Diffstat (limited to 'doc')
-rw-r--r--doc/Makefile.am17
-rw-r--r--doc/dirmngr.texi22
-rw-r--r--doc/examples/README2
-rw-r--r--doc/examples/VS-NfD.prf24
-rw-r--r--doc/examples/debug.prf29
-rw-r--r--doc/examples/gpgconf.conf4
-rw-r--r--doc/examples/systemd-user/README66
-rw-r--r--doc/examples/systemd-user/dirmngr.service8
-rw-r--r--doc/examples/systemd-user/dirmngr.socket11
-rw-r--r--doc/examples/systemd-user/gpg-agent-browser.socket13
-rw-r--r--doc/examples/systemd-user/gpg-agent-extra.socket13
-rw-r--r--doc/examples/systemd-user/gpg-agent-ssh.socket13
-rw-r--r--doc/examples/systemd-user/gpg-agent.service8
-rw-r--r--doc/examples/systemd-user/gpg-agent.socket12
-rw-r--r--doc/gpg-agent.texi2
-rw-r--r--doc/gpg-card.texi4
-rw-r--r--doc/gpg.texi43
-rw-r--r--doc/wks.texi4
18 files changed, 49 insertions, 246 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 2d45f378e..390153c76 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -22,18 +22,9 @@ AM_CPPFLAGS =
include $(top_srcdir)/am/cmacros.am
examples = examples/README examples/scd-event examples/trustlist.txt \
- examples/VS-NfD.prf examples/Automatic.prf \
- examples/debug.prf examples/qualified.txt \
+ examples/qualified.txt \
examples/common.conf \
examples/gpgconf.rnames examples/gpgconf.conf \
- examples/systemd-user/README \
- examples/systemd-user/dirmngr.service \
- examples/systemd-user/dirmngr.socket \
- examples/systemd-user/gpg-agent.service \
- examples/systemd-user/gpg-agent.socket \
- examples/systemd-user/gpg-agent-ssh.socket \
- examples/systemd-user/gpg-agent-browser.socket \
- examples/systemd-user/gpg-agent-extra.socket \
examples/pwpattern.list
helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt \
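Review bot: `examples/Automatic.prf` is dropped from the `examples` list in this hunk, but the diffstat for doc/ shows only `VS-NfD.prf` and `debug.prf` as deleted, so this page does not show whether `Automatic.prf` still exists in the tree. If it does, it silently stops being distributed and installed while staying in the repository; either delete it in the same commit or keep `examples/Automatic.prf \` in the list. Separately, the removed VS-NfD profile carried hardening settings (`compliance de-vs`, `enable-crl-checks`, `no-allow-external-cache`, `enforce-passphrase-constraints`), so installations that took them from the shipped file must now maintain them locally. A comment above `examples =` such as `# Profile files (*.prf) are no longer shipped.` plus a NEWS entry would make that visible to packagers.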
@@ -44,8 +35,6 @@ helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt \
help.pt_BR.txt help.ro.txt help.ru.txt help.sk.txt \
help.sv.txt help.tr.txt help.zh_CN.txt help.zh_TW.txt
-profiles =
-
EXTRA_DIST = samplekeys.asc mksamplekeys com-certs.pem \
gnupg-logo.pdf gnupg-logo.png gnupg-logo-tr.png \
gnupg-module-overview.png gnupg-module-overview.pdf \
@@ -61,7 +50,7 @@ BUILT_SOURCES = gnupg-module-overview.png gnupg-module-overview.pdf \
info_TEXINFOS = gnupg.texi
-dist_pkgdata_DATA = $(helpfiles) $(profiles)
+dist_pkgdata_DATA = $(helpfiles)
nobase_dist_doc_DATA = FAQ DETAILS HACKING DCO TRANSLATE OpenPGP KEYSERVER \
$(examples)
@@ -85,7 +74,7 @@ DVIPS = TEXINPUTS="$(srcdir)$(PATH_SEPARATOR)$$TEXINPUTS" dvips
AM_MAKEINFOFLAGS = -I $(srcdir) --css-ref=/share/site.css
YAT2M_OPTIONS = -I $(srcdir) \
- --release "GnuPG @PACKAGE_VERSION@" --source "GNU Privacy Guard 2.3"
+ --release "GnuPG @PACKAGE_VERSION@" --source "GNU Privacy Guard 2.4"
myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \
dirmngr.texi scdaemon.texi tools.texi wks.texi \
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index aaa30ec50..8e0979c3e 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -311,16 +311,16 @@ Use @var{name} as your keyserver. This is the server that @command{gpg}
communicates with to receive keys, send keys, and search for
keys. The format of the @var{name} is a URI:
`scheme:[//]keyservername[:port]' The scheme is the type of keyserver:
-"hkp" for the HTTP (or compatible) keyservers, "ldap" for the LDAP
-keyservers, or "mailto" for the Graff email keyserver. Note that your
-particular installation of GnuPG may have other keyserver types
-available as well. Keyserver schemes are case-insensitive. After the
-keyserver name, optional keyserver configuration options may be
-provided. These are the same as the @option{--keyserver-options} of
-@command{gpg}, but apply only to this particular keyserver.
-
-Most keyservers synchronize with each other, so there is generally no
-need to send keys to more than one server. Somes keyservers use round
+"hkp" for the HTTP (or compatible) keyservers or "ldap" for the LDAP
+keyservers. Note that your particular installation of GnuPG may have
+other keyserver types available as well. Keyserver schemes are
+case-insensitive. After the keyserver name, optional keyserver
+configuration options may be provided. These are the same as the
+@option{--keyserver-options} of @command{gpg}, but apply only to this
+particular keyserver.
+
+Some keyservers synchronize with each other, so there is not always a
+need to send keys to more than one server. Some keyservers use round
robin DNS to give a different keyserver each time you use it.
If exactly two keyservers are configured and only one is a Tor hidden
@@ -751,7 +751,7 @@ allow-ocsp
To make sure that new options are read or that after the installation
of a new GnuPG versions the right dirmngr version is running, you
should kill an existing dirmngr so that a new instance is started as
-needed by the otehr components:
+needed by the other components:
@example
gpgconf --kill dirmngr
diff --git a/doc/examples/README b/doc/examples/README
index 67508c471..cd341ab57 100644
--- a/doc/examples/README
+++ b/doc/examples/README
@@ -8,8 +8,6 @@ trustlist.txt A list of trustworthy root certificates
gpgconf.conf A sample configuration file for gpgconf.
-systemd-user Sample files for a Linux-only init system.
-
qualified.txt Sample file for qualified.txt.
common.conf Sample file for common options.
diff --git a/doc/examples/VS-NfD.prf b/doc/examples/VS-NfD.prf
deleted file mode 100644
index edb9e018e..000000000
--- a/doc/examples/VS-NfD.prf
+++ /dev/null
@@ -1,24 +0,0 @@
-# VS-NfD.prf - Configure options for the VS-NfD mode -*- conf -*-
-#
-# The options for each tool are configured in a section ("[TOOL]");
-# see the respective man page for a description of these options and
-# the gpgconf manpage for a description of this file's syntax.
-
-[gpg]
-compliance de-vs
-
-[gpgsm]
-compliance de-vs
-enable-crl-checks
-
-[gpg-agent]
-default-cache-ttl 900
-max-cache-ttl 3600
-no-allow-mark-trusted
-no-allow-external-cache
-enforce-passphrase-constraints
-min-passphrase-len 9
-min-passphrase-nonalpha 0
-
-[dirmngr]
-allow-ocsp
diff --git a/doc/examples/debug.prf b/doc/examples/debug.prf
deleted file mode 100644
index f635fc88e..000000000
--- a/doc/examples/debug.prf
+++ /dev/null
@@ -1,29 +0,0 @@
-# debug.prf - Configure options for easier debugging -*- conf -*-
-#
-# Note that the actual debug options for each component need to be set
-# manually. Running the component with "--debug help" shows a list of
-# supported values. To watch the logs this command can be used:
-#
-# watchgnupg --time-only --force $(gpgconf --list-dirs socketdir)/S.log
-#
-
-[gpg]
-log-file socket://
-verbose
-#debug ipc
-
-[gpgsm]
-log-file socket://
-verbose
-#debug ipc
-
-[gpg-agent]
-log-file socket://
-verbose
-#debug ipc
-#debug-pinentry
-
-[dirmngr]
-log-file socket://
-verbose
-#debug ipc,dns
diff --git a/doc/examples/gpgconf.conf b/doc/examples/gpgconf.conf
index a61d4d453..314b955b9 100644
--- a/doc/examples/gpgconf.conf
+++ b/doc/examples/gpgconf.conf
@@ -1,5 +1,9 @@
# gpgconf.conf - configuration for gpgconf
#----------------------------------------------------------------------
+#
+# === The use of this feature is deprecated ===
+# == Please use the more powerful global options. ==
+#
# This file is read by gpgconf(1) to setup defaults for all or
# specified users and groups. It may be used to change the hardwired
# defaults in gpgconf and to enforce certain values for the various
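Review bot: The added deprecation banner does not say what "the more powerful global options" are or where they are configured, while the unchanged header right below it still presents this file as the way "to enforce certain values". An administrator who uses gpgconf.conf to pin policy cannot tell from the sample whether those settings are still honoured or how to migrate them. I would add a pointer line under the banner, for example `# See the manual for the global configuration files that replace this one.`, with the exact reference to be filled in from the documentation.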
diff --git a/doc/examples/systemd-user/README b/doc/examples/systemd-user/README
deleted file mode 100644
index 43122f568..000000000
--- a/doc/examples/systemd-user/README
+++ /dev/null
@@ -1,66 +0,0 @@
-Socket-activated dirmngr and gpg-agent with systemd
-===================================================
-
-When used on a GNU/Linux system supervised by systemd, you can ensure
-that the GnuPG daemons dirmngr and gpg-agent are launched
-automatically the first time they're needed, and shut down cleanly at
-session logout. This is done by enabling user services via
-socket-activation.
-
-System distributors
--------------------
-
-The *.service and *.socket files (from this directory) should be
-placed in /usr/lib/systemd/user/ alongside other user-session services
-and sockets.
-
-To enable socket-activated dirmngr for all accounts on the system,
-use:
-
- systemctl --user --global enable dirmngr.socket
-
-To enable socket-activated gpg-agent for all accounts on the system,
-use:
-
- systemctl --user --global enable gpg-agent.socket
-
-Additionally, you can enable socket-activated gpg-agent ssh-agent
-emulation for all accounts on the system with:
-
- systemctl --user --global enable gpg-agent-ssh.socket
-
-You can also enable restricted ("--extra-socket"-style) gpg-agent
-sockets for all accounts on the system with:
-
- systemctl --user --global enable gpg-agent-extra.socket
-
-Individual users
-----------------
-
-A user on a system with systemd where this has not been installed
-system-wide can place these files in ~/.config/systemd/user/ to make
-them available.
-
-If a given service isn't installed system-wide, or if it's installed
-system-wide but not globally enabled, individual users will still need
-to enable them. For example, to enable socket-activated dirmngr for
-all future sessions:
-
- systemctl --user enable dirmngr.socket
-
-To enable socket-activated gpg-agent with ssh support, do:
-
- systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket
-
-These changes won't take effect until your next login after you've
-fully logged out (be sure to terminate any running daemons before
-logging out).
-
-If you'd rather try a socket-activated GnuPG daemon in an
-already-running session without logging out (with or without enabling
-it for all future sessions), kill any existing daemon and start the
-user socket directly. For example, to set up socket-activated dirmgnr
-in the current session:
-
- gpgconf --kill dirmngr
- systemctl --user start dirmngr.socket
diff --git a/doc/examples/systemd-user/dirmngr.service b/doc/examples/systemd-user/dirmngr.service
deleted file mode 100644
index 3c060cde5..000000000
--- a/doc/examples/systemd-user/dirmngr.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=GnuPG network certificate management daemon
-Documentation=man:dirmngr(8)
-Requires=dirmngr.socket
-
-[Service]
-ExecStart=/usr/bin/dirmngr --supervised
-ExecReload=/usr/bin/gpgconf --reload dirmngr
diff --git a/doc/examples/systemd-user/dirmngr.socket b/doc/examples/systemd-user/dirmngr.socket
deleted file mode 100644
index ebabf896a..000000000
--- a/doc/examples/systemd-user/dirmngr.socket
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=GnuPG network certificate management daemon
-Documentation=man:dirmngr(8)
-
-[Socket]
-ListenStream=%t/gnupg/S.dirmngr
-SocketMode=0600
-DirectoryMode=0700
-
-[Install]
-WantedBy=sockets.target
diff --git a/doc/examples/systemd-user/gpg-agent-browser.socket b/doc/examples/systemd-user/gpg-agent-browser.socket
deleted file mode 100644
index bc8d344e1..000000000
--- a/doc/examples/systemd-user/gpg-agent-browser.socket
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
-Documentation=man:gpg-agent(1)
-
-[Socket]
-ListenStream=%t/gnupg/S.gpg-agent.browser
-FileDescriptorName=browser
-Service=gpg-agent.service
-SocketMode=0600
-DirectoryMode=0700
-
-[Install]
-WantedBy=sockets.target
diff --git a/doc/examples/systemd-user/gpg-agent-extra.socket b/doc/examples/systemd-user/gpg-agent-extra.socket
deleted file mode 100644
index 5b87d09df..000000000
--- a/doc/examples/systemd-user/gpg-agent-extra.socket
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=GnuPG cryptographic agent and passphrase cache (restricted)
-Documentation=man:gpg-agent(1)
-
-[Socket]
-ListenStream=%t/gnupg/S.gpg-agent.extra
-FileDescriptorName=extra
-Service=gpg-agent.service
-SocketMode=0600
-DirectoryMode=0700
-
-[Install]
-WantedBy=sockets.target
diff --git a/doc/examples/systemd-user/gpg-agent-ssh.socket b/doc/examples/systemd-user/gpg-agent-ssh.socket
deleted file mode 100644
index 798c1d967..000000000
--- a/doc/examples/systemd-user/gpg-agent-ssh.socket
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=GnuPG cryptographic agent (ssh-agent emulation)
-Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
-
-[Socket]
-ListenStream=%t/gnupg/S.gpg-agent.ssh
-FileDescriptorName=ssh
-Service=gpg-agent.service
-SocketMode=0600
-DirectoryMode=0700
-
-[Install]
-WantedBy=sockets.target
diff --git a/doc/examples/systemd-user/gpg-agent.service b/doc/examples/systemd-user/gpg-agent.service
deleted file mode 100644
index a050fccdc..000000000
--- a/doc/examples/systemd-user/gpg-agent.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=GnuPG cryptographic agent and passphrase cache
-Documentation=man:gpg-agent(1)
-Requires=gpg-agent.socket
-
-[Service]
-ExecStart=/usr/bin/gpg-agent --supervised
-ExecReload=/usr/bin/gpgconf --reload gpg-agent
diff --git a/doc/examples/systemd-user/gpg-agent.socket b/doc/examples/systemd-user/gpg-agent.socket
deleted file mode 100644
index 4257c2c80..000000000
--- a/doc/examples/systemd-user/gpg-agent.socket
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=GnuPG cryptographic agent and passphrase cache
-Documentation=man:gpg-agent(1)
-
-[Socket]
-ListenStream=%t/gnupg/S.gpg-agent
-FileDescriptorName=std
-SocketMode=0600
-DirectoryMode=0700
-
-[Install]
-WantedBy=sockets.target
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 97abbed59..921522d53 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -175,7 +175,7 @@ listening sockets. This option is deprecated and not supported on
Windows.
If in @file{common.conf} the option @option{no-autostart} is set, any
-start attemps will be ignored.
+start attempts will be ignored.
In --supervised mode, different file descriptors can be provided for
use as different socket types (e.g. ssh, extra) as long as they are
diff --git a/doc/gpg-card.texi b/doc/gpg-card.texi
index c21516791..33cdbd96d 100644
--- a/doc/gpg-card.texi
+++ b/doc/gpg-card.texi
@@ -153,7 +153,7 @@ Command completion in the interactive mode is also supported.
@item AUTHENTICATE [--setkey] [--raw] [< @var{file}]|@var{key}]
@itemx AUTH
@opindex authenticate
-Authenticate to the card. Perform a mutual autentication either by
+Authenticate to the card. Perform a mutual authentication either by
reading the key from @var{file} or by taking it from the command line
as @var{key}. Without the option @option{--raw} the key is expected
to be hex encoded. To install a new administration key
@@ -242,7 +242,7 @@ a @var{pinref} a menu is presented for certain cards." In
non-interactive mode and without a @var{pinref} a default value i used
for these cards. The option @option{--reset} is used with TCOS cards
to reset the PIN using the PUK or vice versa; the option
-@var{--nullpin} is used for these cards to set the intial PIN.
+@var{--nullpin} is used for these cards to set the initial PIN.
@item PRIVATEDO [--clear] @var{n} [< @var{file}]
@opindex privatedo
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 1a3cb9e25..47aa0a4d0 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -616,7 +616,7 @@ Emit @var{count} random bytes of the given quality level 0, 1 or 2. If
@var{count} is not given or zero, an endless sequence of random bytes
will be emitted. If used with @option{--armor} the output will be
base64 encoded. The special level 16 uses a quality level of 1 and
-outpust end endless stream of hex-encoded octets. The special level
+outputs an endless stream of hex-encoded octets. The special level
30 outputs random as 30 zBase-32 characters.
@item --gen-prime @var{mode} @var{bits}
@@ -635,11 +635,11 @@ The @option{--dearmor} command can also be used to dearmor PEM armors.
@item --unwrap
@opindex unwrap
-This command is similar to @option{--decrypt} with the change that the
+This command is similar to @option{--decrypt} with the difference that the
output is not the usual plaintext but the original message with the
-decryption layer removed. Thus the output will be an OpenPGP data
+encryption layer removed. Thus the output will be an OpenPGP data
structure which often means a signed OpenPGP message. Note that this
-command may or may not remove a compression layer which is often found
+option may or may not remove a compression layer which is often found
beneath the encryption layer.
@item --tofu-policy @{auto|good|unknown|bad|ask@} @var{keys}
@@ -860,9 +860,10 @@ line.
@opindex keyedit:tsign
Make a trust signature. This is a signature that combines the notions
of certification (like a regular signature), and trust (like the
- "trust" command). It is generally only useful in distinct communities
- or groups. For more information please read the sections
- ``Trust Signature'' and ``Regular Expression'' in RFC-4880.
+ "trust" command). It is generally useful in distinct communities
+ or groups to implement the concept of a Trusted Introducer. For
+ more information please read the sections ``Trust Signature'' and
+ ``Regular Expression'' in RFC-4880.
@end table
@c man:.RS
@@ -1341,7 +1342,7 @@ Assume "no" on most questions. Should not be used in an option file.
@item --list-filter @{select=@var{expr}@}
@opindex list-filter
A list filter can be used to output only certain keys during key
-listsin command. For the availbale property names, see the description
+listing commands. For the available property names, see the description
of @option{--import-filter}.
@@ -1658,6 +1659,16 @@ for the BZIP2 compression algorithm (defaulting to 6 as well). This is a
different option from @option{--compress-level} since BZIP2 uses a
significant amount of memory for each additional compression level.
@option{-z} sets both. A value of 0 for @var{n} disables compression.
+A value of -1 forces compression using the default level.
+
+Except for the @option{--store} command compression is always used
+unless @command{gpg} detects that the input is already compressed. To
+inhibit the use of compression use @option{-z0}; to force compression
+use @option{-z-1} or option @option{z} with another compression level
+than the default as indicated by -1. Note that this overriding of the
+default deection works only with @option{z} and not with the long
+variant of this option.
+
@item --bzip2-decompress-lowmem
@opindex bzip2-decompress-lowmem
@@ -1754,7 +1765,8 @@ Set what trust model GnuPG should follow. The models are:
@item tofu
@opindex trust-model:tofu
@anchor{trust-model-tofu}
- TOFU stands for Trust On First Use. In this trust model, the first
+ TOFU stands for Trust On First Use. In this experimental trust
+ model, the first
time a key is seen, it is memorized. If later another key with a
user id with the same email address is seen, both keys are marked as
suspect. In that case, the next time either is used, a warning is
@@ -1803,7 +1815,8 @@ Set what trust model GnuPG should follow. The models are:
@item tofu+pgp
@opindex trust-model:tofu+pgp
- This trust model combines TOFU with the Web of Trust. This is done
+ This experimental trust model combines TOFU with the Web of Trust.
+ This is done
by computing the trust level for each model and then taking the
maximum trust level where the trust levels are ordered as follows:
@code{unknown < undefined < marginal < fully < ultimate < expired <
@@ -2048,7 +2061,7 @@ are available for all keyserver types, some common options are:
The default list of options is: "self-sigs-only, import-clean,
repair-keys, repair-pks-subkey-bug, export-attributes". However, if
the actual used source is an LDAP server "no-self-sigs-only" is
-assumed unless "self-sigs-only" has been explictly configured.
+assumed unless "self-sigs-only" has been explicitly configured.
@item --completes-needed @var{n}
@@ -3546,13 +3559,7 @@ signatures made using SHA-1, those key signatures are considered
invalid. This options allows to override this restriction.
@item --override-compliance-check
-@opindex --override-compliance-check
-The signature verification only allows the use of keys suitable in the
-current compliance mode. If the compliance mode has been forced by a
-global option, there might be no way to check certain signature. This
-option allows to override this and prints an extra warning in such a
-case. This option is ignored in --batch mode so that no accidental
-unattended verification may happen.
+This was a temporary introduced option and has no more effect.
@item --no-default-keyring
@opindex no-default-keyring
diff --git a/doc/wks.texi b/doc/wks.texi
index a7805a34a..39e345f15 100644
--- a/doc/wks.texi
+++ b/doc/wks.texi
@@ -189,7 +189,9 @@ fields are (future versions may specify additional fields):
@itemx -o
@opindex output
Write the created mail to @var{file} instead of stdout. Note that the
-value @code{-} for @var{file} is the same as writing to stdout.
+value @code{-} for @var{file} is the same as writing to stdout. If
+this option is used with the @option{--check} command and a key was
+found it is written to the given file.
@item --status-fd @var{n}
@opindex status-fd