as it enables overwriting files. Defaults to no.
+a dangerous option as it enables overwriting files by giving the
+sender control on how to store files. Defaults to no.
Note that the option @option{--output} overrides this option.
+A better approach than using this option is to decrypt to a temporary
+filename and then rename that file to the embedded file name after
+checking that the embedded filename is harmless. When using the
+@option{--status-fd} option gpg tells the filename as part of the
+PLAINTEXT status message. If the filename is important, the use of
+@command{gpgtar} is another option because gpgtar will never overwrite
+a file but decrypt the files to a new directory.
+
+Note also that unless a modern version 5 signature is used the
+embedded filename is not part of the signed data.
+
+
+
@item --cipher-algo @var{name}
@opindex cipher-algo
Use @var{name} as cipher algorithm. Running the program with the
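Review bot: the recommended workaround, "rename that file to the embedded file name after checking that the embedded filename is harmless", does not say what makes a name harmless; spelling out the minimum check (reject names containing directory components or path separators, and names of existing files) would turn the advice into something a script author can implement. Minor wording: "giving the sender control on how to store files" reads better as "giving the sender control over where files are stored", "gpg tells the filename" as "gpg reports the filename", and "but decrypt the files to a new directory" as "but decrypts the files into a new directory". The hunk also adds three trailing blank lines before "@item --cipher-algo"; one is enough.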
@@ -3646,7 +3672,7 @@ not need to be listed explicitly.
@opindex allow-weak-key-signatures
To avoid a minor risk of collision attacks on third-party key
signatures made using SHA-1, those key signatures are considered
-invalid. This options allows to override this restriction.
+invalid. This options allows one to override this restriction.
@item --override-compliance-check
This was a temporary introduced option and has no more effect.
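Review bot: "This options allows one to override" still has the plural "options"; while fixing "allows to" here, change it to "This option allows one to override". The unchanged line below, "This was a temporary introduced option", should also read "temporarily introduced".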
@@ -3891,6 +3917,25 @@ all on Windows.
@table @gnupgtabopt
+@item -t, --textmode
+@itemx --no-textmode
+@opindex textmode
+Treat input files as text and store them in the OpenPGP canonical text
+form with standard "CRLF" line endings. This also sets the necessary
+flags to inform the recipient that the encrypted or signed data is text
+and may need its line endings converted back to whatever the local
+system uses. This option was useful when communicating between two
+platforms with different line ending conventions (UNIX-like to Mac,
+Mac to Windows, etc). @option{--no-textmode} disables this option, and
+is the default. Note that this is a legacy option which should not
+anymore be used by any modern software.
+
+@item --force-v3-sigs
+@itemx --no-force-v3-sigs
+@item --force-v4-certs
+@itemx --no-force-v4-certs
+These options are obsolete and have no effect since GnuPG 2.1.
+
@item --show-photos
@itemx --no-show-photos
@opindex show-photos
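Review bot: "should not anymore be used by any modern software" is awkward; "should no longer be used by modern software" is the usual phrasing. Since the moved --textmode text now says the option is legacy, it may also be worth stating in one clause what modern software should do instead (leave the default, i.e. no text mode), so the paragraph is self-contained in its new location.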
@@ -4111,7 +4156,7 @@ Operation is further controlled by a few environment variables:
@item GNUPG_EXEC_DEBUG_FLAGS
@efindex GNUPG_EXEC_DEBUG_FLAGS
- This variable allows to enable diagnostics for process management.
+ This variable allows one to enable diagnostics for process management.
A numeric decimal value is expected. Bit 0 enables general
diagnostics, bit 1 enables certain warnings on Windows.
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 0d4fb2fcc..71cfa1e8a 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -767,7 +767,7 @@ is given as fingerprint or keygrip.
Set compatibility flags to work around problems due to non-compliant
certificates or data. The @var{flags} are given as a comma separated
list of flag names and are OR-ed together. The special flag "none"
-clears the list and allows to start over with an empty list. To get a
+clears the list and allows one to start over with an empty list. To get a
list of available flags the sole word "help" can be used.
@item --debug-level @var{level}
diff --git a/doc/gpgv.texi b/doc/gpgv.texi
index 1cf699b70..cbaea40e5 100644
--- a/doc/gpgv.texi
+++ b/doc/gpgv.texi
@@ -140,6 +140,10 @@ This option enables a mode in which filenames of the form
@file{-&n}, where n is a non-negative decimal number,
refer to the file descriptor n and not to a file with that name.
+@item --assert-pubkey-algo @var{algolist}
+@opindex assert-pubkey-algo
+This option works in the same way as described for @command{gpg}.
+
@end table
@mansect return value
@@ -198,4 +202,3 @@ the allowed keys, using a legacy format.
@mansect see also
@command{gpg}(1)
@include see-also-note.texi
-
diff --git a/doc/scdaemon.texi b/doc/scdaemon.texi
index 264f71301..cbb22225d 100644
--- a/doc/scdaemon.texi
+++ b/doc/scdaemon.texi
@@ -309,7 +309,7 @@ with lower priority should be used by default.
@item --application-priority @var{namelist}
@opindex application-priority
-This option allows to change the order in which applications of a card
+This option allows one to change the order in which applications of a card
a tried if no specific application was requested. @var{namelist} is a
space or comma delimited list of application names. Unknown names are
simply skipped. Applications not mentioned in the list are put in the
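Review bot: the context line right after the changed one, "applications of a card a tried if no specific application was requested", has a typo ("a tried" should be "are tried"); as the paragraph is being edited anyway, fix it in the same change.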
diff --git a/doc/tools.texi b/doc/tools.texi
index 2f60a46dd..26c4c5f3d 100644
--- a/doc/tools.texi
+++ b/doc/tools.texi
@@ -400,7 +400,7 @@ expected in the current GnuPG home directory. This command is usually
not required because GnuPG is able to detect and remove stale lock
files. Before using the command make sure that the file protected by
the lock file is actually not in use. The lock command may be used to
-lock an accidently removed lock file. Note that the commands have no
+lock an accidentally removed lock file. Note that the commands have no
effect on Windows because the mere existence of a lock file does not
mean that the lock is active.
diff --git a/doc/wks.texi b/doc/wks.texi
index 8c5fc557c..bfdd069f2 100644
--- a/doc/wks.texi
+++ b/doc/wks.texi
@@ -136,6 +136,8 @@ The command @option{--print-wkd-url} prints the URLs used to fetch the
key for the given user-ids from WKD. The meanwhile preferred format
with sub-domains is used here.
+All commands may also be given without the two leading dashes.
+
@mansect options
@noindent
@command{gpg-wks-client} understands these options: