Diffstat (limited to 'doc')
-rw-r--r--  doc/DETAILS          1
-rw-r--r--  doc/Makefile.am      4
-rw-r--r--  doc/dirmngr.texi     4
-rw-r--r--  doc/gpg-card.texi  171
-rw-r--r--  doc/gpg.texi       152
-rw-r--r--  doc/gpgsm.texi       3
-rw-r--r--  doc/scdaemon.texi   30
-rw-r--r--  doc/tools.texi      61
-rw-r--r--  doc/wks.texi         8
-rw-r--r--  doc/yat2m.c          3
10 files changed, 344 insertions, 93 deletions
diff --git a/doc/DETAILS b/doc/DETAILS index 74a63ef00..3046523da 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -1572,6 +1572,7 @@ Description of some debug flags: | ecc/* | 11 | ECC (set your own capabilities) | | ecc/e | 12 | ECC (encrypt only) | | keygrip | 13 | Existing key | + | cardkey | 14 | Existing key from card | If one of the "foo/*" names are used a "keygen.flags" prompt needs to be answered as well. Instead of toggling the predefined flags, diff --git a/doc/Makefile.am b/doc/Makefile.am index 0720dd366..0c44217d0 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -95,7 +95,7 @@ myman_pages = gpgsm.1 gpg-agent.1 dirmngr.8 scdaemon.1 \ watchgnupg.1 gpgconf.1 addgnupghome.8 gpg-preset-passphrase.1 \ gpg-connect-agent.1 gpgparsemail.1 symcryptrun.1 gpgtar.1 \ applygnupgdefaults.8 gpg-wks-client.1 gpg-wks-server.1 \ - dirmngr-client.1 gpg-card.1 + dirmngr-client.1 gpg-card.1 gpg-check-pattern.1 if USE_GPG2_HACK myman_pages += gpg2.1 gpgv2.1 else @@ -121,6 +121,7 @@ mkdefsinc: mkdefsinc.c Makefile ../config.h $(CC_FOR_BUILD) -I. -I.. -I$(srcdir) $(AM_CPPFLAGS) \ -o $@ $(srcdir)/mkdefsinc.c +if MAINTAINER_MODE .svg.eps: convert `test -f '$<' || echo '$(srcdir)/'`$< $@ @@ -141,6 +142,7 @@ mkdefsinc: mkdefsinc.c Makefile ../config.h .fig.pdf: fig2dev -L pdf `test -f '$<' || echo '$(srcdir)/'`$< $@ +endif yat2m-stamp: $(myman_sources) defs.inc diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi index f5910a884..eb49ad96c 100644 --- a/doc/dirmngr.texi +++ b/doc/dirmngr.texi 
@@ -251,7 +251,7 @@ The option @option{--use-tor} switches Dirmngr and thus GnuPG into ``Tor mode'' to route all network access via Tor (an anonymity network). Certain other features are disabled in this mode. The effect of @option{--use-tor} cannot be overridden by any other command -or even be reloading gpg-agent. The use of @option{--no-use-tor} +or even by reloading dirmngr. The use of @option{--no-use-tor} disables the use of Tor. The default is to use Tor if it is available on startup or after reloading dirmngr. @@ -1178,5 +1178,3 @@ as a binary blob. @c used for this. The first one starts a search and the second one is @c used to retrieve certificate after certificate. @c - - diff --git a/doc/gpg-card.texi b/doc/gpg-card.texi index aa49f81e7..fcc1792f1 100644 --- a/doc/gpg-card.texi +++ b/doc/gpg-card.texi @@ -8,9 +8,9 @@ @node Smart Card Tool @chapter Smart Card Tool -GnuPG comes with tool to administrate smart cards and USB tokens. This -tool is an extension of the @option{--edit-key} command available with -@command{gpg}. +GnuPG comes with a tool to administrate smart cards and USB tokens. +This tool is an enhanced version of the @option{--edit-key} command +available with @command{gpg}. @menu * gpg-card:: Administrate smart cards. @@ -135,7 +135,7 @@ featuring the PIV application (requires Yubikey-5). We assume that the credentials have not yet been changed and thus are: @table @asis @item Authentication key -This is a 24 byte key described by the hex string +This is a 24 byte key described by the hex string @* @code{010203040506070801020304050607080102030405060708}. @item PIV Application PIN This is the string @code{123456}. 
@@ -164,11 +164,13 @@ Version ..........: 2.1 [...] @end example -It can be seen by the ``Application type'' line that GnuPG selected the -OpenPGP application of the Yubikey. This is because GnuPG assigns the -highest priority to the OpenPGP application. To use the PIV -application of the Yubikey, the OpenPGP application needs to be -disabled: +It can be seen by the ``Application type'' line that GnuPG selected +the OpenPGP application of the Yubikey. This is because GnuPG assigns +the highest priority to the OpenPGP application. To use the PIV +application of the Yubikey several methods can be used: + +With a Yubikey 5 or later the OpenPGP application on the Yubikey can +be disabled: @example gpg/card> yubikey disable all opgp @@ -186,8 +188,32 @@ gpg/card> reset The @code{reset} is required so that the GnuPG system rereads the card. Note that disabled applications keep all their data and can at -any time be re-enabled (see @emph{help yubikey}). Now a @emph{list} -command shows this: +any time be re-enabled (use @kbd{help yubikey}). + +Another option, which works for all Yubikey versions, is to disable +the support for OpenPGP cards in scdaemon. This is done by adding the +line + +@smallexample +disable-application openpgp +@end smallexample + +to @file{~/.gnupg/scdaemon.conf} and by restarting scdaemon, either by +killing the process or by using @kbd{gpgconf --kill scdaemon}. Finally +the default order in which card applications are tried by scdaemon can +be changed. For example to prefer PIV over OpenPGP it is sufficient +to add + +@smallexample +application-priority piv +@end smallexample + +to @file{~/.gnupg/scdaemon.conf} and to restart @command{scdaemon}. +This has an effect only on tokens which support both, PIV and OpenPGP, +but does not hamper the use of OpenPGP only tokens. + +With one of these methods employed the @code{list} command of +@command{gpg-card} shows this: @example gpg/card> list 
@@ -210,7 +236,12 @@ Key management ...: [none] keyref .....: PIV.9D @end example -Note that the ``Displayed s/sn'' is printed on the token and also +In case several tokens are plugged into the computer, gpg-card will +show only one. To show another token the number of the token (0, 1, +2, ...) can be given as an argument to the @code{list} command. The +command @kbd{list --cards} prints a list of all inserted tokens. + +Note that the ``Displayed s/n'' is printed on the token and also shown in Pinentry prompts asking for the PIN. The four standard key slots are always shown, if other key slots are initialized they are shown as well. The @emph{PIV authentication} key (internal reference @@ -231,11 +262,11 @@ which needs to be provided only once so that decryption operations can then be done until the card is reset or removed from the reader or USB port. -We now generate tree of the four keys. Note that GnuPG does currently -not use the the @emph{Card authentication} key but because it is -mandatory by the specs we create it anyway. Key generation requires -that we authenticate to the card. This can be done either on the -command line (which would reveal the key): +We now generate three of the four keys. Note that GnuPG does +currently not use the the @emph{Card authentication} key; however, +that key is mandatory by the PIV standard and thus we create it too. +Key generation requires that we authenticate to the card. This can be +done either on the command line (which would reveal the key): @example gpg/card> auth 010203040506070801020304050607080102030405060708 
@@ -360,7 +391,7 @@ gpgsm: total number processed: 1 gpgsm: imported: 1 @end example -Note the last steps which imported the created certificate. If you +Note the last step which imported the created certificate. If you you instead created a certificate signing request (CSR) instead of a self-signed certificate and sent this off to a CA you would do the same import step with the certificate received from the CA. Take note 
@@ -507,7 +538,111 @@ As usual use ssh-add with the uppercase @samp{-L} to list the public ssh key. To use the certificates with Thunderbird or Mozilla, please consult the Scute manual for details. +If you want to use the same PIV keys also for OpenPGP (for example on +a Yubikey to avoid switching between OpenPGP and PIV), this is also +possible: + +@example +$ gpgsm --learn +$ gpg --full-gen-key +Please select what kind of key you want: + (1) RSA and RSA (default) + (2) DSA and Elgamal + (3) DSA (sign only) + (4) RSA (sign only) + (14) Existing key from card +Your selection? 14 +Serial number of the card: FF020001008A77C1 +Available keys: + (1) 213D1825FDE0F8240CB4E4229F01AF90AC658C2E PIV.9A nistp384 (auth) + (2) 7A53E6CFFE7220A0E646B4632EE29E5A7104499C PIV.9E nistp256 (auth) + (3) 32A6C6FAFCB8421878608AAB452D5470DD3223ED PIV.9C rsa2048 (cert,sign) + (4) 34798AAFE0A7565088101CC4AE31C5C8C74461CB PIV.9D rsa2048 (encr) +Your selection? 3 +Please specify how long the key should be valid. + 0 = key does not expire + <n> = key expires in n days + <n>w = key expires in n weeks + <n>m = key expires in n months + <n>y = key expires in n years +Key is valid for? (0) +Key does not expire at all +Is this correct? (y/N) y + +GnuPG needs to construct a user ID to identify your key. + +Real name: +Email address: otto@@example.net +Comment: +You selected this USER-ID: + "otto@@example.net" + +Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o +gpg: key C3AFA9ED971BB365 marked as ultimately trusted +gpg: revocation certificate stored as '[...]D971BB365.rev' +public and secret key created and signed. + +Note that this key cannot be used for encryption. You may want to use +the command "--edit-key" to generate a subkey for this purpose. +pub rsa2048 2019-04-04 [SC] + 7F899AE2FB73159DD68A1B20C3AFA9ED971BB365 +uid otto@@example.net +@end example + +Note that you will be asked two times to enter the PIN of your PIV +card. 
If you run @command{gpg} in @option{--expert} mode you will +also ge given the option to change the usage flags of the key. The next +typescript shows how to add the encryption subkey: + +@example +$ gpg --edit-key 7F899AE2FB73159DD68A1B20C3AFA9ED971BB365 +Secret key is available. + +sec rsa2048/C3AFA9ED971BB365 + created: 2019-04-04 expires: never usage: SC + card-no: FF020001008A77C1 + trust: ultimate validity: ultimate +[ultimate] (1). otto@@example.net +gpg> addkey +Secret parts of primary key are stored on-card. +Please select what kind of key you want: + (3) DSA (sign only) + (4) RSA (sign only) + (5) Elgamal (encrypt only) + (6) RSA (encrypt only) + (14) Existing key from card +Your selection? 14 +Serial number of the card: FF020001008A77C1 +Available keys: + (1) 213D1825FDE0F8240CB4E4229F01AF90AC658C2E PIV.9A nistp384 (auth) + (2) 7A53E6CFFE7220A0E646B4632EE29E5A7104499C PIV.9E nistp256 (auth) + (3) 32A6C6FAFCB8421878608AAB452D5470DD3223ED PIV.9C rsa2048 (cert,sign) + (4) 34798AAFE0A7565088101CC4AE31C5C8C74461CB PIV.9D rsa2048 (encr) +Your selection? 4 +Please specify how long the key should be valid. + 0 = key does not expire + <n> = key expires in n days + <n>w = key expires in n weeks + <n>m = key expires in n months + <n>y = key expires in n years +Key is valid for? (0) +Key does not expire at all +Is this correct? (y/N) y +Really create? (y/N) y + +sec rsa2048/C3AFA9ED971BB365 + created: 2019-04-04 expires: never usage: SC + card-no: FF020001008A77C1 + trust: ultimate validity: ultimate +ssb rsa2048/7067860A98FCE6E1 + created: 2019-04-04 expires: never usage: E + card-no: FF020001008A77C1 +[ultimate] (1). otto@@example.net + +gpg> save +@end example +Now you can use your PIV card also with @command{gpg}. @c @mansect examples diff --git a/doc/gpg.texi b/doc/gpg.texi index e6829b911..80c7f48f5 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi 
@@ -346,12 +346,17 @@ numbers 1-9 or "T" for 10 and above to indicate trust signature levels @item --locate-keys +@itemx --locate-external-keys @opindex locate-keys +@opindex locate-external-keys Locate the keys given as arguments. This command basically uses the -same algorithm as used when locating keys for encryption or signing and -may thus be used to see what keys @command{@gpgname} might use. In -particular external methods as defined by @option{--auto-key-locate} may -be used to locate a key. Only public keys are listed. +same algorithm as used when locating keys for encryption or signing +and may thus be used to see what keys @command{@gpgname} might use. +In particular external methods as defined by +@option{--auto-key-locate} may be used to locate a key. Only public +keys are listed. The variant @option{--locate-external-keys} does not +consider a locally existing key and can thus be used to force the +refresh of a key via the defined external methods. @item --show-keys @opindex show-keys @@ -404,7 +409,10 @@ functionality is also available as the subcommand "passwd" with the @opindex delete-keys Remove key from the public keyring. In batch mode either @option{--yes} is required or the key must be specified by fingerprint. This is a -safeguard against accidental deletion of multiple keys. +safeguard against accidental deletion of multiple keys. If the +exclamation mark syntax is used with the fingerprint of a subkey only +that subkey is deleted; if the exclamation mark is used with the +fingerprint of the primary key the entire public key is deleted. @item --delete-secret-keys @var{name} @opindex delete-secret-keys 
@@ -413,7 +421,10 @@ specified by fingerprint. The option @option{--yes} can be used to advice gpg-agent not to request a confirmation. This extra pre-caution is done because @command{@gpgname} can't be sure that the secret key (as controlled by gpg-agent) is only used for the given -OpenPGP public key. +OpenPGP public key. If the exclamation mark syntax is used with the +fingerprint of a subkey only the secret part of that subkey is +deleted; if the exclamation mark is used with the fingerprint of the +primary key only the secret part of the primary key is deleted. @item --delete-secret-and-public-key @var{name} @@ -434,9 +445,8 @@ file given with option @option{--output}. Use together with @item --send-keys @var{keyIDs} @opindex send-keys Similar to @option{--export} but sends the keys to a keyserver. -Fingerprints may be used instead of key IDs. Option -@option{--keyserver} must be used to give the name of this -keyserver. Don't send your complete keyring to a keyserver --- select +Fingerprints may be used instead of key IDs. +Don't send your complete keyring to a keyserver --- select only those keys which are new or changed by you. If no @var{keyIDs} are given, @command{@gpgname} does nothing. 
@@ -491,27 +501,25 @@ signatures, user-IDs and subkeys. @opindex receive-keys @itemx --recv-keys @var{keyIDs} @opindex recv-keys -Import the keys with the given @var{keyIDs} from a keyserver. Option -@option{--keyserver} must be used to give the name of this keyserver. +Import the keys with the given @var{keyIDs} from a keyserver. @item --refresh-keys @opindex refresh-keys Request updates from a keyserver for keys that already exist on the local keyring. This is useful for updating a key with the latest signatures, user IDs, etc. Calling this with no arguments will refresh -the entire keyring. Option @option{--keyserver} must be used to give the -name of the keyserver for all keys that do not have preferred keyservers -set (see @option{--keyserver-options honor-keyserver-url}). +the entire keyring. @item --search-keys @var{names} @opindex search-keys -Search the keyserver for the given @var{names}. Multiple names given here will -be joined together to create the search string for the keyserver. -Option @option{--keyserver} must be used to give the name of this -keyserver. Keyservers that support different search methods allow using -the syntax specified in "How to specify a user ID" below. Note that -different keyserver types support different search methods. Currently -only LDAP supports them all. +Search the keyserver for the given @var{names}. Multiple names given +here will be joined together to create the search string for the +keyserver. Note that keyservers search for @var{names} in a different +and simpler way than gpg does. The best choice is to use a mail +address. Due to data privacy reasons keyservers may even not even +allow searching by user id or mail address and thus may only return +results when being used with the @option{--recv-key} command to +search by key fingerprint or keyid. @item --fetch-keys @var{URIs} @opindex fetch-keys 
@@ -1330,8 +1338,8 @@ give the opposite meaning. The options are: @item show-only-fpr-mbox @opindex list-options:show-only-fpr-mbox - For each valid user-id which also has a valid mail address print - only the fingerprint and the mail address. + For each user-id which has a valid mail address print + only the fingerprint followed by the mail address. @end table @item --verify-options @var{parameters} @@ -1429,19 +1437,24 @@ viewed (e.g. "f"), "%V" for the calculated validity as a string (e.g. and "%%" for an actual percent sign. If neither %i or %I are present, then the photo will be supplied to the viewer on standard input. -The default viewer is "xloadimage -fork -quiet -title 'KeyID 0x%k' -STDIN". Note that if your image viewer program is not secure, then -executing it from GnuPG does not make it secure. +On Unix the default viewer is +@code{xloadimage -fork -quiet -title 'KeyID 0x%k' STDIN} +with a fallback to +@code{display -title 'KeyID 0x%k' %i} +and finally to +@code{xdg-open %i}. +On Windows +@code{!ShellExecute 400 %i} is used; here the command is a meta +command to use that API call followed by a wait time in milliseconds +which is used to give the viewer time to read the temporary image file +before gpg deletes it again. Note that if your image viewer program +is not secure, then executing it from gpg does not make it secure. @item --exec-path @var{string} @opindex exec-path @efindex PATH -Sets a list of directories to search for photo viewers and keyserver -helpers. If not provided, keyserver helpers use the compiled-in -default directory, and photo viewers use the @code{PATH} environment -variable. -Note, that on W32 system this value is ignored when searching for -keyserver helpers. +Sets a list of directories to search for photo viewers If not provided +photo viewers use the @code{PATH} environment variable. @item --keyring @var{file} @opindex keyring 
@@ -1766,12 +1779,11 @@ list. The default is "local,wkd". PGP Universal method of checking @samp{ldap://keys.(thedomain)}. @item keyserver - Locate a key using whatever keyserver is defined using the - @option{--keyserver} option. + Locate a key using a keyserver. @item keyserver-URL - In addition, a keyserver URL as used in the @option{--keyserver} option - may be used here to query that particular keyserver. + In addition, a keyserver URL as used in the @command{dirmngr} + configuration may be used here to query that particular keyserver. @item local Locate the key using the local keyrings. This mechanism allows the user to 
@@ -1802,10 +1814,26 @@ These options enable or disable the automatic retrieving of keys from a keyserver when verifying signatures made by keys that are not on the local keyring. The default is @option{--no-auto-key-retrieve}. -If the method "wkd" is included in the list of methods given to -@option{auto-key-locate}, the signer's user ID is part of the -signature, and the option @option{--disable-signer-uid} is not used, -the "wkd" method may also be used to retrieve a key. +The order of methods tried to lookup the key is: + +1. If a preferred keyserver is specified in the signature and the +option @option{honor-keyserver-url} is active (which is not the +default), that keyserver is tried. Note that the creator of the +signature uses the option @option{--sig-keyserver-url} to specify the +preferred keyserver for data signatures. + +2. If the signature has the Signer's UID set (e.g. using +@option{--sender} while creating the signature) a Web Key Directory +(WKD) lookup is done. This is the default configuration but can be +disabled by removing WKD from the auto-key-locate list or by using the +option @option{--disable-signer-uid}. + +3. If the option @option{honor-pka-record} is active, the legacy PKA +method is used. + +4. If any keyserver is configured and the Issuer Fingerprint is part +of the signature (since GnuPG 2.1.16), the configured keyservers are +tried. Note that this option makes a "web bug" like behavior possible. Keyserver or Web Key Directory operators can see which keys you @@ -1905,6 +1933,11 @@ are available for all keyserver types, some common options are: @end table +The default list of options is: "self-sigs-only, import-clean, +repair-keys, repair-pks-subkey-bug, export-attributes, +honor-pka-record". + + @item --completes-needed @var{n} @opindex compliant-needed Number of completely trusted users to introduce a new 
@@ -2334,7 +2367,16 @@ opposite meaning. The options are: can be used to update only the subkeys or other non-user id related information. - @item repair-keys. After import, fix various problems with the + @item self-sigs-only + Accept only self-signatures while importing a key. All other + key-signatures are skipped at an early import stage. This option + can be used with @code{keyserver-options} to mitigate attempts to + flood a key with bogus signatures from a keyserver. The drawback is + that all other valid key-signatures, as required by the Web of Trust + are also not imported. + + @item repair-keys + After import, fix various problems with the keys. For example, this reorders signatures, and strips duplicate signatures. Defaults to yes. @@ -2628,11 +2670,11 @@ legacy non-MDC message is exceptionally required, the option @item --disable-signer-uid @opindex disable-signer-uid -By default the user ID of the signing key is embedded in the data -signature. As of now this is only done if the signing key has been -specified with @option{local-user} using a mail address. This -information can be helpful for verifier to locate the key; see -option @option{--auto-key-retrieve}. +By default the user ID of the signing key is embedded in the data signature. +As of now this is only done if the signing key has been specified with +@option{local-user} using a mail address, or with @option{sender}. This +information can be helpful for verifier to locate the key; see option +@option{--auto-key-retrieve}. @item --personal-cipher-preferences @var{string} @opindex personal-cipher-preferences 
@@ -3021,7 +3063,8 @@ to display the message. This option overrides @option{--set-filename}. @itemx --no-use-embedded-filename @opindex use-embedded-filename Try to create a file with a name as embedded in the data. This can be -a dangerous option as it enables overwriting files. Defaults to no. +a dangerous option as it enables overwriting files. Defaults to no. +Note that the option @option{--output} overrides this option. @item --cipher-algo @var{name} @opindex cipher-algo @@ -3080,10 +3123,14 @@ the same thing. @opindex cert-digest-algo Use @var{name} as the message digest algorithm used when signing a key. Running the program with the command @option{--version} yields a -list of supported algorithms. Be aware that if you choose an algorithm -that GnuPG supports but other OpenPGP implementations do not, then some -users will not be able to use the key signatures you make, or quite -possibly your entire key. +list of supported algorithms. Be aware that if you choose an +algorithm that GnuPG supports but other OpenPGP implementations do +not, then some users will not be able to use the key signatures you +make, or quite possibly your entire key. Note also that a public key +algorithm must be compatible with the specified digest algorithm; thus +selecting an arbitrary digest algorithm may result in error messages +from lower crypto layers or lead to security flaws. + @item --disable-cipher-algo @var{name} @opindex disable-cipher-algo @@ -3288,7 +3335,8 @@ secret keyrings. @item --no-keyring @opindex no-keyring -Do not add use any keyrings even if specified as options. +Do not use any keyring at all. This overrides the default and all +options which specify keyrings. @item --skip-verify @opindex skip-verify diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index 1736ff111..75ccdc3ba 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi 
@@ -349,7 +349,8 @@ verbose commands to @command{gpgsm}, such as @samp{-vv}. @item --policy-file @var(unknown) @opindex policy-file -Change the default name of the policy file to @var(unknown). +Change the default name of the policy file to @var(unknown). The +default name is @file{policies.txt}. @item --agent-program @var{file} @opindex agent-program diff --git a/doc/scdaemon.texi b/doc/scdaemon.texi index 81af28105..21c3fd826 100644 --- a/doc/scdaemon.texi +++ b/doc/scdaemon.texi @@ -288,17 +288,9 @@ To get a list of available CCID readers you may use this command: @item --card-timeout @var{n} @opindex card-timeout -If @var{n} is not 0 and no client is actively using the card, the card -will be powered down after @var{n} seconds. Powering down the card -avoids a potential risk of damaging a card when used with certain -cheap readers. This also allows applications that are not aware of -Scdaemon to access the card. The disadvantage of using a card timeout -is that accessing the card takes longer and that the user needs to -enter the PIN again after the next power up. - -Note that with the current version of Scdaemon the card is powered -down immediately at the next timer tick for any value of @var{n} other -than 0. +This option is deprecated. In GnuPG 2.0, it used to be used for +DISCONNECT command to control timing issue. Since DISCONNECT command +works synchronously, it has no effect. @item --enable-pinpad-varlen @opindex enable-pinpad-varlen 
@@ -332,6 +324,21 @@ This option disables the use of the card application named @var{name}. This is mainly useful for debugging or if a application with lower priority should be used by default. +@item --application-priority @var{namelist} +@opindex application-priority +This option allows to change the order in which applications of a card +a tried if no specific application was requested. @var{namelist} is a +space or comma delimited list of application names. Unknown names are +simply skipped. Applications not mentioned in the list are put in the +former order at the end of the new priority list. + +To get the list of current active applications, use +@cartouche +@smallexample + gpg-connect-agent 'scd getinfo app_list' /bye +@end smallexample +@end cartouche + @end table All the long options may also be given in the configuration file after @@ -767,4 +774,3 @@ length up to N bytes. If N is not given a default value is used @command{gpg2}(1) @end ifset @include see-also-note.texi - diff --git a/doc/tools.texi b/doc/tools.texi index 119f698d6..460030038 100644 --- a/doc/tools.texi +++ b/doc/tools.texi @@ -21,6 +21,7 @@ GnuPG comes with a couple of smaller tools: * gpgparsemail:: Parse a mail message into an annotated format * symcryptrun:: Call a simple symmetric encryption tool. * gpgtar:: Encrypt or sign files into an archive. +* gpg-check-pattern:: Check a passphrase on stdin against the patternfile. @end menu @c 
@@ -352,11 +353,12 @@ may use this command to ensure that they are started. Using "all" for @item --kill [@var{component}] @opindex kill -Kill the given component. Components which support killing are -@command{gpg-agent} and @command{scdaemon}. Components which don't -support reloading are ignored. Using "all" for @var{component} kills -all components running as daemons. Note that as of now reload and -kill have the same effect for @command{scdaemon}. +Kill the given component that runs as a daemon, including +@command{gpg-agent}, @command{dirmngr}, and @command{scdaemon}. A +@command{component} which does not run as a daemon will be ignored. +Using "all" for @var{component} kills all components running as +daemons. Note that as of now reload and kill have the same effect for +@command{scdaemon}. @item --create-socketdir @opindex create-socketdir @@ -392,6 +394,8 @@ extends numerical field values by human-readable descriptions. @opindex quiet Try to be as quiet as possible. +@include opt-homedir.texi + @item -n @itemx --dry-run Do not actually change anything. This is currently only implemented 
@@ -2107,3 +2111,50 @@ gpgtar --list-archive test1 @command{tar}(1), @end ifset @include see-also-note.texi + +@c +@c GPG-CHECK-PATTERN +@c +@manpage gpg-check-pattern.1 +@node gpg-check-pattern +@section Check a passphrase on stdin against the patternfile +@ifset manverb +.B gpg-check-pattern +\- Check a passphrase on stdin against the patternfile +@end ifset + +@mansect synopsis +@ifset manverb +.B gpg\-check\-pattern +.RI [ options ] +.I patternfile +@end ifset + +@mansect description +@command{gpg-check-pattern} checks a passphrase given on stdin against +a specified pattern file. + +@mansect options +@noindent + +@table @gnupgtabopt + +@item --verbose +@opindex verbose +Enable extra informational output. + +@item --check +@opindex check +Run only a syntax check on the patternfile. + +@item --null +@opindex null +Input is expected to be null delimited. + +@end table + +@mansect see also +@ifset isman +@command{gpg}(1), +@end ifset +@include see-also-note.texi diff --git a/doc/wks.texi b/doc/wks.texi index f132b3186..9f1fff2a8 100644 --- a/doc/wks.texi +++ b/doc/wks.texi @@ -101,6 +101,14 @@ fingerprint and the mailbox separated by a space. The command @option{--remove-key} removes a key from that directory, its only argument is a user-id. +The command @option{--print-wkd-hash} prints the WKD user-id identifiers +and the corresponding mailboxes from the user-ids given on the command +line or via stdin (one user-id per line). + +The command @option{--print-wkd-url} prints the URLs used to fetch the +key for the given user-ids from WKD. The meanwhile preferred format +with sub-domains is used here. + @command{gpg-wks-client} is not commonly invoked directly and thus it is not installed in the bin directory. Here is an example how it can be invoked manually to check for a Web Key Directory entry for diff --git a/doc/yat2m.c b/doc/yat2m.c index be0ef17fd..2d6f54ea2 100644 --- a/doc/yat2m.c +++ b/doc/yat2m.c 
@@ -724,7 +724,8 @@ proc_texi_cmd (FILE *fp, const char *command, const char *rest, size_t len, { "url", 0, "\\fB", "\\fR" }, { "sc", 0, "\\fB", "\\fR" }, { "var", 0, "\\fI", "\\fR" }, - { "samp", 0, "\\(aq", "\\(aq" }, + { "samp", 0, "\\(oq", "\\(cq" }, + { "kbd", 0, "\\(oq", "\\(cq" }, { "file", 0, "\\(oq\\fI","\\fR\\(cq" }, { "env", 0, "\\(oq\\fI","\\fR\\(cq" }, { "acronym", 0 }, |
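Review bot: In the doc/Makefile.am hunk at @@ -121, wrapping the `.svg.eps` through `.fig.pdf` conversion rules in `if MAINTAINER_MODE` ... `endif` means a build from a release tarball (where maintainer mode is off) can no longer regenerate the .eps/.pdf figures, so the pre-generated files must be shipped; please confirm they are covered by EXTRA_DIST or the equivalent, otherwise a clean tarball build of the docs breaks with no rule to make the targets.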
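Review bot: In the doc/gpg-card.texi hunk at @@ -231, the rewritten sentence still carries the doubled article from the old text: "does currently not use the the @emph{Card authentication} key". Since this line is being rewritten anyway, drop the second "the"; the rest of the rewording (three of the four keys, PIV standard) reads fine.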
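Review bot: In the doc/gpg-card.texi hunk at @@ -360, the fix "last steps" to "last step" leaves the adjacent context line with a duplicated word across the line break: "If you / you instead created a certificate signing request". Since this paragraph is already touched, fold the drive-by fix in and delete the second "you".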
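Review bot: In the doc/gpg-card.texi hunk at @@ -507, the new typescript opens with `$ gpgsm --learn` but the surrounding prose never says why that step is needed before `gpg --full-gen-key`; a sentence explaining what the command does for the card keys would keep readers from skipping it and then not seeing the "(14) Existing key from card" entries. Also, "you will also ge given the option" should read "be given".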
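Review bot: In the doc/gpg.texi hunk at @@ -491, the new --search-keys paragraph has two problems: "keyservers may even not even allow searching" doubles "even", and it refers to "@option{--recv-key}" while the command documented a few lines above in the same hunk is @option{--recv-keys} (alias @option{--receive-keys}); use the documented spelling so the cross-reference matches.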
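Review bot: In the doc/gpg.texi hunk at @@ -1429, the rewritten --exec-path text is missing a sentence break: "search for photo viewers If not provided photo viewers use" should be "search for photo viewers. If not provided, photo viewers use". Separately, the photo viewer paragraph now documents the Windows `!ShellExecute 400 %i` meta command; it would help to say explicitly that the wait time is a fixed delay rather than a wait for the viewer to exit, since that is why the temporary file may be deleted from under a slow viewer.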
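Review bot: In the doc/gpg.texi hunk at @@ -1802, the lookup order is written as a hand-numbered "1." to "4." list in plain text; Texinfo has @enumerate for this and the rest of gpg.texi uses @table/@itemize markup, so the plain numbers will render inconsistently in the manpage and info output. Also "methods tried to lookup the key" should be "look up", and item 1 names a keyserver option as a bare "@option{honor-keyserver-url}"; writing it as @option{--keyserver-options honor-keyserver-url} (as the old text at @@ -491 did) tells the reader where it is set.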
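Review bot: In the doc/gpg.texi hunk at @@ -1905, the new sentence "The default list of options is: ..." does not say whether a user-supplied --keyserver-options replaces that default list or is merged with it; since self-sigs-only and import-clean are in the default set, a reader who adds one option needs to know whether they just switched the flood protection off.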
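Review bot: In the doc/gpg.texi hunk at @@ -2334, the self-sigs-only description should state that this option is part of the default keyserver-options (the list added at @@ -1905), so that the stated drawback, third-party certifications required by the Web of Trust not being imported, is understood to apply to keyserver imports out of the box. Minor: a comma is missing after "as required by the Web of Trust".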
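Review bot: In the doc/gpg.texi hunk at @@ -3080, the added sentence "a public key algorithm must be compatible with the specified digest algorithm ... or lead to security flaws" is too vague to act on: it neither states the compatibility rule nor points to where it is documented. Either name the constraint the reader must check or replace "security flaws" with the concrete consequence you have in mind.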
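Review bot: In the doc/scdaemon.texi hunk at @@ -288, the replacement text for --card-timeout is ungrammatical and should also say whether the option is still accepted for old configuration files. Suggested wording: "This option is deprecated and has no effect. In GnuPG 2.0 it controlled the timing of the DISCONNECT command; since DISCONNECT now works synchronously the value is ignored."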
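Review bot: In the doc/scdaemon.texi hunk at @@ -332, the new --application-priority text has "applications of a card a tried", which should be "are tried", and "This option allows to change" should be "allows changing". It would also help to state that the option does not enable an application disabled with --disable-application, since the two options are documented next to each other.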
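Review bot: In the doc/tools.texi hunk at @@ -352, "A @command{component} which does not run as a daemon will be ignored" marks the placeholder as a command name; it is the argument of --kill and is written @var{component} in the @item line, so use @var{component} here too.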
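Review bot: In the doc/tools.texi hunk at @@ -2107, the new gpg-check-pattern manpage describes neither the format of the pattern file nor how the result is reported (exit status and its meaning), which is what anyone wiring the tool into a passphrase policy check needs; please add a short "pattern file" paragraph and an exit status section. Minor: "the patternfile" should be "the pattern file" in the section title and NAME line.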
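Review bot: In the doc/wks.texi hunk at @@ -101, "The meanwhile preferred format with sub-domains is used here" reads as a Germanism; "The now preferred sub-domain format is used here" says the same thing. It would also be useful to name that format as the WKD specification does so readers can match it against the server-side setup.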