diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 16:14:06 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 16:14:06 +0000 |
commit | eee068778cb28ecf3c14e1bf843a95547d72c42d (patch) | |
tree | 0e07b30ddc5ea579d682d5dbe57998200d1c9ab7 /doc | |
parent | Initial commit. (diff) | |
download | gnupg2-eee068778cb28ecf3c14e1bf843a95547d72c42d.tar.xz gnupg2-eee068778cb28ecf3c14e1bf843a95547d72c42d.zip |
Adding upstream version 2.2.40.upstream/2.2.40upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc')
98 files changed, 49854 insertions, 0 deletions
diff --git a/doc/ChangeLog-2011 b/doc/ChangeLog-2011 new file mode 100644 index 0000000..b830c0e --- /dev/null +++ b/doc/ChangeLog-2011 @@ -0,0 +1,871 @@ +2011-12-01 Werner Koch <wk@g10code.com> + + NB: ChangeLog files are no longer manually maintained. Starting + on December 1st, 2011 we put change information only in the GIT + commit log, and generate a top-level ChangeLog file from logs at + "make dist". See doc/HACKING for details. + +2011-10-12 Werner Koch <wk@g10code.com> + + * gpg.texi: Add a bunch of opindex items. + + * yat2m.c (parse_file): Add hack to allow table indentation. + +2011-08-12 Werner Koch <wk@g10code.com> + + * texi.css: Override some elements. + * gnupg-log-tr.png: New. + * gnupg.texi: Use transparent logo. + +2011-03-01 Werner Koch <wk@g10code.com> + + * gpgsm.texi (CSR and certificate creation): New. + * gpg.texi (Unattended GPG key generation): New. + +2010-10-29 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (GPG Configuration Options): Clarify that show-photos + doesn't work with --with-colons. --personal-digest-preferences + does not have a default any longer. + +2010-10-18 Werner Koch <wk@g10code.com> + + * DETAILS: Fix description of IMPORT_RES. Reported by Nicholas Cole. + +2010-10-11 Daniel Kahn Gillmor <dkg@fifthhorseman.net> (wk) + + * gpg.texi (GPG Configuration Options) <photo-viewer>: Describe %v + and %V. + +2010-10-05 Werner Koch <wk@g10code.com> + + * Makefile.am (faq.txt faq.html, faq-online): New. + +2010-10-04 Werner Koch <wk@g10code.com> + + * faq.org: New. + * FAQ: Make it a static file with a pointer to the online location. + * Makefile.am (EXTRA_DIST): Remove faq.raw and faq.html. + (FAQ, faq.html): Remove these targets + +2010-09-28 Werner Koch <wk@g10code.com> + + * Makefile.am (AM_MAKEINFOFLAGS): Add define gpgtwoone. + +2010-09-28 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (OpenPGP Options): Clarify that --force-v3-sigs + disables (not enables) v4 options. --force-v3-sigs defaults to + no. + +2010-08-18 Werner Koch <wk@g10code.com> + + * tools.texi (watchgnupg): Add examples section. + +2010-06-10 Werner Koch <wk@g10code.com> + + * Makefile.am (gnupg_TEXINFOS): Add dirmngr.texi. + (myman_sources): Ditto. + (myman_pages): Add dirmngr and dirmngr-client pages. + (noinst_MANS): Move gnupg.7 to man_MANS. + + * gnupg.texi: Include dirmngr.texi and add a menu entry. + * dirmngr.texi: New. Taken from the current SVN of the dirmngr + package and adjusted to fit into the GnuPG manual. Moved + dirmngr-cleint stuff to ... + * tools.texi (dirmngr-client): ... new. + +2009-11-18 Werner Koch <wk@g10code.com> + + * gpg.texi (GPG Key related Options): Describe + --skip-hidden-recipients. + +2009-10-19 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (GPG Configuration Options): Clarify that ca-cert-file + is a generic store, the details of which depend on the underlying + libraries. + +2009-08-24 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi: Suggested new ordering for --edit-key. + +2009-08-17 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (OpenPGP Options): Clarify that + personal-foo-preferences overrides recipient preferences (safely). + +2009-08-14 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (GPG Configuration Options): Document keyserver options + check-cert and ca-cert-file. + +2009-08-06 Werner Koch <wk@g10code.com> + + * DETAILS: Describe the new INV_SNDR and NO_SNDR.. + +2009-07-31 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (OpenPGP Options): Don't mention + --no-sk-comment (doesn't exist any longer). + +2009-07-23 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (GPG Configuration Options): LDAP uses DNS-SD to locate + a server before falling back to keys.{domain}. + +2009-07-23 Werner Koch <wk@g10code.com> + + * help.txt (gpgsm.crl-problem): New. + +2009-07-22 Werner Koch <wk@g10code.com> + + * scdaemon.texi, instguide.texi, gpgsm.texi, sysnotes.texi + * glossary.texi, howto-create-a-server-cert.texi, tools.texi + * gpg-agent.texi, gpg.texi, debugging.texi: Typo fixes. Reported + by Jeroen Schot. Fixes bug#1093. + + * gpg.texi (GPG Configuration Options): Tell what files to backup. + * sysnotes.texi: Remove some warning notes for W32. + +2009-07-20 Werner Koch <wk@g10code.com> + + * gpg.texi (Operational GPG Commands): Add a note for --send-keys. + Fixes bug#1090. + +2009-07-06 Werner Koch <wk@g10code.com> + + * debugging.texi (Common Problems): Add a note about corrupted + keys in --search-keys. + +2009-06-02 Werner Koch <wk@g10code.com> + + * tools.texi (watchgnupg): Typo fix. Fixes bug#1065. + + * gpg-agent.texi (Agent Commands): Update description of --daemon. + +2009-05-20 Werner Koch <wk@g10code.com> + + * gpg.texi (GPG Configuration Options): Explain new meaning of + --enable-dsa2. + +2009-03-16 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (GPG Configuration Options): Document keyserver-options + debug. + +2009-03-04 Werner Koch <wk@g10code.com> + + * help.txt (gpg.keygen.size): Add a link to web page. + +2009-03-03 Werner Koch <wk@g10code.com> + + * gpg.texi (Operational GPG Commands): "merge-only" is an + import-option. Reported by Joseph Oreste Bruni. + +2009-03-02 Werner Koch <wk@g10code.com> + + * gpg-agent.texi (Invoking GPG-AGENT): Modernized instructions. + (Agent Options): Fix spelling of option --lc-ctype. + +2009-01-12 Werner Koch <wk@g10code.com> + + * faq.raw: Fix bug reorting address. + +2008-12-12 Werner Koch <wk@g10code.com> + + * gpgsm.texi (General GPGSM Commands): Fix --help, --version and + --warranty wording. + +2008-12-08 Werner Koch <wk@g10code.com> + + * DETAILS: Clarify the use of "trust" and "validity" as suggested + by Daniel Kahn Gillmor. Fix some typos. Remove the outdated + sections on packet headers and pipemode. Point to the libgcrypt + manual for a description of the key generation. + +2008-11-12 Werner Koch <wk@g10code.com> + + * gpg-agent.texi (Agent Options): Use Posix $() instead of + backticks to avoid rendering problems. + +2008-10-13 Werner Koch <wk@g10code.com> + + * gpgsm.texi (Certificate Management): Explain hot to delete the + secret key. + +2008-10-01 Werner Koch <wk@g10code.com> + + * tools.texi (Controlling gpg-connect-agent): Describe /datafile. + +2008-09-23 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (OpenPGP Key Management): Clarify setpref a bit. + +2008-08-30 Werner Koch <wk@g10code.com> + + * yat2m.c (write_th): Print a note that this is generated source. + (VERSION): Bump up to 1.0. + +2008-07-30 Werner Koch <wk@g10code.com> + + * gpgsm.texi (GPGSM Configuration): Mention com-cert.pem. + +2008-06-25 Werner Koch <wk@g10code.com> + + * qualified.txt: Add new BnetzA certs 12R and 13R. + * com-certs.pem: Ditto. + * examples/trustlist.txt: Ditto. + +2008-06-19 Werner Koch <wk@g10code.com> + + * tools.texi (Listing options): Describe new complect gpgconf type + "alias list". + +2008-06-16 Werner Koch <wk@g10code.com> + + * DETAILS (group): Document %ask-passphrase. + +2008-05-26 Werner Koch <wk@g10code.com> + + * gpgv.texi: Minor fixes. Fixes bug#918. + + * opt-homedir.texi: Typo fixes. Fixes bug#917. + +2008-05-26 Marcus Brinkmann <marcus@g10code.de> + + * tools.texi (Invoking gpgconf): Document --list-dirs. + +2008-05-20 Marcus Brinkmann <marcus@g10code.de> + + * tools.texi (Invoking gpgconf): Add --dry-run and --check-options. + (Checking programs): Document --check-options. + +2008-05-15 Marcus Brinkmann <marcus@g10code.de> + + * gpg.texi (Operational GPG Commands): Mention the way to change + the default signing key. + +2008-05-06 Werner Koch <wk@g10code.com> + + * Makefile.am (myman_pages): Add gpg-zip.1. + + * tools.texi (gpg-zip): Add new section. + +2008-04-08 Werner Koch <wk@g10code.com> + + * gpg.texi (GPG Configuration Options): Change subkeys.pgp.net to + keys.gnupg.net. Describe --auto-key-locate mechanisms local and + nodefault. + +2008-04-03 Werner Koch <wk@g10code.com> + + * yat2m.c (proc_texi_cmd): Remove extra apostrophe from @samp and + use open and close quote to @file and @env. + +2008-04-02 Werner Koch <wk@g10code.com> + + * opt-homedir.texi: Remove special case for Registry key. + + * yat2m.c (proc_texi_cmd): Use the \(aq glyph for @samp. This is + bug#898. + (proc_texi_buffer): Handle backslashs correctly. + +2008-03-27 Werner Koch <wk@g10code.com> + + * Makefile.am (nobase_dist_doc_DATA, dist_html_DATA): New. Move + relevant files to here. + (install-html-local): Remove. + +2008-02-27 Marcus Brinkmann <marcus@g10code.de> + + * tools.texi (Listing options): Document new types. + +2008-02-26 Werner Koch <wk@g10code.com> + + * gpg.texi (GPG Configuration Options): Mention rfc4398. + +2008-02-05 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (GPG Esoteric Options): Tweak mention of Tempest font + to add a "claimed" in there. + +2008-01-29 Justin Pryzby <jpryzby+d@quoininc.com> (wk) + + * gpg-agent.texi (Agent Options): Grammar fixes + + * qualified.txt: Spelling fixes. + +2008-01-28 Justin Pryzby <jpryzby+d@quoininc.com> (wk) + + * gpg-agent.texi, yat2m.c, scdaemon.texi, qualified.txt + * tools.texi, gpgsm.texi: Typo fixes and minor grammer fixes. + +2008-01-10 Werner Koch <wk@g10code.com> + + * qualified.txt: Add missing country tag to the last entries. + Reported by Marcus Brinkmann. + +2008-01-10 Marcus Brinkmann <marcus@g10code.de> + + * tools.texi (gpgconf): Some clarifications. + +2008-01-02 Werner Koch <wk@g10code.com> + + * gpg.texi (GPG Esoteric Options): Mention --log-file. + +2007-12-13 Werner Koch <wk@g10code.com> + + * qualified.txt: Add 2 root certs from S-Trust for 2008-2012. + * examples/trustlist.txt: Ditto. + * com-certs.pem: Ditto. + + * gpgsm.texi (Esoteric Options): Document --extra-digest-algo. + +2007-12-12 Werner Koch <wk@g10code.com> + + * gpg.texi: Typo fixes. From Christer Andersson. + +2007-12-04 Werner Koch <wk@g10code.com> + + * help.txt: New online help file. + * help.be.txt, help.ca.txt, help.cs.txt, help.da.txt, help.de.txt + * help.el.txt, help.eo.txt, help.es.txt, help.et.txt, help.fi.txt + * help.fr.txt, help.gl.txt, help.hu.txt, help.id.txt, help.it.txt + * help.ja.txt, help.nb.txt, help.pl.txt, help.pt.txt + * help.pt_BR.txt, help.ro.txt, help.ru.txt, help.sk.txt + * help.sv.txt, help.tr.txt, help.zh_CN.txt, help.zh_TW.txt: New + online file, generated from teh current po files. + * Makefile.am (dist_pkgdata_DATA): Add them. + +2007-11-19 Werner Koch <wk@g10code.com> + + * gpg.texi (GPG Configuration Options): English Grammar fix. + Thanks to Gerg Troxel. + + * gpgsm.texi (Certificate Options): Document + --auto-issuer-key-retrieve. + +2007-11-15 Werner Koch <wk@g10code.com> + + * gpg.texi (GPG Configuration): Add PINENTRY_USER_DATA. + + * gpg-agent.texi (Agent Options): Add xauthority. + +2007-10-31 Marcus Brinkmann <marcus@g10code.de> + + * gpg-agent.texi (Agent Options): Fix typos, by Bernhard Reiter. + +2007-10-27 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi: Document --rfc4880 (the new --openpgp). + +2007-10-25 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi: Clarify --force-v3-sigs, --pgp2, and --pgp6 a bit. + +2007-10-23 Werner Koch <wk@g10code.com> + + * tools.texi (Listing global options): New. + +2007-10-19 Werner Koch <wk@g10code.com> + + * tools.texi (Controlling gpg-connect-agent): Updated. + +2007-08-29 Werner Koch <wk@g10code.com> + + * tools.texi (Checking programs): New. + +2007-08-27 Werner Koch <wk@g10code.com> + + * examples/pwpattern.list: New. + +2007-08-24 Werner Koch <wk@g10code.com> + + * debugging.texi (Common Problems): Add "A root certifciate does + not validate." + +2007-08-14 Werner Koch <wk@g10code.com> + + * glossary.texi (Glossary): Add a more items. + +2007-08-13 Werner Koch <wk@g10code.com> + + * yat2m.c (proc_texi_cmd): Do not put @samp content between two + newlines. + + * gpg-agent.texi (Agent Configuration): Explain the CM flag for + trustlist.txt. + +2007-08-09 Werner Koch <wk@g10code.com> + + * gpgsm.texi (Certificate Options): Describe --validation-model. + +2007-07-23 Werner Koch <wk@g10code.com> + + * scdaemon.texi (Scdaemon Commands): Remove obsolete --print-atr. + +2007-07-17 Werner Koch <wk@g10code.com> + + * gpgsm.texi (Input and Output): Document --default-key. + +2007-07-04 Werner Koch <wk@g10code.com> + + * gpl.texi: Updated to GPLv3. + +2007-06-22 Werner Koch <wk@g10code.com> + + * gpg.texi (Operational GPG Commands): Describe the flags used by + --check-sigs. + +2007-06-21 Werner Koch <wk@g10code.com> + + * gpgsm.texi (Certificate Management): Changed description of + --gen-key. + +2007-06-19 Werner Koch <wk@g10code.com> + + * glossary.texi (Glossary): Describe PSE. + +2007-06-18 Werner Koch <wk@g10code.com> + + * gpg-agent.texi (Agent GETINFO): New. + +2007-06-06 Werner Koch <wk@g10code.com> + + * Makefile.am (yat2m): Use a plain rule to build it for the sake + of cross-compiling. + + * yat2m.c (finish_page): Init SECT to NULL. + +2007-05-11 Werner Koch <wk@g10code.com> + + * gpgsm.texi (--export): Enhanced description. + +2007-05-09 Werner Koch <wk@g10code.com> + + * examples/gpgconf.conf: Remove active example line. + + * Makefile.am (online): Distinguish between released and svn manuals. + +2007-05-08 Werner Koch <wk@g10code.com> + + * howtos.texi: New. + * howto-create-a-server-cert.texi: New. + * Makefile.am (gnupg_TEXINFOS): Add new files. + + * gnupg.texi: Moved the logo for HTML more to the top. + * Makefile.am (install-html-local): New. + (DVIPS): Redefine to include srcdir. + +2007-05-04 Werner Koch <wk@g10code.com> + + * gnupg.texi (Top): Fix typo and a grammar issue. + * Makefile.am (EXTRA_DIST): Add gnupg-logo.png. Suggested by + Bernard Leak. + +2007-04-15 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (OpenPGP Options): Update the personal-foo-preferences + documentation a bit. + +2007-04-10 Werner Koch <wk@g10code.com> + + * gpg.texi (GPG Configuration Options): Document --batch, no-tty, + --yes and --no. + +2007-03-08 Werner Koch <wk@g10code.com> + + * gnupg-logo.png, gnupg-logo.eps, gnupg-logo.pdf: New. + * gnupg-badge-openpgp.eps, gnupg-badge-openpgp.eps + * gnupg-badge-openpgp.jpg: Removed. + * gnupg.texi: Use new logo. + +2007-03-07 Werner Koch <wk@g10code.com> + + * tools.texi (applygnupgdefaults): New. + +2007-03-06 Werner Koch <wk@g10code.com> + + * examples/gpgconf.conf: New. + +2007-03-04 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (GPG Esoteric Options): Document + --allow-multiple-messages. + +2007-02-26 Werner Koch <wk@g10code.com> + + * gpg.texi (GPG Configuration): Document envvar LANGUAGE. + (GPG Configuration Options): Document show-primary-uid-only. + +2007-02-18 Werner Koch <wk@g10code.com> + + * gpg.texi (GPG Esoteric Options): No card reader options for gpg2. + +2007-02-14 Werner Koch <wk@g10code.com> + + * gpg-agent.texi (Agent Options): Doc --pinentry-touch-file. + +2007-02-05 Werner Koch <wk@g10code.com> + + * debugging.texi (Common Problems): Tell how to export a private + key without a certificate. + +2007-01-30 Werner Koch <wk@g10code.com> + + * com-certs.pem: Added the current root certifcates of D-Trust and + S-Trust. + +2007-01-18 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi, specify-user-id.texi: Only some of the mentions of + exclamation marks have an example. Give examples to the rest. + +2007-01-17 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (GPG Configuration Options): Make http_proxy option + documentation match reality. + (BUGS): Warn about hibernate/safe-sleep/etc writing main RAM to + disk, despite locking. + +2006-12-08 Werner Koch <wk@g10code.com> + + * gnupg.texi (direntry): Rename gpg to gpg2. + +2006-12-04 Werner Koch <wk@g10code.com> + + * gpgv.texi: New. + * tools.texi: Include new file. + +2006-12-02 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi (GPG Esoteric Options): Document --passphrase-repeat. + +2006-11-14 Werner Koch <wk@g10code.com> + + * gpgsm.texi (GPGSM EXPORT): Document changes. + +2006-11-11 Werner Koch <wk@g10code.com> + + * gnupg.texi (Top): Move gpg-agent part before gpg. + +2006-11-05 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi: Reference to --s2k-count in --s2k-mode. + +2006-10-30 Werner Koch <wk@g10code.com> + + * faq.raw: Minor corrections. + +2006-10-12 Werner Koch <wk@g10code.com> + + * Makefile.am (man_MANS): Do not install gnupg.7 due to a conflict + with gpg1. + +2006-10-12 David Shaw <dshaw@jabberwocky.com> + + * gpg.texi: Document --s2k-count. + +2006-09-25 Werner Koch <wk@g10code.com> + + * gpg.texi (GPG Examples): Add markup to all options. This is + required to have the double dashs printed correclty. + +2006-09-22 Werner Koch <wk@g10code.com> + + * instguide.texi (Installation): New. + * assuan.texi (Assuan): Removed. Use the libassuan manual instead. + * gnupg.texi: Reflect these changes. + + * gpg.texi: Make some parts depend on the "gpgone" set + command. This allows us to use the same source for gpg1 and gpg2. + + * yat2m.c (parse_file): Better parsing of @ifset and ifclear. + (main): Allow definition of "-D gpgone". + (parse_file): Allow macro definitions. + (proc_texi_cmd): Expand macros. + (proc_texi_buffer): Process commands terminated by the closing + brace of the enclosing command. + +2006-09-20 Werner Koch <wk@g10code.com> + + * texi.css: New. Note that the current vesion of makeinfo has a + bug while copying the @import directive. A pacth has been send to + upstream. + +2006-09-19 Werner Koch <wk@g10code.com> + + * gpg.texi: Some restructuring. + + * Makefile.am (online): New target. + +2006-09-18 Werner Koch <wk@g10code.com> + + * com-certs.pem: New. + +2006-09-13 Werner Koch <wk@g10code.com> + + * gpg.texi (GPG Esoteric Options): Fixed typo in + --require-cross-certification and made it the default. + +2006-09-11 Werner Koch <wk@g10code.com> + + * HACKING: Cleaned up. + +2006-09-08 Werner Koch <wk@g10code.com> + + * yat2m.c (parse_file): Ignore @node lines immediately. + (proc_texi_cmd): No special @end ifset processing anymore. + + * specify-user-id.texi: New. Factored out of gpg.texi and ../README. + +2006-09-07 Werner Koch <wk@g10code.com> + + * scdaemon.texi (Scdaemon Configuration): New. + + * examples/scd-event: Event handler for sdaemon. + * examples/: New directory + +2006-08-22 Werner Koch <wk@g10code.com> + + * yat2m.c (parse_file): Added code to skip a line after @mansect. + + * gnupg7.texi: New. + +2006-08-21 Werner Koch <wk@g10code.com> + + * Makefile.am: Added other doc files from gpg 1.4. + +2006-08-17 Werner Koch <wk@g10code.com> + + * Makefile.am: Added rules to build man pages. + + * yat2m.c: New. + +2006-02-14 Werner Koch <wk@gnupg.org> + + * gpgsm.texi (GPGSM Configuration): New section. + +2005-11-14 Werner Koch <wk@g10code.com> + + * qualified.txt: Added real information. + +2005-11-13 Werner Koch <wk@g10code.com> + + * qualified.txt: New. + * Makefile.am (dist_pkgdata_DATA): New. + +2005-08-16 Werner Koch <wk@g10code.com> + + * gpg-agent.texi (Agent Options): Note default file name for + --write-env-file. + +2005-06-03 Werner Koch <wk@g10code.com> + + * debugging.texi (Architecture Details): New section, mostly empty. + * gnupg-card-architecture.fig: New. + * Makefile.am: Rules to build png and eps versions. + + * gpg-agent.texi (Agent UPDATESTARTUPTTY): New. + +2005-05-17 Werner Koch <wk@g10code.com> + + * gpg-agent.texi (Agent Options): Removed --disable-pth. + +2005-04-27 Werner Koch <wk@g10code.com> + + * tools.texi (symcryptrun): Added. + + * scdaemon.texi: Removed OpenSC specific options. + +2005-04-20 Werner Koch <wk@g10code.com> + + * gpg-agent.texi (Agent Configuration): New section. + +2005-02-24 Werner Koch <wk@g10code.com> + + * tools.texi (gpg-connect-agent): New. + +2005-02-14 Werner Koch <wk@g10code.com> + + * gpgsm.texi (Certificate Management): Document --import. + +2005-01-27 Moritz Schulte <moritz@g10code.com> + + * gpg-agent.texi: Document ssh-agent emulation layer. + +2005-01-04 Werner Koch <wk@g10code.com> + + * gnupg.texi: Updated to use @copying. + +2004-12-22 Werner Koch <wk@g10code.com> + + * gnupg.texi: Reordered. + * contrib.texi: Updated. + +2004-12-21 Werner Koch <wk@g10code.com> + + * tools.texi (gpg-preset-passphrase): New section. + + * gnupg-badge-openpgp.eps, gnupg-badge-openpgp.jpg: New + * gnupg.texi: Add a logo. + * sysnotes.texi: New. + +2004-11-05 Werner Koch <wk@g10code.com> + + * debugging.texi (Common Problems): Curses pinentry problem. + +2004-10-22 Werner Koch <wk@g10code.com> + + * tools.texi (Helper Tools): Document gpgsm-gencert.sh. + +2004-10-05 Werner Koch <wk@g10code.com> + + * gpg-agent.texi (Invoking GPG-AGENT): Tell that GPG_TTY needs to + be set in all cases. + +2004-09-30 Werner Koch <wk@g10code.com> + + * gpg.texi: New. + * gnupg.texi: Include gpg.texi + + * tools.texi: Add a few @command markups. + * gpgsm.texi: Ditto + * gpg-agent.texi: Ditto. + * scdaemon.texi: Ditto. + +2004-09-30 Marcus Brinkmann <marcus@g10code.de> + + * tools.texi (Changing options): Add documentation for gpgconf. + + * contrib.texi (Contributors): Add two missing periods. + +2004-09-29 Werner Koch <wk@g10code.com> + + * gpgsm.texi (Configuration Options): Add --log-file. + + * gpg-agent.texi (Invoking GPG-AGENT): Add a few words about the + expected pinentry filename. + + Changed license of the manual stuff to GPL. + + * gnupg.texi (Top): New menu item Helper Tools. + + * tools.texi (Helper Tools): New. + * Makefile.am (gnupg_TEXINFOS): Add tools.texi. + +2004-08-05 Werner Koch <wk@g10code.de> + + * scdaemon.texi (Card applications): New section. + +2004-06-22 Werner Koch <wk@g10code.com> + + * glossary.texi: New. + +2004-06-18 Werner Koch <wk@gnupg.org> + + * debugging.texi: New. + * gnupg.texi: Include it. + +2004-05-11 Werner Koch <wk@gnupg.org> + + * gpgsm.texi (Esoteric Options): Add --debug-allow-core-dump. + +2004-05-03 Werner Koch <wk@gnupg.org> + + * gpg-agent.texi (Agent Options): Add --allow-mark-trusted. + +2004-02-03 Werner Koch <wk@gnupg.org> + + * contrib.texi (Contributors): Updated from the gpg 1.2.3 thanks + list. + * gpgsm.texi, gpg-agent.texi, scdaemon.texi: Language cleanups. + +2003-12-01 Werner Koch <wk@gnupg.org> + + * gpgsm.texi (Certificate Options): Add --{enable,disable}-ocsp. + +2003-11-17 Werner Koch <wk@gnupg.org> + + * scdaemon.texi (Scdaemon Options): Added --allow-admin and + --deny-admin. + +2003-10-27 Werner Koch <wk@gnupg.org> + + * gpg-agent.texi (Agent GET_CONFIRMATION): New. + +2002-12-04 Werner Koch <wk@gnupg.org> + + * gpg-agent.texi (Agent Signals): New. + +2002-12-03 Werner Koch <wk@gnupg.org> + + * gpgsm.texi (Operational Commands): Add --passwd and + --call-protect-tool. + * gpg-agent.texi (Agent PASSWD): New + +2002-11-13 Werner Koch <wk@gnupg.org> + + * gpg-agent.texi (Invoking GPG-AGENT): Tell about GPG_TTY. + +2002-11-12 Werner Koch <wk@gnupg.org> + + * gpgsm.texi (Operational Commands): Add --call-dirmngr. + +2002-09-25 Werner Koch <wk@gnupg.org> + + * gpg-agent.texi (Agent Options): Add --keep-tty and --keep-display. + +2002-09-12 Werner Koch <wk@gnupg.org> + + * gpg-agent.texi (Invoking GPG-AGENT): Explained how to start only + one instance. + +2002-08-28 Werner Koch <wk@gnupg.org> + + * gpg-agent.texi (Agent Options): Explained more options. + * scdaemon.texi (Scdaemon Options): Ditto. + +2002-08-09 Werner Koch <wk@gnupg.org> + + * Makefile.am (gnupg_TEXINFOS): Include contrib.texi. + +2002-08-06 Werner Koch <wk@gnupg.org> + + * gpgsm.texi: Added more options. + +2002-07-26 Werner Koch <wk@gnupg.org> + + * assuan.texi: New. + * gpgsm.texi, scdaemon.texi, gpg-agent.texi: Documented the Assuan + protocol used. + +2002-07-22 Werner Koch <wk@gnupg.org> + + * gnupg.texi, scdaemon.texi, gpg-agent.texi: New. + * contrib.texi, gpl.texi, fdl.texi: New. + * gpgsm.texi: Made this an include file for gnupg.texi. + * Makefile.am: Build gnupg.info instead of gpgsm.info. + +2002-06-04 Werner Koch <wk@gnupg.org> + + * gpgsm.texi (Invocation): Described the various debug flags. + +2002-05-14 Werner Koch <wk@gnupg.org> + + * Makefile.am, gpgsm.texi: New. + + Copyright 2002, 2004, 2005, 2006, 2007, 2008, 2010 Free Software Foundation, Inc. + + This file is free software; as a special exception the author gives + unlimited permission to copy and/or distribute it, with or without + modifications, as long as this notice is preserved. + + This file is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY, to the extent permitted by law; without even the + implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +Local Variables: +buffer-read-only: t +End: @@ -0,0 +1,29 @@ +GnuPG Developer's Certificate of Origin. Version 1.0 +===================================================== + +By making a contribution to the GnuPG project, I certify that: + +(a) The contribution was created in whole or in part by me and I + have the right to submit it under the free software license + indicated in the file; or + +(b) The contribution is based upon previous work that, to the + best of my knowledge, is covered under an appropriate free + software license and I have the right under that license to + submit that work with modifications, whether created in whole + or in part by me, under the same free software license + (unless I am permitted to submit under a different license), + as indicated in the file; or + +(c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + +(d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including + all personal information I submit with it, including my + sign-off) is maintained indefinitely and may be redistributed + consistent with this project or the free software license(s) + involved. + +Signed-off-by: [Your name and mail address] diff --git a/doc/DETAILS b/doc/DETAILS new file mode 100644 index 0000000..420f67d --- /dev/null +++ b/doc/DETAILS @@ -0,0 +1,1617 @@ +# doc/DETAILS -*- org -*- +#+TITLE: GnuPG Details +# Globally disable superscripts and subscripts: +#+OPTIONS: ^:{} +# + +# Note: This file uses org-mode; it should be easy to read as plain +# text but be aware of some markup peculiarities: Verbatim code is +# enclosed in #+begin-example, #+end-example blocks or marked by a +# colon as the first non-white-space character, words bracketed with +# equal signs indicate a monospace font, and the usual /italics/, +# *bold*, and _underline_ conventions are recognized. + +This is the DETAILS file for GnuPG which specifies some internals and +parts of the external API for GPG and GPGSM. + +* Format of the colon listings + + The format is a based on colon separated record, each recods starts + with a tag string and extends to the end of the line. Here is an + example: +#+begin_example +$ gpg --with-colons --list-keys \ + --with-fingerprint --with-fingerprint wk@gnupg.org +pub:f:1024:17:6C7EE1B8621CC013:899817715:1055898235::m:::scESC: +fpr:::::::::ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013: +uid:f::::::::Werner Koch <wk@g10code.com>: +uid:f::::::::Werner Koch <wk@gnupg.org>: +sub:f:1536:16:06AD222CADF6A6E1:919537416:1036177416:::::e: +fpr:::::::::CF8BCC4B18DE08FCD8A1615906AD222CADF6A6E1: +sub:r:1536:20:5CE086B5B5A18FF4:899817788:1025961788:::::esc: +fpr:::::::::AB059359A3B81F410FCFF97F5CE086B5B5A18FF4: +#+end_example + +Note that new version of GnuPG or the use of certain options may add +new fields to the output. Parsers should not assume a limit on the +number of fields per line. Some fields are not yet used or only used +with certain record types; parsers should ignore fields they are not +aware of. New versions of GnuPG or the use of certain options may add +new types of records as well. Parsers should ignore any record whose +type they do not recognize for forward-compatibility. + +The double =--with-fingerprint= prints the fingerprint for the subkeys +too. Old versions of gpg used a slightly different format and required +the use of the option =--fixed-list-mode= to conform to the format +described here. + + +** Description of the fields +*** Field 1 - Type of record + + - pub :: Public key + - crt :: X.509 certificate + - crs :: X.509 certificate and private key available + - sub :: Subkey (secondary key) + - sec :: Secret key + - ssb :: Secret subkey (secondary key) + - uid :: User id + - uat :: User attribute (same as user id except for field 10). + - sig :: Signature + - rev :: Revocation signature + - rvs :: Recocation signature (standalone) [since 2.2.9] + - fpr :: Fingerprint (fingerprint is in field 10) + - fp2 :: SHA-256 fingerprint (fingerprint is in field 10) + - pkd :: Public key data [*] + - grp :: Keygrip + - rvk :: Revocation key + - tfs :: TOFU statistics [*] + - tru :: Trust database information [*] + - spk :: Signature subpacket [*] + - cfg :: Configuration data [*] + + Records marked with an asterisk are described at [[*Special%20field%20formats][*Special fields]]. + +*** Field 2 - Validity + + This is a letter describing the computed validity of a key. + Currently this is a single letter, but be prepared that additional + information may follow in some future versions. Note that GnuPG < + 2.1 does not set this field for secret key listings. + + - o :: Unknown (this key is new to the system) + - i :: The key is invalid (e.g. due to a missing self-signature) + - d :: The key has been disabled + (deprecated - use the 'D' in field 12 instead) + - r :: The key has been revoked + - e :: The key has expired + - - :: Unknown validity (i.e. no value assigned) + - q :: Undefined validity. '-' and 'q' may safely be treated as + the same value for most purposes + - n :: The key is not valid + - m :: The key is marginal valid. + - f :: The key is fully valid + - u :: The key is ultimately valid. This often means that the + secret key is available, but any key may be marked as + ultimately valid. + - w :: The key has a well known private part. + - s :: The key has special validity. This means that it might be + self-signed and expected to be used in the STEED system. + + If the validity information is given for a UID or UAT record, it + describes the validity calculated based on this user ID. If given + for a key record it describes the validity taken from the best + rated user ID. + + For X.509 certificates a 'u' is used for a trusted root + certificate (i.e. for the trust anchor) and an 'f' for all other + valid certificates. + + In "sig" records, this field may have one of these values as first + character: + + - ! :: Signature is good. + - - :: Signature is bad. + - ? :: No public key to verify signature or public key is not usable. + - % :: Other error verifying a signature + + More values may be added later. The field may also be empty if + gpg has been invoked in a non-checking mode (--list-sigs) or in a + fast checking mode. Since 2.2.7 '?' will also be printed by the + command --list-sigs if the key is not in the local keyring. + +*** Field 3 - Key length + + The length of key in bits. + +*** Field 4 - Public key algorithm + + The values here are those from the OpenPGP specs or if they are + greather than 255 the algorithm ids as used by Libgcrypt. + +*** Field 5 - KeyID + + This is the 64 bit keyid as specified by OpenPGP and the last 64 + bit of the SHA-1 fingerprint of an X.509 certifciate. + +*** Field 6 - Creation date + + The creation date of the key is given in UTC. For UID and UAT + records, this is used for the self-signature date. Note that the + date is usually printed in seconds since epoch, however, we are + migrating to an ISO 8601 format (e.g. "19660205T091500"). This is + currently only relevant for X.509. A simple way to detect the new + format is to scan for the 'T'. Note that old versions of gpg + without using the =--fixed-list-mode= option used a "yyyy-mm-tt" + format. + +*** Field 7 - Expiration date + + Key or UID/UAT expiration date or empty if it does not expire. + +*** Field 8 - Certificate S/N, UID hash, trust signature info + + Used for serial number in crt records. For UID and UAT records, + this is a hash of the user ID contents used to represent that + exact user ID. For trust signatures, this is the trust depth + separated by the trust value by a space. + +*** Field 9 - Ownertrust + + This is only used on primary keys. This is a single letter, but + be prepared that additional information may follow in future + versions. For trust signatures with a regular expression, this is + the regular expression value, quoted as in field 10. + +*** Field 10 - User-ID + + The value is quoted like a C string to avoid control characters + (the colon is quoted =\x3a=). For a "pub" record this field is + not used on --fixed-list-mode. A UAT record puts the attribute + subpacket count here, a space, and then the total attribute + subpacket size. In gpgsm the issuer name comes here. The FPR and FP2 + records store the fingerprints here. The fingerprint of a + revocation key is stored here. + +*** Field 11 - Signature class + + Signature class as per RFC-4880. This is a 2 digit hexnumber + followed by either the letter 'x' for an exportable signature or + the letter 'l' for a local-only signature. The class byte of an + revocation key is also given here, 'x' and 'l' is used the same + way. This field if not used for X.509. + + "rev" and "rvs" may be followed by a comma and a 2 digit hexnumber + with the revocation reason. + +*** Field 12 - Key capabilities + + The defined capabilities are: + + - e :: Encrypt + - s :: Sign + - c :: Certify + - a :: Authentication + - ? :: Unknown capability + + A key may have any combination of them in any order. In addition + to these letters, the primary key has uppercase versions of the + letters to denote the _usable_ capabilities of the entire key, and + a potential letter 'D' to indicate a disabled key. + +*** Field 13 - Issuer certificate fingerprint or other info + + Used in FPR records for S/MIME keys to store the fingerprint of + the issuer certificate. This is useful to build the certificate + path based on certificates stored in the local key database it is + only filled if the issuer certificate is available. The root has + been reached if this is the same string as the fingerprint. The + advantage of using this value is that it is guaranteed to have + been built by the same lookup algorithm as gpgsm uses. + + For "uid" records this field lists the preferences in the same way + gpg's --edit-key menu does. + + For "sig", "rev" and "rvs" records, this is the fingerprint of the + key that issued the signature. Note that this may only be filled + if the signature verified correctly. Note also that for various + technical reasons, this fingerprint is only available if + --no-sig-cache is used. Since 2.2.7 this field will also be set + if the key is missing but the signature carries an issuer + fingerprint as meta data. + +*** Field 14 - Flag field + + Flag field used in the --edit menu output + +*** Field 15 - S/N of a token + + Used in sec/ssb to print the serial number of a token (internal + protect mode 1002) or a '#' if that key is a simple stub (internal + protect mode 1001). If the option --with-secret is used and a + secret key is available for the public key, a '+' indicates this. + +*** Field 16 - Hash algorithm + + For sig records, this is the used hash algorithm. For example: + 2 = SHA-1, 8 = SHA-256. + +*** Field 17 - Curve name + + For pub, sub, sec, and ssb records this field is used for the ECC + curve name. + +*** Field 18 - Compliance flags + + Space separated list of asserted compliance modes for this key. + + Valid values are: + + - 8 :: The key is compliant with RFC4880bis + - 23 :: The key is compliant with compliance mode "de-vs". + +*** Field 19 - Last update + + The timestamp of the last update of a key or user ID. The update + time of a key is defined a lookup of the key via its unique + identifier (fingerprint); the field is empty if not known. The + update time of a user ID is defined by a lookup of the key using a + trusted mapping from mail address to key. + +*** Field 20 - Origin + + The origin of the key or the user ID. This is an integer + optionally followed by a space and an URL. This goes along with + the previous field. The URL is quoted in C style. + +*** Field 21 - Comment + + This is currently only used in "rev" and "rvs" records to carry + the the comment field of the recocation reason. The value is + quoted in C style. + +** Special fields + +*** PKD - Public key data + + If field 1 has the tag "pkd", a listing looks like this: +#+begin_example +pkd:0:1024:B665B1435F4C2 .... FF26ABB: + ! ! !-- the value + ! !------ for information number of bits in the value + !--------- index (eg. DSA goes from 0 to 3: p,q,g,y) +#+end_example + +*** TFS - TOFU statistics + + This field may follows a UID record to convey information about + the TOFU database. The information is similar to a TOFU_STATS + status line. + + - Field 2 :: tfs record version (must be 1) + - Field 3 :: validity - A number with validity code. + - Field 4 :: signcount - The number of signatures seen. + - Field 5 :: encrcount - The number of encryptions done. + - Field 6 :: policy - A string with the policy + - Field 7 :: signture-first-seen - a timestamp or 0 if not known. + - Field 8 :: signature-most-recent-seen - a timestamp or 0 if not known. + - Field 9 :: encryption-first-done - a timestamp or 0 if not known. + - Field 10 :: encryption-most-recent-done - a timestamp or 0 if not known. + +*** TRU - Trust database information + Example for a "tru" trust base record: +#+begin_example + tru:o:0:1166697654:1:3:1:5 +#+end_example + + - Field 2 :: Reason for staleness of trust. If this field is + empty, then the trustdb is not stale. This field may + have multiple flags in it: + + - o :: Trustdb is old + - t :: Trustdb was built with a different trust model + than the one we are using now. + + - Field 3 :: Trust model + + - 0 :: Classic trust model, as used in PGP 2.x. + - 1 :: PGP trust model, as used in PGP 6 and later. + This is the same as the classic trust model, + except for the addition of trust signatures. + + GnuPG before version 1.4 used the classic trust model + by default. GnuPG 1.4 and later uses the PGP trust + model by default. + + - Field 4 :: Date trustdb was created in seconds since Epoch. + - Field 5 :: Date trustdb will expire in seconds since Epoch. + - Field 6 :: Number of marginally trusted users to introduce a new + key signer (gpg's option --marginals-needed). + - Field 7 :: Number of completely trusted users to introduce a new + key signer. (gpg's option --completes-needed) + + - Field 8 :: Maximum depth of a certification chain. (gpg's option + --max-cert-depth) + +*** SPK - Signature subpacket records + + - Field 2 :: Subpacket number as per RFC-4880 and later. + - Field 3 :: Flags in hex. Currently the only two bits assigned + are 1, to indicate that the subpacket came from the + hashed part of the signature, and 2, to indicate the + subpacket was marked critical. + - Field 4 :: Length of the subpacket. Note that this is the + length of the subpacket, and not the length of field + 5 below. Due to the need for %-encoding, the length + of field 5 may be up to 3x this value. + - Field 5 :: The subpacket data. Printable ASCII is shown as + ASCII, but other values are rendered as %XX where XX + is the hex value for the byte. + +*** CFG - Configuration data + + --list-config outputs information about the GnuPG configuration + for the benefit of frontends or other programs that call GnuPG. + There are several list-config items, all colon delimited like the + rest of the --with-colons output. The first field is always "cfg" + to indicate configuration information. The second field is one of + (with examples): + + - version :: The third field contains the version of GnuPG. + + : cfg:version:1.3.5 + + - pubkey :: The third field contains the public key algorithms + this version of GnuPG supports, separated by + semicolons. The algorithm numbers are as specified in + RFC-4880. Note that in contrast to the --status-fd + interface these are _not_ the Libgcrypt identifiers. + Using =pubkeyname= prints names instead of numbers. + + : cfg:pubkey:1;2;3;16;17 + + - cipher :: The third field contains the symmetric ciphers this + version of GnuPG supports, separated by semicolons. + The cipher numbers are as specified in RFC-4880. + Using =ciphername= prints names instead of numbers. + + : cfg:cipher:2;3;4;7;8;9;10 + + - digest :: The third field contains the digest (hash) algorithms + this version of GnuPG supports, separated by + semicolons. The digest numbers are as specified in + RFC-4880. Using =digestname= prints names instead of + numbers. + + : cfg:digest:1;2;3;8;9;10 + + - compress :: The third field contains the compression algorithms + this version of GnuPG supports, separated by + semicolons. The algorithm numbers are as specified + in RFC-4880. + + : cfg:compress:0;1;2;3 + + - group :: The third field contains the name of the group, and the + fourth field contains the values that the group expands + to, separated by semicolons. + + For example, a group of: + : group mynames = paige 0x12345678 joe patti + would result in: + : cfg:group:mynames:patti;joe;0x12345678;paige + + - curve :: The third field contains the curve names this version + of GnuPG supports, separated by semicolons. Using + =curveoid= prints OIDs instead of numbers. + + : cfg:curve:ed25519;nistp256;nistp384;nistp521 + + +* Format of the --status-fd output + + Every line is prefixed with "[GNUPG:] ", followed by a keyword with + the type of the status line and some arguments depending on the type + (maybe none); an application should always be willing to ignore + unknown keywords that may be emitted by future versions of GnuPG. + Also, new versions of GnuPG may add arguments to existing keywords. + Any additional arguments should be ignored for forward-compatibility. + +** General status codes +*** NEWSIG [<signers_uid>] + Is issued right before a signature verification starts. This is + useful to define a context for parsing ERROR status messages. + If SIGNERS_UID is given and is not "-" this is the percent-escaped + value of the OpenPGP Signer's User ID signature sub-packet. + +*** GOODSIG <long_keyid_or_fpr> <username> + The signature with the keyid is good. For each signature only one + of the codes GOODSIG, BADSIG, EXPSIG, EXPKEYSIG, REVKEYSIG or + ERRSIG will be emitted. In the past they were used as a marker + for a new signature; new code should use the NEWSIG status + instead. The username is the primary one encoded in UTF-8 and %XX + escaped. The fingerprint may be used instead of the long keyid if + it is available. This is the case with CMS and might eventually + also be available for OpenPGP. + +*** EXPSIG <long_keyid_or_fpr> <username> + The signature with the keyid is good, but the signature is + expired. The username is the primary one encoded in UTF-8 and %XX + escaped. The fingerprint may be used instead of the long keyid if + it is available. This is the case with CMS and might eventually + also be available for OpenPGP. + +*** EXPKEYSIG <long_keyid_or_fpr> <username> + The signature with the keyid is good, but the signature was made + by an expired key. The username is the primary one encoded in + UTF-8 and %XX escaped. The fingerprint may be used instead of the + long keyid if it is available. This is the case with CMS and + might eventually also be available for OpenPGP. + +*** REVKEYSIG <long_keyid_or_fpr> <username> + The signature with the keyid is good, but the signature was made + by a revoked key. The username is the primary one encoded in UTF-8 + and %XX escaped. The fingerprint may be used instead of the long + keyid if it is available. This is the case with CMS and might + eventually also beñ available for OpenPGP. + +*** BADSIG <long_keyid_or_fpr> <username> + The signature with the keyid has not been verified okay. The + username is the primary one encoded in UTF-8 and %XX escaped. The + fingerprint may be used instead of the long keyid if it is + available. This is the case with CMS and might eventually also be + available for OpenPGP. + +*** ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc> <fpr> + It was not possible to check the signature. This may be caused by + a missing public key or an unsupported algorithm. A RC of 4 + indicates unknown algorithm, a 9 indicates a missing public + key. The other fields give more information about this signature. + sig_class is a 2 byte hex-value. The fingerprint may be used + instead of the long_keyid_or_fpr if it is available. This is the + case with gpgsm and might eventually also be available for + OpenPGP. The ERRSIG line has FPR filed which is only available + since 2.2.7; that FPR may either be missing or - if the signature + has no fingerprint as meta data. + + Note, that TIME may either be the number of seconds since Epoch or + an ISO 8601 string. The latter can be detected by the presence of + the letter 'T'. + +*** VALIDSIG <args> + + The args are: + + - <fingerprint_in_hex> + - <sig_creation_date> + - <sig-timestamp> + - <expire-timestamp> + - <sig-version> + - <reserved> + - <pubkey-algo> + - <hash-algo> + - <sig-class> + - [ <primary-key-fpr> ] + + This status indicates that the signature is cryptographically + valid. This is similar to GOODSIG, EXPSIG, EXPKEYSIG, or REVKEYSIG + (depending on the date and the state of the signature and signing + key) but has the fingerprint as the argument. Multiple status + lines (VALIDSIG and the other appropriate *SIG status) are emitted + for a valid signature. All arguments here are on one long line. + sig-timestamp is the signature creation time in seconds after the + epoch. expire-timestamp is the signature expiration time in + seconds after the epoch (zero means "does not + expire"). sig-version, pubkey-algo, hash-algo, and sig-class (a + 2-byte hex value) are all straight from the signature packet. + PRIMARY-KEY-FPR is the fingerprint of the primary key or identical + to the first argument. This is useful to get back to the primary + key without running gpg again for this purpose. + + The primary-key-fpr parameter is used for OpenPGP and not + available for CMS signatures. The sig-version as well as the sig + class is not defined for CMS and currently set to 0 and 00. + + Note, that *-TIMESTAMP may either be a number of seconds since + Epoch or an ISO 8601 string which can be detected by the presence + of the letter 'T'. + +*** SIG_ID <radix64_string> <sig_creation_date> <sig-timestamp> + This is emitted only for signatures of class 0 or 1 which have + been verified okay. The string is a signature id and may be used + in applications to detect replay attacks of signed messages. Note + that only DLP algorithms give unique ids - others may yield + duplicated ones when they have been created in the same second. + + Note, that SIG-TIMESTAMP may either be a number of seconds since + Epoch or an ISO 8601 string which can be detected by the presence + of the letter 'T'. + +*** ENC_TO <long_keyid> <keytype> <keylength> + The message is encrypted to this LONG_KEYID. KEYTYPE is the + numerical value of the public key algorithm or 0 if it is not + known, KEYLENGTH is the length of the key or 0 if it is not known + (which is currently always the case). Gpg prints this line + always; Gpgsm only if it knows the certificate. + +*** BEGIN_DECRYPTION + Mark the start of the actual decryption process. This is also + emitted when in --list-only mode. +*** END_DECRYPTION + Mark the end of the actual decryption process. This are also + emitted when in --list-only mode. +*** DECRYPTION_KEY <fpr> <fpr2> <otrust> + This line is emitted when a public key decryption succeeded in + providing a session key. <fpr> is the hexified fingerprint of the + actual key used for descryption. <fpr2> is the fingerprint of the + primary key. <otrust> is the letter with the ownertrust; this is + in general a 'u' which stands for ultimately trusted. +*** DECRYPTION_INFO <mdc_method> <sym_algo> [<aead_algo>] + Print information about the symmetric encryption algorithm and the + MDC method. This will be emitted even if the decryption fails. + For an AEAD algorithm AEAD_ALGO is not 0. + +*** DECRYPTION_FAILED + The symmetric decryption failed - one reason could be a wrong + passphrase for a symmetrical encrypted message. + +*** DECRYPTION_OKAY + The decryption process succeeded. This means, that either the + correct secret key has been used or the correct passphrase for a + symmetric encrypted message was given. The program itself may + return an errorcode because it may not be possible to verify a + signature for some reasons. + +*** SESSION_KEY <algo>:<hexdigits> + The session key used to decrypt the message. This message will + only be emitted if the option --show-session-key is used. The + format is suitable to be passed as value for the option + --override-session-key. It is not an indication that the + decryption will or has succeeded. + +*** BEGIN_ENCRYPTION <mdc_method> <sym_algo> + Mark the start of the actual encryption process. + +*** END_ENCRYPTION + Mark the end of the actual encryption process. + +*** FILE_START <what> <filename> + Start processing a file <filename>. <what> indicates the performed + operation: + - 1 :: verify + - 2 :: encrypt + - 3 :: decrypt + +*** FILE_DONE + Marks the end of a file processing which has been started + by FILE_START. + +*** BEGIN_SIGNING + Mark the start of the actual signing process. This may be used as + an indication that all requested secret keys are ready for use. + +*** ALREADY_SIGNED <long-keyid> + Warning: This is experimental and might be removed at any time. + +*** SIG_CREATED <type> <pk_algo> <hash_algo> <class> <timestamp> <keyfpr> + A signature has been created using these parameters. + Values for type <type> are: + - D :: detached + - C :: cleartext + - S :: standard + (only the first character should be checked) + + <class> are 2 hex digits with the OpenPGP signature class. + + Note, that TIMESTAMP may either be a number of seconds since Epoch + or an ISO 8601 string which can be detected by the presence of the + letter 'T'. + +*** NOTATION_ + There are actually three related status codes to convey notation + data: + + - NOTATION_NAME <name> + - NOTATION_FLAGS <critical> <human_readable> + - NOTATION_DATA <string> + + <name> and <string> are %XX escaped. The data may be split among + several NOTATION_DATA lines. NOTATION_FLAGS is emitted after + NOTATION_NAME and gives the critical and human readable flags; + the flag values are either 0 or 1. + +*** POLICY_URL <string> + Note that URL in <string> is %XX escaped. + +*** PLAINTEXT <format> <timestamp> <filename> + This indicates the format of the plaintext that is about to be + written. The format is a 1 byte hex code that shows the format of + the plaintext: 62 ('b') is binary data, 74 ('t') is text data with + no character set specified, and 75 ('u') is text data encoded in + the UTF-8 character set. The timestamp is in seconds since the + epoch. If a filename is available it gets printed as the third + argument, percent-escaped as usual. + +*** PLAINTEXT_LENGTH <length> + This indicates the length of the plaintext that is about to be + written. Note that if the plaintext packet has partial length + encoding it is not possible to know the length ahead of time. In + that case, this status tag does not appear. The length is only + exact for binary formats; other formats ('t', 'u') may do post + processing like line ending conversion so that the actual number + of bytes written may be differ. + +*** ATTRIBUTE <arguments> + The list or arguments are: + - <fpr> + - <octets> + - <type> + - <index> + - <count> + - <timestamp> + - <expiredate> + - <flags> + + This is one long line issued for each attribute subpacket when an + attribute packet is seen during key listing. <fpr> is the + fingerprint of the key. <octets> is the length of the attribute + subpacket. <type> is the attribute type (e.g. 1 for an image). + <index> and <count> indicate that this is the N-th indexed + subpacket of count total subpackets in this attribute packet. + <timestamp> and <expiredate> are from the self-signature on the + attribute packet. If the attribute packet does not have a valid + self-signature, then the timestamp is 0. <flags> are a bitwise OR + of: + - 0x01 :: this attribute packet is a primary uid + - 0x02 :: this attribute packet is revoked + - 0x04 :: this attribute packet is expired + +*** SIG_SUBPACKET <type> <flags> <len> <data> + This indicates that a signature subpacket was seen. The format is + the same as the "spk" record above. + +*** ENCRYPTION_COMPLIANCE_MODE <flags> + Indicates that the current encryption operation was in compliance + with the given set of modes for all recipients. "flags" is a + space separated list of numerical flags, see "Field 18 - + Compliance flags" above. + +*** DECRYPTION_COMPLIANCE_MODE <flags> + Indicates that the current decryption operation is in compliance + with the given set of modes. "flags" is a space separated list of + numerical flags, see "Field 18 - Compliance flags" above. + +*** VERIFICATION_COMPLIANCE_MODE <flags> + Indicates that the current signature verification operation is in + compliance with the given set of modes. "flags" is a space + separated list of numerical flags, see "Field 18 - Compliance + flags" above. + +** Key related +*** INV_RECP, INV_SGNR + The two similar status codes: + + - INV_RECP <reason> <requested_recipient> + - INV_SGNR <reason> <requested_sender> + + are issued for each unusable recipient/sender. The reasons codes + currently in use are: + + - 0 :: No specific reason given + - 1 :: Not Found + - 2 :: Ambigious specification + - 3 :: Wrong key usage + - 4 :: Key revoked + - 5 :: Key expired + - 6 :: No CRL known + - 7 :: CRL too old + - 8 :: Policy mismatch + - 9 :: Not a secret key + - 10 :: Key not trusted + - 11 :: Missing certificate + - 12 :: Missing issuer certificate + - 13 :: Key disabled + - 14 :: Syntax error in specification + + If no specific reason was given a previously emitted status code + KEY_CONSIDERED may be used to analyzed the problem. + + Note that for historical reasons the INV_RECP status is also used + for gpgsm's SIGNER command where it relates to signer's of course. + Newer GnuPG versions are using INV_SGNR; applications should + ignore the INV_RECP during the sender's command processing once + they have seen an INV_SGNR. Different codes are used so that they + can be distinguish while doing an encrypt+sign operation. + +*** NO_RECP <reserved> + Issued if no recipients are usable. + +*** NO_SGNR <reserved> + Issued if no senders are usable. + +*** KEY_CONSIDERED <fpr> <flags> + Issued to explain the lookup of a key. FPR is the hexified + fingerprint of the primary key. The bit values for FLAGS are: + + - 1 :: The key has not been selected. + - 2 :: All subkeys of the key are expired or have been revoked. + +*** KEYEXPIRED <expire-timestamp> + The key has expired. expire-timestamp is the expiration time in + seconds since Epoch. This status line is not very useful because + it will also be emitted for expired subkeys even if this subkey is + not used. To check whether a key used to sign a message has + expired, the EXPKEYSIG status line is to be used. + + Note, that the TIMESTAMP may either be a number of seconds since + Epoch or an ISO 8601 string which can be detected by the presence + of the letter 'T'. + +*** KEYREVOKED + The used key has been revoked by its owner. No arguments yet. + +*** NO_PUBKEY <long keyid> + The public key is not available. Note the arg should in general + not be used because it is better to take it from the ERRSIG + status line which is printed right before this one. + +*** NO_SECKEY <long keyid> + The secret key is not available + +*** KEY_CREATED <type> <fingerprint> [<handle>] + A key has been created. Values for <type> are: + - B :: primary and subkey + - P :: primary + - S :: subkey + The fingerprint is one of the primary key for type B and P and the + one of the subkey for S. Handle is an arbitrary non-whitespace + string used to match key parameters from batch key creation run. + +*** KEY_NOT_CREATED [<handle>] + The key from batch run has not been created due to errors. + +*** TRUST_ + These are several similar status codes: + + - TRUST_UNDEFINED <error_token> + - TRUST_NEVER <error_token> + - TRUST_MARGINAL [0 [<validation_model>]] + - TRUST_FULLY [0 [<validation_model>]] + - TRUST_ULTIMATE [0 [<validation_model>]] + + For good signatures one of these status lines are emitted to + indicate the validity of the key used to create the signature. + The error token values are currently only emitted by gpgsm. + + VALIDATION_MODEL describes the algorithm used to check the + validity of the key. The defaults are the standard Web of Trust + model for gpg and the standard X.509 model for gpgsm. The + defined values are + + - pgp :: The standard PGP WoT. + - shell :: The standard X.509 model. + - chain :: The chain model. + - steed :: The STEED model. + - tofu :: The TOFU model + + Note that the term =TRUST_= in the status names is used for + historic reasons; we now speak of validity. + +*** TOFU_USER <fingerprint_in_hex> <mbox> + + This status identifies the key and the userid for all following + Tofu information. The fingerprint is the fingerprint of the + primary key and the mbox is in general the addr-spec part of the + userid encoded in UTF-8 and percent escaped. The fingerprint is + identical for all TOFU_USER lines up to a NEWSIG line. + +*** TOFU_STATS <MANY_ARGS> + + Statistics for the current user id. + + The <MANY_ARGS> are the usual space delimited arguments. Here we + have too many of them to fit on one printed line and thus they are + given on 3 printed lines: + + : <summary> <sign-count> <encryption-count> + : [<policy> [<tm1> <tm2> <tm3> <tm4> + : [<validity> [<sign-days> <encrypt-days>]]]] + + Values for SUMMARY are: + - 0 :: attention, an interaction with the user is required (conflict) + - 1 :: key with no verification/encryption history + - 2 :: key with little history + - 3 :: key with enough history for basic trust + - 4 :: key with a lot of history + + Values for POLICY are: + - none :: No Policy set + - auto :: Policy is "auto" + - good :: Policy is "good" + - bad :: Policy is "bad" + - ask :: Policy is "ask" + - unknown :: Policy is "unknown" (TOFU information does not + contribute to the key's validity) + + TM1 is the time the first message was verified. TM2 is the time + the most recent message was verified. TM3 is the time the first + message was encrypted. TM4 is the most recent encryption. All may + either be seconds since Epoch or an ISO time string + (yyyymmddThhmmss). + + VALIDITY is the same as SUMMARY with the exception that VALIDITY + doesn't reflect whether the key needs attention. That is it never + takes on value 0. Instead, if there is a conflict, VALIDITY still + reflects the key's validity (values: 1-4). + + SUMMARY values use the euclidean distance (m = sqrt(a² + b²)) rather + then the sum of the magnitudes (m = a + b) to ensure a balance between + verified signatures and encrypted messages. + + Values are calculated based on the number of days where a key was used + for verifying a signature or to encrypt to it. + The ranges for the values are: + + - 1 :: signature_days + encryption_days == 0 + - 2 :: 1 <= sqrt(signature_days² + encryption_days²) < 8 + - 3 :: 8 <= sqrt(signature_days² + encryption_days²) < 42 + - 4 :: sqrt(signature_days² + encryption_days²) >= 42 + + SIGN-COUNT and ENCRYPTION-COUNT are the number of messages that we + have seen that have been signed by this key / encryption to this + key. + + SIGN-DAYS and ENCRYPTION-DAYS are similar, but the number of days + (in UTC) on which we have seen messages signed by this key / + encrypted to this key. + +*** TOFU_STATS_SHORT <long_string> + + Information about the TOFU binding for the signature. + Example: "15 signatures verified. 10 messages encrypted" + +*** TOFU_STATS_LONG <long_string> + + Information about the TOFU binding for the signature in verbose + format. The LONG_STRING is percent escaped. + Example: 'Verified 9 messages signed by "Werner Koch + (dist sig)" in the past 3 minutes, 40 seconds. The most + recent message was verified 4 seconds ago.' + +*** PKA_TRUST_ + This is one of: + + - PKA_TRUST_GOOD <addr-spec> + - PKA_TRUST_BAD <addr-spec> + + Depending on the outcome of the PKA check one of the above status + codes is emitted in addition to a =TRUST_*= status. + +** Remote control +*** GET_BOOL, GET_LINE, GET_HIDDEN, GOT_IT + + These status line are used with --command-fd for interactive + control of the process. + +*** USERID_HINT <long main keyid> <string> + Give a hint about the user ID for a certain keyID. + +*** NEED_PASSPHRASE <long keyid> <long main keyid> <keytype> <keylength> + Issued whenever a passphrase is needed. KEYTYPE is the numerical + value of the public key algorithm or 0 if this is not applicable, + KEYLENGTH is the length of the key or 0 if it is not known (this + is currently always the case). + +*** NEED_PASSPHRASE_SYM <cipher_algo> <s2k_mode> <s2k_hash> + Issued whenever a passphrase for symmetric encryption is needed. + +*** NEED_PASSPHRASE_PIN <card_type> <chvno> [<serialno>] + Issued whenever a PIN is requested to unlock a card. + +*** MISSING_PASSPHRASE + No passphrase was supplied. An application which encounters this + message may want to stop parsing immediately because the next + message will probably be a BAD_PASSPHRASE. However, if the + application is a wrapper around the key edit menu functionality it + might not make sense to stop parsing but simply ignoring the + following BAD_PASSPHRASE. + +*** BAD_PASSPHRASE <long keyid> + The supplied passphrase was wrong or not given. In the latter + case you may have seen a MISSING_PASSPHRASE. + +*** GOOD_PASSPHRASE + The supplied passphrase was good and the secret key material + is therefore usable. + +** Import/Export +*** IMPORT_CHECK <long keyid> <fingerprint> <user ID> + This status is emitted in interactive mode right before + the "import.okay" prompt. + +*** IMPORTED <long keyid> <username> + The keyid and name of the signature just imported + +*** IMPORT_OK <reason> [<fingerprint>] + The key with the primary key's FINGERPRINT has been imported. + REASON flags are: + + - 0 :: Not actually changed + - 1 :: Entirely new key. + - 2 :: New user IDs + - 4 :: New signatures + - 8 :: New subkeys + - 16 :: Contains private key. + + The flags may be ORed. + +*** IMPORT_PROBLEM <reason> [<fingerprint>] + Issued for each import failure. Reason codes are: + + - 0 :: No specific reason given. + - 1 :: Invalid Certificate. + - 2 :: Issuer Certificate missing. + - 3 :: Certificate Chain too long. + - 4 :: Error storing certificate. + +*** IMPORT_RES <args> + Final statistics on import process (this is one long line). The + args are a list of unsigned numbers separated by white space: + + - <count> + - <no_user_id> + - <imported> + - always 0 (formerly used for the number of RSA keys) + - <unchanged> + - <n_uids> + - <n_subk> + - <n_sigs> + - <n_revoc> + - <sec_read> + - <sec_imported> + - <sec_dups> + - <skipped_new_keys> + - <not_imported> + - <skipped_v3_keys> + +*** EXPORTED <fingerprint> + The key with <fingerprint> has been exported. The fingerprint is + the fingerprint of the primary key even if the primary key has + been replaced by a stub key during secret key export. + +*** EXPORT_RES <args> + + Final statistics on export process (this is one long line). The + args are a list of unsigned numbers separated by white space: + + - <count> + - <secret_count> + - <exported> + + +** Smartcard related +*** CARDCTRL <what> [<serialno>] + This is used to control smartcard operations. Defined values for + WHAT are: + + - 1 :: Request insertion of a card. Serialnumber may be given + to request a specific card. Used by gpg 1.4 w/o + scdaemon + - 2 :: Request removal of a card. Used by gpg 1.4 w/o scdaemon. + - 3 :: Card with serialnumber detected + - 4 :: No card available + - 5 :: No card reader available + - 6 :: No card support available + - 7 :: Card is in termination state + +*** SC_OP_FAILURE [<code>] + An operation on a smartcard definitely failed. Currently there is + no indication of the actual error code, but application should be + prepared to later accept more arguments. Defined values for + <code> are: + + - 0 :: unspecified error (identically to a missing CODE) + - 1 :: canceled + - 2 :: bad PIN + +*** SC_OP_SUCCESS + A smart card operaion succeeded. This status is only printed for + certain operation and is mostly useful to check whether a PIN + change really worked. + +** Miscellaneous status codes +*** NODATA <what> + No data has been found. Codes for WHAT are: + + - 1 :: No armored data. + - 2 :: Expected a packet but did not found one. + - 3 :: Invalid packet found, this may indicate a non OpenPGP + message. + - 4 :: Signature expected but not found + + You may see more than one of these status lines. + +*** UNEXPECTED <what> + Unexpected data has been encountered. Codes for WHAT are: + - 0 :: Not further specified + - 1 :: Corrupted message structure + +*** TRUNCATED <maxno> + The output was truncated to MAXNO items. This status code is + issued for certain external requests. + +*** ERROR <error location> <error code> [<more>] + This is a generic error status message, it might be followed by + error location specific data. <error code> and <error_location> + should not contain spaces. The error code is a either a string + commencing with a letter or such a string prefixed with a + numerical error code and an underscore; e.g.: "151011327_EOF". +*** WARNING <location> <error code> [<text>] + This is a generic warning status message, it might be followed by + error location specific data. <location> and <error code> may not + contain spaces. The <location> may be used to indicate a class of + warnings. The error code is a either a string commencing with a + letter or such a string prefixed with a numerical error code and + an underscore; e.g.: "151011327_EOF". +*** NOTE <location> <error code> [<text>] + This is a generic info status message the same syntax as for + WARNING messages is used. +*** SUCCESS [<location>] + Positive confirmation that an operation succeeded. It is used + similar to ISO-C's EXIT_SUCCESS. <location> is optional but if + given should not contain spaces. Used only with a few commands. + +*** FAILURE <location> <error_code> + This is the counterpart to SUCCESS and used to indicate a program + failure. It is used similar to ISO-C's EXIT_FAILURE but allows + conveying more information, in particular a gpg-error error code. + That numerical error code may optionally have a suffix made of an + underscore and a string with an error symbol like "151011327_EOF". + A dash may be used instead of <location>. + +*** BADARMOR + The ASCII armor is corrupted. No arguments yet. + +*** DELETE_PROBLEM <reason_code> + Deleting a key failed. Reason codes are: + - 1 :: No such key + - 2 :: Must delete secret key first + - 3 :: Ambigious specification + - 4 :: Key is stored on a smartcard. + +*** PROGRESS <what> <char> <cur> <total> [<units>] + Used by the primegen and public key functions to indicate + progress. <char> is the character displayed with no --status-fd + enabled, with the linefeed replaced by an 'X'. <cur> is the + current amount done and <total> is amount to be done; a <total> of + 0 indicates that the total amount is not known. Both are + non-negative integers. The condition + : TOTAL && CUR == TOTAL + may be used to detect the end of an operation. + + Well known values for <what> are: + + - pk_dsa :: DSA key generation + - pk_elg :: Elgamal key generation + - primegen :: Prime generation + - need_entropy :: Waiting for new entropy in the RNG + - tick :: Generic tick without any special meaning - useful + for letting clients know that the server is still + working. + - starting_agent :: A gpg-agent was started because it is not + running as a daemon. + - learncard :: Send by the agent and gpgsm while learing + the data of a smartcard. + - card_busy :: A smartcard is still working + - scd_locked :: Waiting for other clients to unlock the scdaemon + + When <what> refers to a file path, it may be truncated. + + <units> is sometimes used to describe the units for <current> and + <total>. For example "B", "KiB", or "MiB". + +*** BACKUP_KEY_CREATED <fingerprint> <fname> + A backup of a key identified by <fingerprint> has been writte to + the file <fname>; <fname> is percent-escaped. + +*** MOUNTPOINT <name> + <name> is a percent-plus escaped filename describing the + mountpoint for the current operation (e.g. used by "g13 --mount"). + This may either be the specified mountpoint or one randomly + chosen by g13. + +*** PINENTRY_LAUNCHED <pid>[:<extra>] + This status line is emitted by gpg to notify a client that a + Pinentry has been launched. <pid> is the PID of the Pinentry. It + may be used to display a hint to the user but can't be used to + synchronize with Pinentry. Note that there is also an Assuan + inquiry line with the same name used internally or, if enabled, + send to the client instead of this status line. Such an inquiry + may be used to sync with Pinentry + +** Obsolete status codes +*** SIGEXPIRED + Removed on 2011-02-04. This is deprecated in favor of KEYEXPIRED. +*** RSA_OR_IDEA + Obsolete. This status message used to be emitted for requests to + use the IDEA or RSA algorithms. It has been dropped from GnuPG + 2.1 after the respective patents expired. +*** SHM_INFO, SHM_GET, SHM_GET_BOOL, SHM_GET_HIDDEN + These were used for the ancient shared memory based co-processing. +*** BEGIN_STREAM, END_STREAM + Used to issued by the experimental pipemode. + +** Inter-component codes + Status codes are also used between the components of the GnuPG + system via the Assuan S lines. Some of them are documented here: + +*** PUBKEY_INFO <n> <ubid> + The type of the public key in the following D-lines or + communicated via a pipe. <n> is the value of =enum pubkey_types= + and <ubid> the Unique Blob ID (UBID) which is the fingerprint of + the primary key truncated to 20 octets and formatted in hex. Note + that the keyboxd SEARCH command can be used to lookup the public + key using the <ubid> prefixed with a caret (^). + +*** KEYPAIRINFO <grip> <keyref> [<usage>] [<keytime>] + + This status is emitted by scdaemon and gpg-agent to convey brief + information about keypairs stored on tokens. <grip> is the + hexified keygrip of the key or, if no key is stored, an "X". + <keyref> is the ID of a card's key; for example "OPENPGP.2" for + the second key slot of an OpenPGP card. <usage> is optional and + returns technically possible key usages, this is a string of + single letters describing the usage ('c' for certify, 'e' for + encryption, 's' for signing, 'a' for authentication). A '-' can be + used to tell that usage flags are not conveyed. <keytime> is used + by OpenPGP cards for the stored key creation time. A '-' means no + info available. The format is the usual ISO string are a number + with the seconds since Epoch. +*** MANUFACTURER <n> [<string>] + + This status returns the Manufactorer ID as the unsigned number N. + For OpenPGP this is weel defined; for other cards this is 0. The + name of the manufacturer is also given as <string>; spaces are not + escaped. For PKCS#15 cards <string> is TokenInfo.manufactorerID. + +* Format of the --attribute-fd output + + When --attribute-fd is set, during key listings (--list-keys, + --list-secret-keys) GnuPG dumps each attribute packet to the file + descriptor specified. --attribute-fd is intended for use with + --status-fd as part of the required information is carried on the + ATTRIBUTE status tag (see above). + + The contents of the attribute data is specified by RFC 4880. For + convenience, here is the Photo ID format, as it is currently the + only attribute defined: + + - Byte 0-1 :: The length of the image header. Due to a historical + accident (i.e. oops!) back in the NAI PGP days, this + is a little-endian number. Currently 16 (0x10 0x00). + + - Byte 2 :: The image header version. Currently 0x01. + + - Byte 3 :: Encoding format. 0x01 == JPEG. + + - Byte 4-15 :: Reserved, and currently unused. + + All other data after this header is raw image (JPEG) data. + + +* Layout of the TrustDB + + The TrustDB is built from fixed length records, where the first byte + describes the record type. All numeric values are stored in network + byte order. The length of each record is 40 bytes. The first + record of the DB is always of type 1 and this is the only record of + this type. + + The record types: directory(2), key(3), uid(4), pref(5), sigrec(6), + and shadow directory(8) are not anymore used by version 2 of the + TrustDB. + +** Record type 0 + + Unused record or deleted, can be reused for any purpose. Such + records should in general not exist because deleted records are of + type 254 and kept in a linked list. + +** Version info (RECTYPE_VER, 1) + + Version information for this TrustDB. This is always the first + record of the DB and the only one of this type. + + - 1 u8 :: Record type (value: 1). + - 3 byte :: Magic value ("gpg") + - 1 u8 :: TrustDB version (value: 2). + - 1 u8 :: =marginals=. How many marginal trusted keys are required. + - 1 u8 :: =completes=. How many completely trusted keys are + required. + - 1 u8 :: =max_cert_depth=. How deep is the WoT evaluated. Along + with =marginals= and =completes=, this value is used to + check whether the cached validity value from a [FIXME + dir] record can be used. + - 1 u8 :: =trust_model= + - 1 u8 :: =min_cert_level= + - 2 byte :: Not used + - 1 u32 :: =created=. Timestamp of trustdb creation. + - 1 u32 :: =nextcheck=. Timestamp of last modification which may + affect the validity of keys in the trustdb. This value + is checked against the validity timestamp in the dir + records. + - 1 u32 :: =reserved=. Not used. + - 1 u32 :: =reserved2=. Not used. + - 1 u32 :: =firstfree=. Number of the record with the head record + of the RECTYPE_FREE linked list. + - 1 u32 :: =reserved3=. Not used. + - 1 u32 :: =trusthashtbl=. Record number of the trusthashtable. + + +** Hash table (RECTYPE_HTBL, 10) + + Due to the fact that we use fingerprints to lookup keys, we can + implement quick access by some simple hash methods, and avoid the + overhead of gdbm. A property of fingerprints is that they can be + used directly as hash values. What we use is a dynamic multilevel + architecture, which combines hash tables, record lists, and linked + lists. + + This record is a hash table of 256 entries with the property that + all these records are stored consecutively to make one big + table. The hash value is simple the 1st, 2nd, ... byte of the + fingerprint (depending on the indirection level). + + - 1 u8 :: Record type (value: 10). + - 1 u8 :: Reserved + - n u32 :: =recnum=. A table with the hash table items fitting into + this record. =n= depends on the record length: + $n=(reclen-2)/4$ which yields 9 for oure current record + length of 40 bytes. + + The total number of hash table records to form the table is: + $m=(256+n-1)/n$. This is 29 for our record length of 40. + + To look up a key we use the first byte of the fingerprint to get + the recnum from this hash table and then look up the addressed + record: + + - If that record is another hash table, we use 2nd byte to index + that hash table and so on; + - if that record is a hash list, we walk all entries until we find + a matching one; or + - if that record is a key record, we compare the fingerprint to + decide whether it is the requested key; + + +** Hash list (RECTYPE_HLST, 11) + + See hash table above on how it is used. It may also be used for + other purposes. + + - 1 u8 :: Record type (value: 11). + - 1 u8 :: Reserved. + - 1 u32 :: =next=. Record number of the next hash list record or 0 + if none. + - n u32 :: =rnum=. Array with record numbers to values. With + $n=(reclen-5)/5$ and our record length of 40, n is 7. + +** Trust record (RECTYPE_TRUST, 12) + + - 1 u8 :: Record type (value: 12). + - 1 u8 :: Reserved. + - 20 byte :: =fingerprint=. + - 1 u8 :: =ownertrust=. + - 1 u8 :: =depth=. + - 1 u8 :: =min_ownertrust=. + - 1 byte :: =flags=. + - 1 u32 :: =validlist=. + - 10 byte :: Not used. + +** Validity record (RECTYPE_VALID, 13) + + - 1 u8 :: Record type (value: 13). + - 1 u8 :: Reserved. + - 20 byte :: =namehash=. + - 1 u8 :: =validity= + - 1 u32 :: =next=. + - 1 u8 :: =full_count=. + - 1 u8 :: =marginal_count=. + - 11 byte :: Not used. + +** Free record (RECTYPE_FREE, 254) + + All these records form a linked list of unused records in the TrustDB. + + - 1 u8 :: Record type (value: 254) + - 1 u8 :: Reserved. + - 1 u32 :: =next=. Record number of the next rcord of this type. + The record number to the head of this linked list is + stored in the version info record. + + +* Database scheme for the TOFU info + +#+begin_src sql +-- +-- The VERSION table holds the version of our TOFU data structures. +-- +CREATE TABLE version ( + version integer -- As of now this is always 1 +); + +-- +-- The BINDINGS table associates mail addresses with keys. +-- +CREATE TABLE bindings ( + oid integer primary key autoincrement, + fingerprint text, -- The key's fingerprint in hex + email text, -- The normalized mail address destilled from user_id + user_id text, -- The unmodified user id + time integer, -- The time this binding was first observed. + policy boolean check + (policy in (1, 2, 3, 4, 5)), -- The trust policy with the values: + -- 1 := Auto + -- 2 := Good + -- 3 := Unknown + -- 4 := Bad + -- 5 := Ask + conflict string, -- NULL or a hex formatted fingerprint. + unique (fingerprint, email) +); + +CREATE INDEX bindings_fingerprint_email on bindings (fingerprint, email); +CREATE INDEX bindings_email on bindings (email); + +-- +-- The SIGNATURES table records all data signatures we verified +-- +CREATE TABLE signatures ( + binding integer not null, -- Link to bindings table, + -- references bindings.oid. + sig_digest text, -- The digest of the signed message. + origin text, -- String describing who initially fed + -- the signature to gpg (e.g. "email:claws"). + sig_time integer, -- Timestamp from the signature. + time integer, -- Time this record was created. + primary key (binding, sig_digest, origin) +); +#+end_src + + +* GNU extensions to the S2K algorithm + + 1 octet - S2K Usage: either 254 or 255. + 1 octet - S2K Cipher Algo: 0 + 1 octet - S2K Specifier: 101 + 3 octets - "GNU" + 1 octet - GNU S2K Extension Number. + + If such a GNU extension is used neither an IV nor any kind of + checksum is used. The defined GNU S2K Extension Numbers are: + + - 1 :: Do not store the secret part at all. No specific data + follows. + + - 2 :: A stub to access smartcards. This data follows: + - One octet with the length of the following serial number. + - The serial number. Regardless of what the length octet + indicates no more than 16 octets are stored. + + Note that gpg stores the GNU S2K Extension Number internally as an + S2K Specifier with an offset of 1000. + + +* Format of the OpenPGP TRUST packet + + According to RFC4880 (5.10), the trust packet (aka ring trust) is + only used within keyrings and contains data that records the user's + specifications of which key holds trusted introducers. The RFC also + states that the format of this packet is implementation defined and + SHOULD NOT be emitted to output streams or should be ignored on + import. GnuPG uses this packet in several additional ways: + + - 1 octet :: Trust-Value (only used by Subtype SIG) + - 1 octet :: Signature-Cache (only used by Subtype SIG; value must + be less than 128) + - 3 octets :: Fixed value: "gpg" + - 1 octet :: Subtype + - 0 :: Signature cache (SIG) + - 1 :: Key source on the primary key (KEY) + - 2 :: Key source on a user id (UID) + - 1 octet :: Key Source; i.e. the origin of the key: + - 0 :: Unknown source. + - 1 :: Public keyserver. + - 2 :: Preferred keyserver. + - 3 :: OpenPGP DANE. + - 4 :: Web Key Directory. + - 5 :: Import from a trusted URL. + - 6 :: Import from a trusted file. + - 7 :: Self generated. + - 4 octets :: Time of last update. This is a four-octet scalar + with the seconds since Epoch. + - 1 octet :: Scalar with the length of the following field. + - N octets :: String with the URL of the source. This may be a + zero-length string. + + If the packets contains only two octets a Subtype of 0 is assumed; + this is the only format recognized by GnuPG versions < 2.1.18. + Trust-Value and Signature-Cache must be zero for all subtypes other + than SIG. + + +* Keyserver helper message format + + *This information is obsolete* + (Keyserver helpers have been replaced by dirmngr) + + The keyserver may be contacted by a Unix Domain socket or via TCP. + + The format of a request is: +#+begin_example + command-tag + "Content-length:" digits + CRLF +#+end_example + + Where command-tag is + +#+begin_example + NOOP + GET <user-name> + PUT + DELETE <user-name> +#+end_example + +The format of a response is: + +#+begin_example + "GNUPG/1.0" status-code status-text + "Content-length:" digits + CRLF +#+end_example +followed by <digits> bytes of data + +Status codes are: + + - 1xx :: Informational - Request received, continuing process + + - 2xx :: Success - The action was successfully received, understood, + and accepted + + - 4xx :: Client Error - The request contains bad syntax or cannot be + fulfilled + + - 5xx :: Server Error - The server failed to fulfill an apparently + valid request + + +* Object identifiers + + OIDs below the GnuPG arc: + +#+begin_example + 1.3.6.1.4.1.11591.2 GnuPG + 1.3.6.1.4.1.11591.2.1 notation + 1.3.6.1.4.1.11591.2.1.1 pkaAddress + 1.3.6.1.4.1.11591.2.2 X.509 extensions + 1.3.6.1.4.1.11591.2.2.1 standaloneCertificate + 1.3.6.1.4.1.11591.2.2.2 wellKnownPrivateKey + 1.3.6.1.4.1.11591.2.12242973 invalid encoded OID +#+end_example + + + +* Debug flags + +This tables gives the flag values for the --debug option along with +the alternative names used by the components. + +| | gpg | gpgsm | agent | scd | dirmngr | g13 | wks | +|-------+---------+---------+---------+---------+---------+---------+---------| +| 1 | packet | x509 | | | x509 | mount | mime | +| 2 | mpi | mpi | mpi | mpi | | | parser | +| 4 | crypto | crypto | crypto | crypto | crypto | crypto | crypto | +| 8 | filter | | | | | | | +| 16 | iobuf | | | | dns | | | +| 32 | memory | memory | memory | memory | memory | memory | memory | +| 64 | cache | cache | cache | cache | cache | | | +| 128 | memstat | memstat | memstat | memstat | memstat | memstat | memstat | +| 256 | trust | | | | | | | +| 512 | hashing | hashing | hashing | hashing | hashing | | | +| 1024 | ipc | ipc | ipc | ipc | ipc | ipc | ipc | +| 2048 | | | | cardio | network | | | +| 4096 | clock | | | reader | | | | +| 8192 | lookup | | | | lookup | | | +| 16384 | extprog | | | | | | extprog | + +Description of some debug flags: + + - cardio :: Used by scdaemon to trace the APDUs exchange with the + card. + - clock :: Show execution times of certain functions. + - crypto :: Trace crypto operations. + - hashing :: Create files with the hashed data. + - ipc :: Trace the Assuan commands. + - mpi :: Show the values of the MPIs. + - reader :: Used by scdaemon to trace card reader related code. For + example: Open and close reader. + + + +* Miscellaneous notes + +** v3 fingerprints + For packet version 3 we calculate the keyids this way: + - RSA :: Low 64 bits of n + - ELGAMAL :: Build a v3 pubkey packet (with CTB 0x99) and + calculate a RMD160 hash value from it. This is used + as the fingerprint and the low 64 bits are the keyid. + +** Simplified revocation certificates + Revocation certificates consist only of the signature packet; + "--import" knows how to handle this. The rationale behind it is to + keep them small. + +** Documentation on HKP (the http keyserver protocol): + + A minimalistic HTTP server on port 11371 recognizes a GET for + /pks/lookup. The standard http URL encoded query parameters are + this (always key=value): + + - op=index (like pgp -kv), op=vindex (like pgp -kvv) and op=get (like + pgp -kxa) + + - search=<stringlist>. This is a list of words that must occur in the key. + The words are delimited with space, points, @ and so on. The delimiters + are not searched for and the order of the words doesn't matter (but see + next option). + + - exact=on. This switch tells the hkp server to only report exact matching + keys back. In this case the order and the "delimiters" are important. + + - fingerprint=on. Also reports the fingerprints when used with 'index' or + 'vindex' + + The keyserver also recognizes http-POSTs to /pks/add. Use this to upload + keys. + + + A better way to do this would be a request like: + + /pks/lookup/<gnupg_formatierte_user_id>?op=<operation> + + This can be implemented using Hurd's translator mechanism. + However, I think the whole keyserver stuff has to be re-thought; + I have some ideas and probably create a white paper. +** Algorithm names for the "keygen.algo" prompt + + When using a --command-fd controlled key generation or "addkey" + there is way to know the number to enter on the "keygen.algo" + prompt. The displayed numbers are for human reception and may + change with releases. To provide a stable way to enter a desired + algorithm choice the prompt also accepts predefined names for the + algorithms, which will not change. + + | Name | No | Description | + |---------+----+---------------------------------| + | rsa+rsa | 1 | RSA and RSA (default) | + | dsa+elg | 2 | DSA and Elgamal | + | dsa | 3 | DSA (sign only) | + | rsa/s | 4 | RSA (sign only) | + | elg | 5 | Elgamal (encrypt only) | + | rsa/e | 6 | RSA (encrypt only) | + | dsa/* | 7 | DSA (set your own capabilities) | + | rsa/* | 8 | RSA (set your own capabilities) | + | ecc+ecc | 9 | ECC and ECC | + | ecc/s | 10 | ECC (sign only) | + | ecc/* | 11 | ECC (set your own capabilities) | + | ecc/e | 12 | ECC (encrypt only) | + | keygrip | 13 | Existing key | + | cardkey | 14 | Existing key from card | + + If one of the "foo/*" names are used a "keygen.flags" prompt needs + to be answered as well. Instead of toggling the predefined flags, + it is also possible to set them direct: Use a "=" character + directly followed by a combination of "a" (for authentication), "s" + (for signing), or "c" (for certification). @@ -0,0 +1,13 @@ +GnuPG Frequently Asked Questions + +A FAQ is a fast moving target and thus we don't distribute it anymore +with GnuPG. You may retrieve the current FAQ in HTML format at + + https://gnupg.org/faq/gnupg-faq.html + +or in plain text format at + + https://gnupg.org/faq/gnupg-faq.txt + + + diff --git a/doc/HACKING b/doc/HACKING new file mode 100644 index 0000000..bd16856 --- /dev/null +++ b/doc/HACKING @@ -0,0 +1,433 @@ +# HACKING -*- org -*- +#+TITLE: A Hacker's Guide to GnuPG +#+TEXT: Some notes on GnuPG internals +#+STARTUP: showall +#+OPTIONS: ^:{} + +* How to contribute + + The following stuff explains some basic procedures you need to + follow if you want to contribute code or documentation. + +** No more ChangeLog files + +Do not modify any of the ChangeLog files in GnuPG. Starting on +December 1st, 2011 we put change information only in the GIT commit +log, and generate a top-level ChangeLog file from logs at "make dist" +time. As such, there are strict requirements on the form of the +commit log messages. The old ChangeLog files have all be renamed to +ChangeLog-2011 + +** Commit log requirements + +Your commit log should always start with a one-line summary, the +second line should be blank, and the remaining lines are usually +ChangeLog-style entries for all affected files. However, it's fine +--- even recommended --- to write a few lines of prose describing the +change, when the summary and ChangeLog entries don't give enough of +the big picture. Omit the leading TABs that you are seeing in a +"real" ChangeLog file, but keep the maximum line length at 72 or +smaller, so that the generated ChangeLog lines, each with its leading +TAB, will not exceed 80 columns. If you want to add text which shall +not be copied to the ChangeLog, separate it by a line consisting of +two dashes at the begin of a line. + +The one-line summary usually starts with a keyword to identify the +mainly affected subsystem. If more than one keyword is required the +are delimited by a comma (e.g. =scd,w32:=). Commonly found keywords +are + + - agent :: The gpg-agent component + - build :: Changes to the build system + - ccid :: The CCID driver in scdaemon + - common :: Code in common + - dirmngr :: The dirmngr component + - doc :: Documentation changes + - gpg :: The gpg or gpgv components + - sm :: The gpgsm component (also "gpgsm") + - gpgscm :: The regression test driver + - indent :: Indentation and similar changes + - iobuf :: The IOBUF system in common + - po :: Translations + - scd :: The scdaemon component + - speedo :: Speedo build system specific changes + - ssh :: The ssh-agent part of the agent + - tests :: The regressions tests + - tools :: Other code in tools + - w32 :: Windows related code + - wks :: The web key service tools + - yat2m :: The yat2m tool. + +Typo fixes and documentation updates don't need a ChangeLog entry; +thus you would use a commit message like + +#+begin_example +doc: Fix typo in a comment + +-- +#+end_example + +The marker line here is important; without it the first line would +appear in the ChangeLog. + +If you exceptionally need to have longer lines in a commit log you may +do this after this scissor line: +#+begin_example +# ------------------------ >8 ------------------------ +#+end_example +(hash, blank, 24 dashes, blank, scissor, blank, 24 dashes). +Note that such a comment will be removed if the git commit option +=--cleanup=scissor= is used. + +** License policy + + GnuPG is licensed under the GPLv3+ with some files under a mixed + LGPLv3+/GPLv2+ license. It is thus important, that all contributed + code allows for an update of the license; for example we can't + accept code under the GPLv2(only). + + GnuPG used to have a strict policy of requiring copyright + assignments to the FSF. To avoid this major organizational overhead + and to allow inclusion of code, not copyrighted by the FSF, this + policy has been relaxed on 2013-03-29. It is now also possible to + contribute code by asserting that the contribution is in accordance + to the "Libgcrypt Developer's Certificate of Origin" as found in the + file "DCO". (Except for a slight wording change, this DCO is + identical to the one used by the Linux kernel.) + + If you want to contribute code or documentation to GnuPG and you + didn't sign a copyright assignment with the FSF in the past, you + need to take these simple steps: + + - Decide which mail address you want to use. Please have your real + name in the address and not a pseudonym. Anonymous contributions + can only be done if you find a proxy who certifies for you. + + - If your employer or school might claim ownership of code written + by you; you need to talk to them to make sure that you have the + right to contribute under the DCO. + + - Send an OpenPGP signed mail to the gnupg-devel@gnupg.org mailing + list from your mail address. Include a copy of the DCO as found + in the official master branch. Insert your name and email address + into the DCO in the same way you want to use it later. Example: + + Signed-off-by: Joe R. Hacker <joe@example.org> + + (If you really need it, you may perform simple transformations of + the mail address: Replacing "@" by " at " or "." by " dot ".) + + - That's it. From now on you only need to add a "Signed-off-by:" + line with your name and mail address to the commit message. It is + recommended to send the patches using a PGP/MIME signed mail. + +** Coding standards + + Please follow the GNU coding standards. If you are in doubt consult + the existing code as an example. Do no re-indent code without a + need. If you really need to do it, use a separate commit for such a + change. + + - Only certain C99 features may be used (see below); in general + stick to C90. + - Please do not use C++ =//= style comments. + - Do not use comments like: +#+begin_src + if (foo) + /* Now that we know that foo is true we can call bar. */ + bar (); +#+end_src + instead write the comment on the if line or before it. You may + also use a block and put the comment inside. + - Please use asterisks on the left of longer comments. This makes + it easier to read without syntax highlighting, on printouts, and + for blind people. + - Try to fit lines into 80 columns. + - Ignore signed/unsigned pointer mismatches + - No arithmetic on void pointers; cast to char* first. + - Do not use +#+begin_src + if ( 42 == foo ) +#+end_src + this is harder to read and modern compilers are pretty good in + detecing accidential assignments. It is also suggested not to + compare to 0 or NULL but to test the value direct or with a '!'; + this makes it easier to see that a boolean test is done. + - We use our own printf style functions like =es_printf=, and + =gpgrt_asprintf= (or the =es_asprintf= macro) which implement most + C99 features with the exception of =wchar_t= (which should anyway + not be used). Please use them always and do not resort to those + provided by libc. The rationale for using them is that we know + that the format specifiers work on all platforms and that we do + not need to chase platform dependent bugs. Note also that in + gnupg asprintf is a macro already evaluating to gpgrt_asprintf. + - It is common to have a label named "leave" for a function's + cleanup and return code. This helps with freeing memory and is a + convenient location to set a breakpoint for debugging. + - Always use xfree() instead of free(). If it is not easy to see + that the freed variable is not anymore used, explicitly set the + variable to NULL. + - New code shall in general use xtrymalloc or xtrycalloc and check + for an error (use gpg_error_from_syserror()). + - Init function local variables only if needed so that the compiler + can do a better job in detecting uninitialized variables which may + indicate a problem with the code. + - Never init static or file local variables to 0 to make sure they + end up in BSS. + - Put extra parenthesis around terms with binary operators to make + it clear that the binary operator was indeed intended. + - Use --enable-maintainer-mode with configure so that all suitable + warnings are enabled. + +** Variable names + + Follow the GNU standards. Here are some conventions you may want to + stick to (do not rename existing "wrong" uses without a goog + reason). + + - err :: This conveys an error code of type =gpg_error_t= which is + compatible to an =int=. To compare such a variable to a + GPG_ERR_ constant, it is necessary to map the value like + this: =gpg_err_code(err)=. + - ec :: This is used for a gpg-error code which has no source part + (=gpg_err_code_t=) and will eventually be used as input to + =gpg_err_make=. + - rc :: Used for all kind of other errors; for example system + calls. The value is not compatible with gpg-error. + + +*** C99 language features + + In GnuPG 2.x, but *not in 1.4* and not in most libraries, a limited + set of C99 features may be used: + + - Variadic macros: + : #define foo(a,...) bar(a, __VA_ARGS__) + + - The predefined macro =__func__=: + : log_debug ("%s: Problem with foo\n", __func__); + + - Variable declaration inside a for(): + : for (int i = 0; i < 5; ++) + : bar (i); + + Although we usually make use of the =u16=, =u32=, and =u64= types, + it is also possible to include =<stdint.h>= and use =int16_t=, + =int32_t=, =int64_t=, =uint16_t=, =uint32_t=, and =uint64_t=. But do + not use =int8_t= or =uint8_t=. + +** Commit log keywords + + - GnuPG-bug-id :: Values are comma or space delimited bug numbers + from bug.gnupg.org pertaining to this commit. + - Debian-bug-id :: Same as above but from the Debian bug tracker. + - CVE-id :: CVE id number pertaining to this commit. + - Regression-due-to :: Commit id of the regression fixed by this commit. + - Fixes-commit :: Commit id this commit fixes. + - Updates-commit :: Commit id this commit updates. + - Reported-by :: Value is a name or mail address of a bug reporte. + - Suggested-by :: Value is a name or mail address of someone how + suggested this change. + - Co-authored-by :: Name or mail address of a co-author + - Some-comments-by :: Name or mail address of the author of + additional comments (commit log or code). + - Proofread-by :: Sometimes used by translation commits. + - Signed-off-by :: Name or mail address of the developer + +* Windows +** How to build an installer for Windows + + Your best bet is to use a decent Debian System for development. + You need to install a long list of tools for building. This list + still needs to be compiled. However, the build process will stop + if a tool is missing. GNU make is required (on non GNU systems + often installed as "gmake"). The installer requires a couple of + extra software to be available either as tarballs or as local git + repositories. In case this file here is part of a gnupg-w32-2.*.xz + complete tarball as distributed from the same place as a binary + installer, all such tarballs are already included. + + Cd to the GnuPG source directory and use one of one of these + command: + + - If sources are included (gnupg-w32-*.tar.xz) + + make -f build-aux/speedo.mk WHAT=this installer + + - To build from tarballs + + make -f build-aux/speedo.mk WHAT=release TARBALLS=TARDIR installer + + - To build from local GIT repos + + make -f build-aux/speedo.mk WHAT=git TARBALLS=TARDIR installer + + Note that also you need to supply tarballs with supporting + libraries even if you build from git. The makefile expects only + the core GnuPG software to be available as local GIT repositories. + speedo.mk has the versions of the tarballs and the branch names of + the git repositories. In case of problems, don't hesitate to ask + on the gnupg-devel mailing for help. + +* Debug hints + + See the manual for some hints. + +* Standards +** RFCs + +1423 Privacy Enhancement for Internet Electronic Mail: + Part III: Algorithms, Modes, and Identifiers. + +1489 Registration of a Cyrillic Character Set. + +1750 Randomness Recommendations for Security. + +1991 PGP Message Exchange Formats (obsolete) + +2144 The CAST-128 Encryption Algorithm. + +2279 UTF-8, a transformation format of ISO 10646. + +2440 OpenPGP (obsolete). + +3156 MIME Security with Pretty Good Privacy (PGP). + +4880 Current OpenPGP specification. + +6337 Elliptic Curve Cryptography (ECC) in OpenPGP + +* Various information + +** Directory Layout + + - ./ :: Readme, configure + - ./agent :: Gpg-agent and related tools + - ./doc :: Documentation + - ./g10 :: Gpg program here called gpg2 + - ./sm :: Gpgsm program + - ./jnlib :: Not used (formerly used utility functions) + - ./common :: Utility functions + - ./kbx :: Keybox library + - ./scd :: Smartcard daemon + - ./scripts :: Scripts needed by configure and others + - ./dirmngr :: The directory manager + +** Detailed Roadmap + + This list of files is not up to date! + + - g10/gpg.c :: Main module with option parsing and all the stuff you + have to do on startup. Also has the exit handler and + some helper functions. + + - g10/parse-packet.c :: + - g10/build-packet.c :: + - g10/free-packet.c :: Parsing and creating of OpenPGP message packets. + + - g10/getkey.c :: Key selection code + - g10/pkclist.c :: Build a list of public keys + - g10/skclist.c :: Build a list of secret keys + - g10/keyring.c :: Keyring access functions + - g10/keydb.h :: + + - g10/keyid.c :: Helper functions to get the keyid, fingerprint etc. + + - g10/trustdb.c :: Web-of-Trust computations + - g10/trustdb.h :: + - g10/tdbdump.c :: Export/import/list the trustdb.gpg + - g10/tdbio.c :: I/O handling for the trustdb.gpg + - g10/tdbio.h :: + + - g10/compress.c :: Filter to handle compression + - g10/filter.h :: Declarations for all filter functions + - g10/delkey.c :: Delete a key + - g10/kbnode.c :: Helper for the kbnode_t linked list + - g10/main.h :: Prototypes and some constants + - g10/mainproc.c :: Message processing + - g10/armor.c :: Ascii armor filter + - g10/mdfilter.c :: Filter to calculate hashs + - g10/textfilter.c :: Filter to handle CR/LF and trailing white space + - g10/cipher.c :: En-/Decryption filter + - g10/misc.c :: Utility functions + - g10/options.h :: Structure with all the command line options + and related constants + - g10/openfile.c :: Create/Open Files + - g10/keyserver.h :: Keyserver access dispatcher. + - g10/packet.h :: Definition of OpenPGP structures. + - g10/passphrase.c :: Passphrase handling code + + - g10/pubkey-enc.c :: Process a public key encoded packet. + - g10/seckey-cert.c :: Not anymore used + - g10/seskey.c :: Make session keys etc. + - g10/import.c :: Import keys into our key storage. + - g10/export.c :: Export keys to the OpenPGP format. + - g10/sign.c :: Create signature and optionally encrypt. + - g10/plaintext.c :: Process plaintext packets. + - g10/decrypt-data.c :: Decrypt an encrypted data packet + - g10/encrypt.c :: Main encryption driver + - g10/revoke.c :: Create recovation certificates. + - g10/keylist.c :: Print information about OpenPGP keys + - g10/sig-check.c :: Check a signature + - g10/helptext.c :: Show online help texts + - g10/verify.c :: Verify signed data. + - g10/decrypt.c :: Decrypt and verify data. + - g10/keyedit.c :: Edit properties of a key. + - g10/dearmor.c :: Armor utility. + - g10/keygen.c :: Generate a key pair + +** Memory allocation + +Use only the functions: + + - xmalloc + - xmalloc_secure + - xtrymalloc + - xtrymalloc_secure + - xcalloc + - xcalloc_secure + - xtrycalloc + - xtrycalloc_secure + - xrealloc + - xtryrealloc + - xstrdup + - xtrystrdup + - xfree + + +The *secure versions allocate memory in the secure memory. That is, +swapping out of this memory is avoided and is gets overwritten on +free. Use this for passphrases, session keys and other sensitive +material. This memory set aside for secure memory is linited to a few +k. In general the function don't print a memeory message and +terminate the process if there is not enough memory available. The +"try" versions of the functions return NULL instead. + +** Logging + + TODO + +** Option parsing + +GnuPG does not use getopt or GNU getopt but functions of it's own. +See util/argparse.c for details. The advantage of these functions is +that it is more easy to display and maintain the help texts for the +options. The same option table is also used to parse resource files. + +** What is an IOBUF + +This is the data structure used for most I/O of gnupg. It is similar +to System V Streams but much simpler. Because OpenPGP messages are +nested in different ways; the use of such a system has big advantages. +Here is an example, how it works: If the parser sees a packet header +with a partial length, it pushes the block_filter onto the IOBUF to +handle these partial length packets: from now on you don't have to +worry about this. When it sees a compressed packet it pushes the +uncompress filter and the next read byte is one which has already been +uncompressed by this filter. Same goes for enciphered packet, +plaintext packets and so on. The file g10/encode.c might be a good +starting point to see how it is used - actually this is the other way: +constructing messages using pushed filters but it may be easier to +understand. + + diff --git a/doc/KEYSERVER b/doc/KEYSERVER new file mode 100644 index 0000000..f63200a --- /dev/null +++ b/doc/KEYSERVER @@ -0,0 +1,83 @@ +Format of keyserver colon listings +================================== + +David Shaw <dshaw@jabberwocky.com> + +The machine readable response begins with an optional information +line: + +info:<version>:<count> + +<version> = this is the version of this protocol. Currently, this is + the number 1. + +<count> = the number of keys returned in this response. Note this is + the number of keys, and not the number of lines returned. + It should match the number of "pub:" lines returned. + +If this optional line is not included, or the version information is +not supplied, the version number is assumed to be 1. + +The key listings are made up of several lines per key. The first line +is for the primary key: + +pub:<fingerprint>:<algo>:<keylen>:<creationdate>:<expirationdate>:<flags> + +<fingerprint> = this is either the fingerprint or the keyid of the + key. Either the 16-digit or 8-digit keyids are + acceptable, but obviously the fingerprint is best. + Since it is not possible to calculate the keyid from a + V3 key fingerprint, for V3 keys this should be either + the 16-digit or 8-digit keyid only. + +<algo> = the algorithm number from RFC-2440. (i.e. 1==RSA, 17==DSA, + etc). + +<keylen> = the key length (i.e. 1024, 2048, 4096, etc.) + +<creationdate> = creation date of the key in standard RFC-2440 form + (i.e. number of seconds since 1/1/1970 UTC time) + +<expirationdate> = expiration date of the key in standard RFC-2440 + form (i.e. number of seconds since 1/1/1970 UTC time) + +<flags> = letter codes to indicate details of the key, if any. Flags + may be in any order. + + r == revoked + d == disabled + e == expired + +Following the "pub" line are one or more "uid" lines to indicate user +IDs on the key: + +uid:<escaped uid string>:<creationdate>:<expirationdate>:<flags> + +<escaped uid string> == the user ID string, with HTTP %-escaping for + anything that isn't 7-bit safe as well as for + the ":" character. Any other characters may + be escaped, as desired. + +creationdate, expirationdate, and flags mean the same here as before. +The information is taken from the self-sig, if any, and applies to the +user ID in question, and not to the key as a whole. + +Details: + +* All characters except for the <escaped uid string> are + case-insensitive. + +* Obviously, on a keyserver without integrated crypto, many of the + items given here are not fully trustworthy until the key is + downloaded and signatures checked. For example, the information + that a key is flagged "r" for revoked should be treated as + untrustworthy information until the key is checked on the client + side. + +* Empty fields are allowed. For example, a key with no expiration + date would have the <expirationdate> field empty. Also, a keyserver + that does not track a particular piece of information may leave that + field empty as well. I expect that the creation and expiration + dates for user IDs will be left empty in current keyservers. Colons + for empty fields on the end of each line may be left off, if + desired. diff --git a/doc/Makefile.am b/doc/Makefile.am new file mode 100644 index 0000000..aba09b9 --- /dev/null +++ b/doc/Makefile.am @@ -0,0 +1,213 @@ +# Copyright (C) 2002, 2004 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + +## Process this file with automake to produce Makefile.in + +AM_CPPFLAGS = + +include $(top_srcdir)/am/cmacros.am + +examples = examples/README examples/scd-event examples/trustlist.txt \ + examples/VS-NfD.prf examples/Automatic.prf \ + examples/debug.prf \ + examples/gpgconf.rnames examples/gpgconf.conf \ + examples/systemd-user/README \ + examples/systemd-user/dirmngr.service \ + examples/systemd-user/dirmngr.socket \ + examples/systemd-user/gpg-agent.service \ + examples/systemd-user/gpg-agent.socket \ + examples/systemd-user/gpg-agent-ssh.socket \ + examples/systemd-user/gpg-agent-browser.socket \ + examples/systemd-user/gpg-agent-extra.socket \ + examples/pwpattern.list + +helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt \ + help.da.txt help.de.txt help.el.txt help.eo.txt \ + help.es.txt help.et.txt help.fi.txt help.fr.txt \ + help.gl.txt help.hu.txt help.id.txt help.it.txt \ + help.ja.txt help.nb.txt help.pl.txt help.pt.txt \ + help.pt_BR.txt help.ro.txt help.ru.txt help.sk.txt \ + help.sv.txt help.tr.txt help.zh_CN.txt help.zh_TW.txt + +profiles = + +EXTRA_DIST = samplekeys.asc mksamplekeys com-certs.pem qualified.txt \ + gnupg-logo.eps gnupg-logo.pdf gnupg-logo.png gnupg-logo-tr.png \ + gnupg-module-overview.png gnupg-module-overview.pdf \ + gnupg-card-architecture.png gnupg-card-architecture.pdf \ + FAQ gnupg7.texi mkdefsinc.c defsincdate \ + opt-homedir.texi see-also-note.texi specify-user-id.texi \ + gpgv.texi yat2m.c ChangeLog-2011 whats-new-in-2.1.txt \ + trust-values.texi + +BUILT_SOURCES = gnupg-module-overview.png gnupg-module-overview.pdf \ + gnupg-card-architecture.png gnupg-card-architecture.pdf \ + defsincdate defs.inc + +info_TEXINFOS = gnupg.texi + +dist_pkgdata_DATA = $(helpfiles) $(profiles) + +nobase_dist_doc_DATA = FAQ DETAILS HACKING DCO TRANSLATE OpenPGP KEYSERVER \ + $(examples) + +#dist_html_DATA = + + +gnupg_TEXINFOS = \ + gpg.texi gpgsm.texi gpg-agent.texi scdaemon.texi instguide.texi \ + tools.texi debugging.texi glossary.texi contrib.texi gpl.texi \ + sysnotes.texi dirmngr.texi wks.texi \ + gnupg-module-overview.svg \ + gnupg-card-architecture.fig \ + howtos.texi howto-create-a-server-cert.texi + +gnupg.texi : defs.inc + +# We need EPS files for "make distcheck" but we do not want to distribute +# them due to their size. Let's build them as needed. +gnupg.dvi : gnupg-module-overview.eps gnupg-card-architecture.eps + + +DVIPS = TEXINPUTS="$(srcdir)$(PATH_SEPARATOR)$$TEXINPUTS" dvips + +AM_MAKEINFOFLAGS = -I $(srcdir) --css-ref=/share/site.css + +YAT2M_OPTIONS = -I $(srcdir) \ + --release "GnuPG @PACKAGE_VERSION@" --source "GNU Privacy Guard 2.2" + +myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \ + dirmngr.texi scdaemon.texi tools.texi wks.texi +myman_pages = gpgsm.1 gpg-agent.1 dirmngr.8 scdaemon.1 \ + watchgnupg.1 gpgconf.1 addgnupghome.8 gpg-preset-passphrase.1 \ + gpg-connect-agent.1 gpgparsemail.1 gpgtar.1 \ + gpg-check-pattern.1 \ + applygnupgdefaults.8 gpg-wks-client.1 gpg-wks-server.1 \ + dirmngr-client.1 +if USE_GPG2_HACK +myman_pages += gpg2.1 gpgv2.1 +else +myman_pages += gpg.1 gpgv.1 +endif + +man_MANS = $(myman_pages) gnupg.7 + +watchgnupg_SOURCE = gnupg.texi + + +CLEANFILES = yat2m mkdefsinc defs.inc + +DISTCLEANFILES = gnupg.tmp gnupg.ops yat2m-stamp.tmp yat2m-stamp \ + gnupg-card-architecture.eps \ + gnupg-module-overview.eps \ + $(myman_pages) gnupg.7 + +if HAVE_YAT2M +YAT2M_CMD = $(YAT2M) +YAT2M_DEP = $(YAT2M) +else +YAT2M_CMD = ./yat2m +YAT2M_DEP = yat2m + +yat2m: yat2m.c + $(CC_FOR_BUILD) -o $@ $(srcdir)/yat2m.c +endif + +mkdefsinc: mkdefsinc.c Makefile ../config.h + $(CC_FOR_BUILD) -I. -I.. -I$(srcdir) $(AM_CPPFLAGS) \ + -o $@ $(srcdir)/mkdefsinc.c + +.svg.eps: + convert `test -f '$<' || echo '$(srcdir)/'`$< $@ + +.svg.png: + convert `test -f '$<' || echo '$(srcdir)/'`$< $@ + +.svg.pdf: + convert `test -f '$<' || echo '$(srcdir)/'`$< $@ + +.fig.png: + fig2dev -L png `test -f '$<' || echo '$(srcdir)/'`$< $@ + +.fig.jpg: + fig2dev -L jpeg `test -f '$<' || echo '$(srcdir)/'`$< $@ + +.fig.eps: + fig2dev -L eps `test -f '$<' || echo '$(srcdir)/'`$< $@ + +.fig.pdf: + fig2dev -L pdf `test -f '$<' || echo '$(srcdir)/'`$< $@ + + +yat2m-stamp: $(myman_sources) defs.inc + @rm -f yat2m-stamp.tmp + @touch yat2m-stamp.tmp + incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \ + for file in $(myman_sources) ; do \ + $(YAT2M_CMD) $(YAT2M_OPTIONS) --store \ + --date "`cat $$incd 2>/dev/null`" \ + `test -f '$$file' || echo '$(srcdir)/'`$$file ; done + @mv -f yat2m-stamp.tmp $@ + +yat2m-stamp: $(YAT2M_DEP) + +$(myman_pages) gnupg.7 : yat2m-stamp defs.inc + @if test -f $@; then :; else \ + trap 'rm -rf yat2m-stamp yat2m-lock' 1 2 13 15; \ + if mkdir yat2m-lock 2>/dev/null; then \ + rm -f yat2m-stamp; \ + $(MAKE) $(AM_MAKEFLAGS) yat2m-stamp; \ + rmdir yat2m-lock; \ + else \ + while test -d yat2m-lock; do sleep 1; done; \ + test -f yat2m-stamp; exit $$?; \ + fi; \ + fi + +dist-hook: defsincdate + +defsincdate: $(gnupg_TEXINFOS) + : >defsincdate ; \ + if test -e $(top_srcdir)/.git; then \ + (cd $(srcdir) && git log -1 --format='%ct' \ + -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \ + elif test x"$$SOURCE_DATE_EPOCH" != x; then \ + echo "$$SOURCE_DATE_EPOCH" >>defsincdate ; \ + fi + +defs.inc : defsincdate Makefile mkdefsinc + incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \ + ./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \ + $(gnupg_TEXINFOS) >$@ + + +online: gnupg.html gnupg.pdf gnupg-module-overview.png \ + gnupg-card-architecture.png + set -e; \ + echo "Uploading current manuals to www.gnupg.org ..."; \ + cp $(srcdir)/gnupg-logo-tr.png gnupg.html/; \ + cp gnupg-module-overview.png gnupg.html/; \ + cp gnupg-card-architecture.png gnupg.html/; \ + user=werner ; webhost="ftp.gnupg.org" ; dashdevel="" ; \ + if echo "@PACKAGE_VERSION@" | grep -- "-beta" >/dev/null; then \ + dashdevel="-devel" ; \ + else \ + rsync -v gnupg.pdf $${user}@$${webhost}:webspace/manuals/ ; \ + fi ; \ + cd gnupg.html ; \ + rsync -vr --exclude='.git' . \ + $${user}@$${webhost}:webspace/manuals/gnupg$${dashdevel}/ diff --git a/doc/Makefile.in b/doc/Makefile.in new file mode 100644 index 0000000..59b671f --- /dev/null +++ b/doc/Makefile.in @@ -0,0 +1,1273 @@ +# Makefile.in generated by automake 1.16.3 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2020 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# Copyright (C) 2002, 2004 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + +# cmacros.am - C macro definitions +# Copyright (C) 2004 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_DOSISH_SYSTEM_FALSE@am__append_1 = -DGNUPG_BINDIR="\"$(bindir)\"" \ +@HAVE_DOSISH_SYSTEM_FALSE@ -DGNUPG_LIBEXECDIR="\"$(libexecdir)\"" \ +@HAVE_DOSISH_SYSTEM_FALSE@ -DGNUPG_LIBDIR="\"$(libdir)/@PACKAGE@\"" \ +@HAVE_DOSISH_SYSTEM_FALSE@ -DGNUPG_DATADIR="\"$(datadir)/@PACKAGE@\"" \ +@HAVE_DOSISH_SYSTEM_FALSE@ -DGNUPG_SYSCONFDIR="\"$(sysconfdir)/@PACKAGE@\"" \ +@HAVE_DOSISH_SYSTEM_FALSE@ -DGNUPG_LOCALSTATEDIR="\"$(localstatedir)\"" + + +# If a specific protect tool program has been defined, pass its name +# to cc. Note that these macros should not be used directly but via +# the gnupg_module_name function. +@GNUPG_AGENT_PGM_TRUE@am__append_2 = -DGNUPG_DEFAULT_AGENT="\"@GNUPG_AGENT_PGM@\"" +@GNUPG_PINENTRY_PGM_TRUE@am__append_3 = -DGNUPG_DEFAULT_PINENTRY="\"@GNUPG_PINENTRY_PGM@\"" +@GNUPG_SCDAEMON_PGM_TRUE@am__append_4 = -DGNUPG_DEFAULT_SCDAEMON="\"@GNUPG_SCDAEMON_PGM@\"" +@GNUPG_DIRMNGR_PGM_TRUE@am__append_5 = -DGNUPG_DEFAULT_DIRMNGR="\"@GNUPG_DIRMNGR_PGM@\"" +@GNUPG_PROTECT_TOOL_PGM_TRUE@am__append_6 = -DGNUPG_DEFAULT_PROTECT_TOOL="\"@GNUPG_PROTECT_TOOL_PGM@\"" +@GNUPG_DIRMNGR_LDAP_PGM_TRUE@am__append_7 = -DGNUPG_DEFAULT_DIRMNGR_LDAP="\"@GNUPG_DIRMNGR_LDAP_PGM@\"" +@USE_GPG2_HACK_TRUE@am__append_8 = gpg2.1 gpgv2.1 +@USE_GPG2_HACK_FALSE@am__append_9 = gpg.1 gpgv.1 +subdir = doc +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/autobuild.m4 \ + $(top_srcdir)/m4/codeset.m4 $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/gpg-error.m4 $(top_srcdir)/m4/iconv.m4 \ + $(top_srcdir)/m4/isc-posix.m4 $(top_srcdir)/m4/ksba.m4 \ + $(top_srcdir)/m4/lcmessage.m4 $(top_srcdir)/m4/ldap.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libassuan.m4 \ + $(top_srcdir)/m4/libgcrypt.m4 $(top_srcdir)/m4/nls.m4 \ + $(top_srcdir)/m4/npth.m4 $(top_srcdir)/m4/ntbtls.m4 \ + $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/m4/readline.m4 \ + $(top_srcdir)/m4/socklen.m4 $(top_srcdir)/m4/sys_socket_h.m4 \ + $(top_srcdir)/m4/tar-ustar.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_pkgdata_DATA) \ + $(nobase_dist_doc_DATA) $(am__DIST_COMMON) +mkinstalldirs = $(SHELL) $(top_srcdir)/build-aux/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +SOURCES = +DIST_SOURCES = +AM_V_DVIPS = $(am__v_DVIPS_@AM_V@) +am__v_DVIPS_ = $(am__v_DVIPS_@AM_DEFAULT_V@) +am__v_DVIPS_0 = @echo " DVIPS " $@; +am__v_DVIPS_1 = +AM_V_MAKEINFO = $(am__v_MAKEINFO_@AM_V@) +am__v_MAKEINFO_ = $(am__v_MAKEINFO_@AM_DEFAULT_V@) +am__v_MAKEINFO_0 = @echo " MAKEINFO" $@; +am__v_MAKEINFO_1 = +AM_V_INFOHTML = $(am__v_INFOHTML_@AM_V@) +am__v_INFOHTML_ = $(am__v_INFOHTML_@AM_DEFAULT_V@) +am__v_INFOHTML_0 = @echo " INFOHTML" $@; +am__v_INFOHTML_1 = +AM_V_TEXI2DVI = $(am__v_TEXI2DVI_@AM_V@) +am__v_TEXI2DVI_ = $(am__v_TEXI2DVI_@AM_DEFAULT_V@) +am__v_TEXI2DVI_0 = @echo " TEXI2DVI" $@; +am__v_TEXI2DVI_1 = +AM_V_TEXI2PDF = $(am__v_TEXI2PDF_@AM_V@) +am__v_TEXI2PDF_ = $(am__v_TEXI2PDF_@AM_DEFAULT_V@) +am__v_TEXI2PDF_0 = @echo " TEXI2PDF" $@; +am__v_TEXI2PDF_1 = +AM_V_texinfo = $(am__v_texinfo_@AM_V@) +am__v_texinfo_ = $(am__v_texinfo_@AM_DEFAULT_V@) +am__v_texinfo_0 = -q +am__v_texinfo_1 = +AM_V_texidevnull = $(am__v_texidevnull_@AM_V@) +am__v_texidevnull_ = $(am__v_texidevnull_@AM_DEFAULT_V@) +am__v_texidevnull_0 = > /dev/null +am__v_texidevnull_1 = +INFO_DEPS = $(srcdir)/gnupg.info +TEXINFO_TEX = $(top_srcdir)/build-aux/texinfo.tex +am__TEXINFO_TEX_DIR = $(top_srcdir)/build-aux +DVIS = gnupg.dvi +PDFS = gnupg.pdf +PSS = gnupg.ps +HTMLS = gnupg.html +TEXINFOS = gnupg.texi +TEXI2DVI = texi2dvi +TEXI2PDF = $(TEXI2DVI) --pdf --batch +MAKEINFOHTML = $(MAKEINFO) --html +AM_MAKEINFOHTMLFLAGS = $(AM_MAKEINFOFLAGS) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__installdirs = "$(DESTDIR)$(infodir)" "$(DESTDIR)$(man1dir)" \ + "$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)" \ + "$(DESTDIR)$(pkgdatadir)" "$(DESTDIR)$(docdir)" +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man1dir = $(mandir)/man1 +man7dir = $(mandir)/man7 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(dist_pkgdata_DATA) $(nobase_dist_doc_DATA) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(gnupg_TEXINFOS) $(srcdir)/Makefile.in \ + $(top_srcdir)/am/cmacros.am \ + $(top_srcdir)/build-aux/mkinstalldirs \ + $(top_srcdir)/build-aux/texinfo.tex +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +AWK_HEX_NUMBER_OPTION = @AWK_HEX_NUMBER_OPTION@ +BUILD_FILEVERSION = @BUILD_FILEVERSION@ +BUILD_HOSTNAME = @BUILD_HOSTNAME@ +BUILD_INCLUDED_LIBINTL = @BUILD_INCLUDED_LIBINTL@ +BUILD_REVISION = @BUILD_REVISION@ +BUILD_TIMESTAMP = @BUILD_TIMESTAMP@ +BUILD_VERSION = @BUILD_VERSION@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CC_FOR_BUILD = @CC_FOR_BUILD@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DL_LIBS = @DL_LIBS@ +DNSLIBS = @DNSLIBS@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +ENCFS = @ENCFS@ +EXEEXT = @EXEEXT@ +FUSERMOUNT = @FUSERMOUNT@ +GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GNUPG_AGENT_PGM = @GNUPG_AGENT_PGM@ +GNUPG_DIRMNGR_LDAP_PGM = @GNUPG_DIRMNGR_LDAP_PGM@ +GNUPG_DIRMNGR_PGM = @GNUPG_DIRMNGR_PGM@ +GNUPG_PINENTRY_PGM = @GNUPG_PINENTRY_PGM@ +GNUPG_PROTECT_TOOL_PGM = @GNUPG_PROTECT_TOOL_PGM@ +GNUPG_SCDAEMON_PGM = @GNUPG_SCDAEMON_PGM@ +GPGKEYS_LDAP = @GPGKEYS_LDAP@ +GPGRT_CONFIG = @GPGRT_CONFIG@ +GPG_ERROR_CFLAGS = @GPG_ERROR_CFLAGS@ +GPG_ERROR_CONFIG = @GPG_ERROR_CONFIG@ +GPG_ERROR_LIBS = @GPG_ERROR_LIBS@ +GPG_ERROR_MT_CFLAGS = @GPG_ERROR_MT_CFLAGS@ +GPG_ERROR_MT_LIBS = @GPG_ERROR_MT_LIBS@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +KSBA_CFLAGS = @KSBA_CFLAGS@ +KSBA_CONFIG = @KSBA_CONFIG@ +KSBA_LIBS = @KSBA_LIBS@ +LBER_LIBS = @LBER_LIBS@ +LDAPLIBS = @LDAPLIBS@ +LDAP_CPPFLAGS = @LDAP_CPPFLAGS@ +LDFLAGS = @LDFLAGS@ +LIBASSUAN_CFLAGS = @LIBASSUAN_CFLAGS@ +LIBASSUAN_CONFIG = @LIBASSUAN_CONFIG@ +LIBASSUAN_LIBS = @LIBASSUAN_LIBS@ +LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@ +LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@ +LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@ +LIBGNUTLS_CFLAGS = @LIBGNUTLS_CFLAGS@ +LIBGNUTLS_LIBS = @LIBGNUTLS_LIBS@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBOBJS = @LIBOBJS@ +LIBREADLINE = @LIBREADLINE@ +LIBS = @LIBS@ +LIBUSB_CPPFLAGS = @LIBUSB_CPPFLAGS@ +LIBUSB_LIBS = @LIBUSB_LIBS@ +LIBUTIL_LIBS = @LIBUTIL_LIBS@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +NETLIBS = @NETLIBS@ +NPTH_CFLAGS = @NPTH_CFLAGS@ +NPTH_CONFIG = @NPTH_CONFIG@ +NPTH_LIBS = @NPTH_LIBS@ +NTBTLS_CFLAGS = @NTBTLS_CFLAGS@ +NTBTLS_CONFIG = @NTBTLS_CONFIG@ +NTBTLS_LIBS = @NTBTLS_LIBS@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_GT = @PACKAGE_GT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SENDMAIL = @SENDMAIL@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SHRED = @SHRED@ +SQLITE3_CFLAGS = @SQLITE3_CFLAGS@ +SQLITE3_LIBS = @SQLITE3_LIBS@ +STRIP = @STRIP@ +SYSROOT = @SYSROOT@ +SYS_SOCKET_H = @SYS_SOCKET_H@ +TAR = @TAR@ +USE_C99_CFLAGS = @USE_C99_CFLAGS@ +USE_INCLUDED_LIBINTL = @USE_INCLUDED_LIBINTL@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +W32SOCKLIBS = @W32SOCKLIBS@ +WINDRES = @WINDRES@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ +YAT2M = @YAT2M@ +ZLIBS = @ZLIBS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = $(datadir)/locale +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ + +# NB: AM_CFLAGS may also be used by tools running on the build +# platform to create source files. +AM_CPPFLAGS = -DLOCALEDIR=\"$(localedir)\" $(am__append_1) \ + $(am__append_2) $(am__append_3) $(am__append_4) \ + $(am__append_5) $(am__append_6) $(am__append_7) +@HAVE_W32CE_SYSTEM_FALSE@extra_sys_libs = + +# Under Windows we use LockFileEx. WindowsCE provides this only on +# the WindowsMobile 6 platform and thus we need to use the coredll6 +# import library. We also want to use a stacksize of 256k instead of +# the 2MB which is the default with cegcc. 256k is the largest stack +# we use with pth. +@HAVE_W32CE_SYSTEM_TRUE@extra_sys_libs = -lcoredll6 +@HAVE_W32CE_SYSTEM_FALSE@extra_bin_ldflags = +@HAVE_W32CE_SYSTEM_TRUE@extra_bin_ldflags = -Wl,--stack=0x40000 +resource_objs = + +# Convenience macros +libcommon = ../common/libcommon.a +libcommonpth = ../common/libcommonpth.a +libcommontls = ../common/libcommontls.a +libcommontlsnpth = ../common/libcommontlsnpth.a +examples = examples/README examples/scd-event examples/trustlist.txt \ + examples/VS-NfD.prf examples/Automatic.prf \ + examples/debug.prf \ + examples/gpgconf.rnames examples/gpgconf.conf \ + examples/systemd-user/README \ + examples/systemd-user/dirmngr.service \ + examples/systemd-user/dirmngr.socket \ + examples/systemd-user/gpg-agent.service \ + examples/systemd-user/gpg-agent.socket \ + examples/systemd-user/gpg-agent-ssh.socket \ + examples/systemd-user/gpg-agent-browser.socket \ + examples/systemd-user/gpg-agent-extra.socket \ + examples/pwpattern.list + +helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt \ + help.da.txt help.de.txt help.el.txt help.eo.txt \ + help.es.txt help.et.txt help.fi.txt help.fr.txt \ + help.gl.txt help.hu.txt help.id.txt help.it.txt \ + help.ja.txt help.nb.txt help.pl.txt help.pt.txt \ + help.pt_BR.txt help.ro.txt help.ru.txt help.sk.txt \ + help.sv.txt help.tr.txt help.zh_CN.txt help.zh_TW.txt + +profiles = +EXTRA_DIST = samplekeys.asc mksamplekeys com-certs.pem qualified.txt \ + gnupg-logo.eps gnupg-logo.pdf gnupg-logo.png gnupg-logo-tr.png \ + gnupg-module-overview.png gnupg-module-overview.pdf \ + gnupg-card-architecture.png gnupg-card-architecture.pdf \ + FAQ gnupg7.texi mkdefsinc.c defsincdate \ + opt-homedir.texi see-also-note.texi specify-user-id.texi \ + gpgv.texi yat2m.c ChangeLog-2011 whats-new-in-2.1.txt \ + trust-values.texi + +BUILT_SOURCES = gnupg-module-overview.png gnupg-module-overview.pdf \ + gnupg-card-architecture.png gnupg-card-architecture.pdf \ + defsincdate defs.inc + +info_TEXINFOS = gnupg.texi +dist_pkgdata_DATA = $(helpfiles) $(profiles) +nobase_dist_doc_DATA = FAQ DETAILS HACKING DCO TRANSLATE OpenPGP KEYSERVER \ + $(examples) + + +#dist_html_DATA = +gnupg_TEXINFOS = \ + gpg.texi gpgsm.texi gpg-agent.texi scdaemon.texi instguide.texi \ + tools.texi debugging.texi glossary.texi contrib.texi gpl.texi \ + sysnotes.texi dirmngr.texi wks.texi \ + gnupg-module-overview.svg \ + gnupg-card-architecture.fig \ + howtos.texi howto-create-a-server-cert.texi + +DVIPS = TEXINPUTS="$(srcdir)$(PATH_SEPARATOR)$$TEXINPUTS" dvips +AM_MAKEINFOFLAGS = -I $(srcdir) --css-ref=/share/site.css +YAT2M_OPTIONS = -I $(srcdir) \ + --release "GnuPG @PACKAGE_VERSION@" --source "GNU Privacy Guard 2.2" + +myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \ + dirmngr.texi scdaemon.texi tools.texi wks.texi + +myman_pages = gpgsm.1 gpg-agent.1 dirmngr.8 scdaemon.1 watchgnupg.1 \ + gpgconf.1 addgnupghome.8 gpg-preset-passphrase.1 \ + gpg-connect-agent.1 gpgparsemail.1 gpgtar.1 \ + gpg-check-pattern.1 applygnupgdefaults.8 gpg-wks-client.1 \ + gpg-wks-server.1 dirmngr-client.1 $(am__append_8) \ + $(am__append_9) +man_MANS = $(myman_pages) gnupg.7 +watchgnupg_SOURCE = gnupg.texi +CLEANFILES = yat2m mkdefsinc defs.inc +DISTCLEANFILES = gnupg.tmp gnupg.ops yat2m-stamp.tmp yat2m-stamp \ + gnupg-card-architecture.eps \ + gnupg-module-overview.eps \ + $(myman_pages) gnupg.7 + +@HAVE_YAT2M_FALSE@YAT2M_CMD = ./yat2m +@HAVE_YAT2M_TRUE@YAT2M_CMD = $(YAT2M) +@HAVE_YAT2M_FALSE@YAT2M_DEP = yat2m +@HAVE_YAT2M_TRUE@YAT2M_DEP = $(YAT2M) +all: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) all-am + +.SUFFIXES: +.SUFFIXES: .dvi .eps .fig .html .info .jpg .o .pdf .png .ps .rc .svg .texi +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/am/cmacros.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu doc/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; +$(top_srcdir)/am/cmacros.am $(am__empty): + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +.texi.info: + $(AM_V_MAKEINFO)restore=: && backupdir="$(am__leading_dot)am$$$$" && \ + am__cwd=`pwd` && $(am__cd) $(srcdir) && \ + rm -rf $$backupdir && mkdir $$backupdir && \ + if ($(MAKEINFO) --version) >/dev/null 2>&1; then \ + for f in $@ $@-[0-9] $@-[0-9][0-9] $(@:.info=).i[0-9] $(@:.info=).i[0-9][0-9]; do \ + if test -f $$f; then mv $$f $$backupdir; restore=mv; else :; fi; \ + done; \ + else :; fi && \ + cd "$$am__cwd"; \ + if $(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) -I $(srcdir) \ + -o $@ $<; \ + then \ + rc=0; \ + $(am__cd) $(srcdir); \ + else \ + rc=$$?; \ + $(am__cd) $(srcdir) && \ + $$restore $$backupdir/* `echo "./$@" | sed 's|[^/]*$$||'`; \ + fi; \ + rm -rf $$backupdir; exit $$rc + +.texi.dvi: + $(AM_V_TEXI2DVI)TEXINPUTS="$(am__TEXINFO_TEX_DIR)$(PATH_SEPARATOR)$$TEXINPUTS" \ + MAKEINFO='$(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) -I $(srcdir)' \ + $(TEXI2DVI) $(AM_V_texinfo) --build-dir=$(@:.dvi=.t2d) -o $@ $(AM_V_texidevnull) \ + $< + +.texi.pdf: + $(AM_V_TEXI2PDF)TEXINPUTS="$(am__TEXINFO_TEX_DIR)$(PATH_SEPARATOR)$$TEXINPUTS" \ + MAKEINFO='$(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) -I $(srcdir)' \ + $(TEXI2PDF) $(AM_V_texinfo) --build-dir=$(@:.pdf=.t2p) -o $@ $(AM_V_texidevnull) \ + $< + +.texi.html: + $(AM_V_MAKEINFO)rm -rf $(@:.html=.htp) + $(AM_V_at)if $(MAKEINFOHTML) $(AM_MAKEINFOHTMLFLAGS) $(MAKEINFOFLAGS) -I $(srcdir) \ + -o $(@:.html=.htp) $<; \ + then \ + rm -rf $@ && mv $(@:.html=.htp) $@; \ + else \ + rm -rf $(@:.html=.htp); exit 1; \ + fi +$(srcdir)/gnupg.info: gnupg.texi $(gnupg_TEXINFOS) +gnupg.pdf: gnupg.texi $(gnupg_TEXINFOS) +gnupg.html: gnupg.texi $(gnupg_TEXINFOS) +.dvi.ps: + $(AM_V_DVIPS)TEXINPUTS="$(am__TEXINFO_TEX_DIR)$(PATH_SEPARATOR)$$TEXINPUTS" \ + $(DVIPS) $(AM_V_texinfo) -o $@ $< + +uninstall-dvi-am: + @$(NORMAL_UNINSTALL) + @list='$(DVIS)'; test -n "$(dvidir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(dvidir)/$$f'"; \ + rm -f "$(DESTDIR)$(dvidir)/$$f"; \ + done + +uninstall-html-am: + @$(NORMAL_UNINSTALL) + @list='$(HTMLS)'; test -n "$(htmldir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " rm -rf '$(DESTDIR)$(htmldir)/$$f'"; \ + rm -rf "$(DESTDIR)$(htmldir)/$$f"; \ + done + +uninstall-info-am: + @$(PRE_UNINSTALL) + @if test -d '$(DESTDIR)$(infodir)' && $(am__can_run_installinfo); then \ + list='$(INFO_DEPS)'; \ + for file in $$list; do \ + relfile=`echo "$$file" | sed 's|^.*/||'`; \ + echo " install-info --info-dir='$(DESTDIR)$(infodir)' --remove '$(DESTDIR)$(infodir)/$$relfile'"; \ + if install-info --info-dir="$(DESTDIR)$(infodir)" --remove "$(DESTDIR)$(infodir)/$$relfile"; \ + then :; else test ! -f "$(DESTDIR)$(infodir)/$$relfile" || exit 1; fi; \ + done; \ + else :; fi + @$(NORMAL_UNINSTALL) + @list='$(INFO_DEPS)'; \ + for file in $$list; do \ + relfile=`echo "$$file" | sed 's|^.*/||'`; \ + relfile_i=`echo "$$relfile" | sed 's|\.info$$||;s|$$|.i|'`; \ + (if test -d "$(DESTDIR)$(infodir)" && cd "$(DESTDIR)$(infodir)"; then \ + echo " cd '$(DESTDIR)$(infodir)' && rm -f $$relfile $$relfile-[0-9] $$relfile-[0-9][0-9] $$relfile_i[0-9] $$relfile_i[0-9][0-9]"; \ + rm -f $$relfile $$relfile-[0-9] $$relfile-[0-9][0-9] $$relfile_i[0-9] $$relfile_i[0-9][0-9]; \ + else :; fi); \ + done + +uninstall-pdf-am: + @$(NORMAL_UNINSTALL) + @list='$(PDFS)'; test -n "$(pdfdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(pdfdir)/$$f'"; \ + rm -f "$(DESTDIR)$(pdfdir)/$$f"; \ + done + +uninstall-ps-am: + @$(NORMAL_UNINSTALL) + @list='$(PSS)'; test -n "$(psdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(psdir)/$$f'"; \ + rm -f "$(DESTDIR)$(psdir)/$$f"; \ + done + +dist-info: $(INFO_DEPS) + @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ + list='$(INFO_DEPS)'; \ + for base in $$list; do \ + case $$base in \ + $(srcdir)/*) base=`echo "$$base" | sed "s|^$$srcdirstrip/||"`;; \ + esac; \ + if test -f $$base; then d=.; else d=$(srcdir); fi; \ + base_i=`echo "$$base" | sed 's|\.info$$||;s|$$|.i|'`; \ + for file in $$d/$$base $$d/$$base-[0-9] $$d/$$base-[0-9][0-9] $$d/$$base_i[0-9] $$d/$$base_i[0-9][0-9]; do \ + if test -f $$file; then \ + relfile=`expr "$$file" : "$$d/\(.*\)"`; \ + test -f "$(distdir)/$$relfile" || \ + cp -p $$file "$(distdir)/$$relfile"; \ + else :; fi; \ + done; \ + done + +mostlyclean-aminfo: + -rm -rf gnupg.t2d gnupg.t2p + +clean-aminfo: + -test -z "gnupg.dvi gnupg.pdf gnupg.ps gnupg.html" \ + || rm -rf gnupg.dvi gnupg.pdf gnupg.ps gnupg.html + +maintainer-clean-aminfo: + @list='$(INFO_DEPS)'; for i in $$list; do \ + i_i=`echo "$$i" | sed 's|\.info$$||;s|$$|.i|'`; \ + echo " rm -f $$i $$i-[0-9] $$i-[0-9][0-9] $$i_i[0-9] $$i_i[0-9][0-9]"; \ + rm -f $$i $$i-[0-9] $$i-[0-9][0-9] $$i_i[0-9] $$i_i[0-9][0-9]; \ + done +install-man1: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man1dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man1dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man1dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.1[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \ + done; } + +uninstall-man1: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man1dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.1[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir) +install-man7: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man7dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man7dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man7dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.7[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man7dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man7dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man7dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man7dir)" || exit $$?; }; \ + done; } + +uninstall-man7: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man7dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.7[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man7dir)'; $(am__uninstall_files_from_dir) +install-man8: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) +install-dist_pkgdataDATA: $(dist_pkgdata_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkgdatadir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkgdatadir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pkgdatadir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pkgdatadir)" || exit $$?; \ + done + +uninstall-dist_pkgdataDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(pkgdatadir)'; $(am__uninstall_files_from_dir) +install-nobase_dist_docDATA: $(nobase_dist_doc_DATA) + @$(NORMAL_INSTALL) + @list='$(nobase_dist_doc_DATA)'; test -n "$(docdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ + fi; \ + $(am__nobase_list) | while read dir files; do \ + xfiles=; for file in $$files; do \ + if test -f "$$file"; then xfiles="$$xfiles $$file"; \ + else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \ + test -z "$$xfiles" || { \ + test "x$$dir" = x. || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(docdir)/$$dir'"; \ + $(MKDIR_P) "$(DESTDIR)$(docdir)/$$dir"; }; \ + echo " $(INSTALL_DATA) $$xfiles '$(DESTDIR)$(docdir)/$$dir'"; \ + $(INSTALL_DATA) $$xfiles "$(DESTDIR)$(docdir)/$$dir" || exit $$?; }; \ + done + +uninstall-nobase_dist_docDATA: + @$(NORMAL_UNINSTALL) + @list='$(nobase_dist_doc_DATA)'; test -n "$(docdir)" || list=; \ + $(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \ + dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) +tags TAGS: + +ctags CTAGS: + +cscope cscopelist: + + +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$(top_distdir)" distdir="$(distdir)" \ + dist-info dist-hook +check-am: all-am +check: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) check-am +all-am: Makefile $(INFO_DEPS) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(infodir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(pkgdatadir)" "$(DESTDIR)$(docdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-am +install-exec: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + -test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." + -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) +clean: clean-am + +clean-am: clean-aminfo clean-generic mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: $(DVIS) + +html: html-am + +html-am: $(HTMLS) + +info: info-am + +info-am: $(INFO_DEPS) + +install-data-am: install-dist_pkgdataDATA install-info-am install-man \ + install-nobase_dist_docDATA + +install-dvi: install-dvi-am + +install-dvi-am: $(DVIS) + @$(NORMAL_INSTALL) + @list='$(DVIS)'; test -n "$(dvidir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(dvidir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(dvidir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(dvidir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(dvidir)" || exit $$?; \ + done +install-exec-am: + +install-html: install-html-am + +install-html-am: $(HTMLS) + @$(NORMAL_INSTALL) + @list='$(HTMLS)'; list2=; test -n "$(htmldir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(htmldir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(htmldir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p" || test -d "$$p"; then d=; else d="$(srcdir)/"; fi; \ + $(am__strip_dir) \ + d2=$$d$$p; \ + if test -d "$$d2"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(htmldir)/$$f'"; \ + $(MKDIR_P) "$(DESTDIR)$(htmldir)/$$f" || exit 1; \ + echo " $(INSTALL_DATA) '$$d2'/* '$(DESTDIR)$(htmldir)/$$f'"; \ + $(INSTALL_DATA) "$$d2"/* "$(DESTDIR)$(htmldir)/$$f" || exit $$?; \ + else \ + list2="$$list2 $$d2"; \ + fi; \ + done; \ + test -z "$$list2" || { echo "$$list2" | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(htmldir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(htmldir)" || exit $$?; \ + done; } +install-info: install-info-am + +install-info-am: $(INFO_DEPS) + @$(NORMAL_INSTALL) + @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ + list='$(INFO_DEPS)'; test -n "$(infodir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(infodir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(infodir)" || exit 1; \ + fi; \ + for file in $$list; do \ + case $$file in \ + $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ + esac; \ + if test -f $$file; then d=.; else d=$(srcdir); fi; \ + file_i=`echo "$$file" | sed 's|\.info$$||;s|$$|.i|'`; \ + for ifile in $$d/$$file $$d/$$file-[0-9] $$d/$$file-[0-9][0-9] \ + $$d/$$file_i[0-9] $$d/$$file_i[0-9][0-9] ; do \ + if test -f $$ifile; then \ + echo "$$ifile"; \ + else : ; fi; \ + done; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(infodir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(infodir)" || exit $$?; done + @$(POST_INSTALL) + @if $(am__can_run_installinfo); then \ + list='$(INFO_DEPS)'; test -n "$(infodir)" || list=; \ + for file in $$list; do \ + relfile=`echo "$$file" | sed 's|^.*/||'`; \ + echo " install-info --info-dir='$(DESTDIR)$(infodir)' '$(DESTDIR)$(infodir)/$$relfile'";\ + install-info --info-dir="$(DESTDIR)$(infodir)" "$(DESTDIR)$(infodir)/$$relfile" || :;\ + done; \ + else : ; fi +install-man: install-man1 install-man7 install-man8 + +install-pdf: install-pdf-am + +install-pdf-am: $(PDFS) + @$(NORMAL_INSTALL) + @list='$(PDFS)'; test -n "$(pdfdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pdfdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pdfdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pdfdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pdfdir)" || exit $$?; done +install-ps: install-ps-am + +install-ps-am: $(PSS) + @$(NORMAL_INSTALL) + @list='$(PSS)'; test -n "$(psdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(psdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(psdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(psdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(psdir)" || exit $$?; done +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-aminfo \ + maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-aminfo mostlyclean-generic + +pdf: pdf-am + +pdf-am: $(PDFS) + +ps: ps-am + +ps-am: $(PSS) + +uninstall-am: uninstall-dist_pkgdataDATA uninstall-dvi-am \ + uninstall-html-am uninstall-info-am uninstall-man \ + uninstall-nobase_dist_docDATA uninstall-pdf-am uninstall-ps-am + +uninstall-man: uninstall-man1 uninstall-man7 uninstall-man8 + +.MAKE: all check install install-am install-exec install-strip + +.PHONY: all all-am check check-am clean clean-aminfo clean-generic \ + cscopelist-am ctags-am dist-hook dist-info distclean \ + distclean-generic distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am \ + install-dist_pkgdataDATA install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-man1 \ + install-man7 install-man8 install-nobase_dist_docDATA \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-aminfo \ + maintainer-clean-generic mostlyclean mostlyclean-aminfo \ + mostlyclean-generic pdf pdf-am ps ps-am tags-am uninstall \ + uninstall-am uninstall-dist_pkgdataDATA uninstall-dvi-am \ + uninstall-html-am uninstall-info-am uninstall-man \ + uninstall-man1 uninstall-man7 uninstall-man8 \ + uninstall-nobase_dist_docDATA uninstall-pdf-am uninstall-ps-am + +.PRECIOUS: Makefile + + +@HAVE_W32_SYSTEM_TRUE@.rc.o: +@HAVE_W32_SYSTEM_TRUE@ $(WINDRES) $(DEFAULT_INCLUDES) $(INCLUDES) "$<" "$@" + +gnupg.texi : defs.inc + +# We need EPS files for "make distcheck" but we do not want to distribute +# them due to their size. Let's build them as needed. +gnupg.dvi : gnupg-module-overview.eps gnupg-card-architecture.eps + +@HAVE_YAT2M_FALSE@yat2m: yat2m.c +@HAVE_YAT2M_FALSE@ $(CC_FOR_BUILD) -o $@ $(srcdir)/yat2m.c + +mkdefsinc: mkdefsinc.c Makefile ../config.h + $(CC_FOR_BUILD) -I. -I.. -I$(srcdir) $(AM_CPPFLAGS) \ + -o $@ $(srcdir)/mkdefsinc.c + +.svg.eps: + convert `test -f '$<' || echo '$(srcdir)/'`$< $@ + +.svg.png: + convert `test -f '$<' || echo '$(srcdir)/'`$< $@ + +.svg.pdf: + convert `test -f '$<' || echo '$(srcdir)/'`$< $@ + +.fig.png: + fig2dev -L png `test -f '$<' || echo '$(srcdir)/'`$< $@ + +.fig.jpg: + fig2dev -L jpeg `test -f '$<' || echo '$(srcdir)/'`$< $@ + +.fig.eps: + fig2dev -L eps `test -f '$<' || echo '$(srcdir)/'`$< $@ + +.fig.pdf: + fig2dev -L pdf `test -f '$<' || echo '$(srcdir)/'`$< $@ + +yat2m-stamp: $(myman_sources) defs.inc + @rm -f yat2m-stamp.tmp + @touch yat2m-stamp.tmp + incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \ + for file in $(myman_sources) ; do \ + $(YAT2M_CMD) $(YAT2M_OPTIONS) --store \ + --date "`cat $$incd 2>/dev/null`" \ + `test -f '$$file' || echo '$(srcdir)/'`$$file ; done + @mv -f yat2m-stamp.tmp $@ + +yat2m-stamp: $(YAT2M_DEP) + +$(myman_pages) gnupg.7 : yat2m-stamp defs.inc + @if test -f $@; then :; else \ + trap 'rm -rf yat2m-stamp yat2m-lock' 1 2 13 15; \ + if mkdir yat2m-lock 2>/dev/null; then \ + rm -f yat2m-stamp; \ + $(MAKE) $(AM_MAKEFLAGS) yat2m-stamp; \ + rmdir yat2m-lock; \ + else \ + while test -d yat2m-lock; do sleep 1; done; \ + test -f yat2m-stamp; exit $$?; \ + fi; \ + fi + +dist-hook: defsincdate + +defsincdate: $(gnupg_TEXINFOS) + : >defsincdate ; \ + if test -e $(top_srcdir)/.git; then \ + (cd $(srcdir) && git log -1 --format='%ct' \ + -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \ + elif test x"$$SOURCE_DATE_EPOCH" != x; then \ + echo "$$SOURCE_DATE_EPOCH" >>defsincdate ; \ + fi + +defs.inc : defsincdate Makefile mkdefsinc + incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \ + ./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \ + $(gnupg_TEXINFOS) >$@ + +online: gnupg.html gnupg.pdf gnupg-module-overview.png \ + gnupg-card-architecture.png + set -e; \ + echo "Uploading current manuals to www.gnupg.org ..."; \ + cp $(srcdir)/gnupg-logo-tr.png gnupg.html/; \ + cp gnupg-module-overview.png gnupg.html/; \ + cp gnupg-card-architecture.png gnupg.html/; \ + user=werner ; webhost="ftp.gnupg.org" ; dashdevel="" ; \ + if echo "@PACKAGE_VERSION@" | grep -- "-beta" >/dev/null; then \ + dashdevel="-devel" ; \ + else \ + rsync -v gnupg.pdf $${user}@$${webhost}:webspace/manuals/ ; \ + fi ; \ + cd gnupg.html ; \ + rsync -vr --exclude='.git' . \ + $${user}@$${webhost}:webspace/manuals/gnupg$${dashdevel}/ + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/doc/OpenPGP b/doc/OpenPGP new file mode 100644 index 0000000..794f669 --- /dev/null +++ b/doc/OpenPGP @@ -0,0 +1,116 @@ + GnuPG and OpenPGP + ================= + + See RFC-4880 for a description of OpenPGP. These notes are older + than RFC-4880 and refer to the predecessor of the specs (RFC-2440). + + + Compatibility Notes + =================== + GnuPG (>=1.0.3) is in compliance with RFC2440 despite these exceptions: + + * With GnuPG >= 2.1.0 all support for version 3 keys has been + removed. Thus there is no more compatibility with PGP-2. Users + who need to be able to decrypt old PGP 2 messages should use + GnuPG 1.4.x along with the option --allow-weak-digest-algos. + + * With GnuPG >= 2.1.0 all signatures (on messages and keys) are + created using version 4 signatures. Support for verifying + version 3 signature is still available. + + * (9.2) states that IDEA SHOULD be implemented. This is not done + due to patent problems. + UPDATE: Since version 1.4.13 (or GnuPG 2.x with Libgcrypt 1.6) + IDEA support has been added to allow decryption of old + PGP-2 encrypted material. + + All MAY features are implemented with this exception: + + * multi-part armored messages are not supported. + MIME (rfc2015) should be used instead. + + Most of the OPTIONAL stuff is implemented. + + There are a couple of options which can be used to override some + RFC requirements. This is always mentioned with the description + of that options. + + A special format of partial packet length exists for v3 packets + which can be considered to be in compliance with RFC1991; this + format is only created if a special option is active. + UPDATE: This support has been removed with version 1.3.6. + + GnuPG uses a S2K mode of 101 for GNU extensions to the secret key + protection algorithms. This number is not defined in OpenPGP, but + given that this number is in a range which is used at many other + places in OpenPGP for private/experimental algorithm identifiers, + this should be not a too bad choice. The 3 bytes "GNU" are used to + identify this as a GNU extension - see the file DETAILS for a + definition of the used data formats. + + + Some Notes on OpenPGP / PGP Compatibility: + ========================================== + + * PGP 5.x does not accept V4 signatures for anything other than + key material. The GnuPG option --force-v3-sigs mimics this + behavior. + + * PGP 5.x does not recognize the "five-octet" lengths in + new-format headers or in signature subpacket lengths. + + * PGP 5.0 rejects an encrypted session key if the keylength + differs from the S2K symmetric algorithm. This is a bug in its + validation function. + + * PGP 5.0 does not handle multiple one-pass signature headers and + trailers. Signing one will compress the one-pass signed literal + and prefix a V3 signature instead of doing a nested one-pass + signature. + + * When exporting a private key, PGP 2.x generates the header + "BEGIN PGP SECRET KEY BLOCK" instead of "BEGIN PGP PRIVATE KEY + BLOCK". All previous versions ignore the implied data type, and + look directly at the packet data type. + + * In a clear-signed signature, PGP 5.0 will figure out the correct + hash algorithm if there is no "Hash:" header, but it will reject + a mismatch between the header and the actual algorithm used. The + "standard" (i.e. Zimmermann/Finney/et al.) version of PGP 2.x + rejects the "Hash:" header and assumes MD5. There are a number + of enhanced variants of PGP 2.6.x that have been modified for + SHA-1 signatures. + + * PGP 5.0 can read an RSA key in V4 format, but can only recognize + it with a V3 keyid, and can properly use only a V3 format RSA + key. + + * Neither PGP 5.x nor PGP 6.0 recognize ElGamal Encrypt and Sign + keys. They only handle ElGamal Encrypt-only keys. + + + Parts of this document are taken from: + ====================================== + + OpenPGP Message Format + draft-ietf-openpgp-formats-07.txt + + + Copyright 1998 by The Internet Society. All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph + are included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. diff --git a/doc/TRANSLATE b/doc/TRANSLATE new file mode 100644 index 0000000..9bd9b08 --- /dev/null +++ b/doc/TRANSLATE @@ -0,0 +1,61 @@ +$Id$ + +Note for translators +-------------------- + +Some strings in GnuPG are for matching user input against. These +strings can accept multiple values that mean essentially the same +thing. + +For example, the string "yes" in English is "sÃ" in Spanish. However, +some users will type "si" (without the accent). To accommodate both +users, you can translate the string "yes" as "sÃ|si". You can have +any number of alternate matches separated by the | character like +"sÃ|si|seguro". + +The strings that can be handled in this way are of the form "yes|yes", +(or "no|no", etc.) There should also be a comment in the .po file +directing you to this file. + + +Help files +---------- + +GnuPG provides a little help feature (entering a ? on a prompt). This +help used to be translated the usual way with gettext but it turned +out that this is too inflexible and does for example not allow +correcting little mistakes in the English text. For some newer features +we require editable help files anyway and thus the existing help +strings have been moved to plain text files names "help.LL.txt". We +distribute these files and allow overriding them by files of that name +in /etc/gnupg. The syntax of these files is documented in +doc/help.txt. This is also the original we use to describe new +possible online help keys. The source files are located in doc/ and +need to be in encoded in UTF-8. Strings which require a translation +are disabled like this + + .#gpgsm.some.help-item + This string is not translated. + +After translation you should remove the hash mark so that the +entry looks like. + + .gpgsm.some.help-item + This string has been translated. + +The percent sign is not a special character and if there is something +to watch out there will be a remark. + + + +Sending new or updated translations +----------------------------------- + +Please note that we do not use the TP Robot but require that +translations are to be send by mail to translations@gnupg.org. We +also strongly advise to get subscribed to i18n@gnupg.org and request +assistance if it is not clear on how to translate certain strings. A +wrongly translated string may lead to a security problem. + +A copyright disclaimer to the FSF is not anymore required since +December 2012. diff --git a/doc/com-certs.pem b/doc/com-certs.pem new file mode 100644 index 0000000..33dd40c --- /dev/null +++ b/doc/com-certs.pem @@ -0,0 +1,67 @@ +# Common certificates for initial keybox creation. + +Issuer ...: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support@cacert.org +Serial ...: 00 +Subject ..: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support@cacert.org + +-----BEGIN CERTIFICATE----- +MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290 +IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB +IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA +Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO +BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi +MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ +ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ +8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6 +zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y +fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7 +w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc +G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k +epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q +laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ +QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU +fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826 +YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w +ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY +gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe +MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0 +IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy +dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw +czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0 +dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl +aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC +AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg +b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB +ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc +nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg +18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c +gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl +Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY +sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T +SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF +CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum +GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk +zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW +omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD +-----END CERTIFICATE----- + + +Issuer ...: /CN=The STEED Self-Signing Nonthority +Serial ...: 01 +Subject ..: /CN=The STEED Self-Signing Nonthority + +-----BEGIN CERTIFICATE----- +MIICKDCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQUFADAsMSowKAYDVQQDEyFUaGUg +U1RFRUQgU2VsZi1TaWduaW5nIE5vbnRob3JpdHkwIBcNMTExMTExMDAwMDAwWhgP +MjEwNjAyMDYwMDAwMDBaMCwxKjAoBgNVBAMTIVRoZSBTVEVFRCBTZWxmLVNpZ25p +bmcgTm9udGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAk2h9kqe8 +0eb8ESY7UGV6j6S5zuP5DiM4TWJ3jKG2y+D2CyA1Sl90iZ6zyN3zCB0yR1xxhpuw +xdrwBRovRFludAbx3MeynYhzXkk0Hwn038q1oIt2YUw3Igz34s24o455ZE86JQ/6 +5dC7ppF8Z1I9KBL96NO+qZR/alVAKxYAwS8CAwEAAaNYMFYwEgYDVR0TAQH/BAgw +BgEB/wIBATARBgorBgEEAdpHAgICBAMBAf8wHQYDVR0OBBYEFGimOJmN+rrFEOpk +XONPloay7ffqMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOBgQB3JwUn +AbOdGv5ErojNSSP+yGZIy5av4wnkzK840Uj3jY6A5cuHroZGOD60hqLV2Hy0npox +zte4phWEKWmZiXd8SCmd3MFNgZSieiixye0qxSmuqYft2j6NhEXD5xc/iTTjFT42 +SjGPLKAICuMBuGPnoozOEVlgqwaDqKOUph5sqw== +-----END CERTIFICATE----- diff --git a/doc/contrib.texi b/doc/contrib.texi new file mode 100644 index 0000000..8a4fc86 --- /dev/null +++ b/doc/contrib.texi @@ -0,0 +1,106 @@ +@c Copyright (C) 2002 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file gnupg.texi. + +@node Contributors +@unnumbered Contributors to GnuPG +@cindex contributors + +The GnuPG project would like to thank its many contributors. Without +them the project would not have been nearly as successful as it has +been. Any omissions in this list are accidental. Feel free to contact +the maintainer if you have been left out or some of your contributions +are not listed. + +David Shaw, Matthew Skala, Michael Roth, Niklas Hernaeus, Nils +Ellmenreich, Rémi Guyomarch, Stefan Bellon, Timo Schulz and Werner +Koch wrote the code. Birger Langkjer, Daniel Resare, Dokianakis +Theofanis, Edmund GRIMLEY EVANS, Gaël Quéri, Gregory Steuck, Nagy +Ferenc László, Ivo Timmermans, Jacobo Tarri'o Barreiro, Janusz +Aleksander Urbanowicz, Jedi Lin, Jouni Hiltunen, Laurentiu Buzdugan, +Magda Procha'zkova', Michael Anckaert, Michal Majer, Marco d'Itri, +Nilgun Belma Buguner, Pedro Morais, Tedi Heriyanto, Thiago Jung +Bauermann, Rafael Caetano dos Santos, Toomas Soome, Urko Lusa, Walter +Koch, Yosiaki IIDA did the official translations. Mike Ashley wrote +and maintains the GNU Privacy Handbook. David Scribner is the current +FAQ editor. Lorenzo Cappelletti maintains the web site. + +The new modularized architecture of gnupg 1.9 as well as the X.509/CMS +part has been developed as part of the Ägypten project. Direct +contributors to this project are: Bernhard Herzog, who did extensive +testing and tracked down a lot of bugs. Bernhard Reiter, who made sure +that we met the specifications and the deadlines. He did extensive +testing and came up with a lot of suggestions. Jan-Oliver Wagner made +sure that we met the specifications and the deadlines. He also did +extensive testing and came up with a lot of suggestions. Karl-Heinz +Zimmer and Marc Mutz had to struggle with all the bugs and +misconceptions while working on KDE integration. Marcus Brinkman +extended GPGME, cleaned up the Assuan code and fixed bugs all over the +place. Moritz Schulte took over Libgcrypt maintenance and developed it +into a stable an useful library. Steffen Hansen had a hard time to +write the dirmngr due to underspecified interfaces. Thomas Koester did +extensive testing and tracked down a lot of bugs. Werner Koch designed +the system and wrote most of the code. + +The following people helped greatly by suggesting improvements, +testing, fixing bugs, providing resources and doing other important +tasks: Adam Mitchell, Albert Chin, Alec Habig, Allan Clark, Anand +Kumria, Andreas Haumer, Anthony Mulcahy, Ariel T Glenn, Bob Mathews, +Bodo Moeller, Brendan O'Dea, Brenno de Winter, Brian M. Carlson, Brian +Moore, Brian Warner, Bryan Fullerton, Caskey L. Dickson, Cees van de +Griend, Charles Levert, Chip Salzenberg, Chris Adams, Christian Biere, +Christian Kurz, Christian von Roques, Christopher Oliver, Christian +Recktenwald, Dan Winship, Daniel Eisenbud, Daniel Koening, Dave +Dykstra, David C Niemi, David Champion, David Ellement, David +Hallinan, David Hollenberg, David Mathog, David R. Bergstein, Detlef +Lannert, Dimitri, Dirk Lattermann, Dirk Meyer, Disastry, Douglas +Calvert, Ed Boraas, Edmund GRIMLEY EVANS, Edwin Woudt, Enzo +Michelangeli, Ernst Molitor, Fabio Coatti, Felix von Leitner, fish +stiqz, Florian Weimer, Francesco Potorti, Frank Donahoe, Frank +Heckenbach, Frank Stajano, Frank Tobin, Gabriel Rosenkoetter, Gaël +Quéri, Gene Carter, Geoff Keating, Georg Schwarz, Giampaolo Tomassoni, +Gilbert Fernandes, Greg Louis, Greg Troxel, Gregory Steuck, Gregery +Barton, Harald Denker, Holger Baust, Hendrik Buschkamp, Holger +Schurig, Holger Smolinski, Holger Trapp, Hugh Daniel, Huy Le, Ian +McKellar, Ivo Timmermans, Jan Krueger, Jan Niehusmann, Janusz +A. Urbanowicz, James Troup, Jean-loup Gailly, Jeff Long, Jeffery Von +Ronne, Jens Bachem, Jeroen C. van Gelderen, J Horacio MG, J. Michael +Ashley, Jim Bauer, Jim Small, Joachim Backes, Joe Rhett, John +A. Martin, Johnny Teveßen, Jörg Schilling, Jos Backus, Joseph Walton, +Juan F. Codagnone, Jun Kuriyama, Kahil D. Jallad, Karl Fogel, Karsten +Thygesen, Katsuhiro Kondou, Kazu Yamamoto, Keith Clayton, Kevin Ryde, +Klaus Singvogel, Kurt Garloff, Lars Kellogg-Stedman, L. Sassaman, M +Taylor, Marcel Waldvogel, Marco d'Itri, Marco Parrone, Marcus +Brinkmann, Mark Adler, Mark Elbrecht, Mark Pettit, Markus Friedl, +Martin Kahlert, Martin Hamilton, Martin Schulte, Matt Kraai, Matthew +Skala, Matthew Wilcox, Matthias Urlichs, Max Valianskiy, Michael +Engels, Michael Fischer v. Mollard, Michael Roth, Michael Sobolev, +Michael Tokarev, Nicolas Graner, Mike McEwan, Neal H Walfield, Nelson +H. F. Beebe, NIIBE Yutaka, Niklas Hernaeus, Nimrod Zimerman, N J Doye, +Oliver Haakert, Oskari Jääskeläinen, Pascal Scheffers, Paul D. Smith, +Per Cederqvist, Phil Blundell, Philippe Laliberte, Peter Fales, Peter +Gutmann, Peter Marschall, Peter Valchev, Piotr Krukowiecki, QingLong, +Ralph Gillen, Rat, Reinhard Wobst, Rémi Guyomarch, Reuben Sumner, +Richard Outerbridge, Robert Joop, Roddy Strachan, Roger Sondermann, +Roland Rosenfeld, Roman Pavlik, Ross Golder, Ryan Malayter, Sam +Roberts, Sami Tolvanen, Sean MacLennan, Sebastian Klemke, Serge +Munhoven, SL Baur, Stefan Bellon, Dr.Stefan.Dalibor, Stefan Karrmann, +Stefan Keller, Steffen Ullrich, Steffen Zahn, Steven Bakker, Steven +Murdoch, Susanne Schultz, Ted Cabeen, Thiago Jung Bauermann, Thijmen +Klok, Thomas Roessler, Tim Mooney, Timo Schulz, Todd Vierling, TOGAWA +Satoshi, Tom Spindler, Tom Zerucha, Tomas Fasth, Tommi Komulainen, +Thomas Klausner, Tomasz Kozlowski, Thomas Mikkelsen, Ulf Möller, Urko +Lusa, Vincent P. Broman, Volker Quetschke, W Lewis, Walter Hofmann, +Walter Koch, Wayne Chapeskie, Wim Vandeputte, Winona Brown, Yosiaki +IIDA, Yoshihiro Kajiki and Gerlinde Klaes. + +This software has been made possible by the previous work of Chris +Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellman, +Paul Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson, +Taher Elgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA +mathematicians and all the folks who have worked hard to create +complete and free operating systems. + +And finally we'd like to thank everyone who uses these tools, submits +bug reports and generally reminds us why we're doing this work in the +first place. diff --git a/doc/debugging.texi b/doc/debugging.texi new file mode 100644 index 0000000..14056d6 --- /dev/null +++ b/doc/debugging.texi @@ -0,0 +1,287 @@ +@c Copyright (C) 2004 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file gnupg.texi. + +@node Debugging +@chapter How to solve problems + +Everyone knows that software often does not do what it should do and thus +there is a need to track down problems. We call this debugging in a +reminiscent to the moth jamming a relay in a Mark II box back in 1947. + +Most of the problems a merely configuration and user problems but +nevertheless they are the most annoying ones and responsible for many +gray hairs. We try to give some guidelines here on how to identify and +solve the problem at hand. + + +@menu +* Debugging Tools:: Description of some useful tools. +* Debugging Hints:: Various hints on debugging. +* Common Problems:: Commonly seen problems. +* Architecture Details:: How the whole thing works internally. +@end menu + + +@node Debugging Tools +@section Debugging Tools + +The GnuPG distribution comes with a couple of tools, useful to help find +and solving problems. + +@menu +* kbxutil:: Scrutinizing a keybox file. +@end menu + +@node kbxutil +@subsection Scrutinizing a keybox file + +A keybox is a file format used to store public keys along with meta +information and indices. The commonly used one is the file +@file{pubring.kbx} in the @file{.gnupg} directory. It contains all +X.509 certificates as well as OpenPGP keys. + +@noindent +When called the standard way, e.g.: + +@samp{kbxutil ~/.gnupg/pubring.kbx} + +@noindent +it lists all records (called @acronym{blobs}) with there meta-information +in a human readable format. + +@noindent +To see statistics on the keybox in question, run it using + +@samp{kbxutil --stats ~/.gnupg/pubring.kbx} + +@noindent +and you get an output like: + +@example +Total number of blobs: 99 + header: 1 + empty: 0 + openpgp: 0 + x509: 98 + non flagged: 81 + secret flagged: 0 + ephemeral flagged: 17 +@end example + +In this example you see that the keybox does not have any OpenPGP keys +but contains 98 X.509 certificates and a total of 17 keys or certificates +are flagged as ephemeral, meaning that they are only temporary stored +(cached) in the keybox and won't get listed using the usual commands +provided by @command{gpgsm} or @command{gpg}. 81 certificates are stored +in a standard way and directly available from @command{gpgsm}. + +@noindent +To find duplicated certificates and keyblocks in a keybox file (this +should not occur but sometimes things go wrong), run it using + +@samp{kbxutil --find-dups ~/.gnupg/pubring.kbx} + + +@node Debugging Hints +@section Various hints on debugging + +@itemize @bullet + +@item How to find the IP address of a keyserver + +If a round robin URL of is used for a keyserver +(e.g. subkeys.gnupg.org); it is not easy to see what server is actually +used. Using the keyserver debug option as in + +@smallexample + gpg --keyserver-options debug=1 -v --refresh-key 1E42B367 +@end smallexample + +is thus often helpful. Note that the actual output depends on the +backend and may change from release to release. + +@item Logging on WindowsCE + +For development, the best logging method on WindowsCE is the use of +remote debugging using a log file name of @file{tcp://<ip-addr>:<port>}. +The command @command{watchgnupg} may be used on the remote host to listen +on the given port (@pxref{option watchgnupg --tcp}). For in the field +tests it is better to make use of the logging facility provided by the +@command{gpgcedev} driver (part of libassuan); this is enabled by using +a log file name of @file{GPG2:} (@pxref{option --log-file}). + +@end itemize + + +@node Common Problems +@section Commonly Seen Problems + + +@itemize @bullet +@item Error code @samp{Not supported} from Dirmngr + +Most likely the option @option{enable-ocsp} is active for gpgsm +but Dirmngr's OCSP feature has not been enabled using +@option{allow-ocsp} in @file{dirmngr.conf}. + +@item The Curses based Pinentry does not work + +The far most common reason for this is that the environment variable +@code{GPG_TTY} has not been set correctly. Make sure that it has been +set to a real tty device and not just to @samp{/dev/tty}; +i.e. @samp{GPG_TTY=tty} is plainly wrong; what you want is +@samp{GPG_TTY=`tty`} --- note the back ticks. Also make sure that +this environment variable gets exported, that is you should follow up +the setting with an @samp{export GPG_TTY} (assuming a Bourne style +shell). Even for GUI based Pinentries; you should have set +@code{GPG_TTY}. See the section on installing the @command{gpg-agent} +on how to do it. + + +@item SSH hangs while a popping up pinentry was expected + +SSH has no way to tell the gpg-agent what terminal or X display it is +running on. So when remotely logging into a box where a gpg-agent with +SSH support is running, the pinentry will get popped up on whatever +display the gpg-agent has been started. To solve this problem you may +issue the command + +@smallexample +echo UPDATESTARTUPTTY | gpg-connect-agent +@end smallexample + +and the next pinentry will pop up on your display or screen. However, +you need to kill the running pinentry first because only one pinentry +may be running at once. If you plan to use ssh on a new display you +should issue the above command before invoking ssh or any other service +making use of ssh. + + +@item Exporting a secret key without a certificate + +It may happen that you have created a certificate request using +@command{gpgsm} but not yet received and imported the certificate from +the CA. However, you want to export the secret key to another machine +right now to import the certificate over there then. You can do this +with a little trick but it requires that you know the approximate time +you created the signing request. By running the command + +@smallexample + ls -ltr ~/.gnupg/private-keys-v1.d +@end smallexample + +you get a listing of all private keys under control of @command{gpg-agent}. +Pick the key which best matches the creation time and run the command + +@cartouche +@smallexample + @value{LIBEXECDIR}/gpg-protect-tool --p12-export \ + ~/.gnupg/private-keys-v1.d/@var{foo} >@var{foo}.p12 +@end smallexample +@end cartouche + +(Please adjust the path to @command{gpg-protect-tool} to the appropriate +location). @var{foo} is the name of the key file you picked (it should +have the suffix @file{.key}). A Pinentry box will pop up and ask you +for the current passphrase of the key and a new passphrase to protect it +in the pkcs#12 file. + +To import the created file on the machine you use this command: + +@cartouche +@smallexample + @value{LIBEXECDIR}/gpg-protect-tool --p12-import --store @var{foo}.p12 +@end smallexample +@end cartouche + +You will be asked for the pkcs#12 passphrase and a new passphrase to +protect the imported private key at its new location. + +Note that there is no easy way to match existing certificates with +stored private keys because some private keys are used for Secure Shell +or other purposes and don't have a corresponding certificate. + + +@item A root certificate does not verify + +A common problem is that the root certificate misses the required +basicConstraints attribute and thus @command{gpgsm} rejects this +certificate. An error message indicating ``no value'' is a sign for +such a certificate. You may use the @code{relax} flag in +@file{trustlist.txt} to accept the certificate anyway. Note that the +fingerprint and this flag may only be added manually to +@file{trustlist.txt}. + +@item Error message: ``digest algorithm N has not been enabled'' + +The signature is broken. You may try the option +@option{--extra-digest-algo SHA256} to workaround the problem. The +number N is the internal algorithm identifier; for example 8 refers to +SHA-256. + + +@item The Windows version does not work under Wine + +When running the W32 version of @command{gpg} under Wine you may get +an error messages like: + +@smallexample +gpg: fatal: WriteConsole failed: Access denied +@end smallexample + +@noindent +The solution is to use the command @command{wineconsole}. + +Some operations like @option{--generate-key} really want to talk to +the console directly +for increased security (for example to prevent the passphrase from +appearing on the screen). So, you should use @command{wineconsole} +instead of @command{wine}, which will launch a windows console that +implements those additional features. + + +@item Why does GPG's --search-key list weird keys? + +For performance reasons the keyservers do not check the keys the same +way @command{gpg} does. It may happen that the listing of keys +available on the keyservers shows keys with wrong user IDs or with user +Ids from other keys. If you try to import this key, the bad keys or bad +user ids won't get imported, though. This is a bit unfortunate but we +can't do anything about it without actually downloading the keys. + +@end itemize + + +@c ******************************************** +@c *** Architecture Details ***************** +@c ******************************************** +@node Architecture Details +@section How the whole thing works internally + + +@menu +* Component interaction:: How the components work together. +* GnuPG-1 and GnuPG-2:: Relationship between GnuPG 1.4 and 2.x. +@end menu + +@node Component interaction +@subsection How the components work together + + +@float Figure,fig:moduleoverview +@caption{GnuPG module overview} +@center @image{gnupg-module-overview, 150mm,,GnuPG modules} +@end float + + +@node GnuPG-1 and GnuPG-2 +@subsection Relationship between GnuPG 1.4 and 2.x + +Here is a little picture showing how the different GnuPG versions make +use of a smartcard: + +@float Figure,fig:cardarchitecture +@caption{GnuPG card architecture} +@center @image{gnupg-card-architecture, 150mm,, GnuPG card architecture} +@end float diff --git a/doc/defsincdate b/doc/defsincdate new file mode 100644 index 0000000..2ed5769 --- /dev/null +++ b/doc/defsincdate @@ -0,0 +1 @@ +1665157484 diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi new file mode 100644 index 0000000..d6ef375 --- /dev/null +++ b/doc/dirmngr.texi @@ -0,0 +1,1273 @@ +@c Copyright (C) 2002 Klar"alvdalens Datakonsult AB +@c Copyright (C) 2004, 2005, 2006, 2007 g10 Code GmbH +@c This is part of the GnuPG manual. +@c For copying conditions, see the file gnupg.texi. + +@include defs.inc + +@node Invoking DIRMNGR +@chapter Invoking DIRMNGR +@cindex DIRMNGR command options +@cindex command options +@cindex options, DIRMNGR command + +@manpage dirmngr.8 +@ifset manverb +.B dirmngr +\- GnuPG's network access daemon +@end ifset + +@mansect synopsis +@ifset manverb +.B dirmngr +.RI [ options ] +.I command +.RI [ args ] +@end ifset + +@mansect description +Since version 2.1 of GnuPG, @command{dirmngr} takes care of accessing +the OpenPGP keyservers. As with previous versions it is also used as +a server for managing and downloading certificate revocation lists +(CRLs) for X.509 certificates, downloading X.509 certificates, and +providing access to OCSP providers. Dirmngr is invoked internally by +@command{gpg}, @command{gpgsm}, or via the @command{gpg-connect-agent} +tool. + +@manpause +@noindent +@xref{Option Index},for an index to @command{DIRMNGR}'s commands and +options. +@mancont + +@menu +* Dirmngr Commands:: List of all commands. +* Dirmngr Options:: List of all options. +* Dirmngr Configuration:: Configuration files. +* Dirmngr Signals:: Use of signals. +* Dirmngr Examples:: Some usage examples. +* Dirmngr Protocol:: The protocol dirmngr uses. +@end menu + + +@node Dirmngr Commands +@section Commands +@mansect commands + +Commands are not distinguished from options except for the fact that +only one command is allowed. + +@table @gnupgtabopt +@item --version +@opindex version +Print the program version and licensing information. Note that you cannot +abbreviate this command. + +@item --help, -h +@opindex help +Print a usage message summarizing the most useful command-line options. +Note that you cannot abbreviate this command. + +@item --dump-options +@opindex dump-options +Print a list of all available options and commands. Note that you cannot +abbreviate this command. + +@item --server +@opindex server +Run in server mode and wait for commands on the @code{stdin}. The +default mode is to create a socket and listen for commands there. +This is only used for testing. + +@item --daemon +@opindex daemon +Run in background daemon mode and listen for commands on a socket. +This is the way @command{dirmngr} is started on demand by the other +GnuPG components. To force starting @command{dirmngr} it is in +general best to use @code{gpgconf --launch dirmngr}. + +@item --supervised +@opindex supervised +Run in the foreground, sending logs to stderr, and listening on file +descriptor 3, which must already be bound to a listening socket. This +is useful when running under systemd or other similar process +supervision schemes. This option is not supported on Windows. + +@item --list-crls +@opindex list-crls +List the contents of the CRL cache on @code{stdout}. This is probably +only useful for debugging purposes. + +@item --load-crl @var{file} +@opindex load-crl +This command requires a filename as additional argument, and it will +make Dirmngr try to import the CRL in @var{file} into it's cache. +Note, that this is only possible if Dirmngr is able to retrieve the +CA's certificate directly by its own means. In general it is better +to use @code{gpgsm}'s @code{--call-dirmngr loadcrl filename} command +so that @code{gpgsm} can help dirmngr. + +@item --fetch-crl @var{url} +@opindex fetch-crl +This command requires an URL as additional argument, and it will make +dirmngr try to retrieve and import the CRL from that @var{url} into +it's cache. This is mainly useful for debugging purposes. The +@command{dirmngr-client} provides the same feature for a running dirmngr. + +@item --shutdown +@opindex shutdown +This commands shuts down an running instance of Dirmngr. This command +has currently no effect. + +@item --flush +@opindex flush +This command removes all CRLs from Dirmngr's cache. Client requests +will thus trigger reading of fresh CRLs. + +@end table + + +@mansect options +@node Dirmngr Options +@section Option Summary + +Note that all long options with the exception of @option{--options} +and @option{--homedir} may also be given in the configuration file +after stripping off the two leading dashes. + +@table @gnupgtabopt + +@item --options @var{file} +@opindex options +Reads configuration from @var{file} instead of from the default +per-user configuration file. The default configuration file is named +@file{dirmngr.conf} and expected in the home directory. + +@item --homedir @var{dir} +@opindex options +Set the name of the home directory to @var{dir}. This option is only +effective when used on the command line. The default is +the directory named @file{.gnupg} directly below the home directory +of the user unless the environment variable @code{GNUPGHOME} has been set +in which case its value will be used. Many kinds of data are stored within +this directory. + + +@item -v +@item --verbose +@opindex v +@opindex verbose +Outputs additional information while running. +You can increase the verbosity by giving several +verbose commands to @sc{dirmngr}, such as @option{-vv}. + + +@item --log-file @var{file} +@opindex log-file +Append all logging output to @var{file}. This is very helpful in +seeing what the agent actually does. Use @file{socket://} to log to +socket. + +@item --debug-level @var{level} +@opindex debug-level +Select the debug level for investigating problems. @var{level} may be a +numeric value or by a keyword: + +@table @code +@item none +No debugging at all. A value of less than 1 may be used instead of +the keyword. +@item basic +Some basic debug messages. A value between 1 and 2 may be used +instead of the keyword. +@item advanced +More verbose debug messages. A value between 3 and 5 may be used +instead of the keyword. +@item expert +Even more detailed messages. A value between 6 and 8 may be used +instead of the keyword. +@item guru +All of the debug messages you can get. A value greater than 8 may be +used instead of the keyword. The creation of hash tracing files is +only enabled if the keyword is used. +@end table + +How these messages are mapped to the actual debugging flags is not +specified and may change with newer releases of this program. They are +however carefully selected to best aid in debugging. + +@item --debug @var{flags} +@opindex debug +Set debugging flags. This option is only useful for debugging and its +behavior may change with a new release. All flags are or-ed and may +be given in C syntax (e.g. 0x0042) or as a comma separated list of +flag names. To get a list of all supported flags the single word +"help" can be used. + +@item --debug-all +@opindex debug-all +Same as @code{--debug=0xffffffff} + +@item --tls-debug @var{level} +@opindex tls-debug +Enable debugging of the TLS layer at @var{level}. The details of the +debug level depend on the used TLS library and are not set in stone. + +@item --debug-wait @var{n} +@opindex debug-wait +When running in server mode, wait @var{n} seconds before entering the +actual processing loop and print the pid. This gives time to attach a +debugger. + +@item --disable-check-own-socket +@opindex disable-check-own-socket +On some platforms @command{dirmngr} is able to detect the removal of +its socket file and shutdown itself. This option disable this +self-test for debugging purposes. + +@item -s +@itemx --sh +@itemx -c +@itemx --csh +@opindex s +@opindex sh +@opindex c +@opindex csh +Format the info output in daemon mode for use with the standard Bourne +shell respective the C-shell. The default is to guess it based on the +environment variable @code{SHELL} which is in almost all cases +sufficient. + +@item --force +@opindex force +Enabling this option forces loading of expired CRLs; this is only +useful for debugging. + +@item --use-tor +@itemx --no-use-tor +@opindex use-tor +@opindex no-use-tor +The option @option{--use-tor} switches Dirmngr and thus GnuPG into +``Tor mode'' to route all network access via Tor (an anonymity +network). Certain other features are disabled in this mode. The +effect of @option{--use-tor} cannot be overridden by any other command +or even by reloading dirmngr. The use of @option{--no-use-tor} +disables the use of Tor. The default is to use Tor if it is available +on startup or after reloading dirmngr. The test on the available of +Tor is done by trying to connects to a SOCKS proxy at either port 9050 +or 9150); if another type of proxy is listening on one of these ports, +you should use @option{--no-use-tor}. + +@item --standard-resolver +@opindex standard-resolver +This option forces the use of the system's standard DNS resolver code. +This is mainly used for debugging. Note that on Windows a standard +resolver is not used and all DNS access will return the error ``Not +Implemented'' if this option is used. Using this together with enabled +Tor mode returns the error ``Not Enabled''. + +@item --recursive-resolver +@opindex recursive-resolver +When possible use a recursive resolver instead of a stub resolver. + +@item --resolver-timeout @var{n} +@opindex resolver-timeout +Set the timeout for the DNS resolver to N seconds. The default are 30 +seconds. + +@item --connect-timeout @var{n} +@item --connect-quick-timeout @var{n} +@opindex connect-timeout +@opindex connect-quick-timeout +Set the timeout for HTTP and generic TCP connection attempts to N +seconds. The value set with the quick variant is used when the +--quick option has been given to certain Assuan commands. The quick +value is capped at the value of the regular connect timeout. The +default values are 15 and 2 seconds. Note that the timeout values are +for each connection attempt; the connection code will attempt to +connect all addresses listed for a server. + +@item --listen-backlog @var{n} +@opindex listen-backlog +Set the size of the queue for pending connections. The default is 64. + +@item --allow-version-check +@opindex allow-version-check +Allow Dirmngr to connect to @code{https://versions.gnupg.org} to get +the list of current software versions. If this option is enabled +the list is retrieved in case the local +copy does not exist or is older than 5 to 7 days. See the option +@option{--query-swdb} of the command @command{gpgconf} for more +details. Note, that regardless of this option a version check can +always be triggered using this command: + +@example + gpg-connect-agent --dirmngr 'loadswdb --force' /bye +@end example + + +@item --keyserver @var{name} +@opindex keyserver +Use @var{name} as your keyserver. This is the server that @command{gpg} +communicates with to receive keys, send keys, and search for +keys. The format of the @var{name} is a URI: +`scheme:[//]keyservername[:port]' The scheme is the type of keyserver: +"hkp" for the HTTP (or compatible) keyservers, "ldap" for the LDAP +keyservers, or "mailto" for the Graff email keyserver. Note that your +particular installation of GnuPG may have other keyserver types +available as well. Keyserver schemes are case-insensitive. After the +keyserver name, optional keyserver configuration options may be +provided. These are the same as the @option{--keyserver-options} of +@command{gpg}, but apply only to this particular keyserver. + +Most keyservers synchronize with each other, so there is generally no +need to send keys to more than one server. Somes keyservers use round +robin DNS to give a different keyserver each time you use it. + +If exactly two keyservers are configured and only one is a Tor hidden +service (.onion), Dirmngr selects the keyserver to use depending on +whether Tor is locally running or not. The check for a running Tor is +done for each new connection. + +If no keyserver is explicitly configured, dirmngr will use the +built-in default of @code{https://keyserver.ubuntu.com}. + +Windows users with a keyserver running on their Active Directory +may use the short form @code{ldap:///} for @var{name} to access this directory. + +For accessing anonymous LDAP keyservers @var{name} is in general just +a @code{ldaps://ldap.example.com}. A BaseDN parameter should never be +specified. If authentication is required things are more complicated +and two methods are available: + +The modern method (since version 2.2.28) is to use the very same syntax +as used with the option @option{--ldapserver}. Please see over +there for details; here is an example: + +@example + keyserver ldap:ldap.example.com::uid=USERNAME,ou=GnuPG Users, + dc=example,dc=com:PASSWORD::starttls +@end example + + The other method is to use a full URL for @var{name}; for example: + +@example + keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME + %2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD +@end example + + Put this all on one line without any spaces and keep the '%2C' + as given. Replace USERNAME, PASSWORD, and the 'dc' parts + according to the instructions received from your LDAP + administrator. Note that only simple authentication + (i.e. cleartext passwords) is supported and thus using ldaps is + strongly suggested (since 2.2.28 "ldaps" defaults to port 389 + and uses STARTTLS). On Windows authentication via AD can be + requested by adding @code{gpgNtds=1} after the fourth question + mark instead of the bindname and password parameter. + + + +@item --nameserver @var{ipaddr} +@opindex nameserver +In ``Tor mode'' Dirmngr uses a public resolver via Tor to resolve DNS +names. If the default public resolver, which is @code{8.8.8.8}, shall +not be used a different one can be given using this option. Note that +a numerical IP address must be given (IPv6 or IPv4) and that no error +checking is done for @var{ipaddr}. + +@item --disable-ipv4 +@item --disable-ipv6 +@opindex disable-ipv4 +@opindex disable-ipv6 +Disable the use of all IPv4 or IPv6 addresses. + +@item --disable-ldap +@opindex disable-ldap +Entirely disables the use of LDAP. + +@item --disable-http +@opindex disable-http +Entirely disables the use of HTTP. + +@item --ignore-http-dp +@opindex ignore-http-dp +When looking for the location of a CRL, the to be tested certificate +usually contains so called @dfn{CRL Distribution Point} (DP) entries +which are URLs describing the way to access the CRL. The first found DP +entry is used. With this option all entries using the @acronym{HTTP} +scheme are ignored when looking for a suitable DP. + +@item --ignore-ldap-dp +@opindex ignore-ldap-dp +This is similar to @option{--ignore-http-dp} but ignores entries using +the @acronym{LDAP} scheme. Both options may be combined resulting in +ignoring DPs entirely. + +@item --ignore-ocsp-service-url +@opindex ignore-ocsp-service-url +Ignore all OCSP URLs contained in the certificate. The effect is to +force the use of the default responder. + +@item --honor-http-proxy +@opindex honor-http-proxy +If the environment variable @env{http_proxy} has been set, use its +value to access HTTP servers. + +@item --http-proxy [http://]@var{host}[:@var{port}] +@opindex http-proxy +@efindex http_proxy +Use @var{host} and @var{port} to access HTTP servers. The use of this +option overrides the environment variable @env{http_proxy} regardless +whether @option{--honor-http-proxy} has been set. + + +@item --ldap-proxy @var{host}[:@var{port}] +@opindex ldap-proxy +Use @var{host} and @var{port} to connect to LDAP servers. If @var{port} +is omitted, port 389 (standard LDAP port) is used. This overrides any +specified host and port part in a LDAP URL and will also be used if host +and port have been omitted from the URL. + +@item --only-ldap-proxy +@opindex only-ldap-proxy +Never use anything else but the LDAP "proxy" as configured with +@option{--ldap-proxy}. Usually @command{dirmngr} tries to use other +configured LDAP server if the connection using the "proxy" failed. + + +@item --ldapserverlist-file @var{file} +@opindex ldapserverlist-file +Read the list of LDAP servers to consult for CRLs and X.509 certificates from +file instead of the default per-user ldap server list file. The default +value for @var{file} is @file{dirmngr_ldapservers.conf}. + +This server list file contains one LDAP server per line in the format + +@sc{hostname:port:username:password:base_dn:flags} + +Lines starting with a @samp{#} are comments. + +Note that as usual all strings entered are expected to be UTF-8 encoded. +Obviously this will lead to problems if the password has originally been +encoded as Latin-1. There is no other solution here than to put such a +password in the binary encoding into the file (i.e. non-ascii characters +won't show up readable).@footnote{The @command{gpgconf} tool might be +helpful for frontends as it enables editing this configuration file using +percent-escaped strings.} + + +@item --ldapserver @var{spec} +@opindex ldapserver +This is an alternative way to specify LDAP servers for CRL and X.509 +certificate retrieval. If this option is used the servers configured +in @file{dirmngr_ldapservers.conf} (or the file given by +@option{--ldapserverlist-file}) are cleared. Note that +@file{dirmngr_ldapservers.conf} is not read again by a reload +signal. However, @option{--ldapserver} options are read again. + +@var{spec} is either a proper LDAP URL or a colon delimited list of +the form + +@sc{hostname:port:username:password:base_dn:flags:} + +with an optional prefix of @code{ldap:} (but without the two slashes +which would turn this into a proper LDAP URL). @sc{flags} is a list +of one or more comma delimited keywords: +@table @code +@item plain +The default: Do not use a TLS secured connection at all; the default +port is 389. +@item starttls +Use STARTTLS to secure the connection; the default port is 389. +@item ldaptls +Tunnel LDAP through a TLS connection; the default port is 636. +@item ntds +On Windows authenticate the LDAP connection using the Active Directory +with the current user. +@item areconly +On Windows use only the A or AAAA record when resolving the LDAP +server name. +@end table + +Note that in an URL style specification the scheme @code{ldaps://} +refers to STARTTLS and _not_ to LDAP-over-TLS. + + +@item --ldaptimeout @var{secs} +@opindex ldaptimeout +Specify the number of seconds to wait for an LDAP query before timing +out. The default are 15 seconds. 0 will never timeout. + + +@item --add-servers +@opindex add-servers +This option makes dirmngr add any servers it discovers when validating +certificates against CRLs to the internal list of servers to consult for +certificates and CRLs. + +This option is useful when trying to validate a certificate that has +a CRL distribution point that points to a server that is not already +listed in the ldapserverlist. Dirmngr will always go to this server and +try to download the CRL, but chances are high that the certificate used +to sign the CRL is located on the same server. So if dirmngr doesn't add +that new server to list, it will often not be able to verify the +signature of the CRL unless the @code{--add-servers} option is used. + +Note: The current version of dirmngr has this option disabled by default. + + +@item --allow-ocsp +@opindex allow-ocsp +This option enables OCSP support if requested by the client. + +OCSP requests are rejected by default because they may violate the +privacy of the user; for example it is possible to track the time when +a user is reading a mail. + + +@item --ocsp-responder @var{url} +@opindex ocsp-responder +Use @var{url} as the default OCSP Responder if the certificate does +not contain information about an assigned responder. Note, that +@code{--ocsp-signer} must also be set to a valid certificate. + +@item --ocsp-signer @var{fpr}|@var{file} +@opindex ocsp-signer +Use the certificate with the fingerprint @var{fpr} to check the +responses of the default OCSP Responder. Alternatively a filename can be +given in which case the response is expected to be signed by one of the +certificates described in that file. Any argument which contains a +slash, dot or tilde is considered a filename. Usual filename expansion +takes place: A tilde at the start followed by a slash is replaced by the +content of @env{HOME}, no slash at start describes a relative filename +which will be searched at the home directory. To make sure that the +@var{file} is searched in the home directory, either prepend the name +with "./" or use a name which contains a dot. + +If a response has been signed by a certificate described by these +fingerprints no further check upon the validity of this certificate is +done. + +The format of the @var{FILE} is a list of SHA-1 fingerprint, one per +line with optional colons between the bytes. Empty lines and lines +prefix with a hash mark are ignored. + + +@item --ocsp-max-clock-skew @var{n} +@opindex ocsp-max-clock-skew +The number of seconds a skew between the OCSP responder and them local +clock is accepted. Default is 600 (10 minutes). + +@item --ocsp-max-period @var{n} +@opindex ocsp-max-period +Seconds a response is at maximum considered valid after the time given +in the thisUpdate field. Default is 7776000 (90 days). + +@item --ocsp-current-period @var{n} +@opindex ocsp-current-period +The number of seconds an OCSP response is considered valid after the +time given in the NEXT_UPDATE datum. Default is 10800 (3 hours). + + +@item --max-replies @var{n} +@opindex max-replies +Do not return more that @var{n} items in one query. The default is +10. + +@item --ignore-cert-extension @var{oid} +@opindex ignore-cert-extension +Add @var{oid} to the list of ignored certificate extensions. The +@var{oid} is expected to be in dotted decimal form, like +@code{2.5.29.3}. This option may be used more than once. Critical +flagged certificate extensions matching one of the OIDs in the list +are treated as if they are actually handled and thus the certificate +won't be rejected due to an unknown critical extension. Use this +option with care because extensions are usually flagged as critical +for a reason. + +@item --ignore-cert @var{fpr}|@var{file} +@opindex ignore-cert +Entirely ignore certificates with the fingerprint @var{fpr}. As an +alternative to the fingerprint a filename can be given in which case +all certificates described in that file are ignored. Any argument +which contains a slash, dot or tilde is considered a filename. Usual +filename expansion takes place: A tilde at the start followed by a +slash is replaced by the content of @env{HOME}, no slash at start +describes a relative filename which will be searched at the home +directory. To make sure that the @var{file} is searched in the home +directory, either prepend the name with "./" or use a name which +contains a dot. The format of such a file is a list of SHA-1 +fingerprint, one per line with optional colons between the bytes. +Empty lines and lines prefixed with a hash mark are ignored. + +This option is useful as a quick workaround to exclude certain +certificates from the system store. + + +@item --hkp-cacert @var{file} +Use the root certificates in @var{file} for verification of the TLS +certificates used with @code{hkps} (keyserver access over TLS). If +the file is in PEM format a suffix of @code{.pem} is expected for +@var{file}. This option may be given multiple times to add more +root certificates. Tilde expansion is supported. + +If no @code{hkp-cacert} directive is present, dirmngr will use the +system CAs. + +@end table + + +@c +@c Dirmngr Configuration +@c +@mansect files +@node Dirmngr Configuration +@section Configuration + +Dirmngr makes use of several directories when running in daemon mode: +There are a few configuration files whih control the operation of +dirmngr. By default they may all be found in the current home +directory (@pxref{option --homedir}). + +@table @file + +@item dirmngr.conf +@efindex dirmngr.conf +This is the standard configuration file read by @command{dirmngr} on +startup. It may contain any valid long option; the leading two dashes +may not be entered and the option may not be abbreviated. This file +is also read after a @code{SIGHUP} however not all options will +actually have an effect. This default name may be changed on the +command line (@pxref{option --options}). You should backup this file. + +@item /etc/gnupg/trusted-certs +This directory should be filled with certificates of Root CAs you +are trusting in checking the CRLs and signing OCSP Responses. + +Usually these are the same certificates you use with the applications +making use of dirmngr. It is expected that each of these certificate +files contain exactly one @acronym{DER} encoded certificate in a file +with the suffix @file{.crt} or @file{.der}. @command{dirmngr} reads +those certificates on startup and when given a SIGHUP. Certificates +which are not readable or do not make up a proper X.509 certificate +are ignored; see the log file for details. + +Applications using dirmngr (e.g. gpgsm) can request these +certificates to complete a trust chain in the same way as with the +extra-certs directory (see below). + +Note that for OCSP responses the certificate specified using the option +@option{--ocsp-signer} is always considered valid to sign OCSP requests. + +@item /etc/gnupg/extra-certs +This directory may contain extra certificates which are preloaded +into the internal cache on startup. Applications using dirmngr (e.g. gpgsm) +can request cached certificates to complete a trust chain. +This is convenient in cases you have a couple intermediate CA certificates +or certificates usually used to sign OCSP responses. +These certificates are first tried before going +out to the net to look for them. These certificates must also be +@acronym{DER} encoded and suffixed with @file{.crt} or @file{.der}. + +@item ~/.gnupg/crls.d +This directory is used to store cached CRLs. The @file{crls.d} +part will be created by dirmngr if it does not exists but you need to +make sure that the upper directory exists. + +@end table +@manpause + +To be able to see what's going on you should create the configure file +@file{~/gnupg/dirmngr.conf} with at least one line: + +@example +log-file ~/dirmngr.log +@end example + +To be able to perform OCSP requests you probably want to add the line: + +@example +allow-ocsp +@end example + +To make sure that new options are read and that after the installation +of a new GnuPG versions the installed dirmngr is running, you may want +to kill an existing dirmngr first: + +@example +gpgconf --kill dirmngr +@end example + +You may check the log file to see whether all desired root +certificates have been loaded correctly. + + +@c +@c Dirmngr Signals +@c +@mansect signals +@node Dirmngr Signals +@section Use of signals + +A running @command{dirmngr} may be controlled by signals, i.e. using +the @command{kill} command to send a signal to the process. + +Here is a list of supported signals: + +@table @gnupgtabopt + +@item SIGHUP +@cpindex SIGHUP +This signal flushes all internally cached CRLs as well as any cached +certificates. Then the certificate cache is reinitialized as on +startup. Options are re-read from the configuration file. Instead of +sending this signal it is better to use +@example +gpgconf --reload dirmngr +@end example + +@item SIGTERM +@cpindex SIGTERM +Shuts down the process but waits until all current requests are +fulfilled. If the process has received 3 of these signals and requests +are still pending, a shutdown is forced. You may also use +@example +gpgconf --kill dirmngr +@end example +instead of this signal + +@item SIGINT +@cpindex SIGINT +Shuts down the process immediately. + + +@item SIGUSR1 +@cpindex SIGUSR1 +This prints some caching statistics to the log file. + +@end table + + + +@c +@c Examples +@c +@mansect examples +@node Dirmngr Examples +@section Examples + +Here is an example on how to show dirmngr's internal table of OpenPGP +keyserver addresses. The output is intended for debugging purposes +and not part of a defined API. + +@example + gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye +@end example + +To inhibit the use of a particular host you have noticed in one of the +keyserver pools, you may use + +@example + gpg-connect-agent --dirmngr 'keyserver --dead pgpkeys.bnd.de' /bye +@end example + +The description of the @code{keyserver} command can be printed using + +@example + gpg-connect-agent --dirmngr 'help keyserver' /bye +@end example + + + +@c +@c Assuan Protocol +@c +@manpause +@node Dirmngr Protocol +@section Dirmngr's Assuan Protocol + +Assuan is the IPC protocol used to access dirmngr. This is a +description of the commands implemented by dirmngr. + +@menu +* Dirmngr LOOKUP:: Look up a certificate via LDAP +* Dirmngr ISVALID:: Validate a certificate using a CRL or OCSP. +* Dirmngr CHECKCRL:: Validate a certificate using a CRL. +* Dirmngr CHECKOCSP:: Validate a certificate using OCSP. +* Dirmngr CACHECERT:: Put a certificate into the internal cache. +* Dirmngr VALIDATE:: Validate a certificate for debugging. +@end menu + +@node Dirmngr LOOKUP +@subsection Return the certificate(s) found + +Lookup certificate. To allow multiple patterns (which are ORed) +quoting is required: Spaces are to be translated into "+" or into +"%20"; obviously this requires that the usual escape quoting rules +are applied. The server responds with: + +@example + S: D <DER encoded certificate> + S: END + S: D <second DER encoded certificate> + S: END + S: OK +@end example + +In this example 2 certificates are returned. The server may return +any number of certificates; OK will also be returned when no +certificates were found. The dirmngr might return a status line + +@example + S: S TRUNCATED <n> +@end example + + +To indicate that the output was truncated to N items due to a +limitation of the server or by an arbitrary set limit. + +The option @option{--url} may be used if instead of a search pattern a +complete URL to the certificate is known: + +@example + C: LOOKUP --url CN%3DWerner%20Koch,o%3DIntevation%20GmbH,c%3DDE?userCertificate +@end example + +If the option @option{--cache-only} is given, no external lookup is done +so that only certificates from the cache are returned. + +With the option @option{--single}, the first and only the first match +will be returned. Unless option @option{--cache-only} is also used, no +local lookup will be done in this case. + + + +@node Dirmngr ISVALID +@subsection Validate a certificate using a CRL or OCSP + +@example + ISVALID [--only-ocsp] [--force-default-responder] @var{certid}|@var{certfpr} +@end example + +Check whether the certificate described by the @var{certid} has been +revoked. Due to caching, the Dirmngr is able to answer immediately in +most cases. + +The @var{certid} is a hex encoded string consisting of two parts, +delimited by a single dot. The first part is the SHA-1 hash of the +issuer name and the second part the serial number. + +Alternatively the certificate's SHA-1 fingerprint @var{certfpr} may be +given in which case an OCSP request is done before consulting the CRL. +If the option @option{--only-ocsp} is given, no fallback to a CRL check +will be used. If the option @option{--force-default-responder} is +given, only the default OCSP responder will be used and any other +methods of obtaining an OCSP responder URL won't be used. + +@noindent +Common return values are: + +@table @code +@item GPG_ERR_NO_ERROR (0) +This is the positive answer: The certificate is not revoked and we have +an up-to-date revocation list for that certificate. If OCSP was used +the responder confirmed that the certificate has not been revoked. + +@item GPG_ERR_CERT_REVOKED +This is the negative answer: The certificate has been revoked. Either +it is in a CRL and that list is up to date or an OCSP responder informed +us that it has been revoked. + +@item GPG_ERR_NO_CRL_KNOWN +No CRL is known for this certificate or the CRL is not valid or out of +date. + +@item GPG_ERR_NO_DATA +The OCSP responder returned an ``unknown'' status. This means that it +is not aware of the certificate's status. + +@item GPG_ERR_NOT_SUPPORTED +This is commonly seen if OCSP support has not been enabled in the +configuration. +@end table + +If DirMngr has not enough information about the given certificate (which +is the case for not yet cached certificates), it will inquire the +missing data: + +@example + S: INQUIRE SENDCERT <CertID> + C: D <DER encoded certificate> + C: END +@end example + +A client should be aware that DirMngr may ask for more than one +certificate. + +If Dirmngr has a certificate but the signature of the certificate +could not been validated because the root certificate is not known to +dirmngr as trusted, it may ask back to see whether the client trusts +this the root certificate: + +@example + S: INQUIRE ISTRUSTED <CertHexfpr> + C: D 1 + C: END +@end example + +Only this answer will let Dirmngr consider the certificate as valid. + + +@node Dirmngr CHECKCRL +@subsection Validate a certificate using a CRL + +Check whether the certificate with FINGERPRINT (SHA-1 hash of the +entire X.509 certificate blob) is valid or not by consulting the CRL +responsible for this certificate. If the fingerprint has not been +given or the certificate is not known, the function inquires the +certificate using: + +@example + S: INQUIRE TARGETCERT + C: D <DER encoded certificate> + C: END +@end example + +Thus the caller is expected to return the certificate for the request +(which should match FINGERPRINT) as a binary blob. Processing then +takes place without further interaction; in particular dirmngr tries +to locate other required certificate by its own mechanism which +includes a local certificate store as well as a list of trusted root +certificates. + +@noindent +The return code is 0 for success; i.e. the certificate has not been +revoked or one of the usual error codes from libgpg-error. + +@node Dirmngr CHECKOCSP +@subsection Validate a certificate using OCSP + +@example + CHECKOCSP [--force-default-responder] [@var{fingerprint}] +@end example + +Check whether the certificate with @var{fingerprint} (the SHA-1 hash of +the entire X.509 certificate blob) is valid by consulting the appropriate +OCSP responder. If the fingerprint has not been given or the +certificate is not known by Dirmngr, the function inquires the +certificate using: + +@example + S: INQUIRE TARGETCERT + C: D <DER encoded certificate> + C: END +@end example + +Thus the caller is expected to return the certificate for the request +(which should match @var{fingerprint}) as a binary blob. Processing +then takes place without further interaction; in particular dirmngr +tries to locate other required certificates by its own mechanism which +includes a local certificate store as well as a list of trusted root +certificates. + +If the option @option{--force-default-responder} is given, only the +default OCSP responder is used. This option is the per-command variant +of the global option @option{--ignore-ocsp-service-url}. + + +@noindent +The return code is 0 for success; i.e. the certificate has not been +revoked or one of the usual error codes from libgpg-error. + +@node Dirmngr CACHECERT +@subsection Put a certificate into the internal cache + +Put a certificate into the internal cache. This command might be +useful if a client knows in advance certificates required for a test and +wants to make sure they get added to the internal cache. It is also +helpful for debugging. To get the actual certificate, this command +immediately inquires it using + +@example + S: INQUIRE TARGETCERT + C: D <DER encoded certificate> + C: END +@end example + +Thus the caller is expected to return the certificate for the request +as a binary blob. + +@noindent +The return code is 0 for success; i.e. the certificate has not been +successfully cached or one of the usual error codes from libgpg-error. + +@node Dirmngr VALIDATE +@subsection Validate a certificate for debugging + +Validate a certificate using the certificate validation function used +internally by dirmngr. This command is only useful for debugging. To +get the actual certificate, this command immediately inquires it using + +@example + S: INQUIRE TARGETCERT + C: D <DER encoded certificate> + C: END +@end example + +Thus the caller is expected to return the certificate for the request +as a binary blob. + + +@mansect see also +@ifset isman +@command{gpgsm}(1), +@command{dirmngr-client}(1) +@end ifset +@include see-also-note.texi + +@c +@c !!! UNDER CONSTRUCTION !!! +@c +@c +@c @section Verifying a Certificate +@c +@c There are several ways to request services from Dirmngr. Almost all of +@c them are done using the Assuan protocol. What we describe here is the +@c Assuan command CHECKCRL as used for example by the dirmnr-client tool if +@c invoked as +@c +@c @example +@c dirmngr-client foo.crt +@c @end example +@c +@c This command will send an Assuan request to an already running Dirmngr +@c instance. foo.crt is expected to be a standard X.509 certificate and +@c dirmngr will receive the Assuan command +@c +@c @example +@c CHECKCRL @var [{fingerprint}] +@c @end example +@c +@c @var{fingerprint} is optional and expected to be the SHA-1 has of the +@c DER encoding of the certificate under question. It is to be HEX +@c encoded. The rationale for sending the fingerprint is that it allows +@c dirmngr to reply immediately if it has already cached such a request. If +@c this is not the case and no certificate has been found in dirmngr's +@c internal certificate storage, dirmngr will request the certificate using +@c the Assuan inquiry +@c +@c @example +@c INQUIRE TARGETCERT +@c @end example +@c +@c The caller (in our example dirmngr-client) is then expected to return +@c the certificate for the request (which should match @var{fingerprint}) +@c as a binary blob. +@c +@c Dirmngr now passes control to @code{crl_cache_cert_isvalid}. This +@c function checks whether a CRL item exists for target certificate. These +@c CRL items are kept in a database of already loaded and verified CRLs. +@c This mechanism is called the CRL cache. Obviously timestamps are kept +@c there with each item to cope with the expiration date of the CRL. The +@c possible return values are: @code{0} to indicate that a valid CRL is +@c available for the certificate and the certificate itself is not listed +@c in this CRL, @code{GPG_ERR_CERT_REVOKED} to indicate that the certificate is +@c listed in the CRL or @code{GPG_ERR_NO_CRL_KNOWN} in cases where no CRL or no +@c information is available. The first two codes are immediately returned to +@c the caller and the processing of this request has been done. +@c +@c Only the @code{GPG_ERR_NO_CRL_KNOWN} needs more attention: Dirmngr now +@c calls @code{clr_cache_reload_crl} and if this succeeds calls +@c @code{crl_cache_cert_isvald) once more. All further errors are +@c immediately returned to the caller. +@c +@c @code{crl_cache_reload_crl} is the actual heart of the CRL management. +@c It locates the corresponding CRL for the target certificate, reads and +@c verifies this CRL and stores it in the CRL cache. It works like this: +@c +@c * Loop over all crlDPs in the target certificate. +@c * If the crlDP is invalid immediately terminate the loop. +@c * Loop over all names in the current crlDP. +@c * If the URL scheme is unknown or not enabled +@c (--ignore-http-dp, --ignore-ldap-dp) continues with +@c the next name. +@c * @code{crl_fetch} is called to actually retrieve the CRL. +@c In case of problems this name is ignore and we continue with +@c the next name. Note that @code{crl_fetch} does only return +@c a descriptor for the CRL for further reading so does the CRL +@c does not yet end up in memory. +@c * @code{crl_cache_insert} is called with that descriptor to +@c actually read the CRL into the cache. See below for a +@c description of this function. If there is any error (e.g. read +@c problem, CRL not correctly signed or verification of signature +@c not possible), this descriptor is rejected and we continue +@c with the next name. If the CRL has been successfully loaded, +@c the loop is terminated. +@c * If no crlDP has been found in the previous loop use a default CRL. +@c Note, that if any crlDP has been found but loading of the CRL failed, +@c this condition is not true. +@c * Try to load a CRL from all configured servers (ldapservers.conf) +@c in turn. The first server returning a CRL is used. +@c * @code(crl_cache_insert) is then used to actually insert the CRL +@c into the cache. If this failed we give up immediately without +@c checking the rest of the servers from the first step. +@c * Ready. +@c +@c +@c The @code{crl_cache_insert} function takes care of reading the bulk of +@c the CRL, parsing it and checking the signature. It works like this: A +@c new database file is created using a temporary file name. The CRL +@c parsing machinery is started and all items of the CRL are put into +@c this database file. At the end the issuer certificate of the CRL +@c needs to be retrieved. Three cases are to be distinguished: +@c +@c a) An authorityKeyIdentifier with an issuer and serialno exits: The +@c certificate is retrieved using @code{find_cert_bysn}. If +@c the certificate is in the certificate cache, it is directly +@c returned. Then the requester (i.e. the client who requested the +@c CRL check) is asked via the Assuan inquiry ``SENDCERT'' whether +@c he can provide this certificate. If this succeed the returned +@c certificate gets cached and returned. Note, that dirmngr does not +@c verify in any way whether the expected certificate is returned. +@c It is in the interest of the client to return a useful certificate +@c as otherwise the service request will fail due to a bad signature. +@c The last way to get the certificate is by looking it up at +@c external resources. This is done using the @code{ca_cert_fetch} +@c and @code{fetch_next_ksba_cert} and comparing the returned +@c certificate to match the requested issuer and seriano (This is +@c needed because the LDAP layer may return several certificates as +@c LDAP as no standard way to retrieve by serial number). +@c +@c b) An authorityKeyIdentifier with a key ID exists: The certificate is +@c retrieved using @code{find_cert_bysubject}. If the certificate is +@c in the certificate cache, it is directly returned. Then the +@c requester is asked via the Assuan inquiry ``SENDCERT_SKI'' whether +@c he can provide this certificate. If this succeed the returned +@c certificate gets cached and returned. Note, that dirmngr does not +@c verify in any way whether the expected certificate is returned. +@c It is in the interest of the client to return a useful certificate +@c as otherwise the service request will fail due to a bad signature. +@c The last way to get the certificate is by looking it up at +@c external resources. This is done using the @code{ca_cert_fetch} +@c and @code{fetch_next_ksba_cert} and comparing the returned +@c certificate to match the requested subject and key ID. +@c +@c c) No authorityKeyIdentifier exits: The certificate is retrieved +@c using @code{find_cert_bysubject} without the key ID argument. If +@c the certificate is in the certificate cache the first one with a +@c matching subject is directly returned. Then the requester is +@c asked via the Assuan inquiry ``SENDCERT'' and an exact +@c specification of the subject whether he can +@c provide this certificate. If this succeed the returned +@c certificate gets cached and returned. Note, that dirmngr does not +@c verify in any way whether the expected certificate is returned. +@c It is in the interest of the client to return a useful certificate +@c as otherwise the service request will fail due to a bad signature. +@c The last way to get the certificate is by looking it up at +@c external resources. This is done using the @code{ca_cert_fetch} +@c and @code{fetch_next_ksba_cert} and comparing the returned +@c certificate to match the requested subject; the first certificate +@c with a matching subject is then returned. +@c +@c If no certificate was found, the function returns with the error +@c GPG_ERR_MISSING_CERT. Now the signature is verified. If this fails, +@c the erro is returned. On success the @code{validate_cert_chain} is +@c used to verify that the certificate is actually valid. +@c +@c Here we may encounter a recursive situation: +@c @code{validate_cert_chain} needs to look at other certificates and +@c also at CRLs to check whether these other certificates and well, the +@c CRL issuer certificate itself are not revoked. FIXME: We need to make +@c sure that @code{validate_cert_chain} does not try to lookup the CRL we +@c are currently processing. This would be a catch-22 and may indicate a +@c broken PKI. However, due to overlapping expiring times and imprecise +@c clocks this may actually happen. +@c +@c For historical reasons the Assuan command ISVALID is a bit different +@c to CHECKCRL but this is mainly due to different calling conventions. +@c In the end the same fucntionality is used, albeit hidden by a couple +@c of indirection and argument and result code mangling. It furthere +@c ingetrages OCSP checking depending on options are the way it is +@c called. GPGSM still uses this command but might eventuall switch over +@c to CHECKCRL and CHECKOCSP so that ISVALID can be retired. +@c +@c +@c @section Validating a certificate +@c +@c We describe here how the internal function @code{validate_cert_chain} +@c works. Note that mainly testing purposes this functionality may be +@c called directly using @cmd{dirmngr-client --validate @file{foo.crt}}. +@c +@c The function takes the target certificate and a mode argument as +@c parameters and returns an error code and optionally the closes +@c expiration time of all certificates in the chain. +@c +@c We first check that the certificate may be used for the requested +@c purpose (i.e. OCSP or CRL signing). If this is not the case +@c GPG_ERR_WRONG_KEY_USAGE is returned. +@c +@c The next step is to find the trust anchor (root certificate) and to +@c assemble the chain in memory: Starting with the target certificate, +@c the expiration time is checked against the current date, unknown +@c critical extensions are detected and certificate policies are matched +@c (We only allow 2.289.9.9 but I have no clue about that OID and from +@c where I got it - it does not even seem to be assigned - debug cruft?). +@c +@c Now if this certificate is a self-signed one, we have reached the +@c trust anchor. In this case we check that the signature is good, the +@c certificate is allowed to act as a CA, that it is a trusted one (by +@c checking whether it is has been put into the trusted-certs +@c configuration directory) and finally prepend into to our list +@c representing the certificate chain. This steps ends then. +@c +@c If it is not a self-signed certificate, we check that the chain won't +@c get too long (current limit is 100), if this is the case we terminate +@c with the error GPG_ERR_BAD_CERT_CHAIN. +@c +@c Now the issuer's certificate is looked up: If an +@c authorityKeyIdentifier is available, this one is used to locate the +@c certificate either using issuer and serialnumber or subject DN +@c (i.e. the issuer's DN) and the keyID. The functions +@c @code{find_cert_bysn) and @code{find_cert_bysubject} are used +@c respectively. The have already been described above under the +@c description of @code{crl_cache_insert}. If no certificate was found +@c or with no authorityKeyIdentifier, only the cache is consulted using +@c @code{get_cert_bysubject}. The latter is done under the assumption +@c that a matching certificate has explicitly been put into the +@c certificate cache. If the issuer's certificate could not be found, +@c the validation terminates with the error code @code{GPG_ERR_MISSING_CERT}. +@c +@c If the issuer's certificate has been found, the signature of the +@c actual certificate is checked and in case this fails the error +@c #code{GPG_ERR_BAD_CERT_CHAIN} is returned. If the signature checks out, the +@c maximum chain length of the issuing certificate is checked as well as +@c the capability of the certificate (i.e. whether he may be used for +@c certificate signing). Then the certificate is prepended to our list +@c representing the certificate chain. Finally the loop is continued now +@c with the issuer's certificate as the current certificate. +@c +@c After the end of the loop and if no error as been encountered +@c (i.e. the certificate chain has been assempled correctly), a check is +@c done whether any certificate expired or a critical policy has not been +@c met. In any of these cases the validation terminates with an +@c appropriate error. +@c +@c Finally the function @code{check_revocations} is called to verify no +@c certificate in the assempled chain has been revoked: This is an +@c recursive process because a CRL has to be checked for each certificate +@c in the chain except for the root certificate, of which we already know +@c that it is trusted and we avoid checking a CRL here due to common +@c setup problems and the assumption that a revoked root certificate has +@c been removed from the list of trusted certificates. +@c +@c +@c +@c +@c @section Looking up certificates through LDAP. +@c +@c This describes the LDAP layer to retrieve certificates. +@c the functions @code{ca_cert_fetch} and @code{fetch_next_ksba_cert} are +@c used for this. The first one starts a search and the second one is +@c used to retrieve certificate after certificate. +@c diff --git a/doc/examples/Automatic.prf b/doc/examples/Automatic.prf new file mode 100644 index 0000000..41f9bea --- /dev/null +++ b/doc/examples/Automatic.prf @@ -0,0 +1,15 @@ +# Automatic.prf - Configure options for a more automatic mode -*- conf -*- +# +# The options for each tool are configured in a section ("[TOOL]"); +# see the respective man page for a description of these options and +# the gpgconf manpage for a description of this file's syntax. + +[gpg] +auto-key-locate local,wkd,dane +auto-key-retrieve +trust-model tofu+pgp$\r$\n' + +[gpg-agent] +default-cache-ttl 900 +max-cache-ttl 3600 +min-passphrase-nonalpha 0 diff --git a/doc/examples/README b/doc/examples/README new file mode 100644 index 0000000..77ee807 --- /dev/null +++ b/doc/examples/README @@ -0,0 +1,11 @@ +Files in this directory: + + +scd-event A handler script used with scdaemon + +trustlist.txt A list of trustworthy root certificates + (Please check yourself whether you actually trust them) + +gpgconf.conf A sample configuration file for gpgconf. + +systemd-user Sample files for a Linux-only init system. diff --git a/doc/examples/VS-NfD.prf b/doc/examples/VS-NfD.prf new file mode 100644 index 0000000..edb9e01 --- /dev/null +++ b/doc/examples/VS-NfD.prf @@ -0,0 +1,24 @@ +# VS-NfD.prf - Configure options for the VS-NfD mode -*- conf -*- +# +# The options for each tool are configured in a section ("[TOOL]"); +# see the respective man page for a description of these options and +# the gpgconf manpage for a description of this file's syntax. + +[gpg] +compliance de-vs + +[gpgsm] +compliance de-vs +enable-crl-checks + +[gpg-agent] +default-cache-ttl 900 +max-cache-ttl 3600 +no-allow-mark-trusted +no-allow-external-cache +enforce-passphrase-constraints +min-passphrase-len 9 +min-passphrase-nonalpha 0 + +[dirmngr] +allow-ocsp diff --git a/doc/examples/debug.prf b/doc/examples/debug.prf new file mode 100644 index 0000000..f635fc8 --- /dev/null +++ b/doc/examples/debug.prf @@ -0,0 +1,29 @@ +# debug.prf - Configure options for easier debugging -*- conf -*- +# +# Note that the actual debug options for each component need to be set +# manually. Running the component with "--debug help" shows a list of +# supported values. To watch the logs this command can be used: +# +# watchgnupg --time-only --force $(gpgconf --list-dirs socketdir)/S.log +# + +[gpg] +log-file socket:// +verbose +#debug ipc + +[gpgsm] +log-file socket:// +verbose +#debug ipc + +[gpg-agent] +log-file socket:// +verbose +#debug ipc +#debug-pinentry + +[dirmngr] +log-file socket:// +verbose +#debug ipc,dns diff --git a/doc/examples/gpgconf.conf b/doc/examples/gpgconf.conf new file mode 100644 index 0000000..a61d4d4 --- /dev/null +++ b/doc/examples/gpgconf.conf @@ -0,0 +1,62 @@ +# gpgconf.conf - configuration for gpgconf +#---------------------------------------------------------------------- +# This file is read by gpgconf(1) to setup defaults for all or +# specified users and groups. It may be used to change the hardwired +# defaults in gpgconf and to enforce certain values for the various +# GnuPG related configuration files. +# +# NOTE: This is a legacy mechanism. The modern way is to use global +# configuration files like /etc/gnupg/gpg.conf which are more +# flexible and better integrated into the configuration system. +# +# Empty lines and comment lines, indicated by a hash mark as first non +# white space character, are ignored. The line is separated by white +# space into fields. The first field is used to match the user or +# group and must start at the first column, the file is processed +# sequential until a matching rule is found. A rule may contain +# several lines; continuation lines are indicated by a indenting them. +# +# Syntax of a line: +# <key>|WS <component> <option> ["["<flag>"]"] [<value>] +# +# Examples for the <key> field: +# foo - Matches the user "foo". +# foo: - Matches the user "foo". +# foo:staff - Matches the user "foo" or the group "staff". +# :staff - Matches the group "staff". +# * - Matches any user. +# All other variants are not defined and reserved for future use. +# +# <component> and <option> are as specified by gpgconf. +# <flag> may be one of: +# default - Delete the option so that the default is used. +# no-change - Mark the field as non changeable by gpgconf. +# change - Mark the field as changeable by gpgconf. +# +# Example file: +#========== +# :staff gpg-agent min-passphrase-len 6 [change] +# +# * gpg-agent min-passphrase-len [no-change] 8 +# gpg-agent min-passphrase-nonalpha [no-change] 1 +# gpg-agent max-passphrase-days [no-change] 700 +# gpg-agent enable-passphrase-history [no-change] +# gpg-agent enforce-passphrase-constraints [default] +# gpg-agent enforce-passphrase-constraints [no-change] +# gpg-agent max-cache-ttl [no-change] 10800 +# gpg-agent max-cache-ttl-ssh [no-change] 10800 +# gpgsm enable-ocsp +# gpg compliance [no-change] +# gpgsm compliance [no-change] +#=========== +# All users in the group "staff" are allowed to change the value for +# --allow-mark-trusted; gpgconf's default is not to allow a change +# through its interface. When "gpgconf --apply-defaults" is used, +# "allow-mark-trusted" will get enabled and "min-passphrase-len" set +# to 6. All other users are not allowed to change +# "min-passphrase-len" and "allow-mark-trusted". When "gpgconf +# --apply-defaults" is used for them, "min-passphrase-len" is set to +# 8, "allow-mark-trusted" deleted from the config file and +# "enable-ocsp" is put into the config file of gpgsm. The latter may +# be changed by any user. +#------------------------------------------------------------------- diff --git a/doc/examples/gpgconf.rnames b/doc/examples/gpgconf.rnames new file mode 100644 index 0000000..0e83732 --- /dev/null +++ b/doc/examples/gpgconf.rnames @@ -0,0 +1,12 @@ +# gpgconf-rnames.lst +# Additional registry settings to be shown by "gpgconf -X". +# +# Example: HKCU\Software\GNU\GnuPG:FooBar +# +# HKCU := The class. Other supported classes are HKLM, HKCR, HKU, +# and HKCC. If no class is given and the string thus starts +# with a backslash HKCU with a fallback to HKLM is used. +# Software\GNU\GnuPG := The actual key. +# FooBar := The name of the item. if a name is not given the default +# value is used. +# diff --git a/doc/examples/pwpattern.list b/doc/examples/pwpattern.list new file mode 100644 index 0000000..251c2d4 --- /dev/null +++ b/doc/examples/pwpattern.list @@ -0,0 +1,48 @@ +# pwpattern.list -*- default-generic -*- +# +# This is an example for a pattern file as used by gpg-check-pattern. +# The file is line based with comment lines beginning on the *first* +# position with a '#'. Empty lines and lines with just spaces are +# ignored. The other lines may be verbatim patterns and match as they +# are (trailing spaces are ignored) or extended regular expressions +# indicated by a / in the first column and terminated by another / or +# end of line. All comparisons are case insensitive. + +# Reject the usual metavariables. Usual not required because +# gpg-agent can be used to reject all passphrases shorter than 8 +# charactes. +foo +bar +baz + +# As well as very common passwords. Note that gpg-agent can be used +# to reject them due to missing non-alpha characters. +password +passwort +passphrase +mantra +test +abc +egal + +# German number plates. +/^[A-Z]{1,3}[ ]*-[ ]*[A-Z]{1,2}[ ]*[0-9]+/ + +# Dates (very limited, only ISO dates). */ +/^[012][0-9][0-9][0-9]-[012][0-9]-[0123][0-9]$/ + +# Arbitrary strings +the quick brown fox jumps over the lazy dogs back +no-password +no password + +12345678 +123456789 +1234567890 +87654321 +987654321 +0987654321 +qwertyuiop +qwertzuiop +asdfghjkl +zxcvbnm diff --git a/doc/examples/scd-event b/doc/examples/scd-event new file mode 100755 index 0000000..938465f --- /dev/null +++ b/doc/examples/scd-event @@ -0,0 +1,102 @@ +#!/bin/sh +# Sample script for scdaemon event mechanism. + +#exec >>/tmp/scd-event.log + +PGM=scd-event + +reader_port= +old_code=0x0000 +new_code=0x0000 +status= + +tick='`' +prev= +while [ $# -gt 0 ]; do + arg="$1" + case $arg in + -*=*) optarg=$(echo "X$arg" | sed -e '1s/^X//' -e 's/[-_a-zA-Z0-9]*=//') + ;; + *) optarg= + ;; + esac + if [ -n "$prev" ]; then + eval "$prev=\$arg" + prev= + shift + continue + fi + case $arg in + --help|-h) + cat <<EOF +Usage: $PGM [options] +$PGM is called by scdaemon on card reader status changes + +Options: + --reader-port N Reports change for port N + --old-code 0xNNNN Previous status code + --old-code 0xNNNN Current status code + --status USABLE|ACTIVE|PRESENT|NOCARD + Human readable status code + +Environment: + +GNUPGHOME=DIR Set to the active homedir + +EOF + exit 0 + ;; + + --reader-port) + prev=reader_port + ;; + --reader-port=*) + reader_port="$optarg" + ;; + --old-code) + prev=old_code + ;; + --old-code=*) + old_code="$optarg" + ;; + --new-code) + prev=new_code + ;; + --new-code=*) + new_code="$optarg" + ;; + --status) + prev=status + ;; + --new-code=*) + status="$optarg" + ;; + + -*) + echo "$PGM: invalid option $tick$arg'" >&2 + exit 1 + ;; + + *) + break + ;; + esac + shift +done +if [ -n "$prev" ]; then + echo "$PGM: argument missing for option $tick$prev'" >&2 + exit 1 +fi + +cat <<EOF +======================== +port: $reader_port +old-code: $old_code +new-code: $new_code +status: $status +EOF + +if [ x$status = xUSABLE ]; then + gpg --batch --card-status 2>&1 +fi + diff --git a/doc/examples/systemd-user/README b/doc/examples/systemd-user/README new file mode 100644 index 0000000..43122f5 --- /dev/null +++ b/doc/examples/systemd-user/README @@ -0,0 +1,66 @@ +Socket-activated dirmngr and gpg-agent with systemd +=================================================== + +When used on a GNU/Linux system supervised by systemd, you can ensure +that the GnuPG daemons dirmngr and gpg-agent are launched +automatically the first time they're needed, and shut down cleanly at +session logout. This is done by enabling user services via +socket-activation. + +System distributors +------------------- + +The *.service and *.socket files (from this directory) should be +placed in /usr/lib/systemd/user/ alongside other user-session services +and sockets. + +To enable socket-activated dirmngr for all accounts on the system, +use: + + systemctl --user --global enable dirmngr.socket + +To enable socket-activated gpg-agent for all accounts on the system, +use: + + systemctl --user --global enable gpg-agent.socket + +Additionally, you can enable socket-activated gpg-agent ssh-agent +emulation for all accounts on the system with: + + systemctl --user --global enable gpg-agent-ssh.socket + +You can also enable restricted ("--extra-socket"-style) gpg-agent +sockets for all accounts on the system with: + + systemctl --user --global enable gpg-agent-extra.socket + +Individual users +---------------- + +A user on a system with systemd where this has not been installed +system-wide can place these files in ~/.config/systemd/user/ to make +them available. + +If a given service isn't installed system-wide, or if it's installed +system-wide but not globally enabled, individual users will still need +to enable them. For example, to enable socket-activated dirmngr for +all future sessions: + + systemctl --user enable dirmngr.socket + +To enable socket-activated gpg-agent with ssh support, do: + + systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket + +These changes won't take effect until your next login after you've +fully logged out (be sure to terminate any running daemons before +logging out). + +If you'd rather try a socket-activated GnuPG daemon in an +already-running session without logging out (with or without enabling +it for all future sessions), kill any existing daemon and start the +user socket directly. For example, to set up socket-activated dirmgnr +in the current session: + + gpgconf --kill dirmngr + systemctl --user start dirmngr.socket diff --git a/doc/examples/systemd-user/dirmngr.service b/doc/examples/systemd-user/dirmngr.service new file mode 100644 index 0000000..3c060cd --- /dev/null +++ b/doc/examples/systemd-user/dirmngr.service @@ -0,0 +1,8 @@ +[Unit] +Description=GnuPG network certificate management daemon +Documentation=man:dirmngr(8) +Requires=dirmngr.socket + +[Service] +ExecStart=/usr/bin/dirmngr --supervised +ExecReload=/usr/bin/gpgconf --reload dirmngr diff --git a/doc/examples/systemd-user/dirmngr.socket b/doc/examples/systemd-user/dirmngr.socket new file mode 100644 index 0000000..ebabf89 --- /dev/null +++ b/doc/examples/systemd-user/dirmngr.socket @@ -0,0 +1,11 @@ +[Unit] +Description=GnuPG network certificate management daemon +Documentation=man:dirmngr(8) + +[Socket] +ListenStream=%t/gnupg/S.dirmngr +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/doc/examples/systemd-user/gpg-agent-browser.socket b/doc/examples/systemd-user/gpg-agent-browser.socket new file mode 100644 index 0000000..bc8d344 --- /dev/null +++ b/doc/examples/systemd-user/gpg-agent-browser.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache (access for web browsers) +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.browser +FileDescriptorName=browser +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/doc/examples/systemd-user/gpg-agent-extra.socket b/doc/examples/systemd-user/gpg-agent-extra.socket new file mode 100644 index 0000000..5b87d09 --- /dev/null +++ b/doc/examples/systemd-user/gpg-agent-extra.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache (restricted) +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.extra +FileDescriptorName=extra +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/doc/examples/systemd-user/gpg-agent-ssh.socket b/doc/examples/systemd-user/gpg-agent-ssh.socket new file mode 100644 index 0000000..798c1d9 --- /dev/null +++ b/doc/examples/systemd-user/gpg-agent-ssh.socket @@ -0,0 +1,13 @@ +[Unit] +Description=GnuPG cryptographic agent (ssh-agent emulation) +Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent.ssh +FileDescriptorName=ssh +Service=gpg-agent.service +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/doc/examples/systemd-user/gpg-agent.service b/doc/examples/systemd-user/gpg-agent.service new file mode 100644 index 0000000..a050fcc --- /dev/null +++ b/doc/examples/systemd-user/gpg-agent.service @@ -0,0 +1,8 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache +Documentation=man:gpg-agent(1) +Requires=gpg-agent.socket + +[Service] +ExecStart=/usr/bin/gpg-agent --supervised +ExecReload=/usr/bin/gpgconf --reload gpg-agent diff --git a/doc/examples/systemd-user/gpg-agent.socket b/doc/examples/systemd-user/gpg-agent.socket new file mode 100644 index 0000000..4257c2c --- /dev/null +++ b/doc/examples/systemd-user/gpg-agent.socket @@ -0,0 +1,12 @@ +[Unit] +Description=GnuPG cryptographic agent and passphrase cache +Documentation=man:gpg-agent(1) + +[Socket] +ListenStream=%t/gnupg/S.gpg-agent +FileDescriptorName=std +SocketMode=0600 +DirectoryMode=0700 + +[Install] +WantedBy=sockets.target diff --git a/doc/examples/trustlist.txt b/doc/examples/trustlist.txt new file mode 100644 index 0000000..4d57242 --- /dev/null +++ b/doc/examples/trustlist.txt @@ -0,0 +1,66 @@ +# This is the global list of trusted keys. Comment lines, like this +# one, as well as empty lines are ignored. Lines have a length limit +# but this is not serious limitation as the format of the entries is +# fixed and checked by gpg-agent. A non-comment line starts with +# optional white space, followed by the SHA-1 fingerpint in hex, +# optionally followed by a flag character which my either be 'P', 'S' +# or '*'. This file will be read by gpg-agent if no local trustlist +# is available or if the statement "include-default" is used in the +# local list. You should give the gpg-agent(s) a HUP after editing +# this file. + + +#Serial number: 32D18D +# Issuer: /CN=6R-Ca 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde +# fÈur Telekommunikation und Post/C=DE +EA:8D:99:DD:36:AA:2D:07:1A:3C:7B:69:00:9E:51:B9:4A:2E:E7:60 S + +#Serial number: 00C48C8D +# Issuer: /CN=7R-CA 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde +# fÈur Telekommunikation und Post/C=DE +DB:45:3D:1B:B0:1A:F3:23:10:6B:DE:D0:09:61:57:AA:F4:25:E0:5B S + +#Serial number: 01 +# Issuer: /CN=8R-CA 1:PN/O=Regulierungsbehörde für +# Telekommunikation und Post/C=DE +42:6A:F6:78:30:E9:CE:24:5B:EF:41:A2:C1:A8:51:DA:C5:0A:6D:F5 S + +#Serial number: 02 +# Issuer: /CN=9R-CA 1:PN/O=Regulierungsbehörde für +# Telekommunikation und Post/C=DE +75:9A:4A:CE:7C:DA:7E:89:1B:B2:72:4B:E3:76:EA:47:3A:96:97:24 S + +#Serial number: 2A +# Issuer: /CN=10R-CA 1:PN/O=Bundesnetzagentur/C=DE +31:C9:D2:E6:31:4D:0B:CC:2C:1A:45:00:A6:6B:97:98:27:18:8E:CD S + +#Serial number: 2D +# Issuer: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE +A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D S + +# S/N: 0139 +# Issuer: /CN=12R-CA 1:PN/O=Bundesnetzagentur/C=DE +44:7E:D4:E3:9A:D7:92:E2:07:FA:53:1A:2E:F5:B8:02:5B:47:57:B0 de + +# S/N: 013C +# Issuer: /CN=13R-CA 1:PN/O=Bundesnetzagentur/C=DE +AC:A7:BE:45:1F:A6:BF:09:F2:D1:3F:08:7B:BC:EB:7F:46:A2:CC:8A de + + +# S/N: 00B3963E0E6C2D65125853E970665402E5 +# Issuer: /CN=S-TRUST Qualified Root CA 2008-001:PN +# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE +C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA S + +# S/N: 00C4216083F35C54F67B09A80C3C55FE7D +# Issuer: /CN=S-TRUST Qualified Root CA 2008-002:PN +# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE +D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B S + + +#Serial number: 00 +# Issuer: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww. +# cacert.org/O=Root CA/EMail=support@cacert.org +13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33 S + + diff --git a/doc/glossary.texi b/doc/glossary.texi new file mode 100644 index 0000000..8c786a7 --- /dev/null +++ b/doc/glossary.texi @@ -0,0 +1,72 @@ +@c Copyright (C) 2004 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file gnupg.texi. + +@node Glossary +@unnumbered Glossary + + +@table @samp +@item ARL + The @emph{Authority Revocation List} is technical identical to a +@acronym{CRL} but used for @acronym{CA}s and not for end user +certificates. + +@item Chain model + Verification model for X.509 which uses the creation date of a +signature as the date the validation starts and in turn checks that each +certificate has been issued within the time frame, the issuing +certificate was valid. This allows the verification of signatures after +the CA's certificate expired. The validation test also required an +online check of the certificate status. The chain model is required by +the German signature law. See also @emph{Shell model}. + +@item CMS + The @emph{Cryptographic Message Standard} describes a message +format for encryption and digital signing. It is closely related to the +X.509 certificate format. @acronym{CMS} was formerly known under the +name @code{PKCS#7} and is described by @code{RFC3369}. + +@item CRL + The @emph{Certificate Revocation List} is a list containing +certificates revoked by the issuer. + +@item CSR + The @emph{Certificate Signing Request} is a message send to a CA to +ask them to issue a new certificate. The data format of such a signing +request is called PCKS#10. + +@item OpenPGP + A data format used to build a PKI and to exchange encrypted or +signed messages. In contrast to X.509, OpenPGP also includes the +message format but does not explicitly demand a specific PKI. However +any kind of PKI may be build upon the OpenPGP protocol. + +@item Keygrip + This term is used by GnuPG to describe a 20 byte hash value used +to identify a certain key without referencing to a concrete protocol. +It is used internally to access a private key. Usually it is shown and +entered as a 40 character hexadecimal formatted string. + +@item OCSP + The @emph{Online Certificate Status Protocol} is used as an +alternative to a @acronym{CRL}. It is described in @code{RFC 2560}. + +@item PSE + The @emph{Personal Security Environment} describes a database to +store private keys. This is either a smartcard or a collection of files +on a disk; the latter is often called a Soft-PSE. + + +@item Shell model +The standard model for validation of certificates under X.509. At the +time of the verification all certificates must be valid and not expired. +See also @emph{Chain model}. + + +@item X.509 +Description of a PKI used with CMS. It is for example +defined by @code{RFC3280}. + + +@end table diff --git a/doc/gnupg-card-architecture.fig b/doc/gnupg-card-architecture.fig new file mode 100644 index 0000000..0efa362 --- /dev/null +++ b/doc/gnupg-card-architecture.fig @@ -0,0 +1,419 @@ +#FIG 3.2 Produced by xfig version 3.2.5-alpha5 +# Copyright 2005 Werner Koch +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <http://www.gnu.org/licenses/>. +# +Landscape +Center +Metric +A4 +100.00 +Single +-2 +1200 2 +0 32 #414541 +0 33 #808080 +0 34 #c0c0c0 +0 35 #c6b797 +0 36 #eff8ff +0 37 #dccba6 +0 38 #e0e0e0 +0 39 #8e8f8e +0 40 #aaaaaa +0 41 #555555 +0 42 #404040 +0 43 #868286 +0 44 #c7c3c7 +0 45 #e7e3e7 +0 46 #8e8e8e +0 47 #444444 +0 48 #868686 +0 49 #c7c7c7 +0 50 #666666 +0 51 #e2e2ee +0 52 #94949a +0 53 #dbdbdb +0 54 #a1a1b7 +0 55 #9c0000 +0 56 #ededed +0 57 #86acff +0 58 #7070ff +0 59 #bebebe +0 60 #515151 +0 61 #000049 +0 62 #797979 +0 63 #303430 +0 64 #c7b696 +0 65 #d7d7d7 +0 66 #aeaeae +0 67 #85807d +0 68 #d2d2d2 +0 69 #3a3a3a +0 70 #4573aa +0 71 #000000 +0 72 #e7e7e7 +0 73 #f7f7f7 +0 74 #d6d7d6 +0 75 #7b79a5 +0 76 #effbff +0 77 #9e9e9e +0 78 #717571 +0 79 #73758c +0 80 #414141 +0 81 #635dce +0 82 #565151 +0 83 #dd9d93 +0 84 #f1ece0 +0 85 #c3c3c3 +0 86 #e2c8a8 +0 87 #e1e1e1 +0 88 #da7a1a +0 89 #f1e41a +0 90 #887dc2 +0 91 #d6d6d6 +0 92 #8c8ca5 +0 93 #4a4a4a +0 94 #8c6b6b +0 95 #5a5a5a +0 96 #636363 +0 97 #b79b73 +0 98 #4193ff +0 99 #bf703b +0 100 #db7700 +0 101 #dab800 +0 102 #006400 +0 103 #5a6b3b +0 104 #d3d3d3 +0 105 #8e8ea4 +0 106 #f3b95d +0 107 #89996b +0 108 #646464 +0 109 #b7e6ff +0 110 #86c0ec +0 111 #bdbdbd +0 112 #d39552 +0 113 #98d2fe +0 114 #8c9c6b +0 115 #f76b00 +0 116 #5a6b39 +0 117 #8c9c6b +0 118 #8c9c7b +0 119 #184a18 +0 120 #adadad +0 121 #f7bd5a +0 122 #636b9c +0 123 #de0000 +0 124 #adadad +0 125 #f7bd5a +0 126 #adadad +0 127 #f7bd5a +0 128 #636b9c +0 129 #526b29 +0 130 #949494 +0 131 #006300 +0 132 #00634a +0 133 #7b844a +0 134 #e7bd7b +0 135 #a5b5c6 +0 136 #6b6b94 +0 137 #846b6b +0 138 #529c4a +0 139 #d6e7e7 +0 140 #526363 +0 141 #186b4a +0 142 #9ca5b5 +0 143 #ff9400 +0 144 #ff9400 +0 145 #00634a +0 146 #7b844a +0 147 #63737b +0 148 #e7bd7b +0 149 #184a18 +0 150 #f7bd5a +0 151 #dedede +0 152 #f3eed3 +0 153 #f5ae5d +0 154 #95ce99 +0 155 #b5157d +0 156 #eeeeee +0 157 #848484 +0 158 #7b7b7b +0 159 #005a00 +0 160 #e77373 +0 161 #ffcb31 +0 162 #29794a +0 163 #de2821 +0 164 #2159c6 +0 165 #f8f8f8 +0 166 #e6e6e6 +0 167 #21845a +0 168 #ff9408 +0 169 #007000 +0 170 #d00000 +0 171 #fed600 +0 172 #d82010 +0 173 #003484 +0 174 #d62010 +0 175 #389000 +0 176 #ba0000 +0 177 #003380 +0 178 #00a7bd +0 179 #ffc500 +0 180 #087bd0 +0 181 #fbc100 +0 182 #840029 +0 183 #07399c +0 184 #0063bd +0 185 #39acdf +0 186 #42c0e0 +0 187 #31ceff +0 188 #ffde00 +0 189 #085a00 +0 190 #ff2100 +0 191 #f75e08 +0 192 #ef7b08 +0 193 #ff8200 +0 194 #007d00 +0 195 #0000be +0 196 #757575 +0 197 #f3f3f3 +0 198 #d7d3d7 +0 199 #aeaaae +0 200 #c2c2c2 +0 201 #303030 +0 202 #515551 +0 203 #f7f3f7 +0 204 #717171 +6 9270 1980 13230 6570 +6 9471 3906 13014 5677 +2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5 + 10540 4394 10540 3936 9471 3936 9471 4394 10540 4394 +2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5 + 10387 5616 10387 5158 9471 5158 9471 5616 10387 5616 +2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5 + 12984 5005 12984 4547 9471 4547 9471 5005 12984 5005 +2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5 + 12984 5616 12984 5158 12067 5158 12067 5616 12984 5616 +2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5 + 11701 5627 11701 5168 10784 5168 10784 5627 11701 5627 +4 0 0 50 -1 16 11 0.0000 4 173 835 9623 4242 OpenPGP\001 +4 0 0 50 -1 16 11 0.0000 4 132 2770 9776 4853 APDU and ISO-7816 access code\001 +4 0 0 50 -1 16 11 0.0000 4 132 448 9623 5464 CCID\001 +4 0 0 50 -1 16 11 0.0000 4 132 601 12220 5464 CT-API\001 +4 0 0 50 -1 16 11 0.0000 4 132 560 10957 5464 PC/SC\001 +-6 +6 10693 3906 13014 4394 +2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5 + 11762 4394 11762 3936 10693 3936 10693 4394 11762 4394 +2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5 + 12984 4394 12984 3936 11915 3936 11915 4394 12984 4394 +4 0 0 50 -1 16 11 0.0000 4 132 377 10998 4242 NKS\001 +4 0 0 50 -1 16 11 0.0000 4 132 804 12067 4242 PKCS#15\001 +-6 +2 4 0 2 0 6 60 -1 20 0.000 0 0 5 0 0 5 + 13137 2072 9318 2072 9318 5739 13137 5739 13137 2072 +2 1 2 1 0 7 50 -1 -1 3.000 0 0 -1 0 0 2 + 9318 3753 13137 3753 +2 4 0 2 0 6 60 -1 20 0.000 0 0 5 0 0 5 + 11691 6360 10774 6360 10774 5901 11691 5901 11691 6360 +2 1 2 2 0 7 50 -1 -1 4.500 0 0 -1 0 0 1 + 11762 5739 +2 1 1 2 0 7 50 -1 -1 6.000 0 0 -1 0 0 4 + 10693 5739 10693 6502 11762 6502 11762 5739 +4 0 0 50 -1 18 15 0.0000 4 183 1293 10540 2989 SCDaemon\001 +4 0 0 50 -1 16 11 0.0000 4 133 662 10896 6176 wrapper\001 +-6 +6 90 1980 4050 5760 +6 306 3906 3849 5677 +2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5 + 1375 4394 1375 3936 306 3936 306 4394 1375 4394 +2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5 + 1222 5616 1222 5158 306 5158 306 5616 1222 5616 +2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5 + 3819 5005 3819 4547 306 4547 306 5005 3819 5005 +2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5 + 3819 5616 3819 5158 2902 5158 2902 5616 3819 5616 +2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5 + 2536 5627 2536 5168 1619 5168 1619 5627 2536 5627 +4 0 0 50 -1 16 11 0.0000 4 173 835 458 4242 OpenPGP\001 +4 0 0 50 -1 16 11 0.0000 4 132 2770 611 4853 APDU and ISO-7816 access code\001 +4 0 0 50 -1 16 11 0.0000 4 132 448 458 5464 CCID\001 +4 0 0 50 -1 16 11 0.0000 4 132 601 3055 5464 CT-API\001 +4 0 0 50 -1 16 11 0.0000 4 132 560 1792 5464 PC/SC\001 +-6 +6 2139 3753 3208 4211 +2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5 + 3208 4211 3208 3753 2139 3753 2139 4211 3208 4211 +4 0 0 50 -1 16 11 0.0000 4 132 784 2291 4058 Gluecode\001 +-6 +2 1 2 2 0 7 50 -1 -1 4.500 0 0 -1 0 0 1 + 2597 5739 +2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 1 0 2 + 1 1 1.00 40.73 81.47 + 2139 4028 1405 4150 +2 1 2 1 0 7 50 -1 -1 3.000 0 0 -1 0 0 4 + 153 3753 1833 3753 1833 4364 3972 4364 +2 4 0 2 0 6 60 -1 20 0.000 0 0 5 0 0 5 + 3972 2072 153 2072 153 5739 3972 5739 3972 2072 +4 0 0 50 -1 18 15 0.0000 4 224 866 1375 2989 gpg 1.4\001 +-6 +6 4888 4058 5346 5433 +2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5 + 5346 5433 5346 4058 4888 4058 4888 5433 5346 5433 +4 0 0 50 -1 16 11 1.5708 4 132 611 5194 5128 Assuan\001 +-6 +6 4680 1980 8640 5760 +2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5 + 5346 3753 5346 2378 4888 2378 4888 3753 5346 3753 +2 4 0 2 0 6 60 -1 20 0.000 0 0 5 0 0 5 + 8554 5739 4735 5739 4735 2072 8554 2072 8554 5739 +4 0 0 50 -1 16 11 1.5708 4 173 804 5194 3447 ssh-agent\001 +-6 +6 5805 3447 7332 4975 +6 5957 3447 7179 4211 +2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5 + 7179 4211 7179 3447 5957 3447 5957 4211 7179 4211 +4 0 0 50 -1 16 11 0.0000 4 173 937 6110 3753 Private Key\001 +4 0 0 50 -1 16 11 0.0000 4 173 896 6110 4058 Operations\001 +-6 +2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 1 + 7195 4883 +2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 1 + 7195 4883 +2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5 + 7332 4975 7332 4517 6721 4517 6721 4975 7332 4975 +2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 1 1 2 + 1 1 1.00 40.73 81.47 + 1 1 1.00 40.73 81.47 + 6568 4211 7027 4517 +2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 1 1 2 + 1 1 1.00 40.73 81.47 + 1 1 1.00 40.73 81.47 + 6568 4211 6110 4517 +2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5 + 6416 4975 6416 4517 5805 4517 5805 4975 6416 4975 +4 0 0 50 -1 16 11 0.0000 4 132 397 6874 4822 Card\001 +4 0 0 50 -1 16 11 0.0000 4 132 356 5957 4822 Disk\001 +-6 +6 7638 3600 8401 4058 +2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5 + 8401 4058 8401 3600 7638 3600 7638 4058 8401 4058 +2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 1 + 7638 3814 +4 0 0 50 -1 16 11 0.0000 4 132 530 7790 3905 Cache\001 +-6 +6 9471 2225 9929 3600 +2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5 + 9929 3600 9929 2225 9471 2225 9471 3600 9929 3600 +4 0 0 50 -1 16 11 1.5708 4 132 611 9776 3294 Assuan\001 +-6 +6 6480 360 8640 1440 +2 4 0 2 0 6 60 -1 20 0.000 0 0 5 0 0 5 + 8554 1339 6568 1339 6568 423 8554 423 8554 1339 +4 0 0 50 -1 18 15 0.0000 4 234 967 7027 881 pinentry\001 +4 0 0 50 -1 16 10 0.0000 4 153 1375 6874 1187 (GTK+, Qt, Curses)\001 +-6 +6 10570 270 13137 1003 +2 1 1 1 1 2 50 -1 -1 4.000 0 0 -1 1 0 2 + 1 1 1.00 40.73 81.47 + 10632 331 11181 331 +2 1 0 2 1 2 50 -1 -1 6.000 0 0 -1 1 0 2 + 1 1 2.00 81.47 162.94 + 10632 637 11181 637 +2 1 0 1 0 2 50 -1 -1 4.000 0 0 -1 1 0 2 + 1 1 1.00 40.73 81.47 + 10632 942 11181 942 +4 0 0 50 -1 16 10 0.0000 4 163 1762 11365 392 Alternative access paths\001 +4 0 0 50 -1 16 10 0.0000 4 163 1426 11365 698 IPC (pipe or socket)\001 +4 0 0 50 -1 16 10 0.0000 4 122 1232 11365 1003 Internal data flow\001 +-6 +# Smartcard ID-1 +6 6840 6120 8550 7200 +6 7069 6526 7307 6746 +2 1 0 1 0 7 48 -1 -1 0.000 0 0 -1 0 0 2 + 7234 6691 7307 6691 +2 1 0 1 0 0 48 -1 20 0.000 0 0 -1 0 0 2 + 7069 6636 7143 6636 +2 1 0 1 0 7 48 -1 -1 0.000 0 0 -1 0 0 2 + 7069 6581 7143 6581 +2 1 0 1 0 7 48 -1 -1 0.000 0 0 -1 0 0 2 + 7069 6691 7143 6691 +2 1 0 1 0 7 48 -1 -1 0.000 0 0 -1 0 0 2 + 7143 6526 7143 6746 +2 1 0 1 0 7 48 -1 -1 0.000 0 0 -1 0 0 3 + 7307 6581 7234 6581 7234 6746 +2 1 0 1 0 7 48 -1 -1 0.000 0 0 -1 0 0 2 + 7234 6636 7307 6636 +2 4 0 1 0 31 49 -1 20 0.000 0 0 1 0 0 5 + 7069 6526 7307 6526 7307 6746 7069 6746 7069 6526 +-6 +2 4 0 1 -1 7 50 -1 20 0.000 0 0 1 0 0 5 + 8472 7185 6904 7185 6904 6197 8472 6197 8472 7185 +-6 +2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 1 0 2 + 1 1 1.00 40.73 81.47 + 5346 3142 5957 3753 +2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 1 0 2 + 1 1 1.00 40.73 81.47 + 5346 4669 5957 3905 +2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 1 1 2 + 1 1 1.00 40.73 81.47 + 1 1 1.00 40.73 81.47 + 7179 3814 7638 3814 +2 4 0 2 0 6 60 -1 20 0.000 0 0 5 0 0 5 + 11731 7480 10693 7480 10693 6991 11731 6991 11731 7480 +3 2 0 2 1 2 50 -1 -1 6.000 0 1 0 3 + 1 1 2.00 81.47 162.94 + 8022 3600 8096 2225 7513 1360 + 0.000 -1.000 0.000 +3 2 0 2 1 2 50 -1 -1 0.000 0 1 0 3 + 0 0 2.00 81.47 162.94 + 7332 4730 8737 4486 9471 2897 + 0.000 -1.000 0.000 +3 2 0 2 1 2 50 -1 -1 6.000 0 1 0 3 + 1 1 2.00 81.47 162.94 + 3238 3997 4216 4242 4888 4730 + 0.000 -1.000 0.000 +3 2 0 2 1 2 50 -1 -1 6.000 0 1 0 3 + 1 1 2.00 81.47 162.94 + 11243 6502 11304 6747 11181 6991 + 0.000 -1.000 0.000 +3 2 1 1 1 2 50 -1 -1 4.000 0 1 0 3 + 1 1 1.00 40.73 81.47 + 10693 7235 9471 7174 8493 6869 + 0.000 -1.000 0.000 +3 2 1 1 1 2 50 -1 -1 4.000 0 1 0 3 + 1 1 1.00 40.73 81.47 + 9898 5647 9532 6380 8493 6563 + 0.000 -1.000 0.000 +3 2 1 1 1 2 50 -1 -1 4.000 0 1 0 3 + 1 1 1.00 40.73 81.47 + 12465 5647 11731 6624 8493 6747 + 0.000 -1.000 0.000 +3 2 1 1 1 2 50 -1 -1 4.000 0 1 0 3 + 1 1 1.00 40.73 81.47 + 2077 5647 3177 6502 6843 6624 + 0.000 -1.000 0.000 +3 2 1 1 1 2 50 -1 -1 4.000 0 1 0 3 + 1 1 1.00 40.73 81.47 + 733 5647 2444 6808 6843 6747 + 0.000 -1.000 0.000 +3 2 1 1 1 2 50 -1 -1 4.000 0 1 0 3 + 1 1 1.00 40.73 81.47 + 3361 5647 4155 6319 6843 6502 + 0.000 -1.000 0.000 +4 0 0 50 -1 18 15 0.0000 4 214 1191 5957 2989 gpg-agent\001 +4 0 0 50 -1 16 11 0.0000 4 173 387 10998 7297 pcsd\001 diff --git a/doc/gnupg-card-architecture.pdf b/doc/gnupg-card-architecture.pdf Binary files differnew file mode 100644 index 0000000..8592943 --- /dev/null +++ b/doc/gnupg-card-architecture.pdf diff --git a/doc/gnupg-card-architecture.png b/doc/gnupg-card-architecture.png Binary files differnew file mode 100644 index 0000000..3740d40 --- /dev/null +++ b/doc/gnupg-card-architecture.png diff --git a/doc/gnupg-logo-tr.png b/doc/gnupg-logo-tr.png Binary files differnew file mode 100644 index 0000000..af21af9 --- /dev/null +++ b/doc/gnupg-logo-tr.png diff --git a/doc/gnupg-logo.eps b/doc/gnupg-logo.eps new file mode 100644 index 0000000..d428f23 --- /dev/null +++ b/doc/gnupg-logo.eps @@ -0,0 +1,2704 @@ +%!PS-Adobe-3.0 EPSF-3.0 +%%Creator: (ImageMagick) +%%Title: (gnupg-logo.eps) +%%CreationDate: (Thu Mar 8 17:48:33 2007) +%%BoundingBox: 0 0 118 38 +%%HiResBoundingBox: 0 0 118.11 38 +%%DocumentData: Clean7Bit +%%LanguageLevel: 1 +%%Pages: 1 +%%EndComments + +%%BeginDefaults +%%EndDefaults + +%%BeginProlog +% +% Display a color image. The image is displayed in color on +% Postscript viewers or printers that support color, otherwise +% it is displayed as grayscale. +% +/DirectClassPacket +{ + % + % Get a DirectClass packet. + % + % Parameters: + % red. + % green. + % blue. + % length: number of pixels minus one of this color (optional). + % + currentfile color_packet readhexstring pop pop + compression 0 eq + { + /number_pixels 3 def + } + { + currentfile byte readhexstring pop 0 get + /number_pixels exch 1 add 3 mul def + } ifelse + 0 3 number_pixels 1 sub + { + pixels exch color_packet putinterval + } for + pixels 0 number_pixels getinterval +} bind def + +/DirectClassImage +{ + % + % Display a DirectClass image. + % + systemdict /colorimage known + { + columns rows 8 + [ + columns 0 0 + rows neg 0 rows + ] + { DirectClassPacket } false 3 colorimage + } + { + % + % No colorimage operator; convert to grayscale. + % + columns rows 8 + [ + columns 0 0 + rows neg 0 rows + ] + { GrayDirectClassPacket } image + } ifelse +} bind def + +/GrayDirectClassPacket +{ + % + % Get a DirectClass packet; convert to grayscale. + % + % Parameters: + % red + % green + % blue + % length: number of pixels minus one of this color (optional). + % + currentfile color_packet readhexstring pop pop + color_packet 0 get 0.299 mul + color_packet 1 get 0.587 mul add + color_packet 2 get 0.114 mul add + cvi + /gray_packet exch def + compression 0 eq + { + /number_pixels 1 def + } + { + currentfile byte readhexstring pop 0 get + /number_pixels exch 1 add def + } ifelse + 0 1 number_pixels 1 sub + { + pixels exch gray_packet put + } for + pixels 0 number_pixels getinterval +} bind def + +/GrayPseudoClassPacket +{ + % + % Get a PseudoClass packet; convert to grayscale. + % + % Parameters: + % index: index into the colormap. + % length: number of pixels minus one of this color (optional). + % + currentfile byte readhexstring pop 0 get + /offset exch 3 mul def + /color_packet colormap offset 3 getinterval def + color_packet 0 get 0.299 mul + color_packet 1 get 0.587 mul add + color_packet 2 get 0.114 mul add + cvi + /gray_packet exch def + compression 0 eq + { + /number_pixels 1 def + } + { + currentfile byte readhexstring pop 0 get + /number_pixels exch 1 add def + } ifelse + 0 1 number_pixels 1 sub + { + pixels exch gray_packet put + } for + pixels 0 number_pixels getinterval +} bind def + +/PseudoClassPacket +{ + % + % Get a PseudoClass packet. + % + % Parameters: + % index: index into the colormap. + % length: number of pixels minus one of this color (optional). + % + currentfile byte readhexstring pop 0 get + /offset exch 3 mul def + /color_packet colormap offset 3 getinterval def + compression 0 eq + { + /number_pixels 3 def + } + { + currentfile byte readhexstring pop 0 get + /number_pixels exch 1 add 3 mul def + } ifelse + 0 3 number_pixels 1 sub + { + pixels exch color_packet putinterval + } for + pixels 0 number_pixels getinterval +} bind def + +/PseudoClassImage +{ + % + % Display a PseudoClass image. + % + % Parameters: + % class: 0-PseudoClass or 1-Grayscale. + % + currentfile buffer readline pop + token pop /class exch def pop + class 0 gt + { + currentfile buffer readline pop + token pop /depth exch def pop + /grays columns 8 add depth sub depth mul 8 idiv string def + columns rows depth + [ + columns 0 0 + rows neg 0 rows + ] + { currentfile grays readhexstring pop } image + } + { + % + % Parameters: + % colors: number of colors in the colormap. + % colormap: red, green, blue color packets. + % + currentfile buffer readline pop + token pop /colors exch def pop + /colors colors 3 mul def + /colormap colors string def + currentfile colormap readhexstring pop pop + systemdict /colorimage known + { + columns rows 8 + [ + columns 0 0 + rows neg 0 rows + ] + { PseudoClassPacket } false 3 colorimage + } + { + % + % No colorimage operator; convert to grayscale. + % + columns rows 8 + [ + columns 0 0 + rows neg 0 rows + ] + { GrayPseudoClassPacket } image + } ifelse + } ifelse +} bind def + +/DisplayImage +{ + % + % Display a DirectClass or PseudoClass image. + % + % Parameters: + % x & y translation. + % x & y scale. + % label pointsize. + % image label. + % image columns & rows. + % class: 0-DirectClass or 1-PseudoClass. + % compression: 0-none or 1-RunlengthEncoded. + % hex color packets. + % + gsave + /buffer 512 string def + /byte 1 string def + /color_packet 3 string def + /pixels 768 string def + + currentfile buffer readline pop + token pop /x exch def + token pop /y exch def pop + x y translate + currentfile buffer readline pop + token pop /x exch def + token pop /y exch def pop + currentfile buffer readline pop + token pop /pointsize exch def pop + /Times-Roman findfont pointsize scalefont setfont + x y scale + currentfile buffer readline pop + token pop /columns exch def + token pop /rows exch def pop + currentfile buffer readline pop + token pop /class exch def pop + currentfile buffer readline pop + token pop /compression exch def pop + class 0 gt { PseudoClassImage } { DirectClassImage } ifelse + grestore +} bind def +%%EndProlog +%%Page: 1 1 +%%PageBoundingBox: 0 0 118 38 +userdict begin +DisplayImage +0 0 +118.11 38.189 +12.000000 +300 97 +0 +0 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFEFFBFE3F675C3EC33A7E30795DE008EDB008CDB +008DDB008FDC0092DD0093DD0093DD0093DD0093DD0091DC008FDC008DDB008CDB008EDB +0996DE38AAE47AC5EDC3E5F7FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEBF7FC91CFF031A6E30090DC008CDB008FDC0092DD0093DD0093DD +0093DD0092DD0091DC0090DC0090DC008FDC0090DC0091DC0091DD0092DD0093DD0093DD +0092DD008FDC008CDB0091DC35A8E397D2F1F0F9FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFEDF8FD81C8EE1B9DE0008CDB008FDC0093DD0093DD0093DD0091DD008FDC008DDB +008DDB0092DD0E99DF1B9EE126A3E22AA5E320A1E11A9EE00A97DE0091DC008DDB008DDB +008FDC0092DD0093DD0092DD008FDC008DDB229FE189CCEFF1F9FDFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +A1D7F2239FE1008CDB0090DC0093DD0093DD0092DD008EDC008DDB0C97DE37A9E474C3EC +A4D7F3C8E7F8E6F4FCF4FAFDFCFEFFFFFFFFFEFFFFFCFEFFEBF7FCCDEAF8A5D8F370C2EC +32A7E30895DE008DDB008FDC0093DD0093DD0090DC008CDB28A2E2ACDBF4FFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDEF1FB4CB2E6 +008EDB008FDC0093DD0093DD0092DD008DDB0091DC3FACE597D2F1DFF1FBFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFF7FBFEE7F4FCD5EDF9CBE9F8C4E5F7CFEAF8DDF1FAEEF8FD +EFF8FDD6EDF995D1F140ADE50593DD008FDC0093DD0093DD008FDC008EDC56B6E8E6F5FC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB1DEF51A9CE0008CDB +0093DD0093DD0093DD008EDB0493DD55B5E8C3E5F7FFFFFFFFFFFFFFFFFFFFFFFFF9FDFE +CDE9F89BD4F165BDEA38AAE41F9FE10D98DF0294DD0091DC008FDC0091DC0193DD0B97DE +1D9FE13AABE468BFEB8DCEF07AC5ED39A9E40A95DE0092DD0093DD0092DD008CDB229FE0 +BBE2F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8ACDEF0090DC0090DC0093DD +0093DD0091DC008DDB44AEE6C7E7F8FFFFFFFFFFFFFFFFFFFFFFFFC9E7F871C2EC2AA3E2 +0192DD008DDB008DDB008FDC0090DC0091DC0092DD0092DD0093DD0092DD0092DD0091DD +0090DC008FDC008DDB008EDB0996DE23A2E2189DE00192DD0093DD0093DD0093DD008FDC +0592DD96D2F1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF73C3EC008DDB0091DD0093DD0093DD +008EDB1198DF96D2F1FFFFFFFFFFFFFFFFFFF6FBFE9FD6F241ADE50092DD008CDB008FDC +0092DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0092DD0091DC0092DD0093DD0093DD0093DD0093DD0093DD +0091DC008EDC82CAEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6CC0EB008BDB0092DD0093DD0093DD008CDB +34A7E3D3ECF9FFFFFFFFFFFFFFFFFFA4D8F22BA3E2008DDB008EDB0092DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0092DD008DDB7CC8EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF78C6ED008DDB0092DD0093DD0093DD008CDB55B6E8 +F0F9FDFFFFFFFFFFFFC9E8F842ADE5008EDB008FDC0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0092DD008DDB89CDEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF9AD4F1008EDB0092DD0093DD0093DD008CDB61BCEAFCFEFF +FFFFFFFEFFFF87CBEF0894DD008DDB0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0092DD008FDCA6D9F3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFC4E6F70793DD0091DC0093DD0093DD008CDB5AB9E9FEFEFFFFFFFF +E6F5FC4BB1E7008CDB0091DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0090DC0D96DED2ECF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFF0F9FD28A3E2008EDB0093DD0093DD008DDB40AEE5F8FCFEFFFFFFD3ECF9 +29A2E2008CDB0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0092DD0090DC008FDC008DDB008DDB008DDB008DDB008FDC0091DC0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD008DDB33A8E4F7FBFEFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF68BFEB008BDB0093DD0093DD008FDC1D9EE1E6F4FCFFFFFFC8E8F8179ADF +008EDB0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC008CDB +0091DC1B9EE139ABE454B6E86AC0EB68BFEB52B6E837AAE4199DE00090DC008CDB0090DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD008CDB7EC8EEFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFC5E6F70191DC0092DD0093DD0092DD0190DCB8E1F6FFFFFFC9E9F81499DF008FDB +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC008EDC2EA6E380C8EE +C3E5F7F0F8FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEEF8FDBDE3F679C5ED29A3E2 +008EDB008FDC0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0091DC0894DED2ECF9FFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FEFFFF3FAEE5008DDB0093DD0093DD008CDB65BEEAFFFFFFD9EFFA189BDF008EDC0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0091DD008DDB2FA5E3A7D9F3F9FDFEFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6FBFE +A0D6F229A3E2008CDB0092DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD008DDB4CB4E7FFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +B3DFF5008FDB0093DD0093DD0090DC189CE0ECF7FCF0F9FD2FA6E3008EDB0093DD0093DD +0093DD0093DD0093DD0093DD0093DD008FDC0693DD85CBEEF5FBFEFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFF2FAFD79C6ED0291DD0090DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0291DCC3E6F7FFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFEFF +3AACE5008EDB0093DD0093DD008CDB8DCFF0FFFFFF56B7E8008CDB0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008EDB1A9CE0BDE3F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFB3DFF51298DF008FDC0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008DDB4EB4E7FFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC8E7F8 +0191DC0092DD0093DD0090DC189DE0F9FCFEA2D8F3008DDB0093DD0093DD0093DD0093DD +0093DD0093DD0093DD008EDC1F9EE0D5EDF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFCDEAF8199CE0008FDC0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0493DDD1ECF9FFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF65BEEB +008CDB0093DD0093DD008CDB80C9EEEDF7FD1199DF0090DC0093DD0093DD0093DD0093DD +0093DD0093DD0090DC1398DFD1ECF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC3E6F70B95DD0091DC0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB78C6EDFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0F8FD179DE0 +0090DC0093DD0092DD0594DEE4F3FB60BCEA008CDB0093DD0093DD0093DD0093DD0093DD +0093DD0092DD008FDCACDCF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9FD7F2008EDB0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC29A5E3F9FCFE +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB4DFF5008FDC +0093DD0093DD008EDB49B2E7CBE9F80492DD0092DD0093DD0093DD0093DD0093DD0093DD +0093DD008DDB64BDEBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF51B5E8008DDB0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0091DCC8E8F8 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6AC0EB008CDB +0093DD0093DD008DDB8DCFF057B8E9008DDB0093DD0093DD0093DD0093DD0093DD0093DD +0091DC1199DFE7F5FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDBEFFA0B96DE0091DC0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB7FC9EE +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFF36AAE4008FDC +0093DD0093DD0694DD85CBEF0996DE0092DD0093DD0093DD0093DD0093DD0093DD0093DD +008CDB75C5ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF69BFEB008CDB0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008EDB46B0E7 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0091DC23A2E252B6E8008EDC0093DD0093DD0093DD0093DD0093DD0093DD0092DD +0895DDD9EFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD0EBF90493DD0092DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0090DC189DE0 +F1F9FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC6E7F70091DD0093DD +0093DD0091DC1FA0E1169CE00091DC0093DD0093DD0093DD0093DD0093DD0093DD008EDB +40AEE6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFEFF2EA7E3008FDC0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0394DD +D2ECF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA5D9F3008EDB0093DD +0093DD0093DD0294DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008DDB +89CDEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF72C3EC008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC +B8E1F5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8CCFF0008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC +BAE2F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA8DAF3008EDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008EDB +9FD6F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF77C5ED008CDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0495DE +D4EDF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC8E8F80092DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008DDB +8CCFF0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6AC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC0C99DF +E4F3FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDBF0FB0797DE0092DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F4FC0E99DF0092DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEEF7FD139BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6DC1EB008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF +F1F8FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1F8FD129BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB +7FC9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFF7FBFEF4FAFDF4FAFEF4FAFEF4FAFE66BEEA008DDB0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC119BDF +E3F3FCF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFE +F4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFE +F4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEE3F3FC119BDF0091DC +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0087D9 +80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF58B8E91E9BDF1EA0E11EA0E11EA0E10D98DF0092DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0294DD +1C9FE11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E1 +1EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E1 +1EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11C9FE10294DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008EDB008FDC58B7E8 +E3F3FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4F3FBB6E0F591D0F071C2EC +53B5E841AEE637AAE436AAE436A9E43FADE554B6E872C3EC91D0F0B5DFF5DDF0FAFCFDFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFEFEFFE0F2FBDDF0FADDF1FADDF1FADDF1FADDF1FADDF1FADDF1FADDF1FADDF1FA +DDF1FADDF1FADDF1FADDF1FADDF1FADDF0FAE5F4FBEEF8FDF6FBFEFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4F3FBB7E0F593D0F071C2EC53B5E8 +41AEE536AAE436AAE436A9E43EADE553B6E870C2EC90D0F0B6DFF5DEF1FBFCFDFEFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF3DADE5008BDA0090DC0090DC0090DC0092DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC +0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC +0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC008EDB37A8E4B1DEF4FFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFEFFFFC7E7F780C8EE39AAE40E98DF008FDC008DDB008CDB +008DDB008EDB008FDC008FDC008FDC008EDB008DDB008CDB008DDB008FDC0A96DE2CA4E2 +62BCEAA2D7F2DAEFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFDFEFF3FADE60993DD0997DE0997DE0997DE0997DE0997DE0997DE0997DE0997DE +0997DE0997DE0997DE0997DE0997DE0996DE0D99DF159BE023A1E13AABE467BEEAA2D6F2 +DBEFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFC7E7F77FC7EE37A9E40F98DF008FDC008DDB008CDB008DDB +008EDB008FDC008FDC008FDC008EDC008DDB008CDB008DDB008FDC0A97DE2CA4E260BBEA +A4D7F3DAEFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0092DD008EDB008DDB2EA5E3A1D6F2FCFEFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFF9FDFEA1D7F238A9E40091DC008CDB008FDC0091DC0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD008FDC +008DDB008DDB0895DE40ACE590CFF0EBF6FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF58B8E9008BDA0092DD0092DD0092DD0092DD0092DD0092DD0092DD0092DD +0092DD0092DD0092DD0092DD0092DD0092DD0091DC0091DC0090DC008FDC008DDB008DDB +0995DE4CB2E7B4DFF5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFF9FDFEA1D6F239A9E40091DC008CDB008FDC0091DC0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD008FDC008DDB +008DDB0996DE3FACE591D0F0ECF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0091DC008DDB0090DC3DABE4A1D7F2F8FCFEFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFAFDDF434A7E3008DDB008EDC0092DD0093DD0093DD0093DD0093DD0092DD0090DC +008EDB008DDB008CDB008DDB008DDB008CDB008DDB008EDB0090DC0092DD0093DD0093DD +0093DD0093DD0092DD008EDB0089D99DD6F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF62BCEA008DDB0093DD0093DD0093DD0093DD0093DD0093DD0091DC008DDB +008DDB008DDB008DDB008DDB008DDB008EDB0090DC0092DD0093DD0093DD0093DD0093DD +0092DD008DDB008FDC4CB1E7D1ECF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +B0DDF535A7E3008DDB008EDC0092DD0093DD0093DD0093DD0093DD0092DD0090DC008EDB +008DDB008CDB008DDB008DDB008CDB008DDB008EDB0090DC0092DD0093DD0093DD0093DD +0093DD0092DD008EDC0089D9A8DAF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC +008DDB008DDB1A9CE061BAEAC0E4F7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF8FC +63BCEA008EDC008EDC0093DD0093DD0093DD0093DD0093DD0091DD008DDB0090DC22A1E1 +4BB3E76FC2EC86CCEF94D2F194D2F186CCEF6DC1EB4AB2E722A1E10092DD008CDB008FDC +0093DD0093DD0093DD0093DD008EDB9DD6F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD0091DC25A3E261BCEA +61BCEA61BCEA61BCEA61BCEA5BBAE944AFE621A1E10090DC008DDB0092DD0093DD0093DD +0093DD0093DD0093DD008CDB1097DEABDBF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFECF7FD63BBEA +008FDC008EDC0093DD0093DD0093DD0093DD0093DD0091DD008DDB0091DC22A1E14AB2E7 +6EC1EB87CCEF94D2F194D2F185CBEF6CC0EB4AB2E723A1E10092DD008CDB008FDC0093DD +0093DD0093DD0093DD008EDBA8DAF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0090DC008CDB008EDB1299DF +50B4E7A3D7F2ECF7FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD5EDF92BA4E2 +008CDB0092DD0093DD0093DD0093DD0093DD0092DD008DDB0C96DE63BCEABDE3F6F5FBFE +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6FBFEC7E7F780C8EE2BA4E2 +008FDC008EDB0092DD0093DD008EDB9ED6F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB66BEEBFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF4FAFDBDE3F655B6E80090DC0090DC0093DD +0093DD0093DD0093DD0093DD0090DC008FDCA0D7F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD6EEFA2DA4E2008BDB +0092DD0093DD0093DD0093DD0093DD0093DD008DDB0B96DE63BCE9BEE3F6F5FBFEFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6FBFEC8E7F782C9EE2CA4E2008FDC +008EDB0092DD0093DD008EDBA9DAF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0092DD008FDC008DDB008DDB0494DD2AA4E268BEEAA6D9F3E6F4FB +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFE9F6FC93D1F1FEFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC2E6F71A9BE0008EDB +0093DD0093DD0093DD0093DD0093DD0091DC008FDC5CB9E9D6EEFAFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9FCFE +B1DEF549B0E60090DC008EDB008EDB9ED6F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFAEDCF41499DF008FDC +0093DD0093DD0093DD0093DD0093DD0090DC0894DDC6E7F8FFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC8E8F81A9BDF008EDB0093DD +0093DD0093DD0093DD0093DD0091DC008FDC5AB8E8D4ECF9FFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9FCFEB1DEF5 +49B0E60090DC008EDB008EDBA9DAF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0091DC008FDC +008DDB008DDB008FDC0996DE2DA6E35FBAE99BD4F1D3ECF9F9FCFEFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFF4FAFD3AAAE440AEE6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD0ECF91399DF008EDC0093DD +0093DD0093DD0093DD0093DD008FDC0B95DE9ED5F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFB5DFF536A8E30087D99AD4F1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC6E7F80F96DE +0091DC0093DD0093DD0093DD0093DD0093DD008EDB2CA6E3F6FBFEFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCEEBF9169ADF008EDB0093DD0093DD +0093DD0093DD0093DD0090DC0A95DE9FD6F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFB7E0F537A8E40087D9A5D8F3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0092DD0091DC0090DC008FDC008EDB008DDB008DDB008EDB0394DD199DE035A9E4 +60BBE98ECEF0B8E1F6DCF0FAFCFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFEEF8FD43AEE60087D951B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE3F3FB209FE1008EDB0093DD0093DD +0093DD0093DD0093DD008FDC1399DEC0E5F7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFF9FDFE84C9EEAADBF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF99D4F2 +008EDB0093DD0093DD0093DD0093DD0093DD0093DD008CDBA2D8F2FFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4F3FB209FE1008EDB0093DD0093DD0093DD +0093DD0093DD0090DC0F97DEBBE2F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFAFDFE85CAEEB3DFF5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0092DD0091DC008FDC008EDB008DDB008DDB008CDB008DDB008EDB +0090DC0495DD0E99DF1E9FE131A7E34AB2E76FC2EC91D0F0B0DDF4D3ECF9F0F8FDFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFE4F4FC36A8E3008CDB008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFEFF48B1E7008CDB0093DD0093DD0093DD +0093DD0093DD0091DC0793DDBDE3F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFEFF +2FA7E3008FDC0093DD0093DD0093DD0093DD0093DD008EDB3AACE5FEFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFEFF4AB2E7008CDB0093DD0093DD0093DD0093DD +0093DD0091DC0692DDB9E2F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0090DC +008EDB008CDB008EDC0294DD139BDF2CA5E342AFE659B8E969BFEB7CC7ED91D0F0ACDBF4 +C3E5F7D5EDF9E6F4FCF4FAFDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +CDEAF924A0E1008DDB0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8ECFF0008CDB0093DD0093DD0093DD0093DD +0093DD0093DD008DDB94D2F1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9FDFEE1F2FBC7E7F7BDE3F6BDE3F6 +C0E4F6D7EEF9F1F9FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +93D1F0008DDB0093DD0093DD0093DD0093DD0093DD0092DD0795DEDBF0FAFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8CCFF0008CDB0093DD0093DD0093DD0093DD0093DD +0093DD008DDB92D1F1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0090DC008CDB0090DC1C9EE0 +4AB1E778C5EDAFDCF4D2EBF9EBF6FCFCFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFADDCF4 +1398DF008EDB0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE0F2FB0F98DF0090DC0093DD0093DD0093DD0093DD +0093DD008DDB4CB3E7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEAF6FC9ED6F29ED6F29ED6F29ED6F29ED6F29ED6F29ED4F1D7EEFA +FFFFFFFFFFFFFFFFFFFFFFFFF4FBFEAEDCF45DB9E928A3E20B97DE0091DC008FDC008FDC +008FDC0695DE1A9DE044AFE691CFF0E0F2FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE7F5FC9ED5F29ED6F29ED6F2 +9ED6F29ED6F29ED6F29ED4F1B6E0F5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB9E1F69ED4F19ED6F29ED6F2 +9ED6F29ED6F29ED6F29ED4F2DEF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +D4EDF90594DD0092DD0093DD0093DD0093DD0093DD0093DD008EDCA9DBF3FFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFE4F3FB1099DF0090DC0093DD0093DD0093DD0093DD0093DD +008DDB49B2E7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0091DC008DDB0090DC2AA3E275C4ECBDE3F6F1F9FD +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFF7FC8EE0090DC +0090DC0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC1EB008CDB0093DD0093DD0093DD0093DD0093DD +0092DC0A95DDD8EEFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFDBF0FA0092DD008CDB008EDB008EDB008EDB008EDB0087D98FD0F0 +FFFFFFFFFFFFFFFFFFA1D7F32AA2E2008EDB008DDB0090DC0091DD0092DD0093DD0093DD +0093DD0092DD0091DC008EDB008CDB1198DF7FC8EEF7FCFEFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD1EBF9008FDC008CDB008EDB +008EDB008EDB008EDB0087D953B6E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF57B8E90087D9008EDB008EDB +008EDB008EDB008DDB008CDBC4E6F7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +F6FBFE1EA0E10090DC0093DD0093DD0093DD0093DD0093DD008CDB88CDEFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008CDB0093DD0093DD0093DD0093DD0093DD0091DC +0995DED6EDF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0091DC008CDB0D97DE60BAE9B8E0F5F9FCFEFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDDF1FA49B0E6008DDB0092DD +0093DD0093DD0093DD0093DD008ADA4DB3E7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFE1F3FB0D98DF0091DD0093DD0093DD0093DD0093DD0093DD +008CDB66BFEAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEEF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB93D2F1 +FFFFFFF6FBFE5DBAE9008DDB008FDC0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0091DC008BDB3BAAE4E1F2FBFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE8F5FC0F9ADF0091DC0093DD +0093DD0093DD0093DD008DDB71C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7BC7ED008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDEF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FEFFFF33A9E4008FDC0093DD0093DD0093DD0093DD0093DD008DDB72C3ECFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFE2F2FB0C97DE0091DC0093DD0093DD0093DD0093DD0093DD008DDB +65BEEBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0092DD008DDB0D96DE71C1ECDBEFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA4D8F31A9BDF008DDB0093DD0093DD +0093DD0093DD008FDC008EDB1C9ADF6ABFEBFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF84CBEE008CDB0093DD0093DD0093DD0093DD0093DD0092DD +0492DDCEEAF8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB98D4F1 +FFFFFF50B4E7008BDA0092DD0093DD0093DD0093DD0092DD0092DD0092DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB2AA3E2E7F5FCFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEEF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF81C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFF37ABE4008FDC0093DD0093DD0093DD0093DD0093DD008DDB69BFEBFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFF84CBEF008CDB0093DD0093DD0093DD0093DD0093DD0092DD0393DD +CFEAF8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD +008FDC0091DC63BCEAD9EFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDDF1FB57B7E8008EDB0090DC0093DD0093DD0093DD +0090DC008DDB33A7E3A5D8F3F1F9FDACDCF4FDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFBFDFF2CA6E3008FDC0093DD0093DD0093DD0093DD0093DD008FDB +32A8E4FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDBA1D8F2 +83CAEE008BDA0093DD0093DD008FDC008DDB008EDB0091DC0093DD0091DC008EDB008DDB +0091DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD008BDA4EB4E7FFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FEFFFF33A9E4008FDC0093DD0093DD0093DD0093DD0093DD008CDB73C3ECFFFFFFFFFFFF +FFFFFFFFFFFFFEFEFF31A8E4008FDC0093DD0093DD0093DD0093DD0093DD008FDC2BA6E3 +FCFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0092DD008CDB +2AA3E2B7E0F5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFF6FBFE8DCEEF1499DF008CDB0092DD0093DD0093DD0091DC008CDB +209EE097D2F1F9FCFEFFFFFFC6E7F756B7E9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFD4ECF90394DD0092DD0093DD0093DD0093DD0093DD0093DD008CDB +6EC1ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0092DD45B0E6 +0695DE0092DD0090DC008FDC31A7E37DC7EEADDCF4C6E7F7CDEAF8C5E6F7A7D9F368BEEB +189CE0008DDB0093DD0093DD0093DD0093DD0093DD0093DD0092DD008FDCBAE2F6FFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +F7FCFE21A1E20090DC0093DD0093DD0093DD0093DD0093DD008DDB8BCEEFFFFFFFFFFFFF +FFFFFFFFFFFFD3ECF90493DD0092DD0093DD0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0091DC008EDB66BDEA +F1F9FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFEFFFFA5D8F32CA3E2008DDB0091DC0093DD0093DD0092DD008CDB0B95DE78C5EC +ECF7FCFFFFFFFFFFFFF8FCFE2BA4E245B0E6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFF91D0F1008CDB0093DD0093DD0093DD0093DD0093DD0093DD008EDB +B0DDF5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0093DD0091DC +0092DD008EDB1D9DE0ACDBF4FCFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +E8F5FC65BDEA008EDB0093DD0093DD0093DD0093DD0093DD0093DD008DDB52B6E8FFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +D9EFFA0695DD0092DD0093DD0093DD0093DD0093DD0093DD008EDBACDCF4FFFFFFFFFFFF +FFFFFFFFFFFF95D2F1008DDB0093DD0093DD0093DD0093DD0093DD0093DD008EDBACDCF4 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0090DC0793DD97D3F1FFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9FDFE +ABDBF43BABE4008EDB008FDC0093DD0093DD0093DD008EDB0091DC54B5E7D2ECF9FFFFFF +FFFFFFFFFFFFFFFFFF79C7ED0087D951B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFF57B8E9008DDB0093DD0093DD0093DD0093DD0093DD0092DD0696DE +DBEFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0093DD0093DD +008FDC229FE1D8EFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF66BEEA008DDB0093DD0093DD0093DD0093DD0093DD0090DC189EE0F2F9FD +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +9AD4F1008DDB0093DD0093DD0093DD0093DD0093DD0092DD0896DEDDF1FBFFFFFFFFFFFF +FFFFFFFFFFFF56B7E8008DDB0093DD0093DD0093DD0093DD0093DD0092DD0796DEDAEFFA +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD008FDB1399DFB8E1F6FFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEAF6FC96D1F02FA5E3 +008EDB008EDC0093DD0093DD0092DD008DDB008EDB44AEE5BDE3F6FFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFA9DBF3008FDC008CDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFBFDFF2BA5E3008FDC0093DD0093DD0093DD0093DD0093DD0090DC1FA0E1 +F6FBFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0093DD0092DC +0894DDC8E8F8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFEEF7FD189DE00090DC0093DD0093DD0093DD0093DD0092DD0495DED6EDFA +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +3BACE5008EDB0093DD0093DD0093DD0093DD0093DD008EDB3DADE5FFFFFFFFFFFFFFFFFF +FFFFFFFCFEFF2BA6E3008FDC0093DD0093DD0093DD0093DD0093DD0090DC23A2E2F9FCFE +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB008FDC169ADFC7E8F8FFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8FCFEBBE2F66BBFEB189CE0008DDB008FDC +0093DD0092DD0090DC008CDB0292DD47AFE6AEDCF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFCEEBF90F97DE0090DC008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFE6F4FC0D99DF0091DC0093DD0093DD0093DD0093DD0093DD008EDB42AFE6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0093DD008DDB +61BCEAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFF6BC0EC008DDB0093DD0093DD0093DD0093DD0093DD0090DCC1E5F7 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB7E1F5 +0190DC0093DD0093DD0093DD0093DD0093DD0093DD008DDBA2D7F2FFFFFFFFFFFFFFFFFF +FFFFFFEAF6FD129BDF0091DC0093DD0093DD0093DD0093DD0093DD008EDB3CACE5FFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008ADA1198DECAE9F8FFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEFF8FDB7E0F571C2EC28A2E20090DC008CDB0090DC0091DC008EDB +008DDB0091DC27A2E273C3ECCDE9F8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +E0F2FB219FE1008EDC0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFD0EBF80294DD0092DD0093DD0093DD0093DD0093DD0093DD008DDB5CBAE9 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0092DD0292DD +CBE9F8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFA7DAF3008DDB0093DD0093DD0093DD0093DD0093DD008FDCBCE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2FAFD2BA4E2 +008FDC0093DD0093DD0093DD0093DD0093DD008EDC2BA5E3F5FBFEFFFFFFFFFFFFFFFFFF +FFFFFFCFEBF80193DD0092DD0093DD0093DD0093DD0093DD0093DD008DDB58B9E8FFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF3DADE5038EDCB9E2F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3FAFDD8EEFA +B1DDF479C5ED44AFE6169BE0008DDB0089DA008BDA008CDB008DDB0091DC1A9DE046B0E6 +89CCEFC5E6F7F7FCFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9F6FC +31A6E3008DDB0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFC0E4F70090DC0093DD0093DD0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8FCFEF6FBFE +F6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF5FBFEFDFEFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0090DC27A4E2 +FAFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBEE4F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6FBFE4FB3E7008DDB +0093DD0093DD0093DD0093DD0093DD0090DC0592DDC2E5F7FFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFB8E1F5008EDC0093DD0093DD0093DD0093DD0093DD0093DD008CDB75C4ECFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9FDFEF6FBFEF6FBFE +F6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF5FBFEFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF37AAE48FD0F0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFAFDFEDCF0FABEE3F6A7D9F38CCEEF72C3EC56B7E836A9E4159BE00091DC +008DDB008CDB0090DC0796DE199DE02EA6E347B0E674C3EC9BD4F1C6E6F7EFF8FDFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE6F5FC35A8E3 +008DDB0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFAEDCF4008EDB0093DD0093DD0093DD0093DD0093DD0093DD008CDB7FC9EE +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFADDCF4229DE0 +22A1E122A1E122A1E122A1E122A1E122A0E12FA7E3EBF6FCFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB51B5E8 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB62BDEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCEEAF83FADE5008DDB0093DD +0093DD0093DD0093DD0093DD0091DC008EDB95D3F1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFAADCF4008EDC0093DD0093DD0093DD0093DD0093DD0093DD008CDB84CBEFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFADDDF4229DE022A1E1 +22A1E122A1E122A1E122A1E122A0E133A9E4EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFCFEFFADDCF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFCFEFFEFF8FDE3F3FBD4EDF9C4E6F7BAE1F6B5E0F5B2DEF5B6E0F5BAE2F6 +C5E6F7CCE9F8D7EEFAE4F4FBF1F9FDFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD8EEFA2BA3E2008DDB +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFA8D9F4008EDB0093DD0093DD0093DD0093DD0093DD0093DD008CDB82CAEE +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC2E5F7008EDC +008FDC0090DC0090DC0090DC0090DC008CDB23A2E2FAFDFEFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB63BDEA +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB5DBAE9F4FAFE +F4FAFEF4FAFEF4FAFEF2FAFDE9F5FCCBE9F89DD5F250B4E70794DD008EDC0093DD0093DD +0093DD0093DD0093DD008EDB0491DD98D4F1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFF9ED6F2008EDB0093DD0093DD0093DD0093DD0093DD0093DD008DDB8FD0F0FFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBBE2F6008CDB0090DC +0090DC0090DC0090DC0090DC008CDB23A2E2FAFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBFE4F61B9CE0008EDB0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF9CD5F2008EDB0093DD0093DD0093DD0093DD0093DD0093DD008DDB94D2F1 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCAE8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC33A9E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB6FC2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD0092DD0B98DE1EA0E1 +1EA0E11EA0E11EA0E11B9FE1109ADF0093DD008DDB008EDB0092DD0093DD0093DD0093DD +0093DD0090DC008CDB2BA3E2B8E1F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFF9ED6F2008EDB0093DD0093DD0093DD0093DD0093DD0093DD008DDB8FD0F0FFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8FCFF00793DD008FDC0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFA7D9F4008EDB0093DD0093DD0093DD0093DD0093DD0093DD008DDB88CDEF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD0093DD0092DD0090DC +0090DC0090DC0090DC0090DC0091DC0092DD0093DD0093DD0093DD0093DD0091DC008EDB +008CDB1B9CE083CAEEF3FAFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFF9DD6F2008EDB0093DD0093DD0093DD0093DD0093DD0093DD008DDB90D0F0FFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDEF1FB54B5E8008DDB0091DC0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFABDBF4008EDB0093DD0093DD0093DD0093DD0093DD0093DD008CDB80C9EE +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD0093DD0092DD0090DC +0090DC0090DC0090DC0090DC008FDC008FDC008EDB008DDB008CDB008FDC0F98DF49B1E6 +97D2F1EBF6FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFA7DAF3008EDC0093DD0093DD0093DD0093DD0093DD0093DD008CDB89CDEFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFDFFFF98D3F1179BDF008CDB0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD0093DD008DDB78C5ED +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD0092DD0D98DF22A1E1 +22A1E122A1E122A1E123A2E130A7E335A9E446B0E65EBAE981C8EEB3DEF5E3F3FBFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFB8E1F5008EDC0093DD0093DD0093DD0093DD0093DD0093DD008CDB7CC7EDFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFB7E0F53CABE5008DDB0090DC0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFCEEAF80293DD0092DD0093DD0093DD0093DD0093DD0093DD008DDB65BEEB +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB5EBAEAF6FBFE +F6FBFEF6FBFEF6FBFEF6FBFEFEFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFCCEAF80193DD0092DD0093DD0093DD0093DD0093DD0093DD008DDB65BEEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFF +BBE2F648B0E60090DC008EDC0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFE2F2FB0B98DF0091DC0093DD0093DD0093DD0093DD0093DD008DDB4DB4E7 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB62BDEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFE7F5FC0E99DF0091DD0093DD0093DD0093DD0093DD0093DD008EDB47B1E7FFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFECF7FC9BD4F138A9E4 +0091DC008EDB0092DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFAFCFF26A3E20090DC0093DD0093DD0093DD0093DD0093DD008FDC2EA7E3 +FDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFAFDFE27A4E2008FDC0093DD0093DD0093DD0093DD0093DD008FDC2DA6E3FCFEFE +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFF8FDBAE1F568BEEB1A9CE0008DDB008EDC +0092DD0093DD0093DD0093DD0093DD0093DD0090DC008DDB0091DC0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFF50B5E8008DDB0093DD0093DD0093DD0093DD0093DD0091DC0F9ADF +E7F5FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF4DB4E7008EDB0093DD0093DD0093DD0093DD0093DD0091DC119BDFEAF6FD +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFDDF0FAA5D8F35DB9E91D9EE1008FDC008DDB0090DC0093DD0093DD +0093DD0093DD0093DD0092DD008DDB008EDB23A1E184CBEE79C6ED0090DC0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFF86CCEF008CDB0093DD0093DD0093DD0093DD0093DD0093DD0090DC +C2E5F7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF8ACDEF008CDB0093DD0093DD0093DD0093DD0093DD0093DD0090DCBEE4F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFEFFE8F5FCC1E5F7 +96D2F168BEEB34A8E40996DE008EDB008DDB0090DC0093DD0093DD0093DD0093DD0093DD +0092DD008FDC008CDB0794DD4FB3E7A9DAF3F7FCFEF5FBFE34A8E40090DC0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFC8E8F80192DD0092DD0093DD0093DD0093DD0093DD0093DD008DDB +83CAEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFC8E8F80191DC0093DD0093DD0093DD0093DD0093DD0093DD008DDB86CCEF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFCFEFFFAFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FAFDFEF3FAFDEBF7FCD9EFFAC5E6F7AEDCF494D1F175C4EC4CB3E72CA5E3119ADF0091DC +008DDB008DDB008FDC0092DD0093DD0093DD0093DD0093DD0092DD0091DC008EDC008CDB +0090DC2BA3E27CC7EDD5EDF9FFFFFFFFFFFFF7FCFE39ABE4008DDB0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFF6FBFE1FA0E10090DC0093DD0093DD0093DD0093DD0093DD008EDB +43B0E6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFF9FCFF25A3E2008FDC0093DD0093DD0093DD0093DD0093DD008EDB3BADE5 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFE3F3FBA7D9F372C2EC53B5E83CACE533A9E427A3E224A2E2 +1D9FE1149CE00B97DE0194DD008FDC008CDB008CDB008BDB008DDB008EDB0090DC0091DC +0091DC0091DC0090DC008FDC008EDC008DDB008CDB008DDB0091DC159BDF3EACE584CAEE +C4E6F7F8FCFEFFFFFFFFFFFFFFFFFFF1F9FD49B1E6008DDB0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF6FC2EC008CDB0093DD0093DD0093DD0093DD0093DD0092DD +0B97DEDEF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF81C9EE008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFF6EC2EC008CDB0093DD0093DD0093DD0093DD0093DD0092DD0896DE +DDF0FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2FAFDDAEFFAB6DFF592D0F075C4EC52B5E8 +36A9E428A4E21C9EE1129ADF0D98DF0A97DE0595DE0595DE0595DE0595DE0595DE0A97DE +0C98DF129BDF1D9FE12BA5E33BABE555B6E87CC7ED9DD5F2C3E5F7ECF6FCFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFE8F6FC41ADE5008CDB0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFCEEAF90392DC0092DD0093DD0093DD0093DD0093DD0093DD +008CDB82CBEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7BC7ED008CDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFCFEAF80393DD0092DD0093DD0093DD0093DD0093DD0093DD008CDB +81CAEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFDFEFFF5FBFEEFF8FDE6F4FCE0F2FBD6EEFAD5EDF9D5EDF9D5EDF9D5EDF9DFF1FB +E3F3FBEDF7FDF3FAFDFBFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFCAE8F826A1E1008DDB0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF4AB3E7008DDB0093DD0093DD0093DD0093DD0093DD +0090DC1A9DE0EDF7FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD +0093DD0093DD0093DD008DDB71C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF67BEEB008DDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFF4AB3E7008DDB0093DD0093DD0093DD0093DD0093DD0090DC +199DE0EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFEFFFF91D0F00C95DE008EDC0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC1E5F70090DC0092DD0093DD0093DD0093DD0093DD +0093DD008CDB7DC8EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFECF7FD119BDF0091DC0093DD +0093DD0093DD0093DD008DDB60BBEAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFEFF36AAE5008FDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFC4E6F70191DC0092DD0093DD0093DD0093DD0093DD0093DD +008CDB78C6EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +D0EBF945AEE5008DDB0091DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF59B9E9008CDB0093DD0093DD0093DD0093DD +0093DD0091DC0A95DECFEBF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5FAFE1EA0E10090DC0093DD +0093DD0093DD0093DD008FDC2FA7E3FEFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFEAF80392DD0092DD0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5BBAE9008BDB0093DD0093DD0093DD0093DD0093DD +0091DD0994DDCEEAF8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE1F2FB72C2EC +0B95DE008DDB0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE3F3FB189CE0008FDC0093DD0093DD0093DD +0093DD0093DD008EDC2DA5E2EDF8FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3BACE5008EDC0093DD +0093DD0093DD0093DD0092DD0392DDC9E8F8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52B6E8008EDB0093DD0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4F3FB199CE00090DC0093DD0093DD0093DD0093DD +0093DD008EDC2BA4E2EDF8FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4F4FB79C5ED1499DF008CDB +0091DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFADDCF4008FDB0092DD0093DD0093DD +0093DD0093DD0093DD008DDB44AFE6F1F9FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF65BEEB008CDB0093DD +0093DD0093DD0093DD0093DD008EDB43AFE6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF86CCEF008DDB0093DD0093DD0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFAFDDF4008FDC0092DD0093DD0093DD0093DD +0093DD0093DD008DDB40ADE5EFF9FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD +0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCAE8F866BDEA159ADF008CDB0091DC0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF86CCEF008DDB0092DD0093DD +0093DD0093DD0093DD0093DD008DDB37A9E4D8EEFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD1ECF90092DD +0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA3D8F3008DDB0093DD +0093DD0093DD0093DD0093DD0093DD008EDB64BCEAF5FBFDFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFEFF8FD6EC0EB008FDC0092DD0092DD0093DD0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF85CBEF008DDB0092DD0093DD0093DD +0093DD0093DD0093DD008DDB37A9E3D9EFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD5EEF90093DD0092DD +0093DD0093DD0093DD0093DD008FDC37AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFDEF1FB93D0F03EACE50192DD008DDB0091DC0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF71C3EC008CDB0092DD +0093DD0093DD0093DD0093DD0093DD008EDB159ADF98D3F1F7FCFEFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFEFF98D3F10091DC +0092DD0093DD0093DD0093DD0093DD008FDC33A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF8FD179DE00090DC +0093DD0093DD0093DD0093DD0093DD0093DD008DDB2FA5E39DD5F2DEF1FBF6FBFEFBFDFE +FAFDFEF0F9FDD2ECF988CCEF25A1E1008DDB0092DD0091DC0896DE0194DD0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF75C4ED008CDB0092DD0093DD +0093DD0093DD0093DD0093DD008EDB1599DF97D3F1F7FCFEFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFF9BD5F10091DD0092DD +0093DD0093DD0093DD0093DD008FDC33A9E4FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF4FAFD +C6E6F787CBEF3EACE50C97DE008DDB008EDC0092DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF86CBEF008FDC +008FDC0093DD0093DD0093DD0093DD0093DD0090DC008EDB2BA4E28DCEF0D9EFFAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE2F3FB9AD3F138A9E40090DC0092DD +0093DD0093DD0093DD0093DD0093DD0090DC20A1E1F6FBFEFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8ECFF0008BDA +0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC008EDB0A97DE21A1E12AA5E3 +29A4E3199EE00394DD008DDB0090DC0093DD008FDC21A1E187CCEF0191DC0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF88CCEF008FDC008FDC +0093DD0093DD0093DD0093DD0093DD0090DC008EDB2CA4E28ECEF0DBEFFAFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE3F3FB99D3F138A9E40090DC0092DD0093DD +0093DD0093DD0093DD0093DD008FDC23A2E2F8FCFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FCFEE6F4FCCDE9F8AEDCF484CAEE4DB3E71F9FE1 +0092DC008CDB008EDC0091DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFAADBF4 +1C9CE0008CDB0092DD0093DD0093DD0093DD0093DD0093DD008FDC008DDB0996DE33A8E3 +5FBBEA84CBEE8FD0F08FD0F089CDEF6CC1EB3BABE50F98DF008DDB008FDC0093DD0093DD +0093DD0093DD0093DD0093DD0092DD008DDB008FDCD5EDF9FFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBEE3F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBFDFE47B1E6 +008BDB0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DD0090DC008FDC +0090DC0090DC0092DD0093DD0093DD008FDC0B95DDC8E8F8B7E1F6008EDB0093DD0093DD +0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFAADBF41C9CE0 +008CDB0092DD0093DD0093DD0093DD0093DD0093DD008FDC008DDB0A96DE32A8E35DBAE9 +83CAEE8FD0F08FD0F08ACDEF6CC0EB3CABE51099DF008DDB008FDC0093DD0093DD0093DD +0093DD0093DD0093DD0092DD008EDB0090DCD6EEFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE1F2FBBAE1F68DCEF0 +6BC0EB58B8E94AB2E742AEE642AFE642AFE642AFE642AEE64AB2E751B5E856B8E861BCEA +61BCEA61BCEA57B8E94DB3E73BACE524A2E20E99DF0093DD008EDC008DDB008EDB0090DC +0092DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +E3F3FB5FBAE90291DC008DDB0091DD0093DD0093DD0093DD0093DD0093DD0092DD008FDC +008DDB008CDB008DDB008DDB008DDB008DDB008FDC0091DC0093DD0093DD0093DD0093DD +0093DD0091DC008EDB008CDB0494DD35A8E484CAEEE9F6FCFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFEEF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB6EC1EC +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFBEE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBAE2F6 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFF8FD +42AEE6008ADA0091DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB0E96DEB5E0F5FFFFFFA9DAF4008EDB0093DD0093DD +0093DD0093DD0092DD0A97DEDEF2FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF62BDEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB63BDEAFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4F4FB +61BBE90191DC008DDB0091DD0093DD0093DD0093DD0093DD0093DD0092DD008FDC008DDB +008CDB008DDB008DDB008DDB008DDB008FDC0091DC0093DD0093DD0093DD0093DD0093DD +0091DC008EDB008CDB0393DD34A8E481C9EEE7F5FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCEEAF881C8EE3DACE50C97DE008FDC008DDB +008DDB008DDB008EDB008EDB008EDB008EDB008EDB008EDB008EDB008EDB008DDB008DDB +008DDB008DDB008DDB008EDB008EDC0090DC0091DC0092DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFC4E6F75BB7E90C97DE008CDB008DDB0090DC0092DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0091DC008FDC008DDB +008EDC1199DF4BB2E78DCDF0D1EBF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFE9F5FC0997DE008EDB0090DC0090DC0090DC0090DC008ADA58B8E9 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFB6E0F5008CDB0090DC0090DC0090DC0090DC0090DC008ADA9FD6F3 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +F5FBFE70C2EC0894DD008CDB0090DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD +0093DD0092DD008EDB008DDB3BAAE4CBE9F8FFFFFFFFFFFFA7D9F4008BDA0090DC0090DC +0090DC0090DC008FDC0092DCD3EDF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFF50B5E8008ADA0090DC0090DC0090DC0090DC0090DC008ADA4DB4E8FFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFC2E5F75AB7E80D97DE008DDB008EDB0090DC0092DD0093DD0093DD0093DD0093DD +0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0091DD008FDC008DDB008EDC +1199DF4AB1E78DCEEFD1EBF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFF1F9FDA6D9F339A9E4008CDB0086D90088DA008BDB008CDB008DDB +008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB +008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB +008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB +008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB +008DDB008DDB008DDB008DDB0086D947B1E7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFDDF1FA93D0F050B3E71B9DE00293DD008EDC008DDB008CDB +008CDB008DDB008DDB008DDB008CDB008CDB008DDB008EDB0091DC0D98DF35A8E36ABFEB +AFDCF4E5F4FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFD8EEFA26A2E222A0E122A1E122A1E122A1E122A1E1229DE05AB9E9 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFA1D7F3229CE022A1E122A1E122A1E122A1E122A1E1229CE08FD0F0 +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFCFEAF965BCEA1B9DE00090DC008DDB008CDB008CDB008DDB008CDB008DDB +008EDC0B97DE44AEE5A6D8F3FBFDFEFFFFFFFFFFFFFFFFFFB4DFF5229DE022A1E122A1E1 +22A1E122A1E122A1E1219EE1BFE4F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFDFEFF4DB4E7229EE022A1E122A1E122A1E122A1E122A1E1229EE047B1E6FBFDFE +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFDFF1FB96D1F14EB3E71B9DE00293DD008EDC008DDB008CDB008CDB +008DDB008DDB008DDB008CDB008CDB008DDB008EDB0091DC0D97DE34A8E36BBFEBAEDCF4 +E5F4FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFBFDFFABDCF466BCEA60BBE968BFEB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB +6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB +6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB +6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB +6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB +6BC0EB6BC0EB6BC0EB6BC0EB6BBDEA9AD4F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0F8FDD0EBF9B4DEF599D3F185CBEF +73C3EC6BC0EB6BC0EB6BC0EB70C2EC82CAEE93D1F0A8DAF3C5E6F7E3F2FBFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFBFEFEF5FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFE +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFF8FCFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF8FCFE +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFEEF8FDC5E6F7A0D6F285CBEF77C5ED6DC1EC80C9EE94D1F1 +B4DEF5DEF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFEFFF6FBFEF6FBFEF6FBFE +F6FBFEF6FBFEF6FBFEF6FBFEFAFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFEFFFFF5FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF4FBFDFDFEFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0F8FDD1EBF9B2DEF597D3F185CBEE72C3EC +6BC0EB6BC0EB6BC0EB70C2EC81C9EE92D0F0A9DAF3C4E6F7E2F2FBFFFFFFFFFFFFFFFFFF +FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + +end +%%PageTrailer +%%Trailer +%%EOF diff --git a/doc/gnupg-logo.pdf b/doc/gnupg-logo.pdf Binary files differnew file mode 100644 index 0000000..a2aab4a --- /dev/null +++ b/doc/gnupg-logo.pdf diff --git a/doc/gnupg-logo.png b/doc/gnupg-logo.png Binary files differnew file mode 100644 index 0000000..a1556df --- /dev/null +++ b/doc/gnupg-logo.png diff --git a/doc/gnupg-module-overview.pdf b/doc/gnupg-module-overview.pdf new file mode 100644 index 0000000..dcc5f39 --- /dev/null +++ b/doc/gnupg-module-overview.pdf @@ -0,0 +1,381 @@ +%PDF-1.4 +1 0 obj +<< +/Pages 2 0 R +/Type /Catalog +>> +endobj +2 0 obj +<< +/Type /Pages +/Kids [ 3 0 R ] +/Count 1 +>> +endobj +3 0 obj +<< +/Type /Page +/Parent 2 0 R +/Resources << +/XObject << /Im0 8 0 R >> +/ProcSet 6 0 R >> +/MediaBox [0 0 1052 744] +/CropBox [0 0 1052 744] +/Contents 4 0 R +/Thumb 11 0 R +>> +endobj +4 0 obj +<< +/Length 5 0 R +>> +stream +q +1052 0 0 744 0 0 cm +/Im0 Do +Q + +endstream +endobj +5 0 obj +32 +endobj +6 0 obj +[ /PDF /Text /ImageC ] +endobj +7 0 obj +<< +>> +endobj +8 0 obj +<< +/Type /XObject +/Subtype /Image +/Name /Im0 +/Filter [ /RunLengthDecode ] +/Width 1052 +/Height 744 +/ColorSpace 10 0 R +/BitsPerComponent 8 +/SMask 15 0 R +/Length 9 0 R +>> +stream +‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ©ÿ~ûúùÑŹŸ‹y‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹~vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vTb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb•€m¸§˜éãÞ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿðÿþþ~žŠx’^.Ì„@ÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜ~ŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽ]DÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÖŠBµu9Y:I8'ßÖ΂ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿùÿ~õóñF5%¥j4ý£Nÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤fOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oç•HC+µ¤”‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿÿÿþþ~F5%Í„@ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤iOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý¢N\<Á²¤‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿƒÿ~ {¤j3ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤oOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oø M÷ôò‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~üûúü¢Nÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¸w9 {‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~Óǽ\-ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OøŸM$‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~£~Ê‚?ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O%
‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî + +<<"ââÕ‚ÿðÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî +oG"ÛD¹w9 +¬o5ÿ¤Oì˜I5"¤i3è•Hèj•H +tK$ÚŒD•`.@)ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî +¡h2ÿ¤Oÿ¤O6#”_.öžL˜b/óœKÿ¤Oÿ¤O?)ŒZ+ÿ¤Oì˜Iþ +<'–`.ÔˆBJ0]-ÿ¤Oì˜Iþ +yN%ßE›d0@)ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî +X9ÙŒCÿ¤OôLþ + xM%œd0 ¹w9ì˜Iþ + {O&šc0 ½z;ì˜Iþ +xM%@)ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî + +ãä[þÿf÷øcþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf$$·¸JþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿxfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfÛÜX‰‰f‚ÿöÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî +úd¦§Cçè]þ +||2ûüeþÿfòóa;;ÍÎR88FFêë^þÿf99’“;ïð`>>ÇÈP((¡¢Aff)bb'þÿfþÿfþÿf¦§CþÿfþjÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfÛÜX‰‰f‚ÿöÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî +ûd ¡¢Açè]þ +œœ¤ððüððüððüÈÈÒþ +e( ÞßYçè]þ +ûüeþÿfþÿf¬E00þÿfïð`þ +ÿfþÿfþÿfçè]þ + +óôbþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ
ÿfþÿfþÿfÛÜX‰‰f‚ÿöÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî +((*ççòððümms ððüððü||‚ððüððüããî'')mmsjjp<<?îîúííù335XX]ssy::=þ +ÿfþÿfþÿfçè]þ +ÿfþÿfþÿfçè]þ + +ŽŽ•ððü88:NNRððüððüððüððüððüììøÀÀÊ::=ððüððüWW[
ððüððüððüððü,,.]]bððüððüððüððü\\a99<ððüððüððüððüððüððüððüääï +qqwððüððüããî WW[ððüððüÄÄÎþ + +ZZ_ððüððüHHKHHKððüððüððüuu{ððüËËÕþ +ÿfþÿfþÿfçè]þ +€4þÿfþÿfïð`þ + +,,.,,.ððüððüWW[..0ððüððüððüððü + +ï +ääïððüÄÄÎþ +xx~ððüððüððüððüððüððüððü©©²IIM!<<?ZZ_ððüððüHHKHHKððüððüððüuu{ððü®®·þ +‰‰»»Å””›$$&þUUYààëððüÞÞéþþ +WW[¦¦®††Œ((*ììøððüþ2 +99<ŸŸ§••œ##%
××áððümms ððüððü||‚ððüððüÊÊÔþ==@££«¡¡©**,!!#ååð””›þ5xx~¹¹ÃŸŸ§002
779ØØãððüIIM&&(¾¾Èèèóððüuu{ððüððüˆˆŽþ +((*~~„ÕÕß&&(ííùWW[557ððüððüððüððüððüÈÈÒGGJ@@CººÄððüððüððüððüððüððüîîú335ððüððüððüððüððüððü°°¹þ +‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî +þþ +‚ÿ‚ÿ‚ÿæÿ á‚ÿ‚ÿ‚ÿ‚ÿüÿ,¦ã + +??þÿfþÿfAAyy0ôõbII +ÞßYþÿfþÿfÃÄNoo,((þÿfþÿf\\%€344**þ +@@îï`þÿfþÿfÆÇPoo,$$þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf»¼KÛÛ‚ÿöÿ~þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿufþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf + +ûüeûüeº»Kœ?èé]þÿf¯°FôõbþÿfþÿfÏÐSþÿfíî_§¨CþÿfÎÏSÏÐS×ØVþ +((þÿfþÿf\\%ÔÕUþÿfž?õöbþÿf‡ˆ6TT"þÿfþÿfþÿf$$·¸Jþÿf£¤Bþ +•Ù + +÷øcþÿfUU"CCæç\ÜÝXEEþ +tt.ãä[¤¥BÓÔU×ØVþÿfþÿfþÿfll+tt.þÿfüýe++[[$ßàZ®¯F ++þÿfþÿf\\%||2þÿfþÿfóôbþ +''þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf»¼KÛÛ‚ÿöÿ~þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿufþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf + +00³´HSS!þÿfþÿfll+ + +¦§Cþÿf×ØVAA&&¨©Dþÿf×ØVþÿfþ7ÿfþÿfll+tt.þÿfþÿfÙÚWAAII“”;==þÿfþÿf\\%||2þÿfþÿfóôbþ +}}2üýeþÿfþÿfÛÜXCCGG–—<99þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf»¼KÛÛ‚ÿöÿ~þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿufþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf +õöbþÿfþÿfJJþÿfþÿf!!
—˜=þÿfþÿfùúd**–—<þÿf«¬Eþ +BBéê^þÿfäå\<<±²Gþÿfþÿfëì^þ +š›>þÿfâã[AAþ + +@@ˆ‰7DD
((þÿfþÿfbb' +zz1€3!!
WW#þÿfþÿfãä[UU":YY$ÍÎRþÿfëì^þ +üýeþÿfüýe88((þÿfþÿfdd(³´Hþÿfþÿf¤¥B þÿfþÿfaa'XX#þÿfþÿfþÿþf )WW#þÿfëì^þ +þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþjÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfðñ`UU5Ñÿ‡ˆˆ‚ÿ‚ÿ‘ÿoeeoeeÂÿ~ôôê3þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿ$fþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ +ÂÃNçè]ww0âã[þÿf«¬Eþÿfþÿfþÿf€3LLþÿfþÿfLLss.þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfÑÑT””r¤ÿþ÷þŸþIþþ=þÝþ×þ +þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþjÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿféê]cdBÑÿ‡ˆˆ‚ÿ‚ÿ‘ÿoeeoee¿ÿ~kk@ãä[þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿ$fþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfÁÂM¤¤z‚ÿóÿ RR3ïï`þÿfþÿfþÿf{{1CCþÿfþÿfþÿfÂÃNþ +aa'îï`þÿf:88þÿfþÿf÷øcþ + +88ÁÂNþÿfþÿf«¬Eþÿfþÿfþÿf€3LLþÿfþÿfŸ @RR!þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿxfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfž?Ë˵§ÿþÎþûÿþñþ.þsþ÷þþ¼ûÿþâþDþåþB
+þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþjÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfÂÃN§¨ˆÑÿ‡ˆˆ‚ÿ‚ÿ‘ÿoeeoee¿ÿøøñþ +þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþjÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfûüe +ììäÑÿ‡ˆˆ‚ÿ‚ÿ‘ÿoeeoee¼ÿ~ééÙWW0¯°Fö÷cþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfóóaŽ9€€T÷÷ï‚ÿíÿppMyz1÷øcþÿfõöb +``&ßàZ¹ºJ!!
þ +ss.þÿfþÿfhh*%%ÉÊQÚÛXHH + +žŸ@þÿfùúd$$\\%ÞßYÇÈP‡ˆ6þÿfpp-!!
ÄÅOÞßY^^&õöbþÿfëì^þ + +òòìÔÿ~áâÔÍÎRþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿféê^qq-ÑÒTº»K""‰Š7þÿfþÿf,,›œ>þÿfþÿfþÿfþÿfþÿfþÿfÆÇP‘:Ö×V¥¦B¹ºJþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿlfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfÊËQþ +HHÁÂN''@@þÿfþÿf°±G00 + +%%˜™=þÿfþÿfëì^þ +þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþgÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfçè]CD²³•Îÿ‡ˆˆ‚ÿ‚ÿ‘ÿoeeoee¶ÿÄÄ£wwKþ +'----))þ +##-------------- +##-------------- þ
~
------------------------------------------------!II\p!II------------------------~-------------------------------------------------------------------------------------
---iiGôôï‚ÿóÿþÎþX.332&&,----- +##-------------- þ
~
----------------------------------!!
----------------------------------~-------------------------------------------------------------------------------------1---------------------------------þ +—Þƒÿ +—Þƒÿ +—Þ +—Þg¿ë†ÿ +óœKÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OŠY+š†sÂÿ +—Þ¯Ýô‚ÿ‚ÿˆÿ~oZGÁ|<ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¤i3’}j‚ÿ‚ÿ‚ÿ‚ÿ«ÿ„||ˆˆ‚ÿ‚ÿ‘ÿrhhrhh¿ÿþþ~*ë—Iÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÉ>s^J‚ÿÆÿ~ÖËÁ^<ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O^=ØÍÄ‚ÿ‚ÿèÿ)¤âÂÿ~Œwc¹w9ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OòœKüûúÅÿ™ß‚ÿ‚ÿˆÿ~ʽ±rI#ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OI/âÚÒ‚ÿ‚ÿ‚ÿ‚ÿ®ÿ„||ˆˆ‚ÿ‚ÿ‘ÿrhhrhh¿ÿ~¼¬“_.ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤$Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OR4åÞׂÿÉÿ~?/ é–Hÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oé–HA1"‚ÿ‚ÿëÿ…Ëïœà†ÌïÈÿ~îêå0ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤$Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O«n5«˜‡Èÿ…Ëï–Þ†Ìï‚ÿ‚ÿ‹ÿ~&ð›Jÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OàEYE3‚ÿ‚ÿ‚ÿ‚ÿ®ÿ„||ˆˆ‚ÿ‚ÿ‘ÿrhhrhh¿ÿ~- òœKÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤$Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÖŠB}hT‚ÿÌÿ~ß×ÏfB ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤'Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OfA áÙÒ‚ÿ‚ÿîÿ +ûúù‚ÿ‚ÿñÿ +1 ¢h2ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O«n5 +~Q'ä“Gþ +ä“Gþ +ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oè•Hþ +¨l4ÿ¤Oÿ¤Oÿ¤OÇ€>
„U)ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ%¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£NËÿW¸é•ÞV·è‚ÿ‚ÿ‘ÿ)àØЀS(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O@)ø +¨l4ÿ¤Oÿ¤Oÿ¤OÇ€>
„U)ÿ¤OÿU¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP3‚ÿÒÿ~óúý‡Ìï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…~Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ë~ï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëïh…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…ËïE‡ªK°…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…ËïÀä÷‚ÿ‚ÿÓÿrhhrhhÂÿ~6'ø Mÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O g2ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤OZ:1 À{;ã’FÀ{;8$K0ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÈ>
ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O +¼y*:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿ~êäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÜD +\;¼y:˃?ŠY+e1ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O7#•U`.ý£Nÿ¤OøŸMÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O8$nG"ÜDÜDÜDÜDÞEÿ¤OøŸMÿ¤Oè•Hþ +ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oè•Hþ +¨l4ÿ¤Oÿ¤OÊ‚? +„U)ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ.¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£NÈÿ˜ß‚ÿ‚ÿŽÿ~àØЂS(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O@)jD!ÜDÜD΄@a>ßEÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OøŸMÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤O$¸v9ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O +¨l4ÿ¤Oÿ¤OÊ‚? +„U)ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤*Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~™Ôñ +'‘]-ÿ¤Oÿ¤Oÿ¤OÕ‰B<' +G.ŠY+H.ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oû¡N´t8ÿ¤Oÿ¤Oÿ¤O׊Cþ +(”_.ÿ¤Oÿ¤Oÿ¤OÛDD, 0³s7ÿ¤OÈ>
ÿ¤Oÿ¤O„U) å“Gÿ¤Oä“GQ4|P&ü¢Nÿ¤O5"“_.ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿ~êäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OF-^<ÿ¤Oÿ¤Oÿ¤Oÿ¤OŒZ+"ÿ¤Oÿ¤OÞEI/ +'‘]-ÿ¤Oÿ¤OöžL8$цA:%A*æ”Gÿ¤OD, +€R(ä“Gþ +I/ˆW*L1ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O8$€R(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oä“Gþ +›d0$hC öžLÿ¤Oè•Hþ +¨l4ÿ¤OÍ„@ +…V)ÿ¤Oÿ¤Oÿ¤Oä“GQ4|P&ü¢Nÿ¤OgB b?ÿ¤Oÿ¤Oÿ¤O% g2ÿ¤O™b/" 4!É>ÿ%¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£NÈÿ˜ß‚ÿ‚ÿŽÿPàØЂS(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O@)|P&ÿ¤Oÿ¤Oÿ¤Oû¡N Ÿf1óœK8$Í„@*
šc0è•Hþ +¨l4ÿ¤OÍ„@ +…V)ÿ¤Oÿ¤Oÿ¤OäU“GQ4|P&ü¢Nÿ¤OgB b?ÿ¤Oÿ¤Oÿ¤O% g2ÿ¤O–`." 6#̃?ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ +b?ÜD²r7¦k3ÿ¤OøŸM vL%ÜD‹Y+æ”GÈ>
ÿ¤Oe1׊Cÿ¤Oü¢N+
iD!ßEÄ~=&zN&ÿ¤Oÿ¤O +¼y*:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿ,êäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oé–Hþ +kE!ÿ¤Oè•Hþ +¨l4Ï…@†V*ÿ¤Oÿ¤Oÿ¤Oü¢N+
iD!ßEÄ~=&zN&ÿ¤O¶u8ý£Nÿ¤OцAïšJ΄@¨l4ÛD[;,ÿ%¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£NËÿ +lE!ÛD¼y:
¤i3ÿ¤Oÿ¤O$¸v9ÿ¤Oü¢N+
iD!ßEÄ~=&zN&ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O +¨l4Ï…@†V*ÿ¤Oÿ¤Oÿ¤Oü¢N+U
iD!ßEÄ~=&zN&ÿ¤O¶u8ý£Nÿ¤OцAïšJ˃?ªm5ÚŒDX90ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ +¼y*:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿbêäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¿{;ú¡Mÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O²r7÷ŸMÿ¤Oÿ¤OˆW*8$ÿ¤OôLþ +yN%̃?ÿ¤Oÿ¤Oÿ¤O¹w9 ý£Nÿ¤Oÿ¤O±r7,ÿ¤OøŸMÇ€>ÿ¤O}P'L1ÿ¤O«n5 +ðšJÿ¤Oë—I¹w9ÿ%¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£NËÿ +yN%̃?ÿ¤Oÿ¤Oÿ¤O¹w9U ý£Nÿ¤Oÿ¤O±r7,ÿ¤OøŸMÇ€>ÿ¤O}P'L1ÿ¤O§k4òœKÿ¤Oê–H»x:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ +§k4ÿ¤Oÿ¤O’^-
+ +ÿ¤Oÿ¤O +¼y*:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿbêäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¼y:ú¡Mÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OŒZ+A*ÿ¤Oÿ¤Oÿ¤O¿{;ÿ¤OôLþ + +ÿ¤Oí˜I3! +_=³s7ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OiD!ëåà‚ÿ‚ÿñÿ +¡h2jD!(öžLÿ¤Oÿ¤O’^-
+ +ÿ¤Oÿ¤OT6yN%ÿ¤O)
£i2ÿ¤OïšJ5" ^<²r7þ£Oÿ%¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£NËÿ + +ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O +¡h2jD!(öžLÿ¤Oÿ¤O’^-U
+ +ÿ¤Oÿ¤OT6yN%ÿ¤O)
£i2ÿ¤Oí˜I3! +_=³s7ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ +ÿ¤OrI#Z:ÿ¤Oÿ¤Oÿ¤O~Q'H.ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oá‘F°q7ÿ¤Oÿ¤Oÿ¤Oÿ¤OцA™b/‡W*F-ÿ¤Oÿ¤Oÿ¤O½z;ÿ¤OvL%[;ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÈ>²r7R' +÷ŸMÿ¤O g2-ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O +¼y*:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿ,êäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oè•Hþ +ÿ¤OôLþ +†V*ÿ¤OõžL$lE!ÿ¤Oÿ¤O g2-ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¤i3,Õ‰Bñ›Kÿ¤Oÿ¤Oÿ¤O¿{;gB
5"÷%ŸMÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£NËÿ +†V*ÿ¤OõžL$lE!ÿ¤Oÿ¤O g2-Uÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¤i3,Õ‰Bñ›Kÿ¤Oÿ¤Oÿ¤O½z;fB 7#øŸMÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ +¼y*:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿbêäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O='[;ÿ¤Oÿ¤Oÿ¤Oÿ¤O‹Y+ +ü¢N±r7
øŸMÿ¤Oÿ¤OŠY+5"ÿ¤OôLþ +¨l4ÿ¤Oÿ¤OÇ€>¹w9ÿ¤OÉ>ñ›Kÿ¤Oÿ¤OŸf1kE!ÿ¤Oÿ¤Oî™J_=P3ÿ¤Oÿ¤O»x:e1ÿ¤Oÿ¤Oî™JÄ%~=ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£NËÿ +¨l4ÿ¤Oÿ¤OÇ€>¹w9ÿ¤OÉ>Uñ›Kÿ¤Oÿ¤OŸf1kE!ÿ¤Oÿ¤Oî™J_=P3ÿ¤Oÿ¤O¹w9Ÿf1ÿ¤Oÿ¤Oì˜IÈ>ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ +gB â‘F·v9¥j3ÿ¤OòœK
}P'å“G£i2Ø‹CÈ>
ÿ¤Oÿ¤OŸf1 é–Hÿ¤O8$N2ÙŒCµt8”_.ÿ¤Oÿ¤O! +¤i*3û¡Nÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿbêäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÙŒCY9¾z;̃?‡W*•`.ÿ¤Oú¡M"d@á‘F¹w9¡h2ÿ¤OôLþ +€R(ä“G™b/
N2ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O8$€R(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oä“Gþ +`>ÿ¤O¼y:þ +¨l4ÿ¤Oÿ¤Oÿ¤O{O&í˜Iÿ¤O8$N2ÙŒCµt8”_.ÿ¤Oÿ¤Oÿ¤OB*þ +ºx:ä“G[,è•Hÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£NËÿ +¨l4ÿ¤Oÿ¤Oÿ¤O{O&í˜Iÿ¤O8$N2ÙŒCµt8”_.ÿ¤Oÿ¤Oÿ¤OB*þ +$]-ÿ¤Oÿ¤Oÿ¤OÇ€>4! +\;{O&]<ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oú¡MzN&1 +V7ÖŠBÿ¤Oÿ¤OÛDF- %’^-ÿ¤Oÿ¤Oÿ¤OÒ‡A=''g¬o5ÿ¤OÈ>
ÿ¤Oÿ¤Oý£N1 hC ÿ¤Oê–HR5R'þ£Oÿ¤Oÿ¤O}P'”_.ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿbêäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÛDP3
3!¤i3ÿ¤Oÿ¤Oÿ¤OÝŽDG. +$]-ÿ¤Oÿ¤OôLþ +¨l4ÿ¤Oÿ¤Oÿ¤Oú¡M1 U7ÿ¤Oê–HR5R'þ£Oÿ¤Oÿ¤Oÿ¤O]- óœKÿ¤Oÿ¤Oþ£OxM%1 µt8ÿ%¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£NÈÿ +—Þ‚ÿ‚ÿŽÿAàØЂS(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O@)|P&ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OðšJþ + xM%žf1 +µt8ÿ¤OS(]-ÿ¤Oê–HR5R'þ£Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O +¨l4ÿ¤Oÿ¤Oÿ¤Oú¡M1 U7ÿ¤OêU–HR5R'þ£Oÿ¤Oÿ¤Oÿ¤O]- óœKÿ¤Oÿ¤Oþ£OuK$ 2 ·v9ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ +—Þ‚ÿ‚ÿŽÿ~àØЂS(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OvL%S5ÿ¤Oÿ¤Oÿ¤Oÿ¤*Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ +lE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤*Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£NËÿ +lE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤*Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ +‚ÿÒÿP˜Óñ +þ£Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OðšJþþ‚ÿÉÿ~¥’€¨l4ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O§l4¦“‚ÿ‚ÿëÿ +èáÛ‚ÿÌÿD˜Óñ +û +SSW<<?þþ +èèôððüððüƒƒ‰þ + +ÚÚåððüððü’’™þ +—ÞM´çàòûøÿ;yÆí +—Þ/§ã‚ÿºÿ +—Þ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ³ÿ~˜Óñ + +îï`þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿ~fþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfqþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfýþf‰‰7µµ˜‚ÿ‚ÿÙÿ~à×Ï;,~Q'è•Hÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤uOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OßEhC ZF4ëæá‚ÿùÿ~˜Óñ +¸v9ïšJÏ…@:%^<ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OðšJþ£Où Mÿ¤Oÿ¤O
ßEþ£Où Mÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OôLÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O–`.! +ºx:ïšJ΄@8$b?ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤EOÿ¤Oÿ¤Oÿ¤OÔˆB$ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O‰X+ÜÒÊŒÿ~˜Óñ +.Ä~=ÿ¤OF-þ +΄@ÿ¤Oÿ¤Oÿ¤OÍ„@.öžLÿ¤O™b/#/Ç€>ÿ¤Oÿ¤O®p6(Z:ðšJÔˆB#ƒT) +¢h2ÿ¤Oÿ¤OÄ~=3!
Q4Õ‰Bÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O‰X+ÜÒÊŒÿ~˜Óñ +ÿ¤Oÿ¤Oÿ¤Oÿ(¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O$´t8ÿ¤Oÿ¤Oã’FmF"W8ÿ¤Oü¢Nþ +è•HІ@,ÿ¤OÜDÊ~‚?í˜IL1vL%ã’FÄ~=øŸM‚T(@)ÿ¤Oÿ¤OôLí˜I
¹w9ú¡MŽ[, +û¡Nÿ¤Oÿ¤Oÿ¤O¼y:(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OßEÆ=÷ŸM~Q'D,ÿ¤OØ‹C
̃?ì˜II/zN&ÔˆBþ +è•HІ@,ÿ¤O‚T(iD!ÿ~¤Oÿ¤OßE´t8ù Mä“Gÿ¤OöžLŠY+0ÿ¤Oÿ¤OôL›d0T6ÿ¤Oÿ¤Oÿ¤O ÜDÿ¤Oÿ¤Oÿ¤Ošc0C+ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OøŸMå“Gÿ¤OõžL‡W*4!ÿ¤O~Q'mF"ÿ¤EOÿ¤OÝŽD¶u8ÔˆBü¢Nÿ¤OòœKÿ¤O—a/X9ÿ¤Oÿ¤Oÿ¤OàEÿ¤Oÿ¤Oÿ¤Oÿ¤O‰X+ÜÒÊæÿþlþáÈÿþ¤þ©ìÿ~˜Óñ +ÿ¤Oÿ¤Oÿ¤Oÿ(¤Oÿ¤O¤i3ÞEÿ¤O$±r7ü¢Nü¢Nñ›KS5a>ÿ¤Oü¢Nþ +è•HІ@,ÿ¤Od@‰X*ÿ~¤Oÿ¤Oÿ¤Oÿ¤Oû¡NzN&.;&T60ÿ¤Oÿ¤OôL}P'((((È>ÿ¤Oÿ¤Oÿ¤Oºx:(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¡h2á‘Fú¡MxM%-<'S54!ÿ¤O`>[,ÿ¤EOÿ¤Oÿ¤Oÿ¤OÔˆB#ÿ¤Oÿ¤OôLÿ¤OyN%((((˃?ÿ¤Oÿ¤Oÿ¤Oÿ¤O‰X+ÜÒÊøÿþåþ¤þþÖûÿþlþáþþþÀþ˜þ¨þïûÿþÂþ˜þ þäûÿþûþ¸þ˜þ·þôþÿþ¤þ©þ¤þçûÿþ«þàþÿ˜Óñ +ÿ¤Oÿ¤Oÿ¤OðšJІ@,ÿ¤Oÿ¤O +è•HІ@,ÿ¤O{O&mF"ÿ¤Oÿ¤OÜD”_.¦k3*
é–Hÿ¤OÄ~=0ÿ¤Oÿ¤OôL”_.O3ÿ+¤Oÿ¤Oÿ¤OÇ€>øŸMÿ¤Oÿ¤Oÿ¤Oì˜IÍ„@ÿ¤Oÿ¤Oÿ¤OßEþ +ÿ¤Oÿ¤Oÿ¤Oè•HІ@,ÿ¤Oÿ¤O +è•HІ@,ÿ¤OÏ…@
Ñ~†AïšJT6hC ”_.9%÷ŸMóœKM2)
ÿ¤Oÿ¤Oì˜Iâ‘F¼y:ù M“_. ý£Nÿ¤Oÿ¤Oÿ¤Oÿ¤O]- +¹w9òœKÍ„@4!Z:ÿ¤O]-<'øŸMòœKJ0-ÿ¤Õ?ÓˆEAïšJQ4lE!ÔˆB$ÿ¤Oÿ¤OôLÿ¤OßE¿{;ù M\,! +þ£Oÿ¤Oÿ¤Oÿ¤Oÿ¤O‰X+ÜÒÊûÿþ þ¦ûÿþàþæþÿþlþáþVþòûÿþ‡þ¾þ½þjþÁþëûÿþèþRþ¥û¦þ[þÙþ¤þ©þéþaþýþ¦þ¤ûÿ;˜Óñ + +oG"ñ›Kÿ¤Oÿ¤O$´t8ÿ¤Oÿ¤Oÿ¤Oé–H + +qI#óœKÿ¤Oÿ¤Oºx:.
7#Í„@ÿ¤OÔˆB +ÿ¤Oÿ¤Oÿ¤OY9ºx:,ÿ¤Oÿ¤O +è•HІ@,ÿ¤Oÿ¤O¤i3$ +Q4í˜Iò~œKH.4!¯q6$€R(ÿ¤OU7ç•H¸v9- 9%Ï…@ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O g2/ + +sJ$ôLÿ¤OðšJF-5"¯q6"ƒT)ÿ¤O¡h2# +S5ïšJÔˆ9B$ÿ¤Oÿ¤OôLÿ¤Oÿ¤Oµt8+
:%Ò‡Aÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O‰X+ÜÒÊûÿþ”þµûÿþýþüþÿþlþÞþRþýûÿþ•þ³þÿþâþ¥þxþ|þûþæþ[þÝøÞþõþ¤þ©þÿþ~þÉþbþìûÿ~˜Óñ +ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤~Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N +$$&$$&ï +ò +‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ¦ÿ~˜Óñ +þÿþìþ +þÿþìþ +þºþäþþþèþÿþ8þNþÙþµþþ”þÿþìþ +þþoþñûÿþ$þ´øÿþéþþÉþüò +þþqþóûÿþºþ.þ
þ7þÍþÿþÔþ øÿþYþþºþ,ûÿþþèþÐþ,ûÿþ¤þ$þþQþíþðþFþþ5þ¯þ"þƒþÿþUþþçþ¸þ-þþ9þÏþÿþòþPþþþ[þóþÿþ ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ¦ÿ~˜Óñ + +endstream +endobj +9 0 obj +457292 +endobj +10 0 obj +/DeviceRGB +endobj +11 0 obj +<< +/Filter [ /RunLengthDecode ] +/Width 106 +/Height 75 +/ColorSpace 10 0 R +/BitsPerComponent 8 +/Length 12 0 R +>> +stream +‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ›ÿ +endstream +endobj +12 0 obj +9346 +endobj +13 0 obj +<< +>> +endobj +14 0 obj +9346 +endobj +15 0 obj +<< +/Type /XObject +/Subtype /Image +/Name /Ma0 +/Filter [ /RunLengthDecode ] +/Width 1052 +/Height 744 +/ColorSpace /DeviceGray +/BitsPerComponent 8 +/Length 16 0 R +>> +stream +‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿÿ€ +endstream +endobj +16 0 obj +12327 +endobj +17 0 obj +<< +/Title (þÿ +/CreationDate (D:20221010135803) +/ModDate (D:20221010135803) +/Producer (https://imagemagick.org) +>> +endobj +xref +0 18 +0000000000 65535 f +0000000010 00000 n +0000000059 00000 n +0000000118 00000 n +0000000302 00000 n +0000000387 00000 n +0000000405 00000 n +0000000443 00000 n +0000000464 00000 n +0000457957 00000 n +0000457979 00000 n +0000458006 00000 n +0000467497 00000 n +0000467518 00000 n +0000467540 00000 n +0000467561 00000 n +0000480082 00000 n +0000480104 00000 n +trailer +<< +/Size 18 +/Info 17 0 R +/Root 1 0 R +/ID [<82dfca7e38da96118e28c32df36dd8031dbd96f4470decd5fafe68b1366d6064> <82dfca7e38da96118e28c32df36dd8031dbd96f4470decd5fafe68b1366d6064>] +>> +startxref +480279 +%%EOF diff --git a/doc/gnupg-module-overview.png b/doc/gnupg-module-overview.png Binary files differnew file mode 100644 index 0000000..cae6c48 --- /dev/null +++ b/doc/gnupg-module-overview.png diff --git a/doc/gnupg-module-overview.svg b/doc/gnupg-module-overview.svg new file mode 100644 index 0000000..5b22f0d --- /dev/null +++ b/doc/gnupg-module-overview.svg @@ -0,0 +1,892 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<svg + xmlns:dc="http://purl.org/dc/elements/1.1/" + xmlns:cc="http://creativecommons.org/ns#" + xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" + xmlns:svg="http://www.w3.org/2000/svg" + xmlns="http://www.w3.org/2000/svg" + xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" + xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" + width="1052.3622" + height="744.09448" + id="svg5013" + version="1.1" + inkscape:version="0.48.3.1 r9886" + sodipodi:docname="gnupg-module-overview.svg"> + <sodipodi:namedview + pagecolor="#ffffff" + bordercolor="#666666" + borderopacity="1" + objecttolerance="10" + gridtolerance="10" + guidetolerance="10" + inkscape:pageopacity="0" + inkscape:pageshadow="2" + inkscape:window-width="1672" + inkscape:window-height="978" + id="namedview5247" + showgrid="false" + inkscape:zoom="1.0964545" + inkscape:cx="549.42213" + inkscape:cy="371.37197" + inkscape:window-x="0" + inkscape:window-y="0" + inkscape:window-maximized="1" + inkscape:current-layer="svg5013" + showguides="true" + inkscape:guide-bbox="true"> + <inkscape:grid + id="grid3097" + type="xygrid" + empspacing="5" + visible="true" + enabled="true" + snapvisiblegridlinesonly="true" /> + </sodipodi:namedview> + <metadata + id="metadata5249"> + <rdf:RDF> + <cc:Work + rdf:about=""> + <dc:format>image/svg+xml</dc:format> + <dc:type + rdf:resource="http://purl.org/dc/dcmitype/StillImage" /> + <dc:title /> + </cc:Work> + </rdf:RDF> + </metadata> + <defs + id="defs5015"> + <marker + inkscape:stockid="Arrow2Sstart" + orient="auto" + refY="0" + refX="0" + id="Arrow2Sstart" + style="overflow:visible"> + <path + id="path4021" + style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round" + d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z" + transform="matrix(0.3,0,0,0.3,-0.69,0)" + inkscape:connector-curvature="0" /> + </marker> + <marker + inkscape:stockid="Arrow2Mend" + orient="auto" + refY="0" + refX="0" + id="Arrow2Mend" + style="overflow:visible"> + <path + id="path4018" + style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round" + d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z" + transform="scale(-0.6,-0.6)" + inkscape:connector-curvature="0" /> + </marker> + <marker + inkscape:stockid="Arrow1Mend" + orient="auto" + refY="0" + refX="0" + id="Arrow1Mend" + style="overflow:visible"> + <path + id="path4000" + d="M 0,0 5,-5 -12.5,0 5,5 0,0 z" + style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt" + transform="matrix(-0.4,0,0,-0.4,-4,0)" + inkscape:connector-curvature="0" /> + </marker> + <marker + orient="auto" + markerHeight="3" + markerWidth="4" + markerUnits="strokeWidth" + refY="5" + refX="0" + viewBox="0 0 10 10" + id="ArrowEnd"> + <path + id="path5018" + d="M 0,0 10,5 0,10 z" + inkscape:connector-curvature="0" /> + </marker> + <marker + orient="auto" + markerHeight="3" + markerWidth="4" + markerUnits="strokeWidth" + refY="5" + refX="10" + viewBox="0 0 10 10" + id="ArrowStart"> + <path + id="path5021" + d="M 10,0 0,5 10,10 z" + inkscape:connector-curvature="0" /> + </marker> + <marker + inkscape:stockid="ArrowEndo" + orient="auto" + markerHeight="3" + markerWidth="4" + markerUnits="strokeWidth" + refY="5" + refX="0" + viewBox="0 0 10 10" + id="ArrowEndo"> + <path + id="path4964" + d="M 0,0 10,5 0,10 z" + inkscape:connector-curvature="0" /> + </marker> + <marker + inkscape:isstock="true" + style="overflow:visible" + id="marker6214" + refX="0" + refY="0" + orient="auto" + inkscape:stockid="Arrow2Send"> + <path + inkscape:connector-curvature="0" + transform="matrix(-0.3,0,0,-0.3,0.69,0)" + d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:0.625;stroke-linejoin:round;stroke-opacity:1" + id="path6216" /> + </marker> + <marker + inkscape:isstock="true" + style="overflow:visible" + id="marker4916" + refX="0" + refY="0" + orient="auto" + inkscape:stockid="Arrow2Send"> + <path + inkscape:connector-curvature="0" + transform="matrix(-0.3,0,0,-0.3,0.69,0)" + d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z" + style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:0.625;stroke-linejoin:round;stroke-opacity:1" + id="path4918" /> + </marker> + <marker + inkscape:isstock="true" + style="overflow:visible" + id="marker4916-9" + refX="0" + refY="0" + orient="auto" + inkscape:stockid="Arrow2Send"> + <path + inkscape:connector-curvature="0" + transform="matrix(-0.3,0,0,-0.3,0.69,0)" + d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z" + style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:0.625;stroke-linejoin:round;stroke-opacity:1" + id="path4918-0" /> + </marker> + <marker + inkscape:stockid="Arrow2Send" + orient="auto" + refY="0" + refX="0" + id="marker4292" + style="overflow:visible" + inkscape:isstock="true" + inkscape:collect="always"> + <path + inkscape:connector-curvature="0" + id="path4294" + style="fill:#707070;fill-opacity:1;fill-rule:evenodd;stroke:#707070;stroke-width:0.625;stroke-linejoin:round;stroke-opacity:1" + d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z" + transform="matrix(-0.3,0,0,-0.3,0.69,0)" /> + </marker> + </defs> + <path + sodipodi:nodetypes="ccc" + style="fill:none;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)" + d="m 287.5667,471.57196 0,97.32813 125.9533,0" + id="path4897" + inkscape:connector-curvature="0" /> + <path + sodipodi:nodetypes="cccc" + style="fill:none;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)" + d="m 287.5667,378.67655 312.68618,0 307.44416,0 -0.19429,-59.6196" + id="path4683" + inkscape:connector-curvature="0" /> + <path + inkscape:connector-curvature="0" + id="path6223" + d="m 287.70069,169.03486 -0.12386,102.03147" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)" + sodipodi:nodetypes="cc" /> + <path + inkscape:connector-curvature="0" + id="path5608" + d="m 567.28751,169.03486 -0.12386,102.03147" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)" + sodipodi:nodetypes="cc" /> + <path + inkscape:connector-curvature="0" + id="path6212" + d="M 740.82251,277.66035 740.69865,174.39089" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)" + sodipodi:nodetypes="cc" /> + <path + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none" + d="m 523.40929,311.79252 0,124.65874" + id="path6073" + inkscape:connector-curvature="0" + sodipodi:nodetypes="cc" /> + <path + sodipodi:nodetypes="cc" + inkscape:connector-curvature="0" + id="path6047" + d="m 740.69179,316.07585 0,119.95752" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none" /> + <path + inkscape:connector-curvature="0" + id="path3376-9" + d="m 287.6031,433.13662 0,-57.34608 0,-57.34607" + style="fill:#707070;fill-opacity:1;fill-rule:evenodd;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)" + sodipodi:nodetypes="ccc" /> + <rect + style="fill:#ffffff;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" + id="rect3352" + width="97.554695" + height="40.571972" + x="391.51746" + y="636.94879" + ry="13.673332" + rx="13.673332" /> + <text + y="662.4939" + x="409.48114" + style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + id="text3354"> + <tspan + id="tspan3356" + style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">Keyserver</tspan> + </text> + <path + inkscape:connector-curvature="0" + id="path3378" + d="m 440.28156,586.50326 0,45.86759" + style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker4916)" + sodipodi:nodetypes="cc" /> + <path + sodipodi:nodetypes="cc" + style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker4916)" + d="m 556.46073,586.50326 0,45.86759" + id="path3376" + inkscape:connector-curvature="0" /> + <path + style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker4916)" + d="m 429.01048,170.98678 0,100.99292" + id="path6342" + inkscape:connector-curvature="0" + sodipodi:nodetypes="cc" /> + <path + style="fill:none;stroke:#0093dd;stroke-width:2.75242877;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" + d="m 907.57277,170.14422 0,113.50352" + id="path5123" + inkscape:connector-curvature="0" + sodipodi:nodetypes="cc" /> + <path + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none" + d="m 673.43067,568.61382 -98.4701,0" + id="path6243" + inkscape:connector-curvature="0" + sodipodi:nodetypes="cc" /> + <path + inkscape:connector-curvature="0" + id="path6201" + d="m 453.30881,317.35087 0.18784,34.85336 53.29577,-0.16228 190.29392,-0.16229 0.18785,-30.27572" + style="fill:none;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)" + sodipodi:nodetypes="ccccc" /> + <rect + rx="4.3253841" + ry="4.3253841" + y="276.6272" + x="675.82629" + height="40.530724" + width="123.10358" + id="rect6187" + style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" /> + <text + id="text5121" + transform="scale(1.0507543,0.95169727)" + style="font-size:13.02898884px;line-height:125%;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="674.47369" + y="315.29083" + sodipodi:linespacing="125%"> + <tspan + style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan4497">gpg-agent</tspan> + </text> + <rect + style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" + id="rect6197" + width="123.10358" + height="40.530724" + x="846.021" + y="276.6272" + ry="4.3253841" + rx="4.3253841" /> + <rect + style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" + id="rect6192" + width="123.10358" + height="40.530724" + x="675.82629" + y="129.8378" + ry="4.3253841" + rx="4.3253841" /> + <path + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none" + d="m 498.35189,473.54808 0,75.31261" + id="path6069" + inkscape:connector-curvature="0" + sodipodi:nodetypes="cc" /> + <rect + style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" + id="rect6177" + width="164.51004" + height="40.445511" + x="416.09686" + y="548.39105" + ry="4.3253841" + rx="4.3253841" /> + <rect + style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" + id="rect6173" + width="123.10358" + height="40.530724" + x="367.47192" + y="276.6272" + ry="4.3253841" + rx="4.3253841" /> + <rect + rx="4.3253841" + ry="4.3253841" + y="276.6272" + x="505.63153" + height="40.530724" + width="123.10358" + id="rect6168" + style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" /> + <rect + rx="13.673332" + ry="13.673332" + y="433.47479" + x="691.91449" + height="40.571972" + width="97.554695" + id="rect6083" + style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" /> + <path + sodipodi:nodetypes="cc" + inkscape:connector-curvature="0" + id="path6071" + d="m 473.29453,317.56143 0,118.88983" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none" /> + <path + sodipodi:nodetypes="cc" + inkscape:connector-curvature="0" + id="path6056" + d="m 129.94217,317.56143 0,119.95753" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none" /> + <rect + style="fill:#f0f0fc;fill-opacity:1;stroke:#0093dd;stroke-width:2.06634402;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" + id="rect5612" + width="403.86743" + height="39.392567" + x="225.40582" + y="130.97597" /> + <path + style="fill:none;stroke:#524646;stroke-width:1;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:0.5,0.5;stroke-dashoffset:0" + d="m 58.463573,227.2185 928.110467,0 0,382.29175 -928.110467,0 0,-382.29175 z" + id="path5025" + inkscape:connector-curvature="0" /> + <text + id="text5061" + transform="scale(1.0507332,0.95171638)" + style="font-size:13.0976572px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="518.80000" + y="315.28461"> + <tspan + style="font-size:13.76214409px" + id="tspan4513">gpgsm</tspan> + </text> + <text + id="text5073" + transform="scale(1.0507333,0.95171629)" + style="font-size:13.02924919px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="395.6857" + y="315.28461"> + <tspan + style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan4515">gpg</tspan> + </text> + <rect + rx="13.673332" + ry="12.771004" + y="548.32782" + x="673.75952" + height="40.571972" + width="133.86456" + id="rect6095" + style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" /> + <text + id="text5105" + style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="680.94543" + y="573.11676"> + <tspan + style="font-size:12.38593006px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan4529">CRL/Certificate Cache</tspan> + </text> + <text + id="text5129" + transform="scale(1.0507438,0.95170678)" + style="font-size:13.02911949px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="830.64813" + y="317.11887"> + <tspan + style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan4509">scdaemon</tspan> + </text> + <rect + style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#020202;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" + id="rect5628" + width="67.014503" + height="121.84404" + x="103.36046" + y="-968.49481" + ry="7.6290565" + rx="7.6290565" + transform="matrix(0,1,-1,0,0,0)" /> + <text + y="142.0016" + x="875.88068" + id="text5135" + style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"> + <tspan + id="tspan4507" + style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">Smartcard</tspan> + </text> + <g + id="g5153" + transform="matrix(1.3762144,0,0,1.3762144,61.101249,-38.173118)"> + <path + inkscape:connector-curvature="0" + id="path5155" + d="m 19.4715,229.854 61.1008,0 c 2.6103,0 4.7291,1.919 4.7291,4.283 l 0,19.78 c 0,2.364 -2.1188,4.283 -4.7291,4.283 l -61.1008,0 c -2.6102,0 -4.729,-1.919 -4.729,-4.283 l 0,-19.78 c 0,-2.364 2.1188,-4.283 4.729,-4.283 z" + style="fill:#feff66;fill-rule:evenodd;stroke:#000000;stroke-width:0.283465" /> + <text + id="text5157" + style="font-size:9.94777203px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="21.563971" + y="247.59825"> + <tspan + style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan4517">watchgnupg</tspan> + </text> + </g> + <text + id="text5181" + style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="702.94672" + y="457.17776"> + <tspan + style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan4527">Private Keys</tspan> + </text> + <text + id="text5199" + transform="scale(1.0230018,0.97751538)" + style="font-size:15.83039284px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="317.46622" + y="158.42787"> + <tspan + style="font-size:16.51457214px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan5886">GPGME aware Applications</tspan> + </text> + <text + style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + id="text5632" + x="710.88654" + y="153.50237"> + <tspan + style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan5634">Pinentry</tspan> + </text> + <path + inkscape:connector-curvature="0" + id="path6067" + d="m 567.29104,317.51986 -0.12386,226.20179" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)" + sodipodi:nodetypes="cc" /> + <rect + rx="13.673332" + ry="13.673332" + y="433.47479" + x="449.57455" + height="40.571972" + width="97.554695" + id="rect6088" + style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" /> + <text + id="text5175" + style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="463.25439" + y="457.33569"> + <tspan + style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan4521">Public Keys</tspan> + </text> + <text + id="text5089" + style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="472.05396" + y="572.03088"> + <tspan + style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan4523">dirmngr</tspan> + </text> + <rect + style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" + id="rect6111" + width="97.554695" + height="40.571972" + x="81.164833" + y="433.47479" + ry="13.673332" + rx="13.673332" /> + <text + y="457.33569" + x="96.524628" + style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + id="text5163"> + <tspan + id="tspan4519" + style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">Log Socket</tspan> + </text> + <path + sodipodi:nodetypes="cc" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)" + d="m 429.1316,317.51986 -0.12386,226.20179" + id="path6179" + inkscape:connector-curvature="0" /> + <path + sodipodi:nodetypes="cc" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)" + d="m 629.27326,296.76206 42.33457,0.0512" + id="path6203" + inkscape:connector-curvature="0" /> + <g + id="g6225" + transform="matrix(1.3762144,0,0,1.3762144,118.49324,-38.173118)"> + <rect + style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.40000001;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" + id="rect6205" + width="89.450874" + height="29.450878" + x="78.150215" + y="228.74368" + ry="3.1429582" + rx="3.1429582" /> + <g + id="g6207" + transform="matrix(1,0,0,1.0478715,-311.25716,-12.101961)"> + <text + y="258.88663" + x="393.02432" + style="font-size:9.46736145px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + transform="scale(1.0507438,0.95170677)" + id="text6209"> + <tspan + id="tspan6211" + style="font-size:10px">gpgconf</tspan> + </text> + </g> + </g> + <rect + rx="13.673332" + ry="13.673332" + y="433.47479" + x="238.81912" + height="40.571972" + width="97.554695" + id="rect6217" + style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" /> + <text + y="457.37265" + x="252.14281" + style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + id="text6219"> + <tspan + id="tspan6221" + style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">Config Files</tspan> + </text> + <path + inkscape:connector-curvature="0" + id="path6294" + d="m 799.10128,296.76206 42.33458,0.0512" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)" + sodipodi:nodetypes="cc" /> + <rect + rx="13.673332" + ry="13.673332" + y="636.94879" + x="507.69662" + height="40.571972" + width="97.554695" + id="rect3358" + style="fill:#ffffff;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" /> + <text + id="text3360" + style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="509.57916" + y="661.91278"> + <tspan + style="font-size:12.38593006px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan3362">CRLs/Certificates</tspan> + </text> + <path + sodipodi:nodetypes="cc" + style="fill:#707070;fill-opacity:1;fill-rule:evenodd;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)" + d="m 398.90883,378.89687 0,-59.343" + id="path4891" + inkscape:connector-curvature="0" /> + <path + inkscape:connector-curvature="0" + id="path4893" + d="m 601.00042,378.89687 0,-59.343" + style="fill:#707070;fill-opacity:1;fill-rule:evenodd;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)" + sodipodi:nodetypes="cc" /> + <path + sodipodi:nodetypes="cc" + style="fill:#707070;fill-opacity:1;fill-rule:evenodd;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)" + d="m 771.49503,378.89687 0,-59.343" + id="path4895" + inkscape:connector-curvature="0" /> + <g + id="g5086" + transform="translate(0,-6)"> + <rect + style="fill:#f0f0fc;fill-opacity:1;stroke:#0093dd;stroke-width:1.99633956;stroke-linejoin:round;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" + id="rect2987" + width="159.27866" + height="228.80177" + x="849.40546" + y="454.11374" /> + <text + xml:space="preserve" + style="font-size:18.12819099px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;font-family:Liberation Sans;-inkscape-font-specification:Liberation Sans" + x="913.58813" + y="498.23856" + id="text3759" + sodipodi:linespacing="125%"><tspan + sodipodi:role="line" + id="tspan3761" + x="913.58813" + y="498.23856" + style="font-size:23.30767632px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Roboto;-inkscape-font-specification:Roboto">GnuPG</tspan></text> + <g + id="g6169" + transform="matrix(0.49007212,0,0,0.49007212,836.80821,295.5608)"> + <rect + y="390.43344" + x="58.297867" + height="47.099998" + width="70" + id="rect3132" + style="fill:#0093dd;fill-opacity:1;fill-rule:nonzero;stroke:none" /> + <rect + y="371.00229" + x="63.037552" + height="19.485378" + width="15.009007" + id="rect4103" + style="fill:#0093dd;fill-opacity:1;fill-rule:nonzero;stroke:none" /> + <rect + y="371.22836" + x="108.41566" + height="19.239996" + width="15.18455" + id="rect4105" + style="fill:#0093dd;fill-opacity:1;fill-rule:nonzero;stroke:none" /> + <path + id="path6045" + d="m 93.922866,345.53344 c -22.46905,0.16165 -30.875,20.99835 -30.875,25.56249 6.14654,0 12.81165,0.34375 14.21875,0.34375 0.33001,0 0.39884,8e-5 0.71875,0 1.67836,-6.87024 7.86511,-11.96874 15.25,-11.96874 7.352024,0 13.507864,5.05103 15.218754,11.87499 0.38707,-1.8e-4 0.56404,0 0.96875,0 12.63916,0 14.125,0.0937 14.125,0.0937 0,0 -5.04885,-26.08179 -29.625004,-25.90624 z" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:none" + inkscape:connector-curvature="0" /> + <path + sodipodi:nodetypes="ccsc" + id="path7026" + d="m 68.567186,370.73896 c 11.42171,-23.28824 27.43165,-20.04817 36.688924,-18.61339 0,0 -12.173084,-5.82971 -23.874214,-0.082 -11.47547,5.63682 -12.81471,18.69542 -12.81471,18.69542 z" + style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none" + inkscape:connector-curvature="0" /> + <path + sodipodi:nodetypes="cssscccccccccc" + id="path7997" + d="m 58.047866,413.78343 c 0,0 7.78901,-8.70131 14.0625,-11 8.1875,-3 18.1875,-2.0625 34.750004,-5.375 5.86257,-1.17251 7.6875,-2.625 16.625,-7.25 0.75499,-0.39069 5.375,-0.3125 5.375,-0.3125 l -0.375,6.25 c -10.1875,10.6875 -33.437504,16.65625 -35.375004,16.5625 19.667484,2.63843 30.165594,-7.55691 34.437504,-8.1875 -9.9375,21.125 -45.187504,20.0625 -45.187504,20.0625 20.437504,5.5625 37.062504,-2.75 37.062504,-2.75 -9.3125,15.40625 -43.687504,13.3125 -43.687504,13.3125 -3.59375,0.3125 -6.5,2.625 -6.5,2.625 l -11.0625,0.3125 -0.125,-24.25 z" + style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none" + inkscape:connector-curvature="0" /> + </g> + <text + id="text5079" + style="font-size:10.04583168px;fill:#4d4d4d;fill-rule:evenodd;stroke:none;font-family:Palatino-Roman" + x="958.4126" + y="672.75244"> + <tspan + style="font-size:9px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#4d4d4d;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan4550">2016-02-16</tspan> + </text> + <path + inkscape:connector-curvature="0" + id="path5029" + d="m 858.59964,575.15188 0,0 0,0 0,0 0,0 z" + style="fill:none;stroke:#000000;stroke-width:1.37621439" /> + <path + inkscape:connector-curvature="0" + id="path5031" + d="m 850.64237,521.64467 0,0 0,0 0,0 0,0 z" + style="fill:none;stroke:#000000;stroke-width:1.37621439" /> + <path + inkscape:connector-curvature="0" + id="path5081" + d="m 925.49559,530.74765 0,0 0,0 0,0 0,0 z" + style="fill:none;stroke:#000000;stroke-width:1.37621439" /> + <text + id="text5219" + transform="scale(1.0657564,0.93830074)" + style="font-size:7.41257px;fill:#4d4d4d;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="811.75702" + y="581.03601"> + <tspan + style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#4d4d4d;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan4544">closely linked</tspan> + </text> + <g + transform="translate(0,-2)" + id="g5069"> + <text + y="611.05994" + x="812.3645" + style="font-size:7.41257px;fill:#4d4d4d;fill-rule:evenodd;stroke:none;font-family:Helvetica" + transform="scale(1.0657564,0.93830074)" + id="text5221"> + <tspan + id="tspan4546" + style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#4d4d4d;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">Assuan protocol</tspan> + </text> + <path + inkscape:connector-curvature="0" + id="path5618" + d="m 865.13523,560.69899 80.92233,0.0512" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.5048576, 2.7524288;stroke-dashoffset:0;marker-end:url(#marker6214)" + sodipodi:nodetypes="cc" /> + </g> + <path + sodipodi:nodetypes="cc" + inkscape:connector-curvature="0" + id="path4323" + d="m 865.13523,532.18831 84.92605,0" + style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none" /> + <text + y="510.38229" + x="915.55554" + style="font-size:10.04583168px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Palatino-Roman" + id="text6327"> + <tspan + id="tspan6329" + style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#4d4d4d;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">architecture</tspan> + </text> + <g + transform="translate(0,-2)" + id="g5074"> + <text + y="640.84277" + x="811.75702" + style="font-size:7.41257px;fill:#4d4d4d;fill-rule:evenodd;stroke:none;font-family:Helvetica" + transform="scale(1.0657564,0.93830073)" + id="text5217"> + <tspan + id="tspan4548" + style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#4d4d4d;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">execute/access</tspan> + </text> + <path + inkscape:connector-curvature="0" + id="path4912-6" + d="m 865.13523,587.99572 81.37511,0" + style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.5048576, 2.7524288;stroke-dashoffset:0;marker-end:url(#marker4916)" + sodipodi:nodetypes="cc" /> + </g> + <g + transform="translate(0,22.156206)" + id="g5053"> + <rect + rx="4.3253841" + ry="3.3909659" + y="612.22021" + x="865.13519" + height="18.246916" + width="84.926071" + id="rect6354" + style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" /> + <text + id="text6350" + transform="scale(1.0657564,0.93830074)" + style="font-size:7.41257px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="832.3197" + y="664.93915"> + <tspan + style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#000000;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan6352">process</tspan> + </text> + <rect + style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.40877044;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" + id="rect6356" + width="84.926071" + height="16.446747" + x="865.13519" + y="636.65216" + ry="13.673332" + rx="6.1170168" /> + <text + y="691.21802" + x="837.2547" + style="font-size:7.41257px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica" + transform="scale(1.0657564,0.93830074)" + id="text6358"> + <tspan + id="tspan6360" + style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#000000;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">object</tspan> + </text> + </g> + <g + transform="translate(0,-2)" + id="g5079"> + <path + inkscape:connector-curvature="0" + id="path5019" + d="m 865.06095,613.70189 83.42501,-0.114" + style="fill:#707070;fill-opacity:1;fill-rule:evenodd;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)" + sodipodi:nodetypes="cc" /> + <text + id="text5065" + transform="scale(1.0657564,0.93830073)" + style="font-size:7.41257px;fill:#4d4d4d;fill-rule:evenodd;stroke:none;font-family:Helvetica" + x="811.75702" + y="666.24689"> + <tspan + style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#4d4d4d;font-family:Droid Sans;-inkscape-font-specification:Droid Sans" + id="tspan5067">configure</tspan> + </text> + </g> + </g> +</svg> diff --git a/doc/gnupg.info b/doc/gnupg.info new file mode 100644 index 0000000..d3b8fe5 --- /dev/null +++ b/doc/gnupg.info @@ -0,0 +1,224 @@ +This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi. + +This is the 'The GNU Privacy Guard Manual' (version 2.2.40-beta3, +October 2022). + + (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc. +(C) 2013, 2014, 2015 Werner Koch. +(C) 2015, 2016, 2017 g10 Code GmbH. + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU General Public License as + published by the Free Software Foundation; either version 3 of the + License, or (at your option) any later version. The text of the + license can be found in the section entitled "Copying". +INFO-DIR-SECTION GNU Utilities +START-INFO-DIR-ENTRY +* gpg2: (gnupg). OpenPGP encryption and signing tool. +* gpgsm: (gnupg). S/MIME encryption and signing tool. +* gpg-agent: (gnupg). The secret key daemon. +* dirmngr: (gnupg). X.509 CRL and OCSP server. +* dirmngr-client: (gnupg). X.509 CRL and OCSP client. +END-INFO-DIR-ENTRY + + +Indirect: +gnupg.info-1: 990 +gnupg.info-2: 305399 + +Tag Table: +(Indirect) +Node: Top990 +Node: Installation2917 +Node: Invoking GPG-AGENT5266 +Node: Agent Commands7032 +Node: Agent Options8836 +Ref: option --options9116 +Ref: option --homedir9442 +Ref: option --log-file14860 +Ref: option --no-allow-mark-trusted15233 +Ref: option --no-user-trustlist15437 +Ref: option --allow-preset-passphrase15903 +Ref: option --no-allow-loopback-pinentry16056 +Ref: option --extra-socket24409 +Ref: option --enable-ssh-support25875 +Ref: option --ssh-fingerprint-digest28212 +Node: Agent Configuration29869 +Node: Agent Signals35359 +Node: Agent Examples36819 +Node: Agent Protocol37386 +Node: Agent PKDECRYPT39540 +Node: Agent PKSIGN41452 +Node: Agent GENKEY43756 +Node: Agent IMPORT45653 +Node: Agent EXPORT46097 +Node: Agent ISTRUSTED46312 +Node: Agent GET_PASSPHRASE48687 +Node: Agent CLEAR_PASSPHRASE51128 +Node: Agent PRESET_PASSPHRASE51519 +Node: Agent GET_CONFIRMATION52357 +Node: Agent HAVEKEY53029 +Node: Agent LEARN53661 +Node: Agent PASSWD53959 +Node: Agent UPDATESTARTUPTTY54425 +Node: Agent GETEVENTCOUNTER54903 +Node: Agent GETINFO55705 +Node: Agent OPTION56409 +Node: Invoking DIRMNGR59467 +Node: Dirmngr Commands60365 +Node: Dirmngr Options62818 +Ref: Dirmngr Options-Footnote-181071 +Node: Dirmngr Configuration81206 +Node: Dirmngr Signals84336 +Node: Dirmngr Examples85364 +Node: Dirmngr Protocol86046 +Node: Dirmngr LOOKUP86696 +Node: Dirmngr ISVALID88067 +Node: Dirmngr CHECKCRL90640 +Node: Dirmngr CHECKOCSP91697 +Node: Dirmngr CACHECERT93003 +Node: Dirmngr VALIDATE93842 +Node: Invoking GPG94410 +Node: GPG Commands95640 +Node: General GPG Commands96534 +Node: Operational GPG Commands97223 +Ref: option --export-ownertrust114524 +Node: OpenPGP Key Management116637 +Node: GPG Options138596 +Node: GPG Configuration Options139929 +Ref: gpg-option --options153467 +Ref: trust-model-tofu158035 +Node: GPG Key related Options178353 +Node: GPG Input and Output183549 +Node: OpenPGP Options197253 +Node: Compliance Options201981 +Node: GPG Esoteric Options205925 +Ref: GPG Esoteric Options-Footnote-1233647 +Node: Deprecated Options233801 +Node: GPG Configuration235304 +Node: GPG Examples241192 +Node: Unattended Usage of GPG250002 +Node: Programmatic use of GnuPG250633 +Node: Ephemeral home directories251184 +Node: The quick key manipulation interface252491 +Node: Unattended GPG key generation253078 +Node: Invoking GPGSM262397 +Node: GPGSM Commands263266 +Node: General GPGSM Commands263704 +Node: Operational GPGSM Commands264392 +Node: Certificate Management266426 +Node: GPGSM Options271402 +Node: Configuration Options271976 +Ref: gpgsm-option --options272245 +Node: Certificate Options275368 +Ref: gpgsm-option --validation-model278972 +Node: Input and Output279952 +Ref: option --p12-charset280535 +Ref: gpgsm-option --with-key-data281779 +Ref: gpgsm-option --with-validation282053 +Node: CMS Options282931 +Node: Esoteric Options283951 +Node: GPGSM Configuration291184 +Node: GPGSM Examples296852 +Node: Unattended Usage297049 +Node: Automated signature checking297640 +Node: CSR and certificate creation299463 +Node: GPGSM Protocol305399 +Node: GPGSM ENCRYPT306655 +Node: GPGSM DECRYPT309330 +Node: GPGSM SIGN310166 +Node: GPGSM VERIFY311622 +Node: GPGSM GENKEY312138 +Node: GPGSM LISTKEYS313153 +Ref: gpgsm-cmd listkeys313312 +Node: GPGSM EXPORT314065 +Node: GPGSM IMPORT315029 +Node: GPGSM DELETE315770 +Node: GPGSM GETAUDITLOG316277 +Ref: gpgsm-cmd getauditlog316446 +Node: GPGSM GETINFO316790 +Node: GPGSM OPTION317639 +Node: Invoking SCDAEMON320992 +Node: Scdaemon Commands321666 +Node: Scdaemon Options322794 +Node: Card applications332236 +Node: OpenPGP Card332901 +Node: NKS Card333374 +Node: DINSIG Card333700 +Node: PKCS#15 Card334076 +Node: Geldkarte Card334346 +Node: SmartCard-HSM334737 +Node: Undefined Card335333 +Node: Scdaemon Configuration335746 +Node: Scdaemon Examples336784 +Node: Scdaemon Protocol336967 +Node: Scdaemon SERIALNO338486 +Node: Scdaemon LEARN339332 +Node: Scdaemon READCERT340179 +Node: Scdaemon READKEY340581 +Node: Scdaemon PKSIGN340867 +Node: Scdaemon PKDECRYPT341593 +Node: Scdaemon GETATTR342343 +Node: Scdaemon SETATTR342545 +Node: Scdaemon WRITEKEY342750 +Node: Scdaemon GENKEY343452 +Node: Scdaemon RANDOM343655 +Node: Scdaemon PASSWD343878 +Node: Scdaemon CHECKPIN344269 +Node: Scdaemon RESTART345272 +Node: Scdaemon APDU345805 +Node: Specify a User ID346778 +Ref: how-to-specify-a-user-id346936 +Node: Trust Values351794 +Ref: trust-values351923 +Node: Helper Tools352528 +Node: watchgnupg353380 +Ref: option watchgnupg --tcp354202 +Node: gpgv355780 +Node: addgnupghome360979 +Node: gpgconf361675 +Ref: gpgconf-Footnote-1363862 +Node: Invoking gpgconf364160 +Node: Format conventions370852 +Node: Listing components376183 +Node: Checking programs378266 +Node: Listing options381004 +Node: Changing options388710 +Node: Listing global options390412 +Node: Querying versions392392 +Node: Files used by gpgconf395090 +Node: applygnupgdefaults395696 +Node: gpg-preset-passphrase396566 +Node: Invoking gpg-preset-passphrase397601 +Node: gpg-connect-agent399003 +Node: Invoking gpg-connect-agent399717 +Node: Controlling gpg-connect-agent403263 +Node: dirmngr-client409736 +Node: gpgparsemail413087 +Node: gpgtar413400 +Node: gpg-check-pattern418128 +Node: Web Key Service420430 +Node: gpg-wks-client420743 +Node: gpg-wks-server426549 +Node: Howtos431906 +Node: Howto Create a Server Cert432178 +Node: System Notes440591 +Node: W32 Notes441802 +Node: Debugging442224 +Node: Debugging Tools443052 +Node: kbxutil443332 +Node: Debugging Hints444863 +Node: Common Problems445994 +Node: Architecture Details451231 +Node: Component interaction451541 +Ref: fig:moduleoverview451727 +Node: GnuPG-1 and GnuPG-2451834 +Ref: fig:cardarchitecture452124 +Node: Copying452239 +Node: Contributors489763 +Node: Glossary496018 +Node: Option Index498537 +Node: Environment Index579841 +Node: Index585434 + +End Tag Table diff --git a/doc/gnupg.info-1 b/doc/gnupg.info-1 new file mode 100644 index 0000000..3d95d00 --- /dev/null +++ b/doc/gnupg.info-1 @@ -0,0 +1,7172 @@ +This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi. + +This is the 'The GNU Privacy Guard Manual' (version 2.2.40-beta3, +October 2022). + + (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc. +(C) 2013, 2014, 2015 Werner Koch. +(C) 2015, 2016, 2017 g10 Code GmbH. + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU General Public License as + published by the Free Software Foundation; either version 3 of the + License, or (at your option) any later version. The text of the + license can be found in the section entitled "Copying". +INFO-DIR-SECTION GNU Utilities +START-INFO-DIR-ENTRY +* gpg2: (gnupg). OpenPGP encryption and signing tool. +* gpgsm: (gnupg). S/MIME encryption and signing tool. +* gpg-agent: (gnupg). The secret key daemon. +* dirmngr: (gnupg). X.509 CRL and OCSP server. +* dirmngr-client: (gnupg). X.509 CRL and OCSP client. +END-INFO-DIR-ENTRY + + +File: gnupg.info, Node: Top, Next: Installation, Up: (dir) + +Using the GNU Privacy Guard +*************************** + +This is the 'The GNU Privacy Guard Manual' (version 2.2.40-beta3, +October 2022). + + (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc. +(C) 2013, 2014, 2015 Werner Koch. +(C) 2015, 2016, 2017 g10 Code GmbH. + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU General Public License as + published by the Free Software Foundation; either version 3 of the + License, or (at your option) any later version. The text of the + license can be found in the section entitled "Copying". + + This manual documents how to use the GNU Privacy Guard system as well +as the administration and the architecture. + +* Menu: + +* Installation:: A short installation guide. + +* Invoking GPG-AGENT:: How to launch the secret key daemon. +* Invoking DIRMNGR:: How to launch the CRL and OCSP daemon. +* Invoking GPG:: Using the OpenPGP protocol. +* Invoking GPGSM:: Using the S/MIME protocol. +* Invoking SCDAEMON:: How to handle Smartcards. +* Specify a User ID:: How to Specify a User Id. +* Trust Values:: How GnuPG displays trust values. + +* Helper Tools:: Description of small helper tools +* Web Key Service:: Tools for the Web Key Service + +* Howtos:: How to do certain things. +* System Notes:: Notes pertaining to certain OSes. +* Debugging:: How to solve problems + +* Copying:: GNU General Public License says + how you can copy and share GnuPG +* Contributors:: People who have contributed to GnuPG. + +* Glossary:: Short description of terms used. +* Option Index:: Index to command line options. +* Environment Index:: Index to environment variables and files. +* Index:: Index of concepts and symbol names. + + +File: gnupg.info, Node: Installation, Next: Invoking GPG-AGENT, Prev: Top, Up: Top + +1 A short installation guide +**************************** + +Unfortunately the installation guide has not been finished in time. +Instead of delaying the release of GnuPG 2.0 even further, I decided to +release without that guide. The chapter on gpg-agent and gpgsm do +include brief information on how to set up the whole thing. Please +watch the GnuPG website for updates of the documentation. In the +meantime you may search the GnuPG mailing list archives or ask on the +gnupg-users mailing list for advise on how to solve problems or how to +get that whole thing up and running. + + ** Building the software + + Building the software is described in the file 'INSTALL'. Given that +you are already reading this documentation we can only give some extra +hints. + + To comply with the rules on GNU systems you should have build time +configured 'gnupg' using: + + ./configure --sysconfdir=/etc --localstatedir=/var + + This is to make sure that system wide configuration files are +searched in the directory '/etc' and variable data below '/var'; the +default would be to also install them below '/usr/local' where the +binaries get installed. If you selected to use the '--prefix=/' you +obviously don't need those option as they are the default then. + + ** Notes on setting a root CA key to trusted + + X.509 is based on a hierarchical key infrastructure. At the root of +the tree a trusted anchor (root certificate) is required. There are +usually no other means of verifying whether this root certificate is +trustworthy than looking it up in a list. GnuPG uses a file +('trustlist.txt') to keep track of all root certificates it knows about. +There are 3 ways to get certificates into this list: + + * Use the list which comes with GnuPG. However this list only + contains a few root certificates. Most installations will need + more. + + * Let 'gpgsm' ask you whether you want to insert a new root + certificate. This feature is enabled by default; you may disable + it using the option 'no-allow-mark-trusted' into 'gpg-agent.conf'. + + * Manually maintain the list of trusted root certificates. For a + multi user installation this can be done once for all users on a + machine. Specific changes on a per-user base are also possible. + + +File: gnupg.info, Node: Invoking GPG-AGENT, Next: Invoking DIRMNGR, Prev: Installation, Up: Top + +2 Invoking GPG-AGENT +******************** + +'gpg-agent' is a daemon to manage secret (private) keys independently +from any protocol. It is used as a backend for 'gpg' and 'gpgsm' as +well as for a couple of other utilities. + + The agent is automatically started on demand by 'gpg', 'gpgsm', +'gpgconf', or 'gpg-connect-agent'. Thus there is no reason to start it +manually. In case you want to use the included Secure Shell Agent you +may start the agent using: + + gpg-connect-agent /bye + +If you want to manually terminate the currently-running agent, you can +safely do so with: + + gpgconf --kill gpg-agent + +You should always add the following lines to your '.bashrc' or whatever +initialization file is used for all shell invocations: + + GPG_TTY=$(tty) + export GPG_TTY + +It is important that this environment variable always reflects the +output of the 'tty' command. For W32 systems this option is not +required. + + Please make sure that a proper pinentry program has been installed +under the default filename (which is system dependent) or use the option +'pinentry-program' to specify the full name of that program. It is +often useful to install a symbolic link from the actual used pinentry +(e.g. '/usr/local/bin/pinentry-gtk') to the expected one (e.g. +'/usr/local/bin/pinentry'). + +*Note Option Index::, for an index to 'GPG-AGENT''s commands and +options. + +* Menu: + +* Agent Commands:: List of all commands. +* Agent Options:: List of all options. +* Agent Configuration:: Configuration files. +* Agent Signals:: Use of some signals. +* Agent Examples:: Some usage examples. +* Agent Protocol:: The protocol the agent uses. + + +File: gnupg.info, Node: Agent Commands, Next: Agent Options, Up: Invoking GPG-AGENT + +2.1 Commands +============ + +Commands are not distinguished from options except for the fact that +only one command is allowed. + +'--version' + Print the program version and licensing information. Note that you + cannot abbreviate this command. + +'--help' +'-h' + Print a usage message summarizing the most useful command-line + options. Note that you cannot abbreviate this command. + +'--dump-options' + Print a list of all available options and commands. Note that you + cannot abbreviate this command. + +'--server' + Run in server mode and wait for commands on the 'stdin'. The + default mode is to create a socket and listen for commands there. + +'--daemon [COMMAND LINE]' + Start the gpg-agent as a daemon; that is, detach it from the + console and run it in the background. + + As an alternative you may create a new process as a child of + gpg-agent: 'gpg-agent --daemon /bin/sh'. This way you get a new + shell with the environment setup properly; after you exit from this + shell, gpg-agent terminates within a few seconds. + +'--supervised' + Run in the foreground, sending logs by default to stderr, and + listening on provided file descriptors, which must already be bound + to listening sockets. This command is useful when running under + systemd or other similar process supervision schemes. This option + is not supported on Windows. + + In -supervised mode, different file descriptors can be provided for + use as different socket types (e.g. ssh, extra) as long as they + are identified in the environment variable 'LISTEN_FDNAMES' (see + sd_listen_fds(3) on some Linux distributions for more information + on this convention). + + +File: gnupg.info, Node: Agent Options, Next: Agent Configuration, Prev: Agent Commands, Up: Invoking GPG-AGENT + +2.2 Option Summary +================== + +Options may either be used on the command line or, after stripping off +the two leading dashes, in the configuration file. + +'--options FILE' + Reads configuration from FILE instead of from the default per-user + configuration file. The default configuration file is named + 'gpg-agent.conf' and expected in the '.gnupg' directory directly + below the home directory of the user. This option is ignored if + used in an options file. + +'--homedir DIR' + Set the name of the home directory to DIR. If this option is not + used, the home directory defaults to '~/.gnupg'. It is only + recognized when given on the command line. It also overrides any + home directory stated through the environment variable 'GNUPGHOME' + or (on Windows systems) by means of the Registry entry + HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR. + + On Windows systems it is possible to install GnuPG as a portable + application. In this case only this command line option is + considered, all other ways to set a home directory are ignored. + + To install GnuPG as a portable application under Windows, create an + empty file named 'gpgconf.ctl' in the same directory as the tool + 'gpgconf.exe'. The root of the installation is then that + directory; or, if 'gpgconf.exe' has been installed directly below a + directory named 'bin', its parent directory. You also need to make + sure that the following directories exist and are writable: + 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg' + for internal cache files. + +'-v' +'--verbose' + Outputs additional information while running. You can increase the + verbosity by giving several verbose commands to 'gpg-agent', such + as '-vv'. + +'-q' +'--quiet' + Try to be as quiet as possible. + +'--batch' + Don't invoke a pinentry or do any other thing requiring human + interaction. + +'--faked-system-time EPOCH' + This option is only useful for testing; it sets the system time + back or forth to EPOCH which is the number of seconds elapsed since + the year 1970. + +'--debug-level LEVEL' + Select the debug level for investigating problems. LEVEL may be a + numeric value or a keyword: + + 'none' + No debugging at all. A value of less than 1 may be used + instead of the keyword. + 'basic' + Some basic debug messages. A value between 1 and 2 may be + used instead of the keyword. + 'advanced' + More verbose debug messages. A value between 3 and 5 may be + used instead of the keyword. + 'expert' + Even more detailed messages. A value between 6 and 8 may be + used instead of the keyword. + 'guru' + All of the debug messages you can get. A value greater than 8 + may be used instead of the keyword. The creation of hash + tracing files is only enabled if the keyword is used. + + How these messages are mapped to the actual debugging flags is not + specified and may change with newer releases of this program. They + are however carefully selected to best aid in debugging. + +'--debug FLAGS' + This option is only useful for debugging and the behavior may + change at any time without notice. FLAGS are bit encoded and may + be given in usual C-Syntax. The currently defined bits are: + + '0 (1)' + X.509 or OpenPGP protocol related data + '1 (2)' + values of big number integers + '2 (4)' + low level crypto operations + '5 (32)' + memory allocation + '6 (64)' + caching + '7 (128)' + show memory statistics + '9 (512)' + write hashed data to files named 'dbgmd-000*' + '10 (1024)' + trace Assuan protocol + '12 (4096)' + bypass all certificate validation + +'--debug-all' + Same as '--debug=0xffffffff' + +'--debug-wait N' + When running in server mode, wait N seconds before entering the + actual processing loop and print the pid. This gives time to + attach a debugger. + +'--debug-quick-random' + This option inhibits the use of the very secure random quality + level (Libgcrypt’s 'GCRY_VERY_STRONG_RANDOM') and degrades all + request down to standard random quality. It is only used for + testing and should not be used for any production quality keys. + This option is only effective when given on the command line. + + On GNU/Linux, another way to quickly generate insecure keys is to + use 'rngd' to fill the kernel's entropy pool with lower quality + random data. 'rngd' is typically provided by the 'rng-tools' + package. It can be run as follows: 'sudo rngd -f -r /dev/urandom'. + +'--debug-pinentry' + This option enables extra debug information pertaining to the + Pinentry. As of now it is only useful when used along with + '--debug 1024'. + +'--no-detach' + Don't detach the process from the console. This is mainly useful + for debugging. + +'--steal-socket' + In '--daemon' mode, gpg-agent detects an already running gpg-agent + and does not allow to start a new instance. This option can be + used to override this check: the new gpg-agent process will try to + take over the communication sockets from the already running + process and start anyway. This option should in general not be + used. + +'-s' +'--sh' +'-c' +'--csh' + Format the info output in daemon mode for use with the standard + Bourne shell or the C-shell respectively. The default is to guess + it based on the environment variable 'SHELL' which is correct in + almost all cases. + +'--grab' +'--no-grab' + Tell the pinentry to grab the keyboard and mouse. This option + should be used on X-Servers to avoid X-sniffing attacks. Any use + of the option '--grab' overrides an used option '--no-grab'. The + default is '--no-grab'. + +'--log-file FILE' + Append all logging output to FILE. This is very helpful in seeing + what the agent actually does. Use 'socket://' to log to socket. + If neither a log file nor a log file descriptor has been set on a + Windows platform, the Registry entry + 'HKCU\Software\GNU\GnuPG:DefaultLogFile', if set, is used to + specify the logging output. + +'--no-allow-mark-trusted' + Do not allow clients to mark keys as trusted, i.e. put them into + the 'trustlist.txt' file. This makes it harder for users to + inadvertently accept Root-CA keys. + +'--no-user-trustlist' + Entirely ignore the user trust list and consider only the global + trustlist ('/etc/gnupg/trustlist.txt'). This implies the *note + option --no-allow-mark-trusted::. + +'--sys-trustlist-name FILE' + Changes the default name for the global trustlist from + "trustlist.txt" to FILE. If FILE does not contain any slashes and + does not start with "~/" it is searched in the system configuration + directory ('/etc/gnupg'). + +'--allow-preset-passphrase' + This option allows the use of 'gpg-preset-passphrase' to seed the + internal cache of 'gpg-agent' with passphrases. + +'--no-allow-loopback-pinentry' +'--allow-loopback-pinentry' + Disallow or allow clients to use the loopback pinentry features; + see the option 'pinentry-mode' for details. Allow is the default. + + The '--force' option of the Assuan command 'DELETE_KEY' is also + controlled by this option: The option is ignored if a loopback + pinentry is disallowed. + +'--no-allow-external-cache' + Tell Pinentry not to enable features which use an external cache + for passphrases. + + Some desktop environments prefer to unlock all credentials with one + master password and may have installed a Pinentry which employs an + additional external cache to implement such a policy. By using + this option the Pinentry is advised not to make use of such a cache + and instead always ask the user for the requested passphrase. + +'--allow-emacs-pinentry' + Tell Pinentry to allow features to divert the passphrase entry to a + running Emacs instance. How this is exactly handled depends on the + version of the used Pinentry. + +'--ignore-cache-for-signing' + This option will let 'gpg-agent' bypass the passphrase cache for + all signing operation. Note that there is also a per-session + option to control this behavior but this command line option takes + precedence. + +'--default-cache-ttl N' + Set the time a cache entry is valid to N seconds. The default is + 600 seconds. Each time a cache entry is accessed, the entry's + timer is reset. To set an entry's maximum lifetime, use + 'max-cache-ttl'. Note that a cached passphrase may not be evicted + immediately from memory if no client requests a cache operation. + This is due to an internal housekeeping function which is only run + every few seconds. + +'--default-cache-ttl-ssh N' + Set the time a cache entry used for SSH keys is valid to N seconds. + The default is 1800 seconds. Each time a cache entry is accessed, + the entry's timer is reset. To set an entry's maximum lifetime, + use 'max-cache-ttl-ssh'. + +'--max-cache-ttl N' + Set the maximum time a cache entry is valid to N seconds. After + this time a cache entry will be expired even if it has been + accessed recently or has been set using 'gpg-preset-passphrase'. + The default is 2 hours (7200 seconds). + +'--max-cache-ttl-ssh N' + Set the maximum time a cache entry used for SSH keys is valid to N + seconds. After this time a cache entry will be expired even if it + has been accessed recently or has been set using + 'gpg-preset-passphrase'. The default is 2 hours (7200 seconds). + +'--enforce-passphrase-constraints' + Enforce the passphrase constraints by not allowing the user to + bypass them using the "Take it anyway" button. + +'--min-passphrase-len N' + Set the minimal length of a passphrase. When entering a new + passphrase shorter than this value a warning will be displayed. + Defaults to 8. + +'--min-passphrase-nonalpha N' + Set the minimal number of digits or special characters required in + a passphrase. When entering a new passphrase with less than this + number of digits or special characters a warning will be displayed. + Defaults to 1. + +'--check-passphrase-pattern FILE' +'--check-sym-passphrase-pattern FILE' + Check the passphrase against the pattern given in FILE. When + entering a new passphrase matching one of these pattern a warning + will be displayed. If FILE does not contain any slashes and does + not start with "~/" it is searched in the system configuration + directory ('/etc/gnupg'). The default is not to use any pattern + file. The second version of this option is only used when creating + a new symmetric key to allow the use of different patterns for such + passphrases. + + Security note: It is known that checking a passphrase against a + list of pattern or even against a complete dictionary is not very + effective to enforce good passphrases. Users will soon figure up + ways to bypass such a policy. A better policy is to educate users + on good security behavior and optionally to run a passphrase + cracker regularly on all users passphrases to catch the very simple + ones. + +'--max-passphrase-days N' + Ask the user to change the passphrase if N days have passed since + the last change. With '--enforce-passphrase-constraints' set the + user may not bypass this check. + +'--enable-passphrase-history' + This option does nothing yet. + +'--pinentry-invisible-char CHAR' + This option asks the Pinentry to use CHAR for displaying hidden + characters. CHAR must be one character UTF-8 string. A Pinentry + may or may not honor this request. + +'--pinentry-timeout N' + This option asks the Pinentry to timeout after N seconds with no + user input. The default value of 0 does not ask the pinentry to + timeout, however a Pinentry may use its own default timeout value + in this case. A Pinentry may or may not honor this request. + +'--pinentry-formatted-passphrase' + This option asks the Pinentry to enable passphrase formatting when + asking the user for a new passphrase and masking of the passphrase + is turned off. + + If passphrase formatting is enabled, then all non-breaking space + characters are stripped from the entered passphrase. Passphrase + formatting is mostly useful in combination with passphrases + generated with the GENPIN feature of some Pinentries. Note that + such a generated passphrase, if not modified by the user, skips all + passphrase constraints checking because such constraints would + actually weaken the generated passphrase. + +'--pinentry-program FILENAME' + Use program FILENAME as the PIN entry. The default is installation + dependent. With the default configuration the name of the default + pinentry is 'pinentry'; if that file does not exist but a + 'pinentry-basic' exist the latter is used. + + On a Windows platform the default is to use the first existing + program from this list: 'bin\pinentry.exe', + '..\Gpg4win\bin\pinentry.exe', '..\Gpg4win\pinentry.exe', + '..\GNU\GnuPG\pinentry.exe', '..\GNU\bin\pinentry.exe', + 'bin\pinentry-basic.exe' where the file names are relative to the + GnuPG installation directory. + +'--pinentry-touch-file FILENAME' + By default the filename of the socket gpg-agent is listening for + requests is passed to Pinentry, so that it can touch that file + before exiting (it does this only in curses mode). This option + changes the file passed to Pinentry to FILENAME. The special name + '/dev/null' may be used to completely disable this feature. Note + that Pinentry will not create that file, it will only change the + modification and access time. + +'--scdaemon-program FILENAME' + Use program FILENAME as the Smartcard daemon. The default is + installation dependent and can be shown with the 'gpgconf' command. + +'--disable-scdaemon' + Do not make use of the scdaemon tool. This option has the effect + of disabling the ability to do smartcard operations. Note, that + enabling this option at runtime does not kill an already forked + scdaemon. + +'--disable-check-own-socket' + 'gpg-agent' employs a periodic self-test to detect a stolen socket. + This usually means a second instance of 'gpg-agent' has taken over + the socket and 'gpg-agent' will then terminate itself. This option + may be used to disable this self-test for debugging purposes. + +'--use-standard-socket' +'--no-use-standard-socket' +'--use-standard-socket-p' + Since GnuPG 2.1 the standard socket is always used. These options + have no more effect. The command 'gpg-agent + --use-standard-socket-p' will thus always return success. + +'--display STRING' +'--ttyname STRING' +'--ttytype STRING' +'--lc-ctype STRING' +'--lc-messages STRING' +'--xauthority STRING' + These options are used with the server mode to pass localization + information. + +'--keep-tty' +'--keep-display' + Ignore requests to change the current 'tty' or X window system's + 'DISPLAY' variable respectively. This is useful to lock the + pinentry to pop up at the 'tty' or display you started the agent. + +'--listen-backlog N' + Set the size of the queue for pending connections. The default is + 64. + +'--extra-socket NAME' + The extra socket is created by default, you may use this option to + change the name of the socket. To disable the creation of the + socket use "none" or "/dev/null" for NAME. + + Also listen on native gpg-agent connections on the given socket. + The intended use for this extra socket is to setup a Unix domain + socket forwarding from a remote machine to this socket on the local + machine. A 'gpg' running on the remote machine may then connect to + the local gpg-agent and use its private keys. This enables + decrypting or signing data on a remote machine without exposing the + private keys to the remote machine. + +'--enable-extended-key-format' +'--disable-extended-key-format' + Since version 2.2.22 keys are created in the extended private key + format by default. Changing the passphrase of a key will also + convert the key to that new format. This key format is supported + since GnuPG version 2.1.12 and thus there should be no need to + disable it. Anyway, the disable option still allows to revert to + the old behavior for new keys; be aware that keys are never + migrated back to the old format. If the enable option has been + used the disable option won't have an effect. The advantage of the + extended private key format is that it is text based and can carry + additional meta data. In extended key format the OCB mode is used + for key protection. + +'--enable-ssh-support' +'--enable-putty-support' + + The OpenSSH Agent protocol is always enabled, but 'gpg-agent' will + only set the 'SSH_AUTH_SOCK' variable if this flag is given. + + In this mode of operation, the agent does not only implement the + gpg-agent protocol, but also the agent protocol used by OpenSSH + (through a separate socket). Consequently, it should be possible + to use the gpg-agent as a drop-in replacement for the well known + ssh-agent. + + SSH Keys, which are to be used through the agent, need to be added + to the gpg-agent initially through the ssh-add utility. When a key + is added, ssh-add will ask for the password of the provided key + file and send the unprotected key material to the agent; this + causes the gpg-agent to ask for a passphrase, which is to be used + for encrypting the newly received key and storing it in a gpg-agent + specific directory. + + Once a key has been added to the gpg-agent this way, the gpg-agent + will be ready to use the key. + + Note: in case the gpg-agent receives a signature request, the user + might need to be prompted for a passphrase, which is necessary for + decrypting the stored key. Since the ssh-agent protocol does not + contain a mechanism for telling the agent on which display/terminal + it is running, gpg-agent's ssh-support will use the TTY or X + display where gpg-agent has been started. To switch this display + to the current one, the following command may be used: + + gpg-connect-agent updatestartuptty /bye + + Although all GnuPG components try to start the gpg-agent as needed, + this is not possible for the ssh support because ssh does not know + about it. Thus if no GnuPG tool which accesses the agent has been + run, there is no guarantee that ssh is able to use gpg-agent for + authentication. To fix this you may start gpg-agent if needed + using this simple command: + + gpg-connect-agent /bye + + Adding the '--verbose' shows the progress of starting the agent. + + The '--enable-putty-support' is only available under Windows and + allows the use of gpg-agent with the ssh implementation 'putty'. + This is similar to the regular ssh-agent support but makes use of + Windows message queue as required by 'putty'. + +'--ssh-fingerprint-digest' + + Select the digest algorithm used to compute ssh fingerprints that + are communicated to the user, e.g. in pinentry dialogs. OpenSSH + has transitioned from using MD5 to the more secure SHA256. + +'--auto-expand-secmem N' + Allow Libgcrypt to expand its secure memory area as required. The + optional value N is a non-negative integer with a suggested size in + bytes of each additionally allocated secure memory area. The value + is rounded up to the next 32 KiB; usual C style prefixes are + allowed. For an heavy loaded gpg-agent with many concurrent + connection this option avoids sign or decrypt errors due to out of + secure memory error returns. + +'--s2k-calibration MILLISECONDS' + Change the default calibration time to MILLISECONDS. The given + value is capped at 60 seconds; a value of 0 resets to the + compiled-in default. This option is re-read on a SIGHUP (or + 'gpgconf --reload gpg-agent') and the S2K count is then + re-calibrated. + +'--s2k-count N' + Specify the iteration count used to protect the passphrase. This + option can be used to override the auto-calibration done by + default. The auto-calibration computes a count which requires by + default 100ms to mangle a given passphrase. See also + '--s2k-calibration'. + + To view the actually used iteration count and the milliseconds + required for an S2K operation use: + + gpg-connect-agent 'GETINFO s2k_count' /bye + gpg-connect-agent 'GETINFO s2k_time' /bye + + To view the auto-calibrated count use: + + gpg-connect-agent 'GETINFO s2k_count_cal' /bye + + +File: gnupg.info, Node: Agent Configuration, Next: Agent Signals, Prev: Agent Options, Up: Invoking GPG-AGENT + +2.3 Configuration +================= + +There are a few configuration files needed for the operation of the +agent. By default they may all be found in the current home directory +(*note option --homedir::). + +'gpg-agent.conf' + This is the standard configuration file read by 'gpg-agent' on + startup. It may contain any valid long option; the leading two + dashes may not be entered and the option may not be abbreviated. + This file is also read after a 'SIGHUP' however only a few options + will actually have an effect. This default name may be changed on + the command line (*note option --options::). You should backup + this file. + +'trustlist.txt' + This is the list of trusted keys. You should backup this file. + + Comment lines, indicated by a leading hash mark, as well as empty + lines are ignored. To mark a key as trusted you need to enter its + fingerprint followed by a space and a capital letter 'S'. Colons + may optionally be used to separate the bytes of a fingerprint; this + enables cutting and pasting the fingerprint from a key listing + output. If the line is prefixed with a '!' the key is explicitly + marked as not trusted. + + Here is an example where two keys are marked as ultimately trusted + and one as not trusted: + + # CN=Wurzel ZS 3,O=Intevation GmbH,C=DE + A6935DD34EF3087973C706FC311AA2CCF733765B S + + # CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE + DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S + + # CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE + !14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S + + Before entering a key into this file, you need to ensure its + authenticity. How to do this depends on your organisation; your + administrator might have already entered those keys which are + deemed trustworthy enough into this file. Places where to look for + the fingerprint of a root certificate are letters received from the + CA or the website of the CA (after making 100% sure that this is + indeed the website of that CA). You may want to consider + disallowing interactive updates of this file by using the *note + option --no-allow-mark-trusted::. It might even be advisable to + change the permissions to read-only so that this file can't be + changed inadvertently. + + As a special feature a line 'include-default' will include a global + list of trusted certificates (e.g. '/etc/gnupg/trustlist.txt'). + This global list is also used if the local list is not available; + the *note option --no-user-trustlist:: enforces the use of only + this global list. + + It is possible to add further flags after the 'S' for use by the + caller: + + 'relax' + Relax checking of some root certificate requirements. As of + now this flag allows the use of root certificates with a + missing basicConstraints attribute (despite that it is a MUST + for CA certificates) and disables CRL checking for the root + certificate. + + 'cm' + If validation of a certificate finally issued by a CA with + this flag set fails, try again using the chain validation + model. + +'sshcontrol' + This file is used when support for the secure shell agent protocol + has been enabled (*note option --enable-ssh-support::). Only keys + present in this file are used in the SSH protocol. You should + backup this file. + + The 'ssh-add' tool may be used to add new entries to this file; you + may also add them manually. Comment lines, indicated by a leading + hash mark, as well as empty lines are ignored. An entry starts + with optional whitespace, followed by the keygrip of the key given + as 40 hex digits, optionally followed by the caching TTL in seconds + and another optional field for arbitrary flags. A non-zero TTL + overrides the global default as set by '--default-cache-ttl-ssh'. + + The only flag support is 'confirm'. If this flag is found for a + key, each use of the key will pop up a pinentry to confirm the use + of that key. The flag is automatically set if a new key was loaded + into 'gpg-agent' using the option '-c' of the 'ssh-add' command. + + The keygrip may be prefixed with a '!' to disable an entry. + + The following example lists exactly one key. Note that keys + available through a OpenPGP smartcard in the active smartcard + reader are implicitly added to this list; i.e. there is no need to + list them. + + # Key added on: 2011-07-20 20:38:46 + # Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81 + 34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm + +'private-keys-v1.d/' + + This is the directory where gpg-agent stores the private keys. + Each key is stored in a file with the name made up of the keygrip + and the suffix 'key'. You should backup all files in this + directory and take great care to keep this backup closed away. + + Note that on larger installations, it is useful to put predefined +files into the directory '/etc/skel/.gnupg' so that newly created users +start up with a working configuration. For existing users the a small +helper script is provided to create these files (*note addgnupghome::). + + +File: gnupg.info, Node: Agent Signals, Next: Agent Examples, Prev: Agent Configuration, Up: Invoking GPG-AGENT + +2.4 Use of some signals +======================= + +A running 'gpg-agent' may be controlled by signals, i.e. using the +'kill' command to send a signal to the process. + + Here is a list of supported signals: + +'SIGHUP' + This signal flushes all cached passphrases and if the program has + been started with a configuration file, the configuration file is + read again. Only certain options are honored: 'quiet', 'verbose', + 'debug', 'debug-all', 'debug-level', 'debug-pinentry', 'no-grab', + 'pinentry-program', 'pinentry-invisible-char', 'default-cache-ttl', + 'max-cache-ttl', 'ignore-cache-for-signing', 's2k-count', + 'no-allow-external-cache', 'allow-emacs-pinentry', + 'no-allow-mark-trusted', 'disable-scdaemon', and + 'disable-check-own-socket'. 'scdaemon-program' is also supported + but due to the current implementation, which calls the scdaemon + only once, it is not of much use unless you manually kill the + scdaemon. + +'SIGTERM' + Shuts down the process but waits until all current requests are + fulfilled. If the process has received 3 of these signals and + requests are still pending, a shutdown is forced. + +'SIGINT' + Shuts down the process immediately. + +'SIGUSR1' + Dump internal information to the log file. + +'SIGUSR2' + This signal is used for internal purposes. + + +File: gnupg.info, Node: Agent Examples, Next: Agent Protocol, Prev: Agent Signals, Up: Invoking GPG-AGENT + +2.5 Examples +============ + +It is important to set the environment variable 'GPG_TTY' in your login +shell, for example in the '~/.bashrc' init script: + + export GPG_TTY=$(tty) + + If you enabled the Ssh Agent Support, you also need to tell ssh about +it by adding this to your init script: + + unset SSH_AGENT_PID + if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then + export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" + fi + + +File: gnupg.info, Node: Agent Protocol, Prev: Agent Examples, Up: Invoking GPG-AGENT + +2.6 Agent's Assuan Protocol +=========================== + +Note: this section does only document the protocol, which is used by +GnuPG components; it does not deal with the ssh-agent protocol. To see +the full specification of each command, use + + gpg-connect-agent 'help COMMAND' /bye + +or just 'help' to list all available commands. + +The 'gpg-agent' daemon is started on demand by the GnuPG components. + + To identify a key we use a thing called keygrip which is the SHA-1 +hash of an canonical encoded S-Expression of the public key as used in +Libgcrypt. For the purpose of this interface the keygrip is given as a +hex string. The advantage of using this and not the hash of a +certificate is that it will be possible to use the same keypair for +different protocols, thereby saving space on the token used to keep the +secret keys. + + The 'gpg-agent' may send status messages during a command or when +returning from a command to inform a client about the progress or result +of an operation. For example, the INQUIRE_MAXLEN status message may be +sent during a server inquire to inform the client of the maximum usable +length of the inquired data (which should not be exceeded). + +* Menu: + +* Agent PKDECRYPT:: Decrypting a session key +* Agent PKSIGN:: Signing a Hash +* Agent GENKEY:: Generating a Key +* Agent IMPORT:: Importing a Secret Key +* Agent EXPORT:: Exporting a Secret Key +* Agent ISTRUSTED:: Importing a Root Certificate +* Agent GET_PASSPHRASE:: Ask for a passphrase +* Agent CLEAR_PASSPHRASE:: Expire a cached passphrase +* Agent PRESET_PASSPHRASE:: Set a passphrase for a keygrip +* Agent GET_CONFIRMATION:: Ask for confirmation +* Agent HAVEKEY:: Check whether a key is available +* Agent LEARN:: Register a smartcard +* Agent PASSWD:: Change a Passphrase +* Agent UPDATESTARTUPTTY:: Change the Standard Display +* Agent GETEVENTCOUNTER:: Get the Event Counters +* Agent GETINFO:: Return information about the process +* Agent OPTION:: Set options for the session + + +File: gnupg.info, Node: Agent PKDECRYPT, Next: Agent PKSIGN, Up: Agent Protocol + +2.6.1 Decrypting a session key +------------------------------ + +The client asks the server to decrypt a session key. The encrypted +session key should have all information needed to select the appropriate +secret key or to delegate it to a smartcard. + + SETKEY <keyGrip> + + Tell the server about the key to be used for decryption. If this is +not used, 'gpg-agent' may try to figure out the key by trying to decrypt +the message with each key available. + + PKDECRYPT + + The agent checks whether this command is allowed and then does an +INQUIRY to get the ciphertext the client should then send the cipher +text. + + S: INQUIRE CIPHERTEXT + C: D (xxxxxx + C: D xxxx) + C: END + + Please note that the server may send status info lines while reading +the data lines from the client. The data send is a SPKI like S-Exp with +this structure: + + (enc-val + (<algo> + (<param_name1> <mpi>) + ... + (<param_namen> <mpi>))) + + Where algo is a string with the name of the algorithm; see the +libgcrypt documentation for a list of valid algorithms. The number and +names of the parameters depend on the algorithm. The agent does return +an error if there is an inconsistency. + + If the decryption was successful the decrypted data is returned by +means of "D" lines. + + Here is an example session: + C: PKDECRYPT + S: INQUIRE CIPHERTEXT + C: D (enc-val elg (a 349324324) + C: D (b 3F444677CA))) + C: END + S: # session key follows + S: S PADDING 0 + S: D (value 1234567890ABCDEF0) + S: OK decryption successful + + The “PADDING†status line is only send if gpg-agent can tell what +kind of padding is used. As of now only the value 0 is used to indicate +that the padding has been removed. + + +File: gnupg.info, Node: Agent PKSIGN, Next: Agent GENKEY, Prev: Agent PKDECRYPT, Up: Agent Protocol + +2.6.2 Signing a Hash +-------------------- + +The client asks the agent to sign a given hash value. A default key +will be chosen if no key has been set. To set a key a client first +uses: + + SIGKEY <keyGrip> + + This can be used multiple times to create multiple signature, the +list of keys is reset with the next PKSIGN command or a RESET. The +server tests whether the key is a valid key to sign something and +responds with okay. + + SETHASH --hash=<name>|<algo> <hexstring> + + The client can use this command to tell the server about the data +<hexstring> (which usually is a hash) to be signed. <algo> is the +decimal encoded hash algorithm number as used by Libgcrypt. Either +<algo> or -hash=<name> must be given. Valid names for <name> are: + +'sha1' + The SHA-1 hash algorithm +'sha256' + The SHA-256 hash algorithm +'rmd160' + The RIPE-MD160 hash algorithm +'md5' + The old and broken MD5 hash algorithm +'tls-md5sha1' + A combined hash algorithm as used by the TLS protocol. + +The actual signing is done using + + PKSIGN <options> + + Options are not yet defined, but may later be used to choose among +different algorithms. The agent does then some checks, asks for the +passphrase and as a result the server returns the signature as an SPKI +like S-expression in "D" lines: + + (sig-val + (<algo> + (<param_name1> <mpi>) + ... + (<param_namen> <mpi>))) + + The operation is affected by the option + + OPTION use-cache-for-signing=0|1 + + The default of '1' uses the cache. Setting this option to '0' will +lead 'gpg-agent' to ignore the passphrase cache. Note, that there is +also a global command line option for 'gpg-agent' to globally disable +the caching. + + Here is an example session: + C: SIGKEY <keyGrip> + S: OK key available + C: SIGKEY <keyGrip> + S: OK key available + C: PKSIGN + S: # I did ask the user whether he really wants to sign + S: # I did ask the user for the passphrase + S: INQUIRE HASHVAL + C: D ABCDEF012345678901234 + C: END + S: # signature follows + S: D (sig-val rsa (s 45435453654612121212)) + S: OK + + +File: gnupg.info, Node: Agent GENKEY, Next: Agent IMPORT, Prev: Agent PKSIGN, Up: Agent Protocol + +2.6.3 Generating a Key +---------------------- + +This is used to create a new keypair and store the secret key inside the +active PSE -- which is in most cases a Soft-PSE. A not-yet-defined +option allows choosing the storage location. To get the secret key out +of the PSE, a special export tool has to be used. + + GENKEY [--no-protection] [--preset] [<cache_nonce>] + + Invokes the key generation process and the server will then inquire +on the generation parameters, like: + + S: INQUIRE KEYPARM + C: D (genkey (rsa (nbits 1024))) + C: END + + The format of the key parameters which depends on the algorithm is of +the form: + + (genkey + (algo + (parameter_name_1 ....) + .... + (parameter_name_n ....))) + + If everything succeeds, the server returns the *public key* in a SPKI +like S-Expression like this: + + (public-key + (rsa + (n <mpi>) + (e <mpi>))) + + Here is an example session: + C: GENKEY + S: INQUIRE KEYPARM + C: D (genkey (rsa (nbits 1024))) + C: END + S: D (public-key + S: D (rsa (n 326487324683264) (e 10001))) + S OK key created + + The '--no-protection' option may be used to prevent prompting for a +passphrase to protect the secret key while leaving the secret key +unprotected. The '--preset' option may be used to add the passphrase to +the cache using the default cache parameters. + + The '--inq-passwd' option may be used to create the key with a +supplied passphrase. When used the agent does an inquiry with the +keyword 'NEWPASSWD' to retrieve that passphrase. This option takes +precedence over '--no-protection'; however if the client sends a empty +(zero-length) passphrase, this is identical to '--no-protection'. + + +File: gnupg.info, Node: Agent IMPORT, Next: Agent EXPORT, Prev: Agent GENKEY, Up: Agent Protocol + +2.6.4 Importing a Secret Key +---------------------------- + +This operation is not yet supported by GpgAgent. Specialized tools are +to be used for this. + + There is no actual need because we can expect that secret keys +created by a 3rd party are stored on a smartcard. If we have generated +the key ourselves, we do not need to import it. + + +File: gnupg.info, Node: Agent EXPORT, Next: Agent ISTRUSTED, Prev: Agent IMPORT, Up: Agent Protocol + +2.6.5 Export a Secret Key +------------------------- + +Not implemented. + + Should be done by an extra tool. + + +File: gnupg.info, Node: Agent ISTRUSTED, Next: Agent GET_PASSPHRASE, Prev: Agent EXPORT, Up: Agent Protocol + +2.6.6 Importing a Root Certificate +---------------------------------- + +Actually we do not import a Root Cert but provide a way to validate any +piece of data by storing its Hash along with a description and an +identifier in the PSE. Here is the interface description: + + ISTRUSTED <fingerprint> + + Check whether the OpenPGP primary key or the X.509 certificate with +the given fingerprint is an ultimately trusted key or a trusted Root CA +certificate. The fingerprint should be given as a hexstring (without +any blanks or colons or whatever in between) and may be left padded with +00 in case of an MD5 fingerprint. GPGAgent will answer with: + + OK + + The key is in the table of trusted keys. + + ERR 304 (Not Trusted) + + The key is not in this table. + + Gpg needs the entire list of trusted keys to maintain the web of +trust; the following command is therefore quite helpful: + + LISTTRUSTED + + GpgAgent returns a list of trusted keys line by line: + + S: D 000000001234454556565656677878AF2F1ECCFF P + S: D 340387563485634856435645634856438576457A P + S: D FEDC6532453745367FD83474357495743757435D S + S: OK + + The first item on a line is the hexified fingerprint where MD5 +fingerprints are '00' padded to the left and the second item is a flag +to indicate the type of key (so that gpg is able to only take care of +PGP keys). P = OpenPGP, S = S/MIME. A client should ignore the rest of +the line, so that we can extend the format in the future. + + Finally a client should be able to mark a key as trusted: + + MARKTRUSTED FINGERPRINT "P"|"S" + + The server will then pop up a window to ask the user whether she +really trusts this key. For this it will probably ask for a text to be +displayed like this: + + S: INQUIRE TRUSTDESC + C: D Do you trust the key with the fingerprint @FPR@ + C: D bla fasel blurb. + C: END + S: OK + + Known sequences with the pattern @foo@ are replaced according to this +table: + +'@FPR16@' + Format the fingerprint according to gpg rules for a v3 keys. +'@FPR20@' + Format the fingerprint according to gpg rules for a v4 keys. +'@FPR@' + Choose an appropriate format to format the fingerprint. +'@@' + Replaced by a single '@'. + + +File: gnupg.info, Node: Agent GET_PASSPHRASE, Next: Agent CLEAR_PASSPHRASE, Prev: Agent ISTRUSTED, Up: Agent Protocol + +2.6.7 Ask for a passphrase +-------------------------- + +This function is usually used to ask for a passphrase to be used for +symmetric encryption, but may also be used by programs which need +special handling of passphrases. This command uses a syntax which helps +clients to use the agent with minimum effort. + + GET_PASSPHRASE [--data] [--check] [--no-ask] [--repeat[=N]] \ + [--qualitybar] CACHE_ID \ + [ERROR_MESSAGE PROMPT DESCRIPTION] + + CACHE_ID is expected to be a string used to identify a cached +passphrase. Use a 'X' to bypass the cache. With no other arguments the +agent returns a cached passphrase or an error. By convention either the +hexified fingerprint of the key shall be used for CACHE_ID or an +arbitrary string prefixed with the name of the calling application and a +colon: Like 'gpg:somestring'. + + ERROR_MESSAGE is either a single 'X' for no error message or a string +to be shown as an error message like (e.g. "invalid passphrase"). +Blanks must be percent escaped or replaced by '+''. + + PROMPT is either a single 'X' for a default prompt or the text to be +shown as the prompt. Blanks must be percent escaped or replaced by '+'. + + DESCRIPTION is a text shown above the entry field. Blanks must be +percent escaped or replaced by '+'. + + The agent either returns with an error or with a OK followed by the +hex encoded passphrase. Note that the length of the strings is +implicitly limited by the maximum length of a command. If the option +'--data' is used, the passphrase is not returned on the OK line but by +regular data lines; this is the preferred method. + + If the option '--check' is used, the standard passphrase constraints +checks are applied. A check is not done if the passphrase has been +found in the cache. + + If the option '--no-ask' is used and the passphrase is not in the +cache the user will not be asked to enter a passphrase but the error +code 'GPG_ERR_NO_DATA' is returned. + + If the option '--qualitybar' is used and a minimum passphrase length +has been configured, a visual indication of the entered passphrase +quality is shown. + + CLEAR_PASSPHRASE CACHE_ID + + may be used to invalidate the cache entry for a passphrase. The +function returns with OK even when there is no cached passphrase. + + +File: gnupg.info, Node: Agent CLEAR_PASSPHRASE, Next: Agent PRESET_PASSPHRASE, Prev: Agent GET_PASSPHRASE, Up: Agent Protocol + +2.6.8 Remove a cached passphrase +-------------------------------- + +Use this command to remove a cached passphrase. + + CLEAR_PASSPHRASE [--mode=normal] <cache_id> + + The '--mode=normal' option can be used to clear a CACHE_ID that was +set by gpg-agent. + + +File: gnupg.info, Node: Agent PRESET_PASSPHRASE, Next: Agent GET_CONFIRMATION, Prev: Agent CLEAR_PASSPHRASE, Up: Agent Protocol + +2.6.9 Set a passphrase for a keygrip +------------------------------------ + +This command adds a passphrase to the cache for the specified KEYGRIP. + + PRESET_PASSPHRASE [--inquire] <string_or_keygrip> <timeout> [<hexstring>] + + The passphrase is a hexadecimal string when specified. When not +specified, the passphrase will be retrieved from the pinentry module +unless the '--inquire' option was specified in which case the passphrase +will be retrieved from the client. + + The TIMEOUT parameter keeps the passphrase cached for the specified +number of seconds. A value of '-1' means infinite while '0' means the +default (currently only a timeout of -1 is allowed, which means to never +expire it). + + +File: gnupg.info, Node: Agent GET_CONFIRMATION, Next: Agent HAVEKEY, Prev: Agent PRESET_PASSPHRASE, Up: Agent Protocol + +2.6.10 Ask for confirmation +--------------------------- + +This command may be used to ask for a simple confirmation by presenting +a text and 2 buttons: Okay and Cancel. + + GET_CONFIRMATION DESCRIPTION + + DESCRIPTIONis displayed along with a Okay and Cancel button. Blanks +must be percent escaped or replaced by '+'. A 'X' may be used to +display confirmation dialog with a default text. + + The agent either returns with an error or with a OK. Note, that the +length of DESCRIPTION is implicitly limited by the maximum length of a +command. + + +File: gnupg.info, Node: Agent HAVEKEY, Next: Agent LEARN, Prev: Agent GET_CONFIRMATION, Up: Agent Protocol + +2.6.11 Check whether a key is available +--------------------------------------- + +This can be used to see whether a secret key is available. It does not +return any information on whether the key is somehow protected. + + HAVEKEY KEYGRIPS + + The agent answers either with OK or 'No_Secret_Key' (208). The +caller may want to check for other error codes as well. More than one +keygrip may be given. In this case the command returns success if at +least one of the keygrips corresponds to an available secret key. + + +File: gnupg.info, Node: Agent LEARN, Next: Agent PASSWD, Prev: Agent HAVEKEY, Up: Agent Protocol + +2.6.12 Register a smartcard +--------------------------- + + LEARN [--send] + + This command is used to register a smartcard. With the '--send' +option given the certificates are sent back. + + +File: gnupg.info, Node: Agent PASSWD, Next: Agent UPDATESTARTUPTTY, Prev: Agent LEARN, Up: Agent Protocol + +2.6.13 Change a Passphrase +-------------------------- + + PASSWD [--cache-nonce=<c>] [--passwd-nonce=<s>] [--preset] KEYGRIP + + This command is used to interactively change the passphrase of the +key identified by the hex string KEYGRIP. The '--preset' option may be +used to add the new passphrase to the cache using the default cache +parameters. + + +File: gnupg.info, Node: Agent UPDATESTARTUPTTY, Next: Agent GETEVENTCOUNTER, Prev: Agent PASSWD, Up: Agent Protocol + +2.6.14 Change the standard display +---------------------------------- + + UPDATESTARTUPTTY + + Set the startup TTY and X-DISPLAY variables to the values of this +session. This command is useful to direct future pinentry invocations +to another screen. It is only required because there is no way in the +ssh-agent protocol to convey this information. + + +File: gnupg.info, Node: Agent GETEVENTCOUNTER, Next: Agent GETINFO, Prev: Agent UPDATESTARTUPTTY, Up: Agent Protocol + +2.6.15 Get the Event Counters +----------------------------- + + GETEVENTCOUNTER + + This function return one status line with the current values of the +event counters. The event counters are useful to avoid polling by +delaying a poll until something has changed. The values are decimal +numbers in the range '0' to 'UINT_MAX' and wrapping around to 0. The +actual values should not be relied upon; they shall only be used to +detect a change. + + The currently defined counters are: +'ANY' + Incremented with any change of any of the other counters. +'KEY' + Incremented for added or removed private keys. +'CARD' + Incremented for changes of the card readers stati. + + +File: gnupg.info, Node: Agent GETINFO, Next: Agent OPTION, Prev: Agent GETEVENTCOUNTER, Up: Agent Protocol + +2.6.16 Return information about the process +------------------------------------------- + +This is a multipurpose function to return a variety of information. + + GETINFO WHAT + + The value of WHAT specifies the kind of information returned: +'version' + Return the version of the program. +'pid' + Return the process id of the process. +'socket_name' + Return the name of the socket used to connect the agent. +'ssh_socket_name' + Return the name of the socket used for SSH connections. If SSH + support has not been enabled the error 'GPG_ERR_NO_DATA' will be + returned. + + +File: gnupg.info, Node: Agent OPTION, Prev: Agent GETINFO, Up: Agent Protocol + +2.6.17 Set options for the session +---------------------------------- + +Here is a list of session options which are not yet described with other +commands. The general syntax for an Assuan option is: + + OPTION KEY=VALUE + +Supported KEYs are: + +'agent-awareness' + This may be used to tell gpg-agent of which gpg-agent version the + client is aware of. gpg-agent uses this information to enable + features which might break older clients. + +'putenv' + Change the session's environment to be used for the Pinentry. + Valid values are: + + 'NAME' + Delete envvar NAME + 'NAME=' + Set envvar NAME to the empty string + 'NAME=VALUE' + Set envvar NAME to the string VALUE. + +'use-cache-for-signing' + See Assuan command 'PKSIGN'. + +'allow-pinentry-notify' + This does not need any value. It is used to enable the + PINENTRY_LAUNCHED inquiry. + +'pinentry-mode' + This option is used to change the operation mode of the pinentry. + The following values are defined: + + 'ask' + This is the default mode which pops up a pinentry as needed. + + 'cancel' + Instead of popping up a pinentry, return the error code + 'GPG_ERR_CANCELED'. + + 'error' + Instead of popping up a pinentry, return the error code + 'GPG_ERR_NO_PIN_ENTRY'. + + 'loopback' + Use a loopback pinentry. This fakes a pinentry by using + inquiries back to the caller to ask for a passphrase. This + option may only be set if the agent has been configured for + that. To disable this feature use *note option + --no-allow-loopback-pinentry::. + +'cache-ttl-opt-preset' + This option sets the cache TTL for new entries created by GENKEY + and PASSWD commands when using the '--preset' option. It is not + used a default value is used. + +'s2k-count' + Instead of using the standard S2K count (which is computed on the + fly), the given S2K count is used for new keys or when changing the + passphrase of a key. Values below 65536 are considered to be 0. + This option is valid for the entire session or until reset to 0. + This option is useful if the key is later used on boxes which are + either much slower or faster than the actual box. + +'pretend-request-origin' + This option switches the connection into a restricted mode which + handles all further commands in the same way as they would be + handled when originating from the extra or browser socket. Note + that this option is not available in the restricted mode. Valid + values for this option are: + + 'none' + 'local' + This is a NOP and leaves the connection in the standard way. + + 'remote' + Pretend to come from a remote origin in the same way as + connections from the '--extra-socket'. + + 'browser' + Pretend to come from a local web browser in the same way as + connections from the '--browser-socket'. + + +File: gnupg.info, Node: Invoking DIRMNGR, Next: Invoking GPG, Prev: Invoking GPG-AGENT, Up: Top + +3 Invoking DIRMNGR +****************** + +Since version 2.1 of GnuPG, 'dirmngr' takes care of accessing the +OpenPGP keyservers. As with previous versions it is also used as a +server for managing and downloading certificate revocation lists (CRLs) +for X.509 certificates, downloading X.509 certificates, and providing +access to OCSP providers. Dirmngr is invoked internally by 'gpg', +'gpgsm', or via the 'gpg-connect-agent' tool. + +*Note Option Index::,for an index to 'DIRMNGR''s commands and options. + +* Menu: + +* Dirmngr Commands:: List of all commands. +* Dirmngr Options:: List of all options. +* Dirmngr Configuration:: Configuration files. +* Dirmngr Signals:: Use of signals. +* Dirmngr Examples:: Some usage examples. +* Dirmngr Protocol:: The protocol dirmngr uses. + + +File: gnupg.info, Node: Dirmngr Commands, Next: Dirmngr Options, Up: Invoking DIRMNGR + +3.1 Commands +============ + +Commands are not distinguished from options except for the fact that +only one command is allowed. + +'--version' + Print the program version and licensing information. Note that you + cannot abbreviate this command. + +'--help, -h' + Print a usage message summarizing the most useful command-line + options. Note that you cannot abbreviate this command. + +'--dump-options' + Print a list of all available options and commands. Note that you + cannot abbreviate this command. + +'--server' + Run in server mode and wait for commands on the 'stdin'. The + default mode is to create a socket and listen for commands there. + This is only used for testing. + +'--daemon' + Run in background daemon mode and listen for commands on a socket. + This is the way 'dirmngr' is started on demand by the other GnuPG + components. To force starting 'dirmngr' it is in general best to + use 'gpgconf --launch dirmngr'. + +'--supervised' + Run in the foreground, sending logs to stderr, and listening on + file descriptor 3, which must already be bound to a listening + socket. This is useful when running under systemd or other similar + process supervision schemes. This option is not supported on + Windows. + +'--list-crls' + List the contents of the CRL cache on 'stdout'. This is probably + only useful for debugging purposes. + +'--load-crl FILE' + This command requires a filename as additional argument, and it + will make Dirmngr try to import the CRL in FILE into it's cache. + Note, that this is only possible if Dirmngr is able to retrieve the + CA's certificate directly by its own means. In general it is + better to use 'gpgsm''s '--call-dirmngr loadcrl filename' command + so that 'gpgsm' can help dirmngr. + +'--fetch-crl URL' + This command requires an URL as additional argument, and it will + make dirmngr try to retrieve and import the CRL from that URL into + it's cache. This is mainly useful for debugging purposes. The + 'dirmngr-client' provides the same feature for a running dirmngr. + +'--shutdown' + This commands shuts down an running instance of Dirmngr. This + command has currently no effect. + +'--flush' + This command removes all CRLs from Dirmngr's cache. Client + requests will thus trigger reading of fresh CRLs. + + +File: gnupg.info, Node: Dirmngr Options, Next: Dirmngr Configuration, Prev: Dirmngr Commands, Up: Invoking DIRMNGR + +3.2 Option Summary +================== + +Note that all long options with the exception of '--options' and +'--homedir' may also be given in the configuration file after stripping +off the two leading dashes. + +'--options FILE' + Reads configuration from FILE instead of from the default per-user + configuration file. The default configuration file is named + 'dirmngr.conf' and expected in the home directory. + +'--homedir DIR' + Set the name of the home directory to DIR. This option is only + effective when used on the command line. The default is the + directory named '.gnupg' directly below the home directory of the + user unless the environment variable 'GNUPGHOME' has been set in + which case its value will be used. Many kinds of data are stored + within this directory. + +'-v' +'--verbose' + Outputs additional information while running. You can increase the + verbosity by giving several verbose commands to DIRMNGR, such as + '-vv'. + +'--log-file FILE' + Append all logging output to FILE. This is very helpful in seeing + what the agent actually does. Use 'socket://' to log to socket. + +'--debug-level LEVEL' + Select the debug level for investigating problems. LEVEL may be a + numeric value or by a keyword: + + 'none' + No debugging at all. A value of less than 1 may be used + instead of the keyword. + 'basic' + Some basic debug messages. A value between 1 and 2 may be + used instead of the keyword. + 'advanced' + More verbose debug messages. A value between 3 and 5 may be + used instead of the keyword. + 'expert' + Even more detailed messages. A value between 6 and 8 may be + used instead of the keyword. + 'guru' + All of the debug messages you can get. A value greater than 8 + may be used instead of the keyword. The creation of hash + tracing files is only enabled if the keyword is used. + + How these messages are mapped to the actual debugging flags is not + specified and may change with newer releases of this program. They + are however carefully selected to best aid in debugging. + +'--debug FLAGS' + Set debugging flags. This option is only useful for debugging and + its behavior may change with a new release. All flags are or-ed + and may be given in C syntax (e.g. 0x0042) or as a comma separated + list of flag names. To get a list of all supported flags the + single word "help" can be used. + +'--debug-all' + Same as '--debug=0xffffffff' + +'--tls-debug LEVEL' + Enable debugging of the TLS layer at LEVEL. The details of the + debug level depend on the used TLS library and are not set in + stone. + +'--debug-wait N' + When running in server mode, wait N seconds before entering the + actual processing loop and print the pid. This gives time to + attach a debugger. + +'--disable-check-own-socket' + On some platforms 'dirmngr' is able to detect the removal of its + socket file and shutdown itself. This option disable this + self-test for debugging purposes. + +'-s' +'--sh' +'-c' +'--csh' + Format the info output in daemon mode for use with the standard + Bourne shell respective the C-shell. The default is to guess it + based on the environment variable 'SHELL' which is in almost all + cases sufficient. + +'--force' + Enabling this option forces loading of expired CRLs; this is only + useful for debugging. + +'--use-tor' +'--no-use-tor' + The option '--use-tor' switches Dirmngr and thus GnuPG into "Tor + mode" to route all network access via Tor (an anonymity network). + Certain other features are disabled in this mode. The effect of + '--use-tor' cannot be overridden by any other command or even by + reloading dirmngr. The use of '--no-use-tor' disables the use of + Tor. The default is to use Tor if it is available on startup or + after reloading dirmngr. The test on the available of Tor is done + by trying to connects to a SOCKS proxy at either port 9050 or + 9150); if another type of proxy is listening on one of these ports, + you should use '--no-use-tor'. + +'--standard-resolver' + This option forces the use of the system's standard DNS resolver + code. This is mainly used for debugging. Note that on Windows a + standard resolver is not used and all DNS access will return the + error "Not Implemented" if this option is used. Using this + together with enabled Tor mode returns the error "Not Enabled". + +'--recursive-resolver' + When possible use a recursive resolver instead of a stub resolver. + +'--resolver-timeout N' + Set the timeout for the DNS resolver to N seconds. The default are + 30 seconds. + +'--connect-timeout N' +'--connect-quick-timeout N' + Set the timeout for HTTP and generic TCP connection attempts to N + seconds. The value set with the quick variant is used when the + -quick option has been given to certain Assuan commands. The quick + value is capped at the value of the regular connect timeout. The + default values are 15 and 2 seconds. Note that the timeout values + are for each connection attempt; the connection code will attempt + to connect all addresses listed for a server. + +'--listen-backlog N' + Set the size of the queue for pending connections. The default is + 64. + +'--allow-version-check' + Allow Dirmngr to connect to 'https://versions.gnupg.org' to get the + list of current software versions. If this option is enabled the + list is retrieved in case the local copy does not exist or is older + than 5 to 7 days. See the option '--query-swdb' of the command + 'gpgconf' for more details. Note, that regardless of this option a + version check can always be triggered using this command: + + gpg-connect-agent --dirmngr 'loadswdb --force' /bye + +'--keyserver NAME' + Use NAME as your keyserver. This is the server that 'gpg' + communicates with to receive keys, send keys, and search for keys. + The format of the NAME is a URI: 'scheme:[//]keyservername[:port]' + The scheme is the type of keyserver: "hkp" for the HTTP (or + compatible) keyservers, "ldap" for the LDAP keyservers, or "mailto" + for the Graff email keyserver. Note that your particular + installation of GnuPG may have other keyserver types available as + well. Keyserver schemes are case-insensitive. After the keyserver + name, optional keyserver configuration options may be provided. + These are the same as the '--keyserver-options' of 'gpg', but apply + only to this particular keyserver. + + Most keyservers synchronize with each other, so there is generally + no need to send keys to more than one server. Somes keyservers use + round robin DNS to give a different keyserver each time you use it. + + If exactly two keyservers are configured and only one is a Tor + hidden service (.onion), Dirmngr selects the keyserver to use + depending on whether Tor is locally running or not. The check for + a running Tor is done for each new connection. + + If no keyserver is explicitly configured, dirmngr will use the + built-in default of 'https://keyserver.ubuntu.com'. + + Windows users with a keyserver running on their Active Directory + may use the short form 'ldap:///' for NAME to access this + directory. + + For accessing anonymous LDAP keyservers NAME is in general just a + 'ldaps://ldap.example.com'. A BaseDN parameter should never be + specified. If authentication is required things are more + complicated and two methods are available: + + The modern method (since version 2.2.28) is to use the very same + syntax as used with the option '--ldapserver'. Please see over + there for details; here is an example: + + keyserver ldap:ldap.example.com::uid=USERNAME,ou=GnuPG Users, + dc=example,dc=com:PASSWORD::starttls + + The other method is to use a full URL for NAME; for example: + + keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME + %2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD + + Put this all on one line without any spaces and keep the '%2C' as + given. Replace USERNAME, PASSWORD, and the 'dc' parts according to + the instructions received from your LDAP administrator. Note that + only simple authentication (i.e. cleartext passwords) is supported + and thus using ldaps is strongly suggested (since 2.2.28 "ldaps" + defaults to port 389 and uses STARTTLS). On Windows authentication + via AD can be requested by adding 'gpgNtds=1' after the fourth + question mark instead of the bindname and password parameter. + +'--nameserver IPADDR' + In "Tor mode" Dirmngr uses a public resolver via Tor to resolve DNS + names. If the default public resolver, which is '8.8.8.8', shall + not be used a different one can be given using this option. Note + that a numerical IP address must be given (IPv6 or IPv4) and that + no error checking is done for IPADDR. + +'--disable-ipv4' +'--disable-ipv6' + Disable the use of all IPv4 or IPv6 addresses. + +'--disable-ldap' + Entirely disables the use of LDAP. + +'--disable-http' + Entirely disables the use of HTTP. + +'--ignore-http-dp' + When looking for the location of a CRL, the to be tested + certificate usually contains so called "CRL Distribution Point" + (DP) entries which are URLs describing the way to access the CRL. + The first found DP entry is used. With this option all entries + using the HTTP scheme are ignored when looking for a suitable DP. + +'--ignore-ldap-dp' + This is similar to '--ignore-http-dp' but ignores entries using the + LDAP scheme. Both options may be combined resulting in ignoring + DPs entirely. + +'--ignore-ocsp-service-url' + Ignore all OCSP URLs contained in the certificate. The effect is + to force the use of the default responder. + +'--honor-http-proxy' + If the environment variable 'http_proxy' has been set, use its + value to access HTTP servers. + +'--http-proxy [http://]HOST[:PORT]' + Use HOST and PORT to access HTTP servers. The use of this option + overrides the environment variable 'http_proxy' regardless whether + '--honor-http-proxy' has been set. + +'--ldap-proxy HOST[:PORT]' + Use HOST and PORT to connect to LDAP servers. If PORT is omitted, + port 389 (standard LDAP port) is used. This overrides any + specified host and port part in a LDAP URL and will also be used if + host and port have been omitted from the URL. + +'--only-ldap-proxy' + Never use anything else but the LDAP "proxy" as configured with + '--ldap-proxy'. Usually 'dirmngr' tries to use other configured + LDAP server if the connection using the "proxy" failed. + +'--ldapserverlist-file FILE' + Read the list of LDAP servers to consult for CRLs and X.509 + certificates from file instead of the default per-user ldap server + list file. The default value for FILE is + 'dirmngr_ldapservers.conf'. + + This server list file contains one LDAP server per line in the + format + + HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN:FLAGS + + Lines starting with a '#' are comments. + + Note that as usual all strings entered are expected to be UTF-8 + encoded. Obviously this will lead to problems if the password has + originally been encoded as Latin-1. There is no other solution + here than to put such a password in the binary encoding into the + file (i.e. non-ascii characters won't show up readable).(1) + +'--ldapserver SPEC' + This is an alternative way to specify LDAP servers for CRL and + X.509 certificate retrieval. If this option is used the servers + configured in 'dirmngr_ldapservers.conf' (or the file given by + '--ldapserverlist-file') are cleared. Note that + 'dirmngr_ldapservers.conf' is not read again by a reload signal. + However, '--ldapserver' options are read again. + + SPEC is either a proper LDAP URL or a colon delimited list of the + form + + HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN:FLAGS: + + with an optional prefix of 'ldap:' (but without the two slashes + which would turn this into a proper LDAP URL). FLAGS is a list of + one or more comma delimited keywords: + 'plain' + The default: Do not use a TLS secured connection at all; the + default port is 389. + 'starttls' + Use STARTTLS to secure the connection; the default port is + 389. + 'ldaptls' + Tunnel LDAP through a TLS connection; the default port is 636. + 'ntds' + On Windows authenticate the LDAP connection using the Active + Directory with the current user. + 'areconly' + On Windows use only the A or AAAA record when resolving the + LDAP server name. + + Note that in an URL style specification the scheme 'ldaps://' + refers to STARTTLS and _not_ to LDAP-over-TLS. + +'--ldaptimeout SECS' + Specify the number of seconds to wait for an LDAP query before + timing out. The default are 15 seconds. 0 will never timeout. + +'--add-servers' + This option makes dirmngr add any servers it discovers when + validating certificates against CRLs to the internal list of + servers to consult for certificates and CRLs. + + This option is useful when trying to validate a certificate that + has a CRL distribution point that points to a server that is not + already listed in the ldapserverlist. Dirmngr will always go to + this server and try to download the CRL, but chances are high that + the certificate used to sign the CRL is located on the same server. + So if dirmngr doesn't add that new server to list, it will often + not be able to verify the signature of the CRL unless the + '--add-servers' option is used. + + Note: The current version of dirmngr has this option disabled by + default. + +'--allow-ocsp' + This option enables OCSP support if requested by the client. + + OCSP requests are rejected by default because they may violate the + privacy of the user; for example it is possible to track the time + when a user is reading a mail. + +'--ocsp-responder URL' + Use URL as the default OCSP Responder if the certificate does not + contain information about an assigned responder. Note, that + '--ocsp-signer' must also be set to a valid certificate. + +'--ocsp-signer FPR|FILE' + Use the certificate with the fingerprint FPR to check the responses + of the default OCSP Responder. Alternatively a filename can be + given in which case the response is expected to be signed by one of + the certificates described in that file. Any argument which + contains a slash, dot or tilde is considered a filename. Usual + filename expansion takes place: A tilde at the start followed by a + slash is replaced by the content of 'HOME', no slash at start + describes a relative filename which will be searched at the home + directory. To make sure that the FILE is searched in the home + directory, either prepend the name with "./" or use a name which + contains a dot. + + If a response has been signed by a certificate described by these + fingerprints no further check upon the validity of this certificate + is done. + + The format of the FILE is a list of SHA-1 fingerprint, one per line + with optional colons between the bytes. Empty lines and lines + prefix with a hash mark are ignored. + +'--ocsp-max-clock-skew N' + The number of seconds a skew between the OCSP responder and them + local clock is accepted. Default is 600 (10 minutes). + +'--ocsp-max-period N' + Seconds a response is at maximum considered valid after the time + given in the thisUpdate field. Default is 7776000 (90 days). + +'--ocsp-current-period N' + The number of seconds an OCSP response is considered valid after + the time given in the NEXT_UPDATE datum. Default is 10800 (3 + hours). + +'--max-replies N' + Do not return more that N items in one query. The default is 10. + +'--ignore-cert-extension OID' + Add OID to the list of ignored certificate extensions. The OID is + expected to be in dotted decimal form, like '2.5.29.3'. This + option may be used more than once. Critical flagged certificate + extensions matching one of the OIDs in the list are treated as if + they are actually handled and thus the certificate won't be + rejected due to an unknown critical extension. Use this option + with care because extensions are usually flagged as critical for a + reason. + +'--ignore-cert FPR|FILE' + Entirely ignore certificates with the fingerprint FPR. As an + alternative to the fingerprint a filename can be given in which + case all certificates described in that file are ignored. Any + argument which contains a slash, dot or tilde is considered a + filename. Usual filename expansion takes place: A tilde at the + start followed by a slash is replaced by the content of 'HOME', no + slash at start describes a relative filename which will be searched + at the home directory. To make sure that the FILE is searched in + the home directory, either prepend the name with "./" or use a name + which contains a dot. The format of such a file is a list of SHA-1 + fingerprint, one per line with optional colons between the bytes. + Empty lines and lines prefixed with a hash mark are ignored. + + This option is useful as a quick workaround to exclude certain + certificates from the system store. + +'--hkp-cacert FILE' + Use the root certificates in FILE for verification of the TLS + certificates used with 'hkps' (keyserver access over TLS). If the + file is in PEM format a suffix of '.pem' is expected for FILE. + This option may be given multiple times to add more root + certificates. Tilde expansion is supported. + + If no 'hkp-cacert' directive is present, dirmngr will use the + system CAs. + + ---------- Footnotes ---------- + + (1) The 'gpgconf' tool might be helpful for frontends as it enables +editing this configuration file using percent-escaped strings. + + +File: gnupg.info, Node: Dirmngr Configuration, Next: Dirmngr Signals, Prev: Dirmngr Options, Up: Invoking DIRMNGR + +3.3 Configuration +================= + +Dirmngr makes use of several directories when running in daemon mode: +There are a few configuration files whih control the operation of +dirmngr. By default they may all be found in the current home directory +(*note option --homedir::). + +'dirmngr.conf' + This is the standard configuration file read by 'dirmngr' on + startup. It may contain any valid long option; the leading two + dashes may not be entered and the option may not be abbreviated. + This file is also read after a 'SIGHUP' however not all options + will actually have an effect. This default name may be changed on + the command line (*note option --options::). You should backup + this file. + +'/etc/gnupg/trusted-certs' + This directory should be filled with certificates of Root CAs you + are trusting in checking the CRLs and signing OCSP Responses. + + Usually these are the same certificates you use with the + applications making use of dirmngr. It is expected that each of + these certificate files contain exactly one DER encoded certificate + in a file with the suffix '.crt' or '.der'. 'dirmngr' reads those + certificates on startup and when given a SIGHUP. Certificates which + are not readable or do not make up a proper X.509 certificate are + ignored; see the log file for details. + + Applications using dirmngr (e.g. gpgsm) can request these + certificates to complete a trust chain in the same way as with the + extra-certs directory (see below). + + Note that for OCSP responses the certificate specified using the + option '--ocsp-signer' is always considered valid to sign OCSP + requests. + +'/etc/gnupg/extra-certs' + This directory may contain extra certificates which are preloaded + into the internal cache on startup. Applications using dirmngr + (e.g. gpgsm) can request cached certificates to complete a trust + chain. This is convenient in cases you have a couple intermediate + CA certificates or certificates usually used to sign OCSP + responses. These certificates are first tried before going out to + the net to look for them. These certificates must also be DER + encoded and suffixed with '.crt' or '.der'. + +'~/.gnupg/crls.d' + This directory is used to store cached CRLs. The 'crls.d' part + will be created by dirmngr if it does not exists but you need to + make sure that the upper directory exists. + + To be able to see what's going on you should create the configure +file '~/gnupg/dirmngr.conf' with at least one line: + + log-file ~/dirmngr.log + + To be able to perform OCSP requests you probably want to add the +line: + + allow-ocsp + + To make sure that new options are read and that after the +installation of a new GnuPG versions the installed dirmngr is running, +you may want to kill an existing dirmngr first: + + gpgconf --kill dirmngr + + You may check the log file to see whether all desired root +certificates have been loaded correctly. + + +File: gnupg.info, Node: Dirmngr Signals, Next: Dirmngr Examples, Prev: Dirmngr Configuration, Up: Invoking DIRMNGR + +3.4 Use of signals +================== + +A running 'dirmngr' may be controlled by signals, i.e. using the 'kill' +command to send a signal to the process. + + Here is a list of supported signals: + +'SIGHUP' + This signal flushes all internally cached CRLs as well as any + cached certificates. Then the certificate cache is reinitialized + as on startup. Options are re-read from the configuration file. + Instead of sending this signal it is better to use + gpgconf --reload dirmngr + +'SIGTERM' + Shuts down the process but waits until all current requests are + fulfilled. If the process has received 3 of these signals and + requests are still pending, a shutdown is forced. You may also use + gpgconf --kill dirmngr + instead of this signal + +'SIGINT' + Shuts down the process immediately. + +'SIGUSR1' + This prints some caching statistics to the log file. + + +File: gnupg.info, Node: Dirmngr Examples, Next: Dirmngr Protocol, Prev: Dirmngr Signals, Up: Invoking DIRMNGR + +3.5 Examples +============ + +Here is an example on how to show dirmngr's internal table of OpenPGP +keyserver addresses. The output is intended for debugging purposes and +not part of a defined API. + + gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye + + To inhibit the use of a particular host you have noticed in one of +the keyserver pools, you may use + + gpg-connect-agent --dirmngr 'keyserver --dead pgpkeys.bnd.de' /bye + + The description of the 'keyserver' command can be printed using + + gpg-connect-agent --dirmngr 'help keyserver' /bye + + +File: gnupg.info, Node: Dirmngr Protocol, Prev: Dirmngr Examples, Up: Invoking DIRMNGR + +3.6 Dirmngr's Assuan Protocol +============================= + +Assuan is the IPC protocol used to access dirmngr. This is a +description of the commands implemented by dirmngr. + +* Menu: + +* Dirmngr LOOKUP:: Look up a certificate via LDAP +* Dirmngr ISVALID:: Validate a certificate using a CRL or OCSP. +* Dirmngr CHECKCRL:: Validate a certificate using a CRL. +* Dirmngr CHECKOCSP:: Validate a certificate using OCSP. +* Dirmngr CACHECERT:: Put a certificate into the internal cache. +* Dirmngr VALIDATE:: Validate a certificate for debugging. + + +File: gnupg.info, Node: Dirmngr LOOKUP, Next: Dirmngr ISVALID, Up: Dirmngr Protocol + +3.6.1 Return the certificate(s) found +------------------------------------- + +Lookup certificate. To allow multiple patterns (which are ORed) quoting +is required: Spaces are to be translated into "+" or into "%20"; +obviously this requires that the usual escape quoting rules are applied. +The server responds with: + + S: D <DER encoded certificate> + S: END + S: D <second DER encoded certificate> + S: END + S: OK + + In this example 2 certificates are returned. The server may return +any number of certificates; OK will also be returned when no +certificates were found. The dirmngr might return a status line + + S: S TRUNCATED <n> + + To indicate that the output was truncated to N items due to a +limitation of the server or by an arbitrary set limit. + + The option '--url' may be used if instead of a search pattern a +complete URL to the certificate is known: + + C: LOOKUP --url CN%3DWerner%20Koch,o%3DIntevation%20GmbH,c%3DDE?userCertificate + + If the option '--cache-only' is given, no external lookup is done so +that only certificates from the cache are returned. + + With the option '--single', the first and only the first match will +be returned. Unless option '--cache-only' is also used, no local lookup +will be done in this case. + + +File: gnupg.info, Node: Dirmngr ISVALID, Next: Dirmngr CHECKCRL, Prev: Dirmngr LOOKUP, Up: Dirmngr Protocol + +3.6.2 Validate a certificate using a CRL or OCSP +------------------------------------------------ + + ISVALID [--only-ocsp] [--force-default-responder] CERTID|CERTFPR + + Check whether the certificate described by the CERTID has been +revoked. Due to caching, the Dirmngr is able to answer immediately in +most cases. + + The CERTID is a hex encoded string consisting of two parts, delimited +by a single dot. The first part is the SHA-1 hash of the issuer name +and the second part the serial number. + + Alternatively the certificate's SHA-1 fingerprint CERTFPR may be +given in which case an OCSP request is done before consulting the CRL. +If the option '--only-ocsp' is given, no fallback to a CRL check will be +used. If the option '--force-default-responder' is given, only the +default OCSP responder will be used and any other methods of obtaining +an OCSP responder URL won't be used. + +Common return values are: + +'GPG_ERR_NO_ERROR (0)' + This is the positive answer: The certificate is not revoked and we + have an up-to-date revocation list for that certificate. If OCSP + was used the responder confirmed that the certificate has not been + revoked. + +'GPG_ERR_CERT_REVOKED' + This is the negative answer: The certificate has been revoked. + Either it is in a CRL and that list is up to date or an OCSP + responder informed us that it has been revoked. + +'GPG_ERR_NO_CRL_KNOWN' + No CRL is known for this certificate or the CRL is not valid or out + of date. + +'GPG_ERR_NO_DATA' + The OCSP responder returned an "unknown" status. This means that + it is not aware of the certificate's status. + +'GPG_ERR_NOT_SUPPORTED' + This is commonly seen if OCSP support has not been enabled in the + configuration. + + If DirMngr has not enough information about the given certificate +(which is the case for not yet cached certificates), it will inquire the +missing data: + + S: INQUIRE SENDCERT <CertID> + C: D <DER encoded certificate> + C: END + + A client should be aware that DirMngr may ask for more than one +certificate. + + If Dirmngr has a certificate but the signature of the certificate +could not been validated because the root certificate is not known to +dirmngr as trusted, it may ask back to see whether the client trusts +this the root certificate: + + S: INQUIRE ISTRUSTED <CertHexfpr> + C: D 1 + C: END + + Only this answer will let Dirmngr consider the certificate as valid. + + +File: gnupg.info, Node: Dirmngr CHECKCRL, Next: Dirmngr CHECKOCSP, Prev: Dirmngr ISVALID, Up: Dirmngr Protocol + +3.6.3 Validate a certificate using a CRL +---------------------------------------- + +Check whether the certificate with FINGERPRINT (SHA-1 hash of the entire +X.509 certificate blob) is valid or not by consulting the CRL +responsible for this certificate. If the fingerprint has not been given +or the certificate is not known, the function inquires the certificate +using: + + S: INQUIRE TARGETCERT + C: D <DER encoded certificate> + C: END + + Thus the caller is expected to return the certificate for the request +(which should match FINGERPRINT) as a binary blob. Processing then +takes place without further interaction; in particular dirmngr tries to +locate other required certificate by its own mechanism which includes a +local certificate store as well as a list of trusted root certificates. + +The return code is 0 for success; i.e. the certificate has not been +revoked or one of the usual error codes from libgpg-error. + + +File: gnupg.info, Node: Dirmngr CHECKOCSP, Next: Dirmngr CACHECERT, Prev: Dirmngr CHECKCRL, Up: Dirmngr Protocol + +3.6.4 Validate a certificate using OCSP +--------------------------------------- + + CHECKOCSP [--force-default-responder] [FINGERPRINT] + + Check whether the certificate with FINGERPRINT (the SHA-1 hash of the +entire X.509 certificate blob) is valid by consulting the appropriate +OCSP responder. If the fingerprint has not been given or the +certificate is not known by Dirmngr, the function inquires the +certificate using: + + S: INQUIRE TARGETCERT + C: D <DER encoded certificate> + C: END + + Thus the caller is expected to return the certificate for the request +(which should match FINGERPRINT) as a binary blob. Processing then +takes place without further interaction; in particular dirmngr tries to +locate other required certificates by its own mechanism which includes a +local certificate store as well as a list of trusted root certificates. + + If the option '--force-default-responder' is given, only the default +OCSP responder is used. This option is the per-command variant of the +global option '--ignore-ocsp-service-url'. + +The return code is 0 for success; i.e. the certificate has not been +revoked or one of the usual error codes from libgpg-error. + + +File: gnupg.info, Node: Dirmngr CACHECERT, Next: Dirmngr VALIDATE, Prev: Dirmngr CHECKOCSP, Up: Dirmngr Protocol + +3.6.5 Put a certificate into the internal cache +----------------------------------------------- + +Put a certificate into the internal cache. This command might be useful +if a client knows in advance certificates required for a test and wants +to make sure they get added to the internal cache. It is also helpful +for debugging. To get the actual certificate, this command immediately +inquires it using + + S: INQUIRE TARGETCERT + C: D <DER encoded certificate> + C: END + + Thus the caller is expected to return the certificate for the request +as a binary blob. + +The return code is 0 for success; i.e. the certificate has not been +successfully cached or one of the usual error codes from libgpg-error. + + +File: gnupg.info, Node: Dirmngr VALIDATE, Prev: Dirmngr CACHECERT, Up: Dirmngr Protocol + +3.6.6 Validate a certificate for debugging +------------------------------------------ + +Validate a certificate using the certificate validation function used +internally by dirmngr. This command is only useful for debugging. To +get the actual certificate, this command immediately inquires it using + + S: INQUIRE TARGETCERT + C: D <DER encoded certificate> + C: END + + Thus the caller is expected to return the certificate for the request +as a binary blob. + + +File: gnupg.info, Node: Invoking GPG, Next: Invoking GPGSM, Prev: Invoking DIRMNGR, Up: Top + +4 Invoking GPG +************** + +'gpg' is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool +to provide digital encryption and signing services using the OpenPGP +standard. 'gpg' features complete key management and all the bells and +whistles you would expect from a full OpenPGP implementation. + + There are two main versions of GnuPG: GnuPG 1.x and GnuPG 2.x. GnuPG +2.x supports modern encryption algorithms and thus should be preferred +over GnuPG 1.x. You only need to use GnuPG 1.x if your platform doesn't +support GnuPG 2.x, or you need support for some features that GnuPG 2.x +has deprecated, e.g., decrypting data created with PGP-2 keys. + + If you are looking for version 1 of GnuPG, you may find that version +installed under the name 'gpg1'. + + *Note Option Index::, for an index to 'gpg''s commands and options. + +* Menu: + +* GPG Commands:: List of all commands. +* GPG Options:: List of all options. +* GPG Configuration:: Configuration files. +* GPG Examples:: Some usage examples. + +Developer information: +* Unattended Usage of GPG:: Using 'gpg' from other programs. + + +File: gnupg.info, Node: GPG Commands, Next: GPG Options, Up: Invoking GPG + +4.1 Commands +============ + +Commands are not distinguished from options except for the fact that +only one command is allowed. Generally speaking, irrelevant options are +silently ignored, and may not be checked for correctness. + + 'gpg' may be run with no commands. In this case it will print a +warning perform a reasonable action depending on the type of file it is +given as input (an encrypted message is decrypted, a signature is +verified, a file containing keys is listed, etc.). + + If you run into any problems, please add the option '--verbose' to +the invocation to see more diagnostics. + +* Menu: + +* General GPG Commands:: Commands not specific to the functionality. +* Operational GPG Commands:: Commands to select the type of operation. +* OpenPGP Key Management:: How to manage your keys. + + +File: gnupg.info, Node: General GPG Commands, Next: Operational GPG Commands, Up: GPG Commands + +4.1.1 Commands not specific to the function +------------------------------------------- + +'--version' + Print the program version and licensing information. Note that you + cannot abbreviate this command. + +'--help' +'-h' + Print a usage message summarizing the most useful command-line + options. Note that you cannot arbitrarily abbreviate this command + (though you can use its short form '-h'). + +'--warranty' + Print warranty information. + +'--dump-options' + Print a list of all available options and commands. Note that you + cannot abbreviate this command. + + +File: gnupg.info, Node: Operational GPG Commands, Next: OpenPGP Key Management, Prev: General GPG Commands, Up: GPG Commands + +4.1.2 Commands to select the type of operation +---------------------------------------------- + +'--sign' +'-s' + Sign a message. This command may be combined with '--encrypt' (to + sign and encrypt a message), '--symmetric' (to sign and + symmetrically encrypt a message), or both '--encrypt' and + '--symmetric' (to sign and encrypt a message that can be decrypted + using a secret key or a passphrase). The signing key is chosen by + default or can be set explicitly using the '--local-user' and + '--default-key' options. + +'--clear-sign' +'--clearsign' + Make a cleartext signature. The content in a cleartext signature + is readable without any special software. OpenPGP software is only + needed to verify the signature. cleartext signatures may modify + end-of-line whitespace for platform independence and are not + intended to be reversible. The signing key is chosen by default or + can be set explicitly using the '--local-user' and '--default-key' + options. + +'--detach-sign' +'-b' + Make a detached signature. + +'--encrypt' +'-e' + Encrypt data to one or more public keys. This command may be + combined with '--sign' (to sign and encrypt a message), + '--symmetric' (to encrypt a message that can be decrypted using a + secret key or a passphrase), or '--sign' and '--symmetric' together + (for a signed message that can be decrypted using a secret key or a + passphrase). '--recipient' and related options specify which + public keys to use for encryption. + +'--symmetric' +'-c' + Encrypt with a symmetric cipher using a passphrase. The default + symmetric cipher used is AES-128, but may be chosen with the + '--cipher-algo' option. This command may be combined with '--sign' + (for a signed and symmetrically encrypted message), '--encrypt' + (for a message that may be decrypted via a secret key or a + passphrase), or '--sign' and '--encrypt' together (for a signed + message that may be decrypted via a secret key or a passphrase). + 'gpg' caches the passphrase used for symmetric encryption so that a + decrypt operation may not require that the user needs to enter the + passphrase. The option '--no-symkey-cache' can be used to disable + this feature. + +'--store' + Store only (make a simple literal data packet). + +'--decrypt' +'-d' + Decrypt the file given on the command line (or STDIN if no file is + specified) and write it to STDOUT (or the file specified with + '--output'). If the decrypted file is signed, the signature is + also verified. This command differs from the default operation, as + it never writes to the filename which is included in the file and + it rejects files that don't begin with an encrypted message. + +'--verify' + Assume that the first argument is a signed file and verify it + without generating any output. With no arguments, the signature + packet is read from STDIN. If only one argument is given, the + specified file is expected to include a complete signature. + + With more than one argument, the first argument should specify a + file with a detached signature and the remaining files should + contain the signed data. To read the signed data from STDIN, use + '-' as the second filename. For security reasons, a detached + signature will not read the signed material from STDIN if not + explicitly specified. + + Note: If the option '--batch' is not used, 'gpg' may assume that a + single argument is a file with a detached signature, and it will + try to find a matching data file by stripping certain suffixes. + Using this historical feature to verify a detached signature is + strongly discouraged; you should always specify the data file + explicitly. + + Note: When verifying a cleartext signature, 'gpg' verifies only + what makes up the cleartext signed data and not any extra data + outside of the cleartext signature or the header lines directly + following the dash marker line. The option '--output' may be used + to write out the actual signed data, but there are other pitfalls + with this format as well. It is suggested to avoid cleartext + signatures in favor of detached signatures. + + Note: Sometimes the use of the 'gpgv' tool is easier than using the + full-fledged 'gpg' with this option. 'gpgv' is designed to compare + signed data against a list of trusted keys and returns with success + only for a good signature. It has its own manual page. + +'--multifile' + This modifies certain other commands to accept multiple files for + processing on the command line or read from STDIN with each + filename on a separate line. This allows for many files to be + processed at once. '--multifile' may currently be used along with + '--verify', '--encrypt', and '--decrypt'. Note that '--multifile + --verify' may not be used with detached signatures. + +'--verify-files' + Identical to '--multifile --verify'. + +'--encrypt-files' + Identical to '--multifile --encrypt'. + +'--decrypt-files' + Identical to '--multifile --decrypt'. + +'--list-keys' +'-k' +'--list-public-keys' + List the specified keys. If no keys are specified, then all keys + from the configured public keyrings are listed. + + Never use the output of this command in scripts or other programs. + The output is intended only for humans and its format is likely to + change. The '--with-colons' option emits the output in a stable, + machine-parseable format, which is intended for use by scripts and + other programs. + +'--list-secret-keys' +'-K' + List the specified secret keys. If no keys are specified, then all + known secret keys are listed. A '#' after the initial tags 'sec' + or 'ssb' means that the secret key or subkey is currently not + usable. We also say that this key has been taken offline (for + example, a primary key can be taken offline by exporting the key + using the command '--export-secret-subkeys'). A '>' after these + tags indicate that the key is stored on a smartcard. See also + '--list-keys'. + +'--check-signatures' +'--check-sigs' + Same as '--list-keys', but the key signatures are verified and + listed too. Note that for performance reasons the revocation + status of a signing key is not shown. This command has the same + effect as using '--list-keys' with '--with-sig-check'. + + The status of the verification is indicated by a flag directly + following the "sig" tag (and thus before the flags described below. + A "!" indicates that the signature has been successfully verified, + a "-" denotes a bad signature and a "%" is used if an error + occurred while checking the signature (e.g. a non supported + algorithm). Signatures where the public key is not available are + not listed; to see their keyids the command '--list-sigs' can be + used. + + For each signature listed, there are several flags in between the + signature status flag and keyid. These flags give additional + information about each key signature. From left to right, they are + the numbers 1-3 for certificate check level (see + '--ask-cert-level'), "L" for a local or non-exportable signature + (see '--lsign-key'), "R" for a nonRevocable signature (see the + '--edit-key' command "nrsign"), "P" for a signature that contains a + policy URL (see '--cert-policy-url'), "N" for a signature that + contains a notation (see '--cert-notation'), "X" for an eXpired + signature (see '--ask-cert-expire'), and the numbers 1-9 or "T" for + 10 and above to indicate trust signature levels (see the + '--edit-key' command "tsign"). + +'--locate-keys' +'--locate-external-keys' + Locate the keys given as arguments. This command basically uses + the same algorithm as used when locating keys for encryption and + may thus be used to see what keys 'gpg' might use. In particular + external methods as defined by '--auto-key-locate' are used to + locate a key if the arguments comain valid mail addresses. Only + public keys are listed. + + The variant '--locate-external-keys' does not consider a locally + existing key and can thus be used to force the refresh of a key via + the defined external methods. If a fingerprint is given and and + the methods defined by -auto-key-locate define LDAP servers, the + key is fetched from these resources; defined non-LDAP keyservers + are skipped. + +'--show-keys' + This commands takes OpenPGP keys as input and prints information + about them in the same way the command '--list-keys' does for + locally stored key. In addition the list options + 'show-unusable-uids', 'show-unusable-subkeys', 'show-notations' and + 'show-policy-urls' are also enabled. As usual for automated + processing, this command should be combined with the option + '--with-colons'. + +'--fingerprint' + List all keys (or the specified ones) along with their + fingerprints. This is the same output as '--list-keys' but with + the additional output of a line with the fingerprint. May also be + combined with '--check-signatures'. If this command is given + twice, the fingerprints of all secondary keys are listed too. This + command also forces pretty printing of fingerprints if the keyid + format has been set to "none". + +'--list-packets' + List only the sequence of packets. This command is only useful for + debugging. When used with option '--verbose' the actual MPI values + are dumped and not only their lengths. Note that the output of + this command may change with new releases. + +'--edit-card' +'--card-edit' + Present a menu to work with a smartcard. The subcommand "help" + provides an overview on available commands. For a detailed + description, please see the Card HOWTO at + https://gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO . + +'--card-status' + Show the content of the smart card. + +'--change-pin' + Present a menu to allow changing the PIN of a smartcard. This + functionality is also available as the subcommand "passwd" with the + '--edit-card' command. + +'--delete-keys NAME' + Remove key from the public keyring. In batch mode either '--yes' + is required or the key must be specified by fingerprint. This is a + safeguard against accidental deletion of multiple keys. If the + exclamation mark syntax is used with the fingerprint of a subkey + only that subkey is deleted; if the exclamation mark is used with + the fingerprint of the primary key the entire public key is + deleted. + +'--delete-secret-keys NAME' + Remove key from the secret keyring. In batch mode the key must be + specified by fingerprint. The option '--yes' can be used to advise + gpg-agent not to request a confirmation. This extra pre-caution is + done because 'gpg' can't be sure that the secret key (as controlled + by gpg-agent) is only used for the given OpenPGP public key. If + the exclamation mark syntax is used with the fingerprint of a + subkey only the secret part of that subkey is deleted; if the + exclamation mark is used with the fingerprint of the primary key + only the secret part of the primary key is deleted. + +'--delete-secret-and-public-key NAME' + Same as '--delete-key', but if a secret key exists, it will be + removed first. In batch mode the key must be specified by + fingerprint. The option '--yes' can be used to advise gpg-agent + not to request a confirmation. + +'--export' + Either export all keys from all keyrings (default keyring and those + registered via option '--keyring'), or if at least one name is + given, those of the given name. The exported keys are written to + STDOUT or to the file given with option '--output'. Use together + with '--armor' to mail those keys. + +'--send-keys KEYIDS' + Similar to '--export' but sends the keys to a keyserver. + Fingerprints may be used instead of key IDs. Don't send your + complete keyring to a keyserver -- select only those keys which are + new or changed by you. If no KEYIDS are given, 'gpg' does nothing. + + Take care: Keyservers are by design write only systems and thus it + is not possible to ever delete keys once they have been send to a + keyserver. + +'--export-secret-keys' +'--export-secret-subkeys' + Same as '--export', but exports the secret keys instead. The + exported keys are written to STDOUT or to the file given with + option '--output'. This command is often used along with the + option '--armor' to allow for easy printing of the key for paper + backup; however the external tool 'paperkey' does a better job of + creating backups on paper. Note that exporting a secret key can be + a security risk if the exported keys are sent over an insecure + channel. + + The second form of the command has the special property to render + the secret part of the primary key useless; this is a GNU extension + to OpenPGP and other implementations can not be expected to + successfully import such a key. Its intended use is in generating + a full key with an additional signing subkey on a dedicated + machine. This command then exports the key without the primary key + to the main machine. + + GnuPG may ask you to enter the passphrase for the key. This is + required, because the internal protection method of the secret key + is different from the one specified by the OpenPGP protocol. + +'--export-ssh-key' + This command is used to export a key in the OpenSSH public key + format. It requires the specification of one key by the usual + means and exports the latest valid subkey which has an + authentication capability to STDOUT or to the file given with + option '--output'. That output can directly be added to ssh's + 'authorized_key' file. + + By specifying the key to export using a key ID or a fingerprint + suffixed with an exclamation mark (!), a specific subkey or the + primary key can be exported. This does not even require that the + key has the authentication capability flag set. + +'--import' +'--fast-import' + Import/merge keys. This adds the given keys to the keyring. The + fast version is currently just a synonym. + + There are a few other options which control how this command works. + Most notable here is the '--import-options merge-only' option which + does not insert new keys but does only the merging of new + signatures, user-IDs and subkeys. + +'--receive-keys KEYIDS' +'--recv-keys KEYIDS' + Import the keys with the given KEYIDS from a keyserver. + +'--refresh-keys' + Request updates from a keyserver for keys that already exist on the + local keyring. This is useful for updating a key with the latest + signatures, user IDs, etc. Calling this with no arguments will + refresh the entire keyring. + +'--search-keys NAMES' + Search the keyserver for the given NAMES. Multiple names given + here will be joined together to create the search string for the + keyserver. Note that keyservers search for NAMES in a different + and simpler way than gpg does. The best choice is to use a mail + address. Due to data privacy reasons keyservers may even not even + allow searching by user id or mail address and thus may only return + results when being used with the '--recv-key' command to search by + key fingerprint or keyid. + +'--fetch-keys URIS' + Retrieve keys located at the specified URIS. Note that different + installations of GnuPG may support different protocols (HTTP, FTP, + LDAP, etc.). When using HTTPS the system provided root + certificates are used by this command. + +'--update-trustdb' + Do trust database maintenance. This command iterates over all keys + and builds the Web of Trust. This is an interactive command + because it may have to ask for the "ownertrust" values for keys. + The user has to give an estimation of how far she trusts the owner + of the displayed key to correctly certify (sign) other keys. GnuPG + only asks for the ownertrust value if it has not yet been assigned + to a key. Using the '--edit-key' menu, the assigned value can be + changed at any time. + +'--check-trustdb' + Do trust database maintenance without user interaction. From time + to time the trust database must be updated so that expired keys or + signatures and the resulting changes in the Web of Trust can be + tracked. Normally, GnuPG will calculate when this is required and + do it automatically unless '--no-auto-check-trustdb' is set. This + command can be used to force a trust database check at any time. + The processing is identical to that of '--update-trustdb' but it + skips keys with a not yet defined "ownertrust". + + For use with cron jobs, this command can be used together with + '--batch' in which case the trust database check is done only if a + check is needed. To force a run even in batch mode add the option + '--yes'. + +'--export-ownertrust' + Send the ownertrust values to STDOUT. This is useful for backup + purposes as these values are the only ones which can't be + re-created from a corrupted trustdb. Example: + gpg --export-ownertrust > otrust.txt + +'--import-ownertrust' + Update the trustdb with the ownertrust values stored in 'files' (or + STDIN if not given); existing values will be overwritten. In case + of a severely damaged trustdb and if you have a recent backup of + the ownertrust values (e.g. in the file 'otrust.txt'), you may + re-create the trustdb using these commands: + cd ~/.gnupg + rm trustdb.gpg + gpg --import-ownertrust < otrust.txt + +'--rebuild-keydb-caches' + When updating from version 1.0.6 to 1.0.7 this command should be + used to create signature caches in the keyring. It might be handy + in other situations too. + +'--print-md ALGO' +'--print-mds' + Print message digest of algorithm ALGO for all given files or + STDIN. With the second form (or a deprecated "*" for ALGO) digests + for all available algorithms are printed. + +'--gen-random 0|1|2 COUNT' + Emit COUNT random bytes of the given quality level 0, 1 or 2. If + COUNT is not given or zero, an endless sequence of random bytes + will be emitted. If used with '--armor' the output will be base64 + encoded. PLEASE, don't use this command unless you know what you + are doing; it may remove precious entropy from the system! + +'--gen-prime MODE BITS' + Use the source, Luke :-). The output format is subject to change + with ant release. + +'--enarmor' +'--dearmor' + Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor. + This is a GnuPG extension to OpenPGP and in general not very + useful. + +'--tofu-policy {auto|good|unknown|bad|ask} KEYS' + Set the TOFU policy for all the bindings associated with the + specified KEYS. For more information about the meaning of the + policies, *note trust-model-tofu::. The KEYS may be specified + either by their fingerprint (preferred) or their keyid. + + +File: gnupg.info, Node: OpenPGP Key Management, Prev: Operational GPG Commands, Up: GPG Commands + +4.1.3 How to manage your keys +----------------------------- + +This section explains the main commands for key management. + +'--quick-generate-key USER-ID [ALGO [USAGE [EXPIRE]]]' +'--quick-gen-key' + This is a simple command to generate a standard key with one user + id. In contrast to '--generate-key' the key is generated directly + without the need to answer a bunch of prompts. Unless the option + '--yes' is given, the key creation will be canceled if the given + user id already exists in the keyring. + + If invoked directly on the console without any special options an + answer to a "Continue?" style confirmation prompt is required. In + case the user id already exists in the keyring a second prompt to + force the creation of the key will show up. + + If ALGO or USAGE are given, only the primary key is created and no + prompts are shown. To specify an expiration date but still create + a primary and subkey use "default" or "future-default" for ALGO and + "default" for USAGE. For a description of these optional arguments + see the command '--quick-add-key'. The USAGE accepts also the + value "cert" which can be used to create a certification only + primary key; the default is to a create certification and signing + key. + + The EXPIRE argument can be used to specify an expiration date for + the key. Several formats are supported; commonly the ISO formats + "YYYY-MM-DD" or "YYYYMMDDThhmmss" are used. To make the key expire + in N seconds, N days, N weeks, N months, or N years use + "seconds=N", "Nd", "Nw", "Nm", or "Ny" respectively. Not + specifying a value, or using "-" results in a key expiring in a + reasonable default interval. The values "never", "none" can be + used for no expiration date. + + If this command is used with '--batch', '--pinentry-mode' has been + set to 'loopback', and one of the passphrase options + ('--passphrase', '--passphrase-fd', or '--passphrase-file') is + used, the supplied passphrase is used for the new key and the agent + does not ask for it. To create a key without any protection + '--passphrase ''' may be used. + + To create an OpenPGP key from the keys available on the currently + inserted smartcard, the special string "card" can be used for ALGO. + If the card features an encryption and a signing key, gpg will + figure them out and creates an OpenPGP key consisting of the usual + primary key and one subkey. This works only with certain + smartcards. Note that the interactive '--full-gen-key' command + allows to do the same but with greater flexibility in the selection + of the smartcard keys. + + Note that it is possible to create a primary key and a subkey using + non-default algorithms by using "default" and changing the default + parameters using the option '--default-new-key-algo'. + +'--quick-set-expire FPR EXPIRE [*|SUBFPRS]' + With two arguments given, directly set the expiration time of the + primary key identified by FPR to EXPIRE. To remove the expiration + time '0' can be used. With three arguments and the third given as + an asterisk, the expiration time of all non-revoked and not yet + expired subkeys are set to EXPIRE. With more than two arguments + and a list of fingerprints given for SUBFPRS, all non-revoked + subkeys matching these fingerprints are set to EXPIRE. + +'--quick-add-key FPR [ALGO [USAGE [EXPIRE]]]' + Directly add a subkey to the key identified by the fingerprint FPR. + Without the optional arguments an encryption subkey is added. If + any of the arguments are given a more specific subkey is added. + + ALGO may be any of the supported algorithms or curve names given in + the format as used by key listings. To use the default algorithm + the string "default" or "-" can be used. Supported algorithms are + "rsa", "dsa", "elg", "ed25519", "cv25519", and other ECC curves. + For example the string "rsa" adds an RSA key with the default key + length; a string "rsa4096" requests that the key length is 4096 + bits. The string "future-default" is an alias for the algorithm + which will likely be used as default algorithm in future versions + of gpg. To list the supported ECC curves the command 'gpg + --with-colons --list-config curve' can be used. + + Depending on the given ALGO the subkey may either be an encryption + subkey or a signing subkey. If an algorithm is capable of signing + and encryption and such a subkey is desired, a USAGE string must be + given. This string is either "default" or "-" to keep the default + or a comma delimited list (or space delimited list) of keywords: + "sign" for a signing subkey, "auth" for an authentication subkey, + and "encr" for an encryption subkey ("encrypt" can be used as alias + for "encr"). The valid combinations depend on the algorithm. + + The EXPIRE argument can be used to specify an expiration date for + the key. Several formats are supported; commonly the ISO formats + "YYYY-MM-DD" or "YYYYMMDDThhmmss" are used. To make the key expire + in N seconds, N days, N weeks, N months, or N years use + "seconds=N", "Nd", "Nw", "Nm", or "Ny" respectively. Not + specifying a value, or using "-" results in a key expiring in a + reasonable default interval. The values "never", "none" can be + used for no expiration date. + +'--generate-key' +'--gen-key' + Generate a new key pair using the current default parameters. This + is the standard command to create a new key. In addition to the + key a revocation certificate is created and stored in the + 'openpgp-revocs.d' directory below the GnuPG home directory. + +'--full-generate-key' +'--full-gen-key' + Generate a new key pair with dialogs for all options. This is an + extended version of '--generate-key'. + + There is also a feature which allows you to create keys in batch + mode. See the manual section "Unattended key generation" on how to + use this. + +'--generate-revocation NAME' +'--gen-revoke NAME' + Generate a revocation certificate for the complete key. To only + revoke a subkey or a key signature, use the '--edit' command. + + This command merely creates the revocation certificate so that it + can be used to revoke the key if that is ever needed. To actually + revoke a key the created revocation certificate needs to be merged + with the key to revoke. This is done by importing the revocation + certificate using the '--import' command. Then the revoked key + needs to be published, which is best done by sending the key to a + keyserver (command '--send-key') and by exporting ('--export') it + to a file which is then send to frequent communication partners. + +'--generate-designated-revocation NAME' +'--desig-revoke NAME' + Generate a designated revocation certificate for a key. This + allows a user (with the permission of the keyholder) to revoke + someone else's key. + +'--edit-key' + Present a menu which enables you to do most of the key management + related tasks. It expects the specification of a key on the + command line. + + uid N + Toggle selection of user ID or photographic user ID with index + N. Use '*' to select all and '0' to deselect all. + + key N + Toggle selection of subkey with index N or key ID N. Use '*' + to select all and '0' to deselect all. + + sign + Make a signature on key of user 'name'. If the key is not yet + signed by the default user (or the users given with '-u'), the + program displays the information of the key again, together + with its fingerprint and asks whether it should be signed. + This question is repeated for all users specified with '-u'. + + lsign + Same as "sign" but the signature is marked as non-exportable + and will therefore never be used by others. This may be used + to make keys valid only in the local environment. + + nrsign + Same as "sign" but the signature is marked as non-revocable + and can therefore never be revoked. + + tsign + Make a trust signature. This is a signature that combines the + notions of certification (like a regular signature), and trust + (like the "trust" command). It is generally only useful in + distinct communities or groups. For more information please + read the sections "Trust Signature" and "Regular Expression" + in RFC-4880. + + Note that "l" (for local / non-exportable), "nr" (for + non-revocable, and "t" (for trust) may be freely mixed and prefixed + to "sign" to create a signature of any type desired. + + If the option '--only-sign-text-ids' is specified, then any + non-text based user ids (e.g., photo IDs) will not be selected for + signing. + + delsig + Delete a signature. Note that it is not possible to retract a + signature, once it has been send to the public (i.e. to a + keyserver). In that case you better use 'revsig'. + + revsig + Revoke a signature. For every signature which has been + generated by one of the secret keys, GnuPG asks whether a + revocation certificate should be generated. + + check + Check the signatures on all selected user IDs. With the extra + option 'selfsig' only self-signatures are shown. + + adduid + Create an additional user ID. + + addphoto + Create a photographic user ID. This will prompt for a JPEG + file that will be embedded into the user ID. Note that a very + large JPEG will make for a very large key. Also note that + some programs will display your JPEG unchanged (GnuPG), and + some programs will scale it to fit in a dialog box (PGP). + + showphoto + Display the selected photographic user ID. + + deluid + Delete a user ID or photographic user ID. Note that it is not + possible to retract a user id, once it has been send to the + public (i.e. to a keyserver). In that case you better use + 'revuid'. + + revuid + Revoke a user ID or photographic user ID. + + primary + Flag the current user id as the primary one, removes the + primary user id flag from all other user ids and sets the + timestamp of all affected self-signatures one second ahead. + Note that setting a photo user ID as primary makes it primary + over other photo user IDs, and setting a regular user ID as + primary makes it primary over other regular user IDs. + + keyserver + Set a preferred keyserver for the specified user ID(s). This + allows other users to know where you prefer they get your key + from. See '--keyserver-options honor-keyserver-url' for more + on how this works. Setting a value of "none" removes an + existing preferred keyserver. + + notation + Set a name=value notation for the specified user ID(s). See + '--cert-notation' for more on how this works. Setting a value + of "none" removes all notations, setting a notation prefixed + with a minus sign (-) removes that notation, and setting a + notation name (without the =value) prefixed with a minus sign + removes all notations with that name. + + pref + List preferences from the selected user ID. This shows the + actual preferences, without including any implied preferences. + + showpref + More verbose preferences listing for the selected user ID. + This shows the preferences in effect by including the implied + preferences of 3DES (cipher), SHA-1 (digest), and Uncompressed + (compression) if they are not already included in the + preference list. In addition, the preferred keyserver and + signature notations (if any) are shown. + + setpref STRING + Set the list of user ID preferences to STRING for all (or just + the selected) user IDs. Calling setpref with no arguments + sets the preference list to the default (either built-in or + set via '--default-preference-list'), and calling setpref with + "none" as the argument sets an empty preference list. Use + 'gpg --version' to get a list of available algorithms. Note + that while you can change the preferences on an attribute user + ID (aka "photo ID"), GnuPG does not select keys via attribute + user IDs so these preferences will not be used by GnuPG. + + When setting preferences, you should list the algorithms in + the order which you'd like to see them used by someone else + when encrypting a message to your key. If you don't include + 3DES, it will be automatically added at the end. Note that + there are many factors that go into choosing an algorithm (for + example, your key may not be the only recipient), and so the + remote OpenPGP application being used to send to you may or + may not follow your exact chosen order for a given message. + It will, however, only choose an algorithm that is present on + the preference list of every recipient key. See also the + INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below. + + addkey + Add a subkey to this key. + + addcardkey + Generate a subkey on a card and add it to this key. + + keytocard + Transfer the selected secret subkey (or the primary key if no + subkey has been selected) to a smartcard. The secret key in + the keyring will be replaced by a stub if the key could be + stored successfully on the card and you use the save command + later. Only certain key types may be transferred to the card. + A sub menu allows you to select on what card to store the key. + Note that it is not possible to get that key back from the + card - if the card gets broken your secret key will be lost + unless you have a backup somewhere. + + bkuptocard FILE + Restore the given FILE to a card. This command may be used to + restore a backup key (as generated during card initialization) + to a new card. In almost all cases this will be the + encryption key. You should use this command only with the + corresponding public key and make sure that the file given as + argument is indeed the backup to restore. You should then + select 2 to restore as encryption key. You will first be + asked to enter the passphrase of the backup key and then for + the Admin PIN of the card. + + delkey + Remove a subkey (secondary key). Note that it is not possible + to retract a subkey, once it has been send to the public (i.e. + to a keyserver). In that case you better use 'revkey'. Also + note that this only deletes the public part of a key. + + revkey + Revoke a subkey. + + expire + Change the key or subkey expiration time. If a subkey is + selected, the expiration time of this subkey will be changed. + With no selection, the key expiration of the primary key is + changed. + + trust + Change the owner trust value for the key. This updates the + trust-db immediately and no save is required. + + disable + enable + Disable or enable an entire key. A disabled key can not + normally be used for encryption. + + addrevoker + Add a designated revoker to the key. This takes one optional + argument: "sensitive". If a designated revoker is marked as + sensitive, it will not be exported by default (see + export-options). + + passwd + Change the passphrase of the secret key. + + toggle + This is dummy command which exists only for backward + compatibility. + + clean + Compact (by removing all signatures except the selfsig) any + user ID that is no longer usable (e.g. revoked, or expired). + Then, remove any signatures that are not usable by the trust + calculations. Specifically, this removes any signature that + does not validate, any signature that is superseded by a later + signature, revoked signatures, and signatures issued by keys + that are not present on the keyring. + + minimize + Make the key as small as possible. This removes all + signatures from each user ID except for the most recent + self-signature. + + change-usage + Change the usage flags (capabilities) of the primary key or of + subkeys. These usage flags (e.g. Certify, Sign, + Authenticate, Encrypt) are set during key creation. Sometimes + it is useful to have the opportunity to change them (for + example to add Authenticate) after they have been created. + Please take care when doing this; the allowed usage flags + depend on the key algorithm. + + cross-certify + Add cross-certification signatures to signing subkeys that may + not currently have them. Cross-certification signatures + protect against a subtle attack against signing subkeys. See + '--require-cross-certification'. All new keys generated have + this signature by default, so this command is only useful to + bring older keys up to date. + + save + Save all changes to the keyring and quit. + + quit + Quit the program without updating the keyring. + + The listing shows you the key with its secondary keys and all user + IDs. The primary user ID is indicated by a dot, and selected keys + or user IDs are indicated by an asterisk. The trust value is + displayed with the primary key: "trust" is the assigned owner trust + and "validity" is the calculated validity of the key. Validity + values are also displayed for all user IDs. For possible values of + trust, *note trust-values::. + +'--sign-key NAME' + Signs a public key with your secret key. This is a shortcut + version of the subcommand "sign" from '--edit'. + +'--lsign-key NAME' + Signs a public key with your secret key but marks it as + non-exportable. This is a shortcut version of the subcommand + "lsign" from '--edit-key'. + +'--quick-sign-key FPR [NAMES]' +'--quick-lsign-key FPR [NAMES]' + Directly sign a key from the passphrase without any further user + interaction. The FPR must be the verified primary fingerprint of a + key in the local keyring. If no NAMES are given, all useful user + ids are signed; with given [NAMES] only useful user ids matching + one of theses names are signed. By default, or if a name is + prefixed with a '*', a case insensitive substring match is used. + If a name is prefixed with a '=' a case sensitive exact match is + done. + + The command '--quick-lsign-key' marks the signatures as + non-exportable. If such a non-exportable signature already exists + the '--quick-sign-key' turns it into a exportable signature. If + you need to update an existing signature, for example to add or + change notation data, you need to use the option + '--force-sign-key'. + + This command uses reasonable defaults and thus does not provide the + full flexibility of the "sign" subcommand from '--edit-key'. Its + intended use is to help unattended key signing by utilizing a list + of verified fingerprints. + +'--quick-add-uid USER-ID NEW-USER-ID' + This command adds a new user id to an existing key. In contrast to + the interactive sub-command 'adduid' of '--edit-key' the + NEW-USER-ID is added verbatim with only leading and trailing white + space removed, it is expected to be UTF-8 encoded, and no checks on + its form are applied. + +'--quick-revoke-uid USER-ID USER-ID-TO-REVOKE' + This command revokes a user ID on an existing key. It cannot be + used to revoke the last user ID on key (some non-revoked user ID + must remain), with revocation reason "User ID is no longer valid". + If you want to specify a different revocation reason, or to supply + supplementary revocation text, you should use the interactive + sub-command 'revuid' of '--edit-key'. + +'--quick-revoke-sig FPR SIGNING-FPR [NAMES]' + This command revokes the key signatures made by SIGNING-FPR from + the key specified by the fingerprint FPR. With NAMES given only + the signatures on user ids of the key matching any of the given + names are affected (see '--quick-sign-key'). If a revocation + already exists a notice is printed instead of creating a new + revocation; no error is returned in this case. Note that key + signature revocations may be superseded by a newer key signature + and in turn again revoked. + +'--quick-set-primary-uid USER-ID PRIMARY-USER-ID' + This command sets or updates the primary user ID flag on an + existing key. USER-ID specifies the key and PRIMARY-USER-ID the + user ID which shall be flagged as the primary user ID. The primary + user ID flag is removed from all other user ids and the timestamp + of all affected self-signatures is set one second ahead. + +'--change-passphrase USER-ID' +'--passwd USER-ID' + Change the passphrase of the secret key belonging to the + certificate specified as USER-ID. This is a shortcut for the + sub-command 'passwd' of the edit key menu. When using together + with the option '--dry-run' this will not actually change the + passphrase but check that the current passphrase is correct. + + +File: gnupg.info, Node: GPG Options, Next: GPG Configuration, Prev: GPG Commands, Up: Invoking GPG + +4.2 Option Summary +================== + +'gpg' features a bunch of options to control the exact behaviour and to +change the default configuration. + +* Menu: + +* GPG Configuration Options:: How to change the configuration. +* GPG Key related Options:: Key related options. +* GPG Input and Output:: Input and Output. +* OpenPGP Options:: OpenPGP protocol specific options. +* Compliance Options:: Compliance options. +* GPG Esoteric Options:: Doing things one usually doesn't want to do. +* Deprecated Options:: Deprecated options. + + Long options can be put in an options file (default +"~/.gnupg/gpg.conf"). Short option names will not work - for example, +"armor" is a valid option for the options file, while "a" is not. Do +not write the 2 dashes, but simply the name of the option and any +required arguments. Lines with a hash ('#') as the first +non-white-space character are ignored. Commands may be put in this file +too, but that is not generally useful as the command will execute +automatically with every execution of gpg. + + Please remember that option parsing stops as soon as a non-option is +encountered, you can explicitly stop parsing by using the special option +'--'. + + +File: gnupg.info, Node: GPG Configuration Options, Next: GPG Key related Options, Up: GPG Options + +4.2.1 How to change the configuration +------------------------------------- + +These options are used to change the configuration and most of them are +usually found in the option file. + +'--default-key NAME' + Use NAME as the default key to sign with. If this option is not + used, the default key is the first key found in the secret keyring. + Note that '-u' or '--local-user' overrides this option. This + option may be given multiple times. In this case, the last key for + which a secret key is available is used. If there is no secret key + available for any of the specified values, GnuPG will not emit an + error message but continue as if this option wasn't given. + +'--default-recipient NAME' + Use NAME as default recipient if option '--recipient' is not used + and don't ask if this is a valid one. NAME must be non-empty. + +'--default-recipient-self' + Use the default key as default recipient if option '--recipient' is + not used and don't ask if this is a valid one. The default key is + the first one from the secret keyring or the one set with + '--default-key'. + +'--no-default-recipient' + Reset '--default-recipient' and '--default-recipient-self'. Should + not be used in an option file. + +'-v, --verbose' + Give more information during processing. If used twice, the input + data is listed in detail. + +'--no-verbose' + Reset verbose level to 0. Should not be used in an option file. + +'-q, --quiet' + Try to be as quiet as possible. Should not be used in an option + file. + +'--batch' +'--no-batch' + Use batch mode. Never ask, do not allow interactive commands. + '--no-batch' disables this option. Note that even with a filename + given on the command line, gpg might still need to read from STDIN + (in particular if gpg figures that the input is a detached + signature and no data file has been specified). Thus if you do not + want to feed data via STDIN, you should connect STDIN to + '/dev/null'. + + It is highly recommended to use this option along with the options + '--status-fd' and '--with-colons' for any unattended use of 'gpg'. + Should not be used in an option file. + +'--no-tty' + Make sure that the TTY (terminal) is never used for any output. + This option is needed in some cases because GnuPG sometimes prints + warnings to the TTY even if '--batch' is used. + +'--yes' + Assume "yes" on most questions. Should not be used in an option + file. + +'--no' + Assume "no" on most questions. Should not be used in an option + file. + +'--list-options PARAMETERS' + This is a space or comma delimited string that gives options used + when listing keys and signatures (that is, '--list-keys', + '--check-signatures', '--list-public-keys', '--list-secret-keys', + and the '--edit-key' functions). Options can be prepended with a + 'no-' (after the two dashes) to give the opposite meaning. The + options are: + + show-photos + Causes '--list-keys', '--check-signatures', + '--list-public-keys', and '--list-secret-keys' to display any + photo IDs attached to the key. Defaults to no. See also + '--photo-viewer'. Does not work with '--with-colons': see + '--attribute-fd' for the appropriate way to get photo data for + scripts and other frontends. + + show-usage + Show usage information for keys and subkeys in the standard + key listing. This is a list of letters indicating the allowed + usage for a key ('E'=encryption, 'S'=signing, + 'C'=certification, 'A'=authentication). Defaults to yes. + + show-policy-urls + Show policy URLs in the '--check-signatures' listings. + Defaults to no. + + show-notations + show-std-notations + show-user-notations + Show all, IETF standard, or user-defined signature notations + in the '--check-signatures' listings. Defaults to no. + + show-keyserver-urls + Show any preferred keyserver URL in the '--check-signatures' + listings. Defaults to no. + + show-uid-validity + Display the calculated validity of user IDs during key + listings. Defaults to yes. + + show-unusable-uids + Show revoked and expired user IDs in key listings. Defaults + to no. + + show-unusable-subkeys + Show revoked and expired subkeys in key listings. Defaults to + no. + + show-keyring + Display the keyring name at the head of key listings to show + which keyring a given key resides on. Defaults to no. + + show-sig-expire + Show signature expiration dates (if any) during + '--check-signatures' listings. Defaults to no. + + show-sig-subpackets + Include signature subpackets in the key listing. This option + can take an optional argument list of the subpackets to list. + If no argument is passed, list all subpackets. Defaults to + no. This option is only meaningful when using '--with-colons' + along with '--check-signatures'. + + show-only-fpr-mbox + For each user-id which has a valid mail address print only the + fingerprint followed by the mail address. + +'--verify-options PARAMETERS' + This is a space or comma delimited string that gives options used + when verifying signatures. Options can be prepended with a 'no-' + to give the opposite meaning. The options are: + + show-photos + Display any photo IDs present on the key that issued the + signature. Defaults to no. See also '--photo-viewer'. + + show-policy-urls + Show policy URLs in the signature being verified. Defaults to + yes. + + show-notations + show-std-notations + show-user-notations + Show all, IETF standard, or user-defined signature notations + in the signature being verified. Defaults to IETF standard. + + show-keyserver-urls + Show any preferred keyserver URL in the signature being + verified. Defaults to yes. + + show-uid-validity + Display the calculated validity of the user IDs on the key + that issued the signature. Defaults to yes. + + show-unusable-uids + Show revoked and expired user IDs during signature + verification. Defaults to no. + + show-primary-uid-only + Show only the primary user ID during signature verification. + That is all the AKA lines as well as photo Ids are not shown + with the signature verification status. + + pka-lookups + Enable PKA lookups to verify sender addresses. Note that PKA + is based on DNS, and so enabling this option may disclose + information on when and what signatures are verified or to + whom data is encrypted. This is similar to the "web bug" + described for the '--auto-key-retrieve' option. + + pka-trust-increase + Raise the trust in a signature to full if the signature passes + PKA validation. This option is only meaningful if pka-lookups + is set. + +'--enable-large-rsa' +'--disable-large-rsa' + With -generate-key and -batch, enable the creation of RSA secret + keys as large as 8192 bit. Note: 8192 bit is more than is + generally recommended. These large keys don't significantly + improve security, but they are more expensive to use, and their + signatures and certifications are larger. This option is only + available if the binary was build with large-secmem support. + +'--enable-dsa2' +'--disable-dsa2' + Enable hash truncation for all DSA keys even for old DSA Keys up to + 1024 bit. This is also the default with '--openpgp'. Note that + older versions of GnuPG also required this flag to allow the + generation of DSA larger than 1024 bit. + +'--photo-viewer STRING' + This is the command line that should be run to view a photo ID. + "%i" will be expanded to a filename containing the photo. "%I" + does the same, except the file will not be deleted once the viewer + exits. Other flags are "%k" for the key ID, "%K" for the long key + ID, "%f" for the key fingerprint, "%t" for the extension of the + image type (e.g. "jpg"), "%T" for the MIME type of the image (e.g. + "image/jpeg"), "%v" for the single-character calculated validity of + the image being viewed (e.g. "f"), "%V" for the calculated + validity as a string (e.g. "full"), "%U" for a base32 encoded hash + of the user ID, and "%%" for an actual percent sign. If neither %i + or %I are present, then the photo will be supplied to the viewer on + standard input. + + On Unix the default viewer is 'xloadimage -fork -quiet -title + 'KeyID 0x%k' STDIN' with a fallback to 'display -title 'KeyID 0x%k' + %i' and finally to 'xdg-open %i'. On Windows '!ShellExecute 400 + %i' is used; here the command is a meta command to use that API + call followed by a wait time in milliseconds which is used to give + the viewer time to read the temporary image file before gpg deletes + it again. Note that if your image viewer program is not secure, + then executing it from gpg does not make it secure. + +'--exec-path STRING' + Sets a list of directories to search for photo viewers If not + provided photo viewers use the 'PATH' environment variable. + +'--keyring FILE' + Add FILE to the current list of keyrings. If FILE begins with a + tilde and a slash, these are replaced by the $HOME directory. If + the filename does not contain a slash, it is assumed to be in the + GnuPG home directory ("~/.gnupg" unless '--homedir' or $GNUPGHOME + is used). + + Note that this adds a keyring to the current list. If the intent + is to use the specified keyring alone, use '--keyring' along with + '--no-default-keyring'. + + If the option '--no-keyring' has been used no keyrings will be used + at all. + +'--primary-keyring FILE' + This is a varian of '--keyring' and designates FILE as the primary + public keyring. This means that newly imported keys (via + '--import' or keyserver '--recv-from') will go to this keyring. + +'--secret-keyring FILE' + This is an obsolete option and ignored. All secret keys are stored + in the 'private-keys-v1.d' directory below the GnuPG home + directory. + +'--trustdb-name FILE' + Use FILE instead of the default trustdb. If FILE begins with a + tilde and a slash, these are replaced by the $HOME directory. If + the filename does not contain a slash, it is assumed to be in the + GnuPG home directory ('~/.gnupg' if '--homedir' or $GNUPGHOME is + not used). + +'--homedir DIR' + Set the name of the home directory to DIR. If this option is not + used, the home directory defaults to '~/.gnupg'. It is only + recognized when given on the command line. It also overrides any + home directory stated through the environment variable 'GNUPGHOME' + or (on Windows systems) by means of the Registry entry + HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR. + + On Windows systems it is possible to install GnuPG as a portable + application. In this case only this command line option is + considered, all other ways to set a home directory are ignored. + + To install GnuPG as a portable application under Windows, create an + empty file named 'gpgconf.ctl' in the same directory as the tool + 'gpgconf.exe'. The root of the installation is then that + directory; or, if 'gpgconf.exe' has been installed directly below a + directory named 'bin', its parent directory. You also need to make + sure that the following directories exist and are writable: + 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg' + for internal cache files. + +'--display-charset NAME' + Set the name of the native character set. This is used to convert + some informational strings like user IDs to the proper UTF-8 + encoding. Note that this has nothing to do with the character set + of data to be encrypted or signed; GnuPG does not recode + user-supplied data. If this option is not used, the default + character set is determined from the current locale. A verbosity + level of 3 shows the chosen set. This option should not be used on + Windows. Valid values for NAME are: + + iso-8859-1 + This is the Latin 1 set. + + iso-8859-2 + The Latin 2 set. + + iso-8859-15 + This is currently an alias for the Latin 1 set. + + koi8-r + The usual Russian set (RFC-1489). + + utf-8 + Bypass all translations and assume that the OS uses native + UTF-8 encoding. + +'--utf8-strings' +'--no-utf8-strings' + Assume that command line arguments are given as UTF-8 strings. The + default ('--no-utf8-strings') is to assume that arguments are + encoded in the character set as specified by '--display-charset'. + These options affect all following arguments. Both options may be + used multiple times. This option should not be used in an option + file. + + This option has no effect on Windows. There the internal used + UTF-8 encoding is translated for console input and output. The + command line arguments are expected as Unicode and translated to + UTF-8. Thus when calling this program from another, make sure to + use the Unicode version of CreateProcess. + +'--options FILE' + Read options from FILE and do not try to read them from the default + options file in the homedir (see '--homedir'). This option is + ignored if used in an options file. + +'--no-options' + Shortcut for '--options /dev/null'. This option is detected before + an attempt to open an option file. Using this option will also + prevent the creation of a '~/.gnupg' homedir. + +'-z N' +'--compress-level N' +'--bzip2-compress-level N' + Set compression level to N for the ZIP and ZLIB compression + algorithms. The default is to use the default compression level of + zlib (normally 6). '--bzip2-compress-level' sets the compression + level for the BZIP2 compression algorithm (defaulting to 6 as + well). This is a different option from '--compress-level' since + BZIP2 uses a significant amount of memory for each additional + compression level. '-z' sets both. A value of 0 for N disables + compression. + +'--bzip2-decompress-lowmem' + Use a different decompression method for BZIP2 compressed files. + This alternate method uses a bit more than half the memory, but + also runs at half the speed. This is useful under extreme low + memory circumstances when the file was originally compressed at a + high '--bzip2-compress-level'. + +'--mangle-dos-filenames' +'--no-mangle-dos-filenames' + Older version of Windows cannot handle filenames with more than one + dot. '--mangle-dos-filenames' causes GnuPG to replace (rather than + add to) the extension of an output filename to avoid this problem. + This option is off by default and has no effect on non-Windows + platforms. + +'--ask-cert-level' +'--no-ask-cert-level' + When making a key signature, prompt for a certification level. If + this option is not specified, the certification level used is set + via '--default-cert-level'. See '--default-cert-level' for + information on the specific levels and how they are used. + '--no-ask-cert-level' disables this option. This option defaults + to no. + +'--default-cert-level N' + The default to use for the check level when signing a key. + + 0 means you make no particular claim as to how carefully you + verified the key. + + 1 means you believe the key is owned by the person who claims to + own it but you could not, or did not verify the key at all. This + is useful for a "persona" verification, where you sign the key of a + pseudonymous user. + + 2 means you did casual verification of the key. For example, this + could mean that you verified the key fingerprint and checked the + user ID on the key against a photo ID. + + 3 means you did extensive verification of the key. For example, + this could mean that you verified the key fingerprint with the + owner of the key in person, and that you checked, by means of a + hard to forge document with a photo ID (such as a passport) that + the name of the key owner matches the name in the user ID on the + key, and finally that you verified (by exchange of email) that the + email address on the key belongs to the key owner. + + Note that the examples given above for levels 2 and 3 are just + that: examples. In the end, it is up to you to decide just what + "casual" and "extensive" mean to you. + + This option defaults to 0 (no particular claim). + +'--min-cert-level' + When building the trust database, treat any signatures with a + certification level below this as invalid. Defaults to 2, which + disregards level 1 signatures. Note that level 0 "no particular + claim" signatures are always accepted. + +'--trusted-key LONG KEY ID OR FINGERPRINT' + Assume that the specified key (which should be given as + fingerprint) is as trustworthy as one of your own secret keys. + This option is useful if you don't want to keep your secret keys + (or one of them) online but still want to be able to check the + validity of a given recipient's or signator's key. If the given + key is not locally available but an LDAP keyserver is configured + the missing key is imported from that server. + +'--trust-model {pgp|classic|tofu|tofu+pgp|direct|always|auto}' + Set what trust model GnuPG should follow. The models are: + + pgp + This is the Web of Trust combined with trust signatures as + used in PGP 5.x and later. This is the default trust model + when creating a new trust database. + + classic + This is the standard Web of Trust as introduced by PGP 2. + + tofu + TOFU stands for Trust On First Use. In this trust model, the + first time a key is seen, it is memorized. If later another + key with a user id with the same email address is seen, both + keys are marked as suspect. In that case, the next time + either is used, a warning is displayed describing the + conflict, why it might have occurred (either the user + generated a new key and failed to cross sign the old and new + keys, the key is forgery, or a man-in-the-middle attack is + being attempted), and the user is prompted to manually confirm + the validity of the key in question. + + Because a potential attacker is able to control the email + address and thereby circumvent the conflict detection + algorithm by using an email address that is similar in + appearance to a trusted email address, whenever a message is + verified, statistics about the number of messages signed with + the key are shown. In this way, a user can easily identify + attacks using fake keys for regular correspondents. + + When compared with the Web of Trust, TOFU offers significantly + weaker security guarantees. In particular, TOFU only helps + ensure consistency (that is, that the binding between a key + and email address doesn't change). A major advantage of TOFU + is that it requires little maintenance to use correctly. To + use the web of trust properly, you need to actively sign keys + and mark users as trusted introducers. This is a + time-consuming process and anecdotal evidence suggests that + even security-conscious users rarely take the time to do this + thoroughly and instead rely on an ad-hoc TOFU process. + + In the TOFU model, policies are associated with bindings + between keys and email addresses (which are extracted from + user ids and normalized). There are five policies, which can + be set manually using the '--tofu-policy' option. The default + policy can be set using the '--tofu-default-policy' option. + + The TOFU policies are: 'auto', 'good', 'unknown', 'bad' and + 'ask'. The 'auto' policy is used by default (unless + overridden by '--tofu-default-policy') and marks a binding as + marginally trusted. The 'good', 'unknown' and 'bad' policies + mark a binding as fully trusted, as having unknown trust or as + having trust never, respectively. The 'unknown' policy is + useful for just using TOFU to detect conflicts, but to never + assign positive trust to a binding. The final policy, 'ask' + prompts the user to indicate the binding's trust. If batch + mode is enabled (or input is inappropriate in the context), + then the user is not prompted and the 'undefined' trust level + is returned. + + tofu+pgp + This trust model combines TOFU with the Web of Trust. This is + done by computing the trust level for each model and then + taking the maximum trust level where the trust levels are + ordered as follows: 'unknown < undefined < marginal < fully < + ultimate < expired < never'. + + By setting '--tofu-default-policy=unknown', this model can be + used to implement the web of trust with TOFU's conflict + detection algorithm, but without its assignment of positive + trust values, which some security-conscious users don't like. + + direct + Key validity is set directly by the user and not calculated + via the Web of Trust. This model is solely based on the key + and does not distinguish user IDs. Note that when changing to + another trust model the trust values assigned to a key are + transformed into ownertrust values, which also indicate how + you trust the owner of the key to sign other keys. + + always + Skip key validation and assume that used keys are always fully + valid. You generally won't use this unless you are using some + external validation scheme. This option also suppresses the + "[uncertain]" tag printed with signature checks when there is + no evidence that the user ID is bound to the key. Note that + this trust model still does not allow the use of expired, + revoked, or disabled keys. + + auto + Select the trust model depending on whatever the internal + trust database says. This is the default model if such a + database already exists. Note that a tofu trust model is not + considered here and must be enabled explicitly. + +'--auto-key-locate MECHANISMS' +'--no-auto-key-locate' + GnuPG can automatically locate and retrieve keys as needed using + this option. This happens when encrypting to an email address (in + the "user@example.com" form), and there are no "user@example.com" + keys on the local keyring. This option takes any number of the + mechanisms listed below, in the order they are to be tried. + Instead of listing the mechanisms as comma delimited arguments, the + option may also be given several times to add more mechanism. The + option '--no-auto-key-locate' or the mechanism "clear" resets the + list. The default is "local,wkd". + + cert + Locate a key using DNS CERT, as specified in RFC-4398. + + pka + Locate a key using DNS PKA. + + dane + Locate a key using DANE, as specified in + draft-ietf-dane-openpgpkey-05.txt. + + wkd + Locate a key using the Web Key Directory protocol. + + ldap + Using DNS Service Discovery, check the domain in question for + any LDAP keyservers to use. If this fails, attempt to locate + the key using the PGP Universal method of checking + 'ldap://keys.(thedomain)'. + + ntds + Locate the key using the Active Directory (Windows only). + This method also allows to search by fingerprint using the + command '--locate-external-key'. Note that this mechanism is + actually a shortcut for the mechanism 'keyserver' but using + "ldap:///" as the keyserver. + + keyserver + Locate a key using a keyserver. This method also allows to + search by fingerprint using the command + '--locate-external-key' if any of the configured keyservers is + an LDAP server. + + keyserver-URL + In addition, a keyserver URL as used in the 'dirmngr' + configuration may be used here to query that particular + keyserver. This method also allows to search by fingerprint + using the command '--locate-external-key' if the URL specifies + an LDAP server. + + local + Locate the key using the local keyrings. This mechanism + allows the user to select the order a local key lookup is + done. Thus using '--auto-key-locate local' is identical to + '--no-auto-key-locate'. + + nodefault + This flag disables the standard local key lookup, done before + any of the mechanisms defined by the '--auto-key-locate' are + tried. The position of this mechanism in the list does not + matter. It is not required if 'local' is also used. + + clear + Clear all defined mechanisms. This is useful to override + mechanisms given in a config file. Note that a 'nodefault' in + MECHANISMS will also be cleared unless it is given after the + 'clear'. + +'--auto-key-import' +'--no-auto-key-import' + This is an offline mechanism to get a missing key for signature + verification and for later encryption to this key. If this option + is enabled and a signature includes an embedded key, that key is + used to verify the signature and on verification success that key + is imported. The default is '--no-auto-key-import'. + + On the sender (signing) site the option '--include-key-block' needs + to be used to put the public part of the signing key as “Key Block + subpacket†into the signature. + +'--auto-key-retrieve' +'--no-auto-key-retrieve' + These options enable or disable the automatic retrieving of keys + from a keyserver when verifying signatures made by keys that are + not on the local keyring. The default is '--no-auto-key-retrieve'. + + The order of methods tried to lookup the key is: + + 1. If the option '--auto-key-import' is set and the signatures + includes an embedded key, that key is used to verify the signature + and on verification success that key is imported. + + 2. If a preferred keyserver is specified in the signature and the + option 'honor-keyserver-url' is active (which is not the default), + that keyserver is tried. Note that the creator of the signature + uses the option '--sig-keyserver-url' to specify the preferred + keyserver for data signatures. + + 3. If the signature has the Signer's UID set (e.g. using + '--sender' while creating the signature) a Web Key Directory (WKD) + lookup is done. This is the default configuration but can be + disabled by removing WKD from the auto-key-locate list or by using + the option '--disable-signer-uid'. + + 4. If the option 'honor-pka-record' is active, the legacy PKA + method is used. + + 5. If any keyserver is configured and the Issuer Fingerprint is + part of the signature (since GnuPG 2.1.16), the configured + keyservers are tried. + + Note that this option makes a "web bug" like behavior possible. + Keyserver or Web Key Directory operators can see which keys you + request, so by sending you a message signed by a brand new key + (which you naturally will not have on your local keyring), the + operator can tell both your IP address and the time when you + verified the signature. + +'--keyid-format {none|short|0xshort|long|0xlong}' + Select how to display key IDs. "none" does not show the key ID at + all but shows the fingerprint in a separate line. "short" is the + traditional 8-character key ID. "long" is the more accurate (but + less convenient) 16-character key ID. Add an "0x" to either to + include an "0x" at the beginning of the key ID, as in 0x99242560. + Note that this option is ignored if the option '--with-colons' is + used. + +'--keyserver NAME' + This option is deprecated - please use the '--keyserver' in + 'dirmngr.conf' instead. + + Use NAME as your keyserver. This is the server that + '--receive-keys', '--send-keys', and '--search-keys' will + communicate with to receive keys from, send keys to, and search for + keys on. The format of the NAME is a URI: + 'scheme:[//]keyservername[:port]' The scheme is the type of + keyserver: "hkp"/"hkps" for the HTTP (or compatible) keyservers or + "ldap"/"ldaps" for the LDAP keyservers. Note that your particular + installation of GnuPG may have other keyserver types available as + well. Keyserver schemes are case-insensitive. + + Most keyservers synchronize with each other, so there is generally + no need to send keys to more than one server. The keyserver + 'hkp://keys.gnupg.net' uses round robin DNS to give a different + keyserver each time you use it. + +'--keyserver-options {NAME=VALUE}' + This is a space or comma delimited string that gives options for + the keyserver. Options can be prefixed with a 'no-' to give the + opposite meaning. Valid import-options or export-options may be + used here as well to apply to importing ('--recv-key') or exporting + ('--send-key') a key from a keyserver. While not all options are + available for all keyserver types, some common options are: + + include-revoked + When searching for a key with '--search-keys', include keys + that are marked on the keyserver as revoked. Note that not + all keyservers differentiate between revoked and unrevoked + keys, and for such keyservers this option is meaningless. + Note also that most keyservers do not have cryptographic + verification of key revocations, and so turning this option + off may result in skipping keys that are incorrectly marked as + revoked. + + include-disabled + When searching for a key with '--search-keys', include keys + that are marked on the keyserver as disabled. Note that this + option is not used with HKP keyservers. + + auto-key-retrieve + This is an obsolete alias for the option 'auto-key-retrieve'. + Please do not use it; it will be removed in future versions.. + + honor-keyserver-url + When using '--refresh-keys', if the key in question has a + preferred keyserver URL, then use that preferred keyserver to + refresh the key from. In addition, if auto-key-retrieve is + set, and the signature being verified has a preferred + keyserver URL, then use that preferred keyserver to fetch the + key from. Note that this option introduces a "web bug": The + creator of the key can see when the keys is refreshed. Thus + this option is not enabled by default. + + honor-pka-record + If '--auto-key-retrieve' is used, and the signature being + verified has a PKA record, then use the PKA information to + fetch the key. Defaults to "yes". + + include-subkeys + When receiving a key, include subkeys as potential targets. + Note that this option is not used with HKP keyservers, as they + do not support retrieving keys by subkey id. + + timeout + http-proxy=VALUE + verbose + debug + check-cert + ca-cert-file + These options have no more function since GnuPG 2.1. Use the + 'dirmngr' configuration options instead. + + The default list of options is: "self-sigs-only, import-clean, + repair-keys, repair-pks-subkey-bug, export-attributes, + honor-pka-record". However, if the actual used source is an LDAP + server "no-self-sigs-only" is assumed unless "self-sigs-only" has + been explictly configured. + +'--completes-needed N' + Number of completely trusted users to introduce a new key signer + (defaults to 1). + +'--marginals-needed N' + Number of marginally trusted users to introduce a new key signer + (defaults to 3) + +'--tofu-default-policy {auto|good|unknown|bad|ask}' + The default TOFU policy (defaults to 'auto'). For more information + about the meaning of this option, *note trust-model-tofu::. + +'--max-cert-depth N' + Maximum depth of a certification chain (default is 5). + +'--no-sig-cache' + Do not cache the verification status of key signatures. Caching + gives a much better performance in key listings. However, if you + suspect that your public keyring is not safe against write + modifications, you can use this option to disable the caching. It + probably does not make sense to disable it because all kind of + damage can be done if someone else has write access to your public + keyring. + +'--auto-check-trustdb' +'--no-auto-check-trustdb' + If GnuPG feels that its information about the Web of Trust has to + be updated, it automatically runs the '--check-trustdb' command + internally. This may be a time consuming process. + '--no-auto-check-trustdb' disables this option. + +'--use-agent' +'--no-use-agent' + This is dummy option. 'gpg' always requires the agent. + +'--gpg-agent-info' + This is dummy option. It has no effect when used with 'gpg'. + +'--agent-program FILE' + Specify an agent program to be used for secret key operations. The + default value is determined by running 'gpgconf' with the option + '--list-dirs'. Note that the pipe symbol ('|') is used for a + regression test suite hack and may thus not be used in the file + name. + +'--dirmngr-program FILE' + Specify a dirmngr program to be used for keyserver access. The + default value is '/usr/local/bin/dirmngr'. + +'--disable-dirmngr' + Entirely disable the use of the Dirmngr. + +'--no-autostart' + Do not start the gpg-agent or the dirmngr if it has not yet been + started and its service is required. This option is mostly useful + on machines where the connection to gpg-agent has been redirected + to another machines. If dirmngr is required on the remote machine, + it may be started manually using 'gpgconf --launch dirmngr'. + +'--lock-once' + Lock the databases the first time a lock is requested and do not + release the lock until the process terminates. + +'--lock-multiple' + Release the locks every time a lock is no longer needed. Use this + to override a previous '--lock-once' from a config file. + +'--lock-never' + Disable locking entirely. This option should be used only in very + special environments, where it can be assured that only one process + is accessing those files. A bootable floppy with a stand-alone + encryption system will probably use this. Improper usage of this + option may lead to data and key corruption. + +'--exit-on-status-write-error' + This option will cause write errors on the status FD to immediately + terminate the process. That should in fact be the default but it + never worked this way and thus we need an option to enable this, so + that the change won't break applications which close their end of a + status fd connected pipe too early. Using this option along with + '--enable-progress-filter' may be used to cleanly cancel long + running gpg operations. + +'--limit-card-insert-tries N' + With N greater than 0 the number of prompts asking to insert a + smartcard gets limited to N-1. Thus with a value of 1 gpg won't at + all ask to insert a card if none has been inserted at startup. + This option is useful in the configuration file in case an + application does not know about the smartcard support and waits ad + infinitum for an inserted card. + +'--no-random-seed-file' + GnuPG uses a file to store its internal random pool over + invocations. This makes random generation faster; however + sometimes write operations are not desired. This option can be + used to achieve that with the cost of slower random generation. + +'--no-greeting' + Suppress the initial copyright message. + +'--no-secmem-warning' + Suppress the warning about "using insecure memory". + +'--no-permission-warning' + Suppress the warning about unsafe file and home directory + ('--homedir') permissions. Note that the permission checks that + GnuPG performs are not intended to be authoritative, but rather + they simply warn about certain common permission problems. Do not + assume that the lack of a warning means that your system is secure. + + Note that the warning for unsafe '--homedir' permissions cannot be + suppressed in the gpg.conf file, as this would allow an attacker to + place an unsafe gpg.conf file in place, and use this file to + suppress warnings about itself. The '--homedir' permissions + warning may only be suppressed on the command line. + +'--require-secmem' +'--no-require-secmem' + Refuse to run if GnuPG cannot get secure memory. Defaults to no + (i.e. run, but give a warning). + +'--require-cross-certification' +'--no-require-cross-certification' + When verifying a signature made from a subkey, ensure that the + cross certification "back signature" on the subkey is present and + valid. This protects against a subtle attack against subkeys that + can sign. Defaults to '--require-cross-certification' for 'gpg'. + +'--expert' +'--no-expert' + Allow the user to do certain nonsensical or "silly" things like + signing an expired or revoked key, or certain potentially + incompatible things like generating unusual key types. This also + disables certain warning messages about potentially incompatible + actions. As the name implies, this option is for experts only. If + you don't fully understand the implications of what it allows you + to do, leave this off. '--no-expert' disables this option. + + +File: gnupg.info, Node: GPG Key related Options, Next: GPG Input and Output, Prev: GPG Configuration Options, Up: GPG Options + +4.2.2 Key related options +------------------------- + +'--recipient NAME' +'-r' + Encrypt for user id NAME. If this option or '--hidden-recipient' + is not specified, GnuPG asks for the user-id unless + '--default-recipient' is given. + +'--hidden-recipient NAME' +'-R' + Encrypt for user ID NAME, but hide the key ID of this user's key. + This option helps to hide the receiver of the message and is a + limited countermeasure against traffic analysis. If this option or + '--recipient' is not specified, GnuPG asks for the user ID unless + '--default-recipient' is given. + +'--recipient-file FILE' +'-f' + This option is similar to '--recipient' except that it encrypts to + a key stored in the given file. FILE must be the name of a file + containing exactly one key. 'gpg' assumes that the key in this + file is fully valid. + +'--hidden-recipient-file FILE' +'-F' + This option is similar to '--hidden-recipient' except that it + encrypts to a key stored in the given file. FILE must be the name + of a file containing exactly one key. 'gpg' assumes that the key + in this file is fully valid. + +'--encrypt-to NAME' + Same as '--recipient' but this one is intended for use in the + options file and may be used with your own user-id as an + "encrypt-to-self". These keys are only used when there are other + recipients given either by use of '--recipient' or by the asked + user id. No trust checking is performed for these user ids and + even disabled keys can be used. + +'--hidden-encrypt-to NAME' + Same as '--hidden-recipient' but this one is intended for use in + the options file and may be used with your own user-id as a hidden + "encrypt-to-self". These keys are only used when there are other + recipients given either by use of '--recipient' or by the asked + user id. No trust checking is performed for these user ids and + even disabled keys can be used. + +'--no-encrypt-to' + Disable the use of all '--encrypt-to' and '--hidden-encrypt-to' + keys. + +'--group {NAME=VALUE}' + Sets up a named group, which is similar to aliases in email + programs. Any time the group name is a recipient ('-r' or + '--recipient'), it will be expanded to the values specified. + Multiple groups with the same name are automatically merged into a + single group. + + The values are 'key IDs' or fingerprints, but any key description + is accepted. Note that a value with spaces in it will be treated + as two different values. Note also there is only one level of + expansion -- you cannot make an group that points to another group. + When used from the command line, it may be necessary to quote the + argument to this option to prevent the shell from treating it as + multiple arguments. + +'--ungroup NAME' + Remove a given entry from the '--group' list. + +'--no-groups' + Remove all entries from the '--group' list. + +'--local-user NAME' +'-u' + Use NAME as the key to sign with. Note that this option overrides + '--default-key'. + +'--sender MBOX' + This option has two purposes. MBOX must either be a complete user + id with a proper mail address or just a mail address. When + creating a signature this option tells gpg the user id of a key + used to make a signature if the key was not directly specified by a + user id. When verifying a signature the MBOX is used to restrict + the information printed by the TOFU code to matching user ids. + +'--try-secret-key NAME' + For hidden recipients GPG needs to know the keys to use for trial + decryption. The key set with '--default-key' is always tried + first, but this is often not sufficient. This option allows + setting more keys to be used for trial decryption. Although any + valid user-id specification may be used for NAME it makes sense to + use at least the long keyid to avoid ambiguities. Note that + gpg-agent might pop up a pinentry for a lot keys to do the trial + decryption. If you want to stop all further trial decryption you + may use close-window button instead of the cancel button. + +'--try-all-secrets' + Don't look at the key ID as stored in the message but try all + secret keys in turn to find the right decryption key. This option + forces the behaviour as used by anonymous recipients (created by + using '--throw-keyids' or '--hidden-recipient') and might come + handy in case where an encrypted message contains a bogus key ID. + +'--skip-hidden-recipients' +'--no-skip-hidden-recipients' + During decryption skip all anonymous recipients. This option helps + in the case that people use the hidden recipients feature to hide + their own encrypt-to key from others. If one has many secret keys + this may lead to a major annoyance because all keys are tried in + turn to decrypt something which was not really intended for it. + The drawback of this option is that it is currently not possible to + decrypt a message which includes real anonymous recipients. + + +File: gnupg.info, Node: GPG Input and Output, Next: OpenPGP Options, Prev: GPG Key related Options, Up: GPG Options + +4.2.3 Input and Output +---------------------- + +'--armor' +'-a' + Create ASCII armored output. The default is to create the binary + OpenPGP format. + +'--no-armor' + Assume the input data is not in ASCII armored format. + +'--output FILE' +'-o FILE' + Write output to FILE. To write to stdout use '-' as the filename. + +'--max-output N' + This option sets a limit on the number of bytes that will be + generated when processing a file. Since OpenPGP supports various + levels of compression, it is possible that the plaintext of a given + message may be significantly larger than the original OpenPGP + message. While GnuPG works properly with such messages, there is + often a desire to set a maximum file size that will be generated + before processing is forced to stop by the OS limits. Defaults to + 0, which means "no limit". + +'--input-size-hint N' + This option can be used to tell GPG the size of the input data in + bytes. N must be a positive base-10 number. This option is only + useful if the input is not taken from a file. GPG may use this + hint to optimize its buffer allocation strategy. It is also used + by the '--status-fd' line "PROGRESS" to provide a value for "total" + if that is not available by other means. + +'--key-origin STRING[,URL]' + gpg can track the origin of a key. Certain origins are implicitly + known (e.g. keyserver, web key directory) and set. For a standard + import the origin of the keys imported can be set with this option. + To list the possible values use "help" for STRING. Some origins + can store an optional URL argument. That URL can appended to + STRING after a comma. + +'--import-options PARAMETERS' + This is a space or comma delimited string that gives options for + importing keys. Options can be prepended with a 'no-' to give the + opposite meaning. The options are: + + import-local-sigs + Allow importing key signatures marked as "local". This is not + generally useful unless a shared keyring scheme is being used. + Defaults to no. + + keep-ownertrust + Normally possible still existing ownertrust values of a key + are cleared if a key is imported. This is in general + desirable so that a formerly deleted key does not + automatically gain an ownertrust values merely due to import. + On the other hand it is sometimes necessary to re-import a + trusted set of keys again but keeping already assigned + ownertrust values. This can be achieved by using this option. + + repair-pks-subkey-bug + During import, attempt to repair the damage caused by the PKS + keyserver bug (pre version 0.9.6) that mangles keys with + multiple subkeys. Note that this cannot completely repair the + damaged key as some crucial data is removed by the keyserver, + but it does at least give you back one subkey. Defaults to no + for regular '--import' and to yes for keyserver + '--receive-keys'. + + import-show + show-only + Show a listing of the key as imported right before it is + stored. This can be combined with the option '--dry-run' to + only look at keys; the option 'show-only' is a shortcut for + this combination. The command '--show-keys' is another + shortcut for this. Note that suffixes like '#' for "sec" and + "sbb" lines may or may not be printed. + + import-export + Run the entire import code but instead of storing the key to + the local keyring write it to the output. The export options + 'export-pka' and 'export-dane' affect the output. This option + can be used to remove all invalid parts from a key without the + need to store it. + + merge-only + During import, allow key updates to existing keys, but do not + allow any new keys to be imported. Defaults to no. + + import-clean + After import, compact (remove all signatures except the + self-signature) any user IDs from the new key that are not + usable. Then, remove any signatures from the new key that are + not usable. This includes signatures that were issued by keys + that are not present on the keyring. This option is the same + as running the '--edit-key' command "clean" after import. + Defaults to no. + + self-sigs-only + Accept only self-signatures while importing a key. All other + key signatures are skipped at an early import stage. This + option can be used with 'keyserver-options' to mitigate + attempts to flood a key with bogus signatures from a + keyserver. The drawback is that all other valid key + signatures, as required by the Web of Trust are also not + imported. Note that when using this option along with + import-clean it suppresses the final clean step after merging + the imported key into the existing key. + + repair-keys + After import, fix various problems with the keys. For + example, this reorders signatures, and strips duplicate + signatures. Defaults to yes. + + import-minimal + Import the smallest key possible. This removes all signatures + except the most recent self-signature on each user ID. This + option is the same as running the '--edit-key' command + "minimize" after import. Defaults to no. + + restore + import-restore + Import in key restore mode. This imports all data which is + usually skipped during import; including all GnuPG specific + data. All other contradicting options are overridden. + +'--import-filter {NAME=EXPR}' +'--export-filter {NAME=EXPR}' + These options define an import/export filter which are applied to + the imported/exported keyblock right before it will be + stored/written. NAME defines the type of filter to use, EXPR the + expression to evaluate. The option can be used several times which + then appends more expression to the same NAME. + + The available filter types are: + + keep-uid + This filter will keep a user id packet and its dependent + packets in the keyblock if the expression evaluates to true. + + drop-subkey + This filter drops the selected subkeys. Currently only + implemented for -export-filter. + + drop-sig + This filter drops the selected key signatures on user ids. + Self-signatures are not considered. Currently only + implemented for -import-filter. + + For the syntax of the expression see the chapter "FILTER + EXPRESSIONS". The property names for the expressions depend on the + actual filter type and are indicated in the following table. + + The available properties are: + + uid + A string with the user id. (keep-uid) + + mbox + The addr-spec part of a user id with mailbox or the empty + string. (keep-uid) + + key_algo + A number with the public key algorithm of a key or subkey + packet. (drop-subkey) + + key_created + key_created_d + The first is the timestamp a public key or subkey packet was + created. The second is the same but given as an ISO string, + e.g. "2016-08-17". (drop-subkey) + + fpr + The hexified fingerprint of the current subkey or primary key. + (drop-subkey) + + primary + Boolean indicating whether the user id is the primary one. + (keep-uid) + + expired + Boolean indicating whether a user id (keep-uid), a key + (drop-subkey), or a signature (drop-sig) expired. + + revoked + Boolean indicating whether a user id (keep-uid) or a key + (drop-subkey) has been revoked. + + disabled + Boolean indicating whether a primary key is disabled. (not + used) + + secret + Boolean indicating whether a key or subkey is a secret one. + (drop-subkey) + + usage + A string indicating the usage flags for the subkey, from the + sequence "ecsa?". For example, a subkey capable of just + signing and authentication would be an exact match for "sa". + (drop-subkey) + + sig_created + sig_created_d + The first is the timestamp a signature packet was created. + The second is the same but given as an ISO date string, e.g. + "2016-08-17". (drop-sig) + + sig_algo + A number with the public key algorithm of a signature packet. + (drop-sig) + + sig_digest_algo + A number with the digest algorithm of a signature packet. + (drop-sig) + +'--export-options PARAMETERS' + This is a space or comma delimited string that gives options for + exporting keys. Options can be prepended with a 'no-' to give the + opposite meaning. The options are: + + export-local-sigs + Allow exporting key signatures marked as "local". This is not + generally useful unless a shared keyring scheme is being used. + Defaults to no. + + export-attributes + Include attribute user IDs (photo IDs) while exporting. Not + including attribute user IDs is useful to export keys that are + going to be used by an OpenPGP program that does not accept + attribute user IDs. Defaults to yes. + + export-sensitive-revkeys + Include designated revoker information that was marked as + "sensitive". Defaults to no. + + backup + export-backup + Export for use as a backup. The exported data includes all + data which is needed to restore the key or keys later with + GnuPG. The format is basically the OpenPGP format but enhanced + with GnuPG specific data. All other contradicting options are + overridden. + + export-clean + Compact (remove all signatures from) user IDs on the key being + exported if the user IDs are not usable. Also, do not export + any signatures that are not usable. This includes signatures + that were issued by keys that are not present on the keyring. + This option is the same as running the '--edit-key' command + "clean" before export except that the local copy of the key is + not modified. Defaults to no. + + export-minimal + Export the smallest key possible. This removes all signatures + except the most recent self-signature on each user ID. This + option is the same as running the '--edit-key' command + "minimize" before export except that the local copy of the key + is not modified. Defaults to no. + + export-pka + Instead of outputting the key material output PKA records + suitable to put into DNS zone files. An ORIGIN line is + printed before each record to allow diverting the records to + the corresponding zone file. + + export-dane + Instead of outputting the key material output OpenPGP DANE + records suitable to put into DNS zone files. An ORIGIN line + is printed before each record to allow diverting the records + to the corresponding zone file. + +'--with-colons' + Print key listings delimited by colons. Note that the output will + be encoded in UTF-8 regardless of any '--display-charset' setting. + This format is useful when GnuPG is called from scripts and other + programs as it is easily machine parsed. The details of this + format are documented in the file 'doc/DETAILS', which is included + in the GnuPG source distribution. + +'--fixed-list-mode' + Do not merge primary user ID and primary key in '--with-colon' + listing mode and print all timestamps as seconds since 1970-01-01. + Since GnuPG 2.0.10, this mode is always used and thus this option + is obsolete; it does not harm to use it though. + +'--legacy-list-mode' + Revert to the pre-2.1 public key list mode. This only affects the + human readable output and not the machine interface (i.e. + '--with-colons'). Note that the legacy format does not convey + suitable information for elliptic curves. + +'--with-fingerprint' + Same as the command '--fingerprint' but changes only the format of + the output and may be used together with another command. + +'--with-subkey-fingerprint' + If a fingerprint is printed for the primary key, this option forces + printing of the fingerprint for all subkeys. This could also be + achieved by using the '--with-fingerprint' twice but by using this + option along with keyid-format "none" a compact fingerprint is + printed. + +'--with-icao-spelling' + Print the ICAO spelling of the fingerprint in addition to the hex + digits. + +'--with-keygrip' + Include the keygrip in the key listings. In '--with-colons' mode + this is implicitly enable for secret keys. + +'--with-key-origin' + Include the locally held information on the origin and last update + of a key in a key listing. In '--with-colons' mode this is always + printed. This data is currently experimental and shall not be + considered part of the stable API. + +'--with-wkd-hash' + Print a Web Key Directory identifier along with each user ID in key + listings. This is an experimental feature and semantics may + change. + +'--with-secret' + Include info about the presence of a secret key in public key + listings done with '--with-colons'. + + +File: gnupg.info, Node: OpenPGP Options, Next: Compliance Options, Prev: GPG Input and Output, Up: GPG Options + +4.2.4 OpenPGP protocol specific options +--------------------------------------- + +'-t, --textmode' +'--no-textmode' + Treat input files as text and store them in the OpenPGP canonical + text form with standard "CRLF" line endings. This also sets the + necessary flags to inform the recipient that the encrypted or + signed data is text and may need its line endings converted back to + whatever the local system uses. This option is useful when + communicating between two platforms that have different line ending + conventions (UNIX-like to Mac, Mac to Windows, etc). + '--no-textmode' disables this option, and is the default. + +'--force-v3-sigs' +'--no-force-v3-sigs' +'--force-v4-certs' +'--no-force-v4-certs' + These options are obsolete and have no effect since GnuPG 2.1. + +'--force-mdc' +'--disable-mdc' + These options are obsolete and have no effect since GnuPG 2.2.8. + The MDC is always used. But note: If the creation of a legacy + non-MDC message is exceptionally required, the option '--rfc2440' + allows for this. + +'--disable-signer-uid' + By default the user ID of the signing key is embedded in the data + signature. As of now this is only done if the signing key has been + specified with 'local-user' using a mail address, or with 'sender'. + This information can be helpful for verifier to locate the key; see + option '--auto-key-retrieve'. + +'--include-key-block' + This option is used to embed the actual signing key into a data + signature. The embedded key is stripped down to a single user id + and includes only the signing subkey used to create the signature + as well as as valid encryption subkeys. All other info is removed + from the key to keep it and thus the signature small. This option + is the OpenPGP counterpart to the 'gpgsm' option '--include-certs'. + +'--personal-cipher-preferences STRING' + Set the list of personal cipher preferences to STRING. Use 'gpg + --version' to get a list of available algorithms, and use 'none' to + set no preference at all. This allows the user to safely override + the algorithm chosen by the recipient key preferences, as GPG will + only select an algorithm that is usable by all recipients. The + most highly ranked cipher in this list is also used for the + '--symmetric' encryption command. + +'--personal-digest-preferences STRING' + Set the list of personal digest preferences to STRING. Use 'gpg + --version' to get a list of available algorithms, and use 'none' to + set no preference at all. This allows the user to safely override + the algorithm chosen by the recipient key preferences, as GPG will + only select an algorithm that is usable by all recipients. The + most highly ranked digest algorithm in this list is also used when + signing without encryption (e.g. '--clear-sign' or '--sign'). + +'--personal-compress-preferences STRING' + Set the list of personal compression preferences to STRING. Use + 'gpg --version' to get a list of available algorithms, and use + 'none' to set no preference at all. This allows the user to safely + override the algorithm chosen by the recipient key preferences, as + GPG will only select an algorithm that is usable by all recipients. + The most highly ranked compression algorithm in this list is also + used when there are no recipient keys to consider (e.g. + '--symmetric'). + +'--s2k-cipher-algo NAME' + Use NAME as the cipher algorithm for symmetric encryption with a + passphrase if '--personal-cipher-preferences' and '--cipher-algo' + are not given. The default is AES-128. + +'--s2k-digest-algo NAME' + Use NAME as the digest algorithm used to mangle the passphrases for + symmetric encryption. The default is SHA-1. + +'--s2k-mode N' + Selects how passphrases for symmetric encryption are mangled. If N + is 0 a plain passphrase (which is in general not recommended) will + be used, a 1 adds a salt (which should not be used) to the + passphrase and a 3 (the default) iterates the whole process a + number of times (see '--s2k-count'). + +'--s2k-count N' + Specify how many times the passphrases mangling for symmetric + encryption is repeated. This value may range between 1024 and + 65011712 inclusive. The default is inquired from gpg-agent. Note + that not all values in the 1024-65011712 range are legal and if an + illegal value is selected, GnuPG will round up to the nearest legal + value. This option is only meaningful if '--s2k-mode' is set to + the default of 3. + + +File: gnupg.info, Node: Compliance Options, Next: GPG Esoteric Options, Prev: OpenPGP Options, Up: GPG Options + +4.2.5 Compliance options +------------------------ + +These options control what GnuPG is compliant to. Only one of these +options may be active at a time. Note that the default setting of this +is nearly always the correct one. See the INTEROPERABILITY WITH OTHER +OPENPGP PROGRAMS section below before using one of these options. + +'--gnupg' + Use standard GnuPG behavior. This is essentially OpenPGP behavior + (see '--openpgp'), but with some additional workarounds for common + compatibility problems in different versions of PGP. This is the + default option, so it is not generally needed, but it may be useful + to override a different compliance option in the gpg.conf file. + +'--openpgp' + Reset all packet, cipher and digest options to strict OpenPGP + behavior. Use this option to reset all previous options like + '--s2k-*', '--cipher-algo', '--digest-algo' and '--compress-algo' + to OpenPGP compliant values. All PGP workarounds are disabled. + +'--rfc4880' + Reset all packet, cipher and digest options to strict RFC-4880 + behavior. Note that this is currently the same thing as + '--openpgp'. + +'--rfc4880bis' + Enable experimental features from proposed updates to RFC-4880. + This option can be used in addition to the other compliance + options. Warning: The behavior may change with any GnuPG release + and created keys or data may not be usable with future GnuPG + versions. + +'--rfc2440' + Reset all packet, cipher and digest options to strict RFC-2440 + behavior. Note that by using this option encryption packets are + created in a legacy mode without MDC protection. This is dangerous + and should thus only be used for experiments. See also option + '--ignore-mdc-error'. + +'--pgp6' + Set up all options to be as PGP 6 compliant as possible. This + restricts you to the ciphers IDEA (if the IDEA plugin is + installed), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160, + and the compression algorithms none and ZIP. This also disables + '--throw-keyids', and making signatures with signing subkeys as PGP + 6 does not understand signatures made by signing subkeys. + + This option implies '--escape-from-lines'. + +'--pgp7' + Set up all options to be as PGP 7 compliant as possible. This is + identical to '--pgp6' except that MDCs are not disabled, and the + list of allowable ciphers is expanded to add AES128, AES192, + AES256, and TWOFISH. + +'--pgp8' + Set up all options to be as PGP 8 compliant as possible. PGP 8 is + a lot closer to the OpenPGP standard than previous versions of PGP, + so all this does is disable '--throw-keyids' and set + '--escape-from-lines'. All algorithms are allowed except for the + SHA224, SHA384, and SHA512 digests. + +'--compliance STRING' + This option can be used instead of one of the options above. Valid + values for STRING are the above option names (without the double + dash) and possibly others as shown when using "help" for STRING. + +'--min-rsa-length N' + This option adjusts the compliance mode "de-vs" for stricter key + size requirements. For example, a value of 3000 turns rsa2048 and + dsa2048 keys into non-VS-NfD compliant keys. + +'--require-compliance' + To check that data has been encrypted according to the rules of the + current compliance mode, a gpg user needs to evaluate the status + lines. This is allows frontends to handle compliance check in a + more flexible way. However, for scripted use the required + evaluation of the status-line requires quite some effort; this + option can be used instead to make sure that the gpg process exits + with a failure if the compliance rules are not fulfilled. Note + that this option has currently an effect only in "de-vs" mode. + + +File: gnupg.info, Node: GPG Esoteric Options, Next: Deprecated Options, Prev: Compliance Options, Up: GPG Options + +4.2.6 Doing things one usually doesn't want to do +------------------------------------------------- + +'-n' +'--dry-run' + Don't make any changes (this is not completely implemented). + +'--list-only' + Changes the behaviour of some commands. This is like '--dry-run' + but different in some cases. The semantic of this option may be + extended in the future. Currently it only skips the actual + decryption pass and therefore enables a fast listing of the + encryption keys. + +'-i' +'--interactive' + Prompt before overwriting any files. + +'--debug-level LEVEL' + Select the debug level for investigating problems. LEVEL may be a + numeric value or by a keyword: + + 'none' + No debugging at all. A value of less than 1 may be used + instead of the keyword. + 'basic' + Some basic debug messages. A value between 1 and 2 may be + used instead of the keyword. + 'advanced' + More verbose debug messages. A value between 3 and 5 may be + used instead of the keyword. + 'expert' + Even more detailed messages. A value between 6 and 8 may be + used instead of the keyword. + 'guru' + All of the debug messages you can get. A value greater than 8 + may be used instead of the keyword. The creation of hash + tracing files is only enabled if the keyword is used. + + How these messages are mapped to the actual debugging flags is not + specified and may change with newer releases of this program. They + are however carefully selected to best aid in debugging. + +'--debug FLAGS' + Set debugging flags. All flags are or-ed and FLAGS may be given in + C syntax (e.g. 0x0042) or as a comma separated list of flag names. + To get a list of all supported flags the single word "help" can be + used. + +'--debug-all' + Set all useful debugging flags. + +'--debug-iolbf' + Set stdout into line buffered mode. This option is only honored + when given on the command line. + +'--faked-system-time EPOCH' + This option is only useful for testing; it sets the system time + back or forth to EPOCH which is the number of seconds elapsed since + the year 1970. Alternatively EPOCH may be given as a full ISO time + string (e.g. "20070924T154812"). + + If you suffix EPOCH with an exclamation mark (!), the system time + will appear to be frozen at the specified time. + +'--enable-progress-filter' + Enable certain PROGRESS status outputs. This option allows + frontends to display a progress indicator while gpg is processing + larger files. There is a slight performance overhead using it. + +'--status-fd N' + Write special status strings to the file descriptor N. See the + file DETAILS in the documentation for a listing of them. + +'--status-file FILE' + Same as '--status-fd', except the status data is written to file + FILE. + +'--logger-fd N' + Write log output to file descriptor N and not to STDERR. + +'--log-file FILE' +'--logger-file FILE' + Same as '--logger-fd', except the logger data is written to file + FILE. Use 'socket://' to log to a socket. Note that in this + version of gpg the option has only an effect if '--batch' is also + used. + +'--attribute-fd N' + Write attribute subpackets to the file descriptor N. This is most + useful for use with '--status-fd', since the status messages are + needed to separate out the various subpackets from the stream + delivered to the file descriptor. + +'--attribute-file FILE' + Same as '--attribute-fd', except the attribute data is written to + file FILE. + +'--comment STRING' +'--no-comments' + Use STRING as a comment string in cleartext signatures and ASCII + armored messages or keys (see '--armor'). The default behavior is + not to use a comment string. '--comment' may be repeated multiple + times to get multiple comment strings. '--no-comments' removes all + comments. It is a good idea to keep the length of a single comment + below 60 characters to avoid problems with mail programs wrapping + such lines. Note that comment lines, like all other header lines, + are not protected by the signature. + +'--emit-version' +'--no-emit-version' + Force inclusion of the version string in ASCII armored output. If + given once only the name of the program and the major number is + emitted, given twice the minor is also emitted, given thrice the + micro is added, and given four times an operating system + identification is also emitted. '--no-emit-version' (default) + disables the version line. + +'--sig-notation {NAME=VALUE}' +'--cert-notation {NAME=VALUE}' +'-N, --set-notation {NAME=VALUE}' + Put the name value pair into the signature as notation data. NAME + must consist only of printable characters or spaces, and must + contain a '@' character in the form keyname@domain.example.com + (substituting the appropriate keyname and domain name, of course). + This is to help prevent pollution of the IETF reserved notation + namespace. The '--expert' flag overrides the '@' check. VALUE may + be any printable string; it will be encoded in UTF-8, so you should + check that your '--display-charset' is set correctly. If you + prefix NAME with an exclamation mark (!), the notation data will be + flagged as critical (rfc4880:5.2.3.16). '--sig-notation' sets a + notation for data signatures. '--cert-notation' sets a notation + for key signatures (certifications). '--set-notation' sets both. + + There are special codes that may be used in notation names. "%k" + will be expanded into the key ID of the key being signed, "%K" into + the long key ID of the key being signed, "%f" into the fingerprint + of the key being signed, "%s" into the key ID of the key making the + signature, "%S" into the long key ID of the key making the + signature, "%g" into the fingerprint of the key making the + signature (which might be a subkey), "%p" into the fingerprint of + the primary key of the key making the signature, "%c" into the + signature count from the OpenPGP smartcard, and "%%" results in a + single "%". %k, %K, and %f are only meaningful when making a key + signature (certification), and %c is only meaningful when using the + OpenPGP smartcard. + +'--known-notation NAME' + Adds NAME to a list of known critical signature notations. The + effect of this is that gpg will not mark a signature with a + critical signature notation of that name as bad. Note that gpg + already knows by default about a few critical signatures notation + names. + +'--sig-policy-url STRING' +'--cert-policy-url STRING' +'--set-policy-url STRING' + Use STRING as a Policy URL for signatures (rfc4880:5.2.3.20). If + you prefix it with an exclamation mark (!), the policy URL packet + will be flagged as critical. '--sig-policy-url' sets a policy url + for data signatures. '--cert-policy-url' sets a policy url for key + signatures (certifications). '--set-policy-url' sets both. + + The same %-expandos used for notation data are available here as + well. + +'--sig-keyserver-url STRING' + Use STRING as a preferred keyserver URL for data signatures. If + you prefix it with an exclamation mark (!), the keyserver URL + packet will be flagged as critical. + + The same %-expandos used for notation data are available here as + well. + +'--set-filename STRING' + Use STRING as the filename which is stored inside messages. This + overrides the default, which is to use the actual filename of the + file being encrypted. Using the empty string for STRING + effectively removes the filename from the output. + +'--for-your-eyes-only' +'--no-for-your-eyes-only' + Set the 'for your eyes only' flag in the message. This causes + GnuPG to refuse to save the file unless the '--output' option is + given, and PGP to use a "secure viewer" with a claimed + Tempest-resistant font to display the message. This option + overrides '--set-filename'. '--no-for-your-eyes-only' disables + this option. + +'--use-embedded-filename' +'--no-use-embedded-filename' + Try to create a file with a name as embedded in the data. This can + be a dangerous option as it enables overwriting files. Defaults to + no. Note that the option '--output' overrides this option. + +'--cipher-algo NAME' + Use NAME as cipher algorithm. Running the program with the command + '--version' yields a list of supported algorithms. If this is not + used the cipher algorithm is selected from the preferences stored + with the key. In general, you do not want to use this option as it + allows you to violate the OpenPGP standard. + '--personal-cipher-preferences' is the safe way to accomplish the + same thing. + +'--digest-algo NAME' + Use NAME as the message digest algorithm. Running the program with + the command '--version' yields a list of supported algorithms. In + general, you do not want to use this option as it allows you to + violate the OpenPGP standard. '--personal-digest-preferences' is + the safe way to accomplish the same thing. + +'--compress-algo NAME' + Use compression algorithm NAME. "zlib" is RFC-1950 ZLIB + compression. "zip" is RFC-1951 ZIP compression which is used by + PGP. "bzip2" is a more modern compression scheme that can compress + some things better than zip or zlib, but at the cost of more memory + used during compression and decompression. "uncompressed" or + "none" disables compression. If this option is not used, the + default behavior is to examine the recipient key preferences to see + which algorithms the recipient supports. If all else fails, ZIP is + used for maximum compatibility. + + ZLIB may give better compression results than ZIP, as the + compression window size is not limited to 8k. BZIP2 may give even + better compression results than that, but will use a significantly + larger amount of memory while compressing and decompressing. This + may be significant in low memory situations. Note, however, that + PGP (all versions) only supports ZIP compression. Using any + algorithm other than ZIP or "none" will make the message unreadable + with PGP. In general, you do not want to use this option as it + allows you to violate the OpenPGP standard. + '--personal-compress-preferences' is the safe way to accomplish the + same thing. + +'--cert-digest-algo NAME' + Use NAME as the message digest algorithm used when signing a key. + Running the program with the command '--version' yields a list of + supported algorithms. Be aware that if you choose an algorithm + that GnuPG supports but other OpenPGP implementations do not, then + some users will not be able to use the key signatures you make, or + quite possibly your entire key. + +'--disable-cipher-algo NAME' + Never allow the use of NAME as cipher algorithm. The given name + will not be checked so that a later loaded algorithm will still get + disabled. + +'--disable-pubkey-algo NAME' + Never allow the use of NAME as public key algorithm. The given + name will not be checked so that a later loaded algorithm will + still get disabled. + +'--throw-keyids' +'--no-throw-keyids' + Do not put the recipient key IDs into encrypted messages. This + helps to hide the receivers of the message and is a limited + countermeasure against traffic analysis.(1) On the receiving side, + it may slow down the decryption process because all available + secret keys must be tried. '--no-throw-keyids' disables this + option. This option is essentially the same as using + '--hidden-recipient' for all recipients. + +'--not-dash-escaped' + This option changes the behavior of cleartext signatures so that + they can be used for patch files. You should not send such an + armored file via email because all spaces and line endings are + hashed too. You can not use this option for data which has 5 + dashes at the beginning of a line, patch files don't have this. A + special armor header line tells GnuPG about this cleartext + signature option. + +'--escape-from-lines' +'--no-escape-from-lines' + Because some mailers change lines starting with "From " to ">From " + it is good to handle such lines in a special way when creating + cleartext signatures to prevent the mail system from breaking the + signature. Note that all other PGP versions do it this way too. + Enabled by default. '--no-escape-from-lines' disables this option. + +'--passphrase-repeat N' + Specify how many times 'gpg' will request a new passphrase be + repeated. This is useful for helping memorize a passphrase. + Defaults to 1 repetition; can be set to 0 to disable any passphrase + repetition. Note that a N greater than 1 will pop up the pinentry + window N+1 times even if a modern pinentry with two entry fields is + used. + +'--passphrase-fd N' + Read the passphrase from file descriptor N. Only the first line + will be read from file descriptor N. If you use 0 for N, the + passphrase will be read from STDIN. This can only be used if only + one passphrase is supplied. + + Note that since Version 2.0 this passphrase is only used if the + option '--batch' has also been given. Since Version 2.1 the + '--pinentry-mode' also needs to be set to 'loopback'. + +'--passphrase-file FILE' + Read the passphrase from file FILE. Only the first line will be + read from file FILE. This can only be used if only one passphrase + is supplied. Obviously, a passphrase stored in a file is of + questionable security if other users can read this file. Don't use + this option if you can avoid it. + + Note that since Version 2.0 this passphrase is only used if the + option '--batch' has also been given. Since Version 2.1 the + '--pinentry-mode' also needs to be set to 'loopback'. + +'--passphrase STRING' + Use STRING as the passphrase. This can only be used if only one + passphrase is supplied. Obviously, this is of very questionable + security on a multi-user system. Don't use this option if you can + avoid it. + + Note that since Version 2.0 this passphrase is only used if the + option '--batch' has also been given. Since Version 2.1 the + '--pinentry-mode' also needs to be set to 'loopback'. + +'--pinentry-mode MODE' + Set the pinentry mode to MODE. Allowed values for MODE are: + default + Use the default of the agent, which is 'ask'. + ask + Force the use of the Pinentry. + cancel + Emulate use of Pinentry's cancel button. + error + Return a Pinentry error ("No Pinentry"). + loopback + Redirect Pinentry queries to the caller. Note that in + contrast to Pinentry the user is not prompted again if he + enters a bad password. + +'--no-symkey-cache' + Disable the passphrase cache used for symmetrical en- and + decryption. This cache is based on the message specific salt value + (cf. '--s2k-mode'). + +'--request-origin ORIGIN' + Tell gpg to assume that the operation ultimately originated at + ORIGIN. Depending on the origin certain restrictions are applied + and the Pinentry may include an extra note on the origin. + Supported values for ORIGIN are: 'local' which is the default, + 'remote' to indicate a remote origin or 'browser' for an operation + requested by a web browser. + +'--command-fd N' + This is a replacement for the deprecated shared-memory IPC mode. + If this option is enabled, user input on questions is not expected + from the TTY but from the given file descriptor. It should be used + together with '--status-fd'. See the file doc/DETAILS in the + source distribution for details on how to use it. + +'--command-file FILE' + Same as '--command-fd', except the commands are read out of file + FILE + +'--allow-non-selfsigned-uid' +'--no-allow-non-selfsigned-uid' + Allow the import and use of keys with user IDs which are not + self-signed. This is not recommended, as a non self-signed user ID + is trivial to forge. '--no-allow-non-selfsigned-uid' disables. + +'--allow-freeform-uid' + Disable all checks on the form of the user ID while generating a + new one. This option should only be used in very special + environments as it does not ensure the de-facto standard format of + user IDs. + +'--ignore-time-conflict' + GnuPG normally checks that the timestamps associated with keys and + signatures have plausible values. However, sometimes a signature + seems to be older than the key due to clock problems. This option + makes these checks just a warning. See also '--ignore-valid-from' + for timestamp issues on subkeys. + +'--ignore-valid-from' + GnuPG normally does not select and use subkeys created in the + future. This option allows the use of such keys and thus exhibits + the pre-1.0.7 behaviour. You should not use this option unless + there is some clock problem. See also '--ignore-time-conflict' for + timestamp issues with signatures. + +'--ignore-crc-error' + The ASCII armor used by OpenPGP is protected by a CRC checksum + against transmission errors. Occasionally the CRC gets mangled + somewhere on the transmission channel but the actual content (which + is protected by the OpenPGP protocol anyway) is still okay. This + option allows GnuPG to ignore CRC errors. + +'--ignore-mdc-error' + This option changes a MDC integrity protection failure into a + warning. It is required to decrypt old messages which did not use + an MDC. It may also be useful if a message is partially garbled, + but it is necessary to get as much data as possible out of that + garbled message. Be aware that a missing or failed MDC can be an + indication of an attack. Use with great caution; see also option + '--rfc2440'. + +'--allow-weak-digest-algos' + Signatures made with known-weak digest algorithms are normally + rejected with an "invalid digest algorithm" message. This option + allows the verification of signatures made with such weak + algorithms. MD5 is the only digest algorithm considered weak by + default. See also '--weak-digest' to reject other digest + algorithms. + +'--weak-digest NAME' + Treat the specified digest algorithm as weak. Signatures made over + weak digests algorithms are normally rejected. This option can be + supplied multiple times if multiple algorithms should be considered + weak. See also '--allow-weak-digest-algos' to disable rejection of + weak digests. MD5 is always considered weak, and does not need to + be listed explicitly. + +'--allow-weak-key-signatures' + To avoid a minor risk of collision attacks on third-party key + signatures made using SHA-1, those key signatures are considered + invalid. This options allows to override this restriction. + +'--override-compliance-check' + The signature verification only allows the use of keys suitable in + the current compliance mode. If the compliance mode has been + forced by a global option, there might be no way to check certain + signature. This option allows to override this and prints an extra + warning in such a case. This option is ignored in -batch mode so + that no accidental unattended verification may happen. + +'--no-default-keyring' + Do not add the default keyring to the list of keyrings. Note that + GnuPG needs for almost all operations a keyring. Thus if you use + this option and do not provide alternate keyrings via '--keyring', + then GnuPG will still use the default keyring. + +'--no-keyring' + Do not use any keyring at all. This overrides the default and all + options which specify keyrings. + +'--skip-verify' + Skip the signature verification step. This may be used to make the + decryption faster if the signature verification is not needed. + +'--with-key-data' + Print key listings delimited by colons (like '--with-colons') and + print the public key data. + +'--list-signatures' +'--list-sigs' + Same as '--list-keys', but the signatures are listed too. This + command has the same effect as using '--list-keys' with + '--with-sig-list'. Note that in contrast to '--check-signatures' + the key signatures are not verified. This command can be used to + create a list of signing keys missing in the local keyring; for + example: + + gpg --list-sigs --with-colons USERID | \ + awk -F: '$1=="sig" && $2=="?" {if($13){print $13}else{print $5}}' + +'--fast-list-mode' + Changes the output of the list commands to work faster; this is + achieved by leaving some parts empty. Some applications don't need + the user ID and the trust information given in the listings. By + using this options they can get a faster listing. The exact + behaviour of this option may change in future versions. If you are + missing some information, don't use this option. + +'--no-literal' + This is not for normal use. Use the source to see for what it + might be useful. + +'--set-filesize' + This is not for normal use. Use the source to see for what it + might be useful. + +'--show-session-key' + Display the session key used for one message. See + '--override-session-key' for the counterpart of this option. + + We think that Key Escrow is a Bad Thing; however the user should + have the freedom to decide whether to go to prison or to reveal the + content of one specific message without compromising all messages + ever encrypted for one secret key. + + You can also use this option if you receive an encrypted message + which is abusive or offensive, to prove to the administrators of + the messaging system that the ciphertext transmitted corresponds to + an inappropriate plaintext so they can take action against the + offending user. + +'--override-session-key STRING' +'--override-session-key-fd FD' + Don't use the public key but the session key STRING respective the + session key taken from the first line read from file descriptor FD. + The format of this string is the same as the one printed by + '--show-session-key'. This option is normally not used but comes + handy in case someone forces you to reveal the content of an + encrypted message; using this option you can do this without + handing out the secret key. Note that using + '--override-session-key' may reveal the session key to all local + users via the global process table. Often it is useful to combine + this option with '--no-keyring'. + +'--ask-sig-expire' +'--no-ask-sig-expire' + When making a data signature, prompt for an expiration time. If + this option is not specified, the expiration time set via + '--default-sig-expire' is used. '--no-ask-sig-expire' disables + this option. + +'--default-sig-expire' + The default expiration time to use for signature expiration. Valid + values are "0" for no expiration, a number followed by the letter d + (for days), w (for weeks), m (for months), or y (for years) (for + example "2m" for two months, or "5y" for five years), or an + absolute date in the form YYYY-MM-DD. Defaults to "0". + +'--ask-cert-expire' +'--no-ask-cert-expire' + When making a key signature, prompt for an expiration time. If + this option is not specified, the expiration time set via + '--default-cert-expire' is used. '--no-ask-cert-expire' disables + this option. + +'--default-cert-expire' + The default expiration time to use for key signature expiration. + Valid values are "0" for no expiration, a number followed by the + letter d (for days), w (for weeks), m (for months), or y (for + years) (for example "2m" for two months, or "5y" for five years), + or an absolute date in the form YYYY-MM-DD. Defaults to "0". + +'--default-new-key-algo STRING' + This option can be used to change the default algorithms for key + generation. The STRING is similar to the arguments required for + the command '--quick-add-key' but slightly different. For example + the current default of '"rsa2048/cert,sign+rsa2048/encr"' (or + '"rsa3072"') can be changed to the value of what we currently call + future default, which is '"ed25519/cert,sign+cv25519/encr"'. You + need to consult the source code to learn the details. Note that + the advanced key generation commands can always be used to specify + a key algorithm directly. + +'--force-sign-key' + This option modifies the behaviour of the commands + '--quick-sign-key', '--quick-lsign-key', and the "sign" + sub-commands of '--edit-key' by forcing the creation of a key + signature, even if one already exists. + +'--forbid-gen-key' + This option is intended for use in the global config file to + disallow the use of generate key commands. Those commands will + then fail with the error code for Not Enabled. + +'--allow-secret-key-import' + This is an obsolete option and is not used anywhere. + +'--allow-multiple-messages' +'--no-allow-multiple-messages' + Allow processing of multiple OpenPGP messages contained in a single + file or stream. Some programs that call GPG are not prepared to + deal with multiple messages being processed together, so this + option defaults to no. Note that versions of GPG prior to 1.4.7 + always allowed multiple messages. Future versions of GnUPG will + remove this option. + + Warning: Do not use this option unless you need it as a temporary + workaround! + +'--enable-special-filenames' + This option enables a mode in which filenames of the form '-&n', + where n is a non-negative decimal number, refer to the file + descriptor n and not to a file with that name. + +'--no-expensive-trust-checks' + Experimental use only. + +'--preserve-permissions' + Don't change the permissions of a secret keyring back to user + read/write only. Use this option only if you really know what you + are doing. + +'--default-preference-list STRING' + Set the list of default preferences to STRING. This preference + list is used for new keys and becomes the default for "setpref" in + the edit menu. + +'--default-keyserver-url NAME' + Set the default keyserver URL to NAME. This keyserver will be used + as the keyserver URL when writing a new self-signature on a key, + which includes key generation and changing preferences. + +'--list-config' + Display various internal configuration parameters of GnuPG. This + option is intended for external programs that call GnuPG to perform + tasks, and is thus not generally useful. See the file + 'doc/DETAILS' in the source distribution for the details of which + configuration items may be listed. '--list-config' is only usable + with '--with-colons' set. + +'--list-gcrypt-config' + Display various internal configuration parameters of Libgcrypt. + +'--gpgconf-list' + This command is similar to '--list-config' but in general only + internally used by the 'gpgconf' tool. + +'--gpgconf-test' + This is more or less dummy action. However it parses the + configuration file and returns with failure if the configuration + file would prevent 'gpg' from startup. Thus it may be used to run + a syntax check on the configuration file. + + ---------- Footnotes ---------- + + (1) Using a little social engineering anyone who is able to decrypt +the message can check whether one of the other recipients is the one he +suspects. + + +File: gnupg.info, Node: Deprecated Options, Prev: GPG Esoteric Options, Up: GPG Options + +4.2.7 Deprecated options +------------------------ + +'--show-photos' +'--no-show-photos' + Causes '--list-keys', '--list-signatures', '--list-public-keys', + '--list-secret-keys', and verifying a signature to also display the + photo ID attached to the key, if any. See also '--photo-viewer'. + These options are deprecated. Use '--list-options + [no-]show-photos' and/or '--verify-options [no-]show-photos' + instead. + +'--show-keyring' + Display the keyring name at the head of key listings to show which + keyring a given key resides on. This option is deprecated: use + '--list-options [no-]show-keyring' instead. + +'--always-trust' + Identical to '--trust-model always'. This option is deprecated. + +'--show-notation' +'--no-show-notation' + Show signature notations in the '--list-signatures' or + '--check-signatures' listings as well as when verifying a signature + with a notation in it. These options are deprecated. Use + '--list-options [no-]show-notation' and/or '--verify-options + [no-]show-notation' instead. + +'--show-policy-url' +'--no-show-policy-url' + Show policy URLs in the '--list-signatures' or '--check-signatures' + listings as well as when verifying a signature with a policy URL in + it. These options are deprecated. Use '--list-options + [no-]show-policy-url' and/or '--verify-options + [no-]show-policy-url' instead. + + +File: gnupg.info, Node: GPG Configuration, Next: GPG Examples, Prev: GPG Options, Up: Invoking GPG + +4.3 Configuration files +======================= + +There are a few configuration files to control certain aspects of +'gpg''s operation. Unless noted, they are expected in the current home +directory (*note option --homedir::). + +'gpg.conf' + This is the standard configuration file read by 'gpg' on startup. + It may contain any valid long option; the leading two dashes may + not be entered and the option may not be abbreviated. This default + name may be changed on the command line (*note gpg-option + --options::). You should backup this file. + + Note that on larger installations, it is useful to put predefined +files into the directory '/etc/skel/.gnupg' so that newly created users +start up with a working configuration. For existing users a small +helper script is provided to create these files (*note addgnupghome::). + + For internal purposes 'gpg' creates and maintains a few other files; +They all live in the current home directory (*note option --homedir::). +Only the 'gpg' program may modify these files. + +'~/.gnupg' + This is the default home directory which is used if neither the + environment variable 'GNUPGHOME' nor the option '--homedir' is + given. + +'~/.gnupg/pubring.gpg' + The public keyring using a legacy format. You should backup this + file. + + If this file is not available, 'gpg' defaults to the new keybox + format and creates a file 'pubring.kbx' unless that file already + exists in which case that file will also be used for OpenPGP keys. + + Note that in the case that both files, 'pubring.gpg' and + 'pubring.kbx' exists but the latter has no OpenPGP keys, the legacy + file 'pubring.gpg' will be used. Take care: GnuPG versions before + 2.1 will always use the file 'pubring.gpg' because they do not know + about the new keybox format. In the case that you have to use + GnuPG 1.4 to decrypt archived data you should keep this file. + +'~/.gnupg/pubring.gpg.lock' + The lock file for the public keyring. + +'~/.gnupg/pubring.kbx' + The public keyring using the new keybox format. This file is + shared with 'gpgsm'. You should backup this file. See above for + the relation between this file and it predecessor. + + To convert an existing 'pubring.gpg' file to the keybox format, you + first backup the ownertrust values, then rename 'pubring.gpg' to + 'publickeys.backup', so it won’t be recognized by any GnuPG + version, run import, and finally restore the ownertrust values: + + $ cd ~/.gnupg + $ gpg --export-ownertrust >otrust.lst + $ mv pubring.gpg publickeys.backup + $ gpg --import-options restore --import publickeys.backups + $ gpg --import-ownertrust otrust.lst + +'~/.gnupg/pubring.kbx.lock' + The lock file for 'pubring.kbx'. + +'~/.gnupg/secring.gpg' + The legacy secret keyring as used by GnuPG versions before 2.1. It + is not used by GnuPG 2.1 and later. You may want to keep it in + case you have to use GnuPG 1.4 to decrypt archived data. + +'~/.gnupg/secring.gpg.lock' + The lock file for the legacy secret keyring. + +'~/.gnupg/.gpg-v21-migrated' + File indicating that a migration to GnuPG 2.1 has been done. + +'~/.gnupg/trustdb.gpg' + The trust database. There is no need to backup this file; it is + better to backup the ownertrust values (*note option + --export-ownertrust::). + +'~/.gnupg/trustdb.gpg.lock' + The lock file for the trust database. + +'~/.gnupg/random_seed' + A file used to preserve the state of the internal random pool. + +'~/.gnupg/openpgp-revocs.d/' + This is the directory where gpg stores pre-generated revocation + certificates. The file name corresponds to the OpenPGP fingerprint + of the respective key. It is suggested to backup those + certificates and if the primary private key is not stored on the + disk to move them to an external storage device. Anyone who can + access theses files is able to revoke the corresponding key. You + may want to print them out. You should backup all files in this + directory and take care to keep this backup closed away. + + Operation is further controlled by a few environment variables: + +HOME + Used to locate the default home directory. + +GNUPGHOME + If set directory used instead of "~/.gnupg". + +GPG_AGENT_INFO + This variable is obsolete; it was used by GnuPG versions before + 2.1. + +PINENTRY_USER_DATA + This value is passed via gpg-agent to pinentry. It is useful to + convey extra information to a custom pinentry. + +COLUMNS +LINES + Used to size some displays to the full size of the screen. + +LANGUAGE + Apart from its use by GNU, it is used in the W32 version to + override the language selection done through the Registry. If used + and set to a valid and available language name (LANGID), the file + with the translation is loaded from 'GPGDIR/gnupg.nls/LANGID.mo'. + Here GPGDIR is the directory out of which the gpg binary has been + loaded. If it can't be loaded the Registry is tried and as last + resort the native Windows locale system is used. + +GNUPG_BUILD_ROOT + This variable is only used by the regression test suite as a helper + under operating systems without proper support to figure out the + name of a process' text file. + +GNUPG_EXEC_DEBUG_FLAGS + This variable allows to enable diagnostics for process management. + A numeric decimal value is expected. Bit 0 enables general + diagnostics, bit 1 enables certain warnings on Windows. + + When calling the gpg-agent component 'gpg' sends a set of environment +variables to gpg-agent. The names of these variables can be listed +using the command: + + gpg-connect-agent 'getinfo std_env_names' /bye | awk '$1=="D" {print $2}' + + +File: gnupg.info, Node: GPG Examples, Next: Unattended Usage of GPG, Prev: GPG Configuration, Up: Invoking GPG + +4.4 Examples +============ + +gpg -se -r 'Bob' 'file' + sign and encrypt for user Bob + +gpg -clear-sign 'file' + make a cleartext signature + +gpg -sb 'file' + make a detached signature + +gpg -u 0x12345678 -sb 'file' + make a detached signature with the key 0x12345678 + +gpg -list-keys 'user_ID' + show keys + +gpg -fingerprint 'user_ID' + show fingerprint + +gpg -verify 'pgpfile' +gpg -verify 'sigfile' ['datafile'] + Verify the signature of the file but do not output the data unless + requested. The second form is used for detached signatures, where + 'sigfile' is the detached signature (either ASCII armored or + binary) and 'datafile' are the signed data; if this is not given, + the name of the file holding the signed data is constructed by + cutting off the extension (".asc" or ".sig") of 'sigfile' or by + asking the user for the filename. If the option '--output' is also + used the signed data is written to the file specified by that + option; use '-' to write the signed data to stdout. + +FILTER EXPRESSIONS +****************** + +The options '--import-filter' and '--export-filter' use expressions with +this syntax (square brackets indicate an optional part and curly braces +a repetition, white space between the elements are allowed): + + [lc] {[{flag}] PROPNAME op VALUE [lc]} + + The name of a property (PROPNAME) may only consist of letters, digits +and underscores. The description for the filter type describes which +properties are defined. If an undefined property is used it evaluates +to the empty string. Unless otherwise noted, the VALUE must always be +given and may not be the empty string. No quoting is defined for the +value, thus the value may not contain the strings '&&' or '||', which +are used as logical connection operators. The flag '--' can be used to +remove this restriction. + + Numerical values are computed as long int; standard C notation +applies. LC is the logical connection operator; either '&&' for a +conjunction or '||' for a disjunction. A conjunction is assumed at the +begin of an expression. Conjunctions have higher precedence than +disjunctions. If VALUE starts with one of the characters used in any OP +a space after the OP is required. + +The supported operators (OP) are: + +=~ + Substring must match. + +!~ + Substring must not match. + += + The full string must match. + +<> + The full string must not match. + +== + The numerical value must match. + +!= + The numerical value must not match. + +<= + The numerical value of the field must be LE than the value. + +< + The numerical value of the field must be LT than the value. + +> + The numerical value of the field must be GT than the value. + +>= + The numerical value of the field must be GE than the value. + +-le + The string value of the field must be less or equal than the value. + +-lt + The string value of the field must be less than the value. + +-gt + The string value of the field must be greater than the value. + +-ge + The string value of the field must be greater or equal than the + value. + +-n + True if value is not empty (no value allowed). + +-z + True if value is empty (no value allowed). + +-t + Alias for "PROPNAME != 0" (no value allowed). + +-f + Alias for "PROPNAME == 0" (no value allowed). + +Values for FLAG must be space separated. The supported flags are: + +- + VALUE spans to the end of the expression. +-c + The string match in this part is done case-sensitive. +-t + Leading and trailing spaces are not removed from VALUE. The + optional single space after OP is here required. + + The filter options concatenate several specifications for a filter of +the same type. For example the four options in this example: + + --import-filter keep-uid="uid =~ Alfa" + --import-filter keep-uid="&& uid !~ Test" + --import-filter keep-uid="|| uid =~ Alpha" + --import-filter keep-uid="uid !~ Test" + +which is equivalent to + + --import-filter \ + keep-uid="uid =~ Alfa" && uid !~ Test" || uid =~ Alpha" && "uid !~ Test" + + imports only the user ids of a key containing the strings "Alfa" or +"Alpha" but not the string "test". + +RETURN VALUE +************ + +The program returns 0 if there are no severe errors, 1 if at least a +signature was bad, and other error codes for fatal errors. + + Note that signature verification requires exact knowledge of what has +been signed and by whom it has beensigned. Using only the return code +is thus not an appropriate way to verify a signature by a script. +Either make proper use or the status codes or use the 'gpgv' tool which +has been designed to make signature verification easy for scripts. + +WARNINGS +******** + +Use a good password for your user account and make sure that all +security issues are always fixed on your machine. Also employ diligent +physical protection to your machine. Consider to use a good passphrase +as a last resort protection to your secret key in the case your machine +gets stolen. It is important that your secret key is never leaked. +Using an easy to carry around token or smartcard with the secret key is +often a advisable. + + If you are going to verify detached signatures, make sure that the +program knows about it; either give both filenames on the command line +or use '-' to specify STDIN. + + For scripted or other unattended use of 'gpg' make sure to use the +machine-parseable interface and not the default interface which is +intended for direct use by humans. The machine-parseable interface +provides a stable and well documented API independent of the locale or +future changes of 'gpg'. To enable this interface use the options +'--with-colons' and '--status-fd'. For certain operations the option +'--command-fd' may come handy too. See this man page and the file +'DETAILS' for the specification of the interface. Note that the GnuPG +"info" pages as well as the PDF version of the GnuPG manual features a +chapter on unattended use of GnuPG. As an alternative the library +'GPGME' can be used as a high-level abstraction on top of that +interface. + +INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS +******************************************** + +GnuPG tries to be a very flexible implementation of the OpenPGP +standard. In particular, GnuPG implements many of the optional parts of +the standard, such as the SHA-512 hash, and the ZLIB and BZIP2 +compression algorithms. It is important to be aware that not all +OpenPGP programs implement these optional algorithms and that by forcing +their use via the '--cipher-algo', '--digest-algo', +'--cert-digest-algo', or '--compress-algo' options in GnuPG, it is +possible to create a perfectly valid OpenPGP message, but one that +cannot be read by the intended recipient. + + There are dozens of variations of OpenPGP programs available, and +each supports a slightly different subset of these optional algorithms. +For example, until recently, no (unhacked) version of PGP supported the +BLOWFISH cipher algorithm. A message using BLOWFISH simply could not be +read by a PGP user. By default, GnuPG uses the standard OpenPGP +preferences system that will always do the right thing and create +messages that are usable by all recipients, regardless of which OpenPGP +program they use. Only override this safe default if you really know +what you are doing. + + If you absolutely must override the safe default, or if the +preferences on a given key are invalid for some reason, you are far +better off using the '--pgp6', '--pgp7', or '--pgp8' options. These +options are safe as they do not force any particular algorithms in +violation of OpenPGP, but rather reduce the available algorithms to a +"PGP-safe" list. + +BUGS +**** + +On older systems this program should be installed as setuid(root). This +is necessary to lock memory pages. Locking memory pages prevents the +operating system from writing memory pages (which may contain +passphrases or other sensitive material) to disk. If you get no warning +message about insecure memory your operating system supports locking +without being root. The program drops root privileges as soon as locked +memory is allocated. + + Note also that some systems (especially laptops) have the ability to +"suspend to disk" (also known as "safe sleep" or "hibernate"). This +writes all memory to disk before going into a low power or even powered +off mode. Unless measures are taken in the operating system to protect +the saved memory, passphrases or other sensitive material may be +recoverable from it later. + + Before you report a bug you should first search the mailing list +archives for similar problems and second check whether such a bug has +already been reported to our bug tracker at <https://bugs.gnupg.org>. + + +File: gnupg.info, Node: Unattended Usage of GPG, Prev: GPG Examples, Up: Invoking GPG + +4.5 Unattended Usage +==================== + +'gpg' is often used as a backend engine by other software. To help with +this a machine interface has been defined to have an unambiguous way to +do this. The options '--status-fd' and '--batch' are almost always +required for this. + +* Menu: + +* Programmatic use of GnuPG:: Programmatic use of GnuPG +* Ephemeral home directories:: Ephemeral home directories +* The quick key manipulation interface:: The quick key manipulation interface +* Unattended GPG key generation:: Unattended key generation + + +File: gnupg.info, Node: Programmatic use of GnuPG, Next: Ephemeral home directories, Up: Unattended Usage of GPG + +4.5.1 Programmatic use of GnuPG +------------------------------- + +Please consider using GPGME instead of calling 'gpg' directly. GPGME +offers a stable, backend-independent interface for many cryptographic +operations. It supports OpenPGP and S/MIME, and also allows interaction +with various GnuPG components. + + GPGME provides a C-API, and comes with bindings for C++, Qt, and +Python. Bindings for other languages are available. + + +File: gnupg.info, Node: Ephemeral home directories, Next: The quick key manipulation interface, Prev: Programmatic use of GnuPG, Up: Unattended Usage of GPG + +4.5.2 Ephemeral home directories +-------------------------------- + +Sometimes you want to contain effects of some operation, for example you +want to import a key to inspect it, but you do not want this key to be +added to your keyring. In earlier versions of GnuPG, it was possible to +specify alternate keyring files for both public and secret keys. In +modern GnuPG versions, however, we changed how secret keys are stored in +order to better protect secret key material, and it was not possible to +preserve this interface. + + The preferred way to do this is to use ephemeral home directories. +This technique works across all versions of GnuPG. + + Create a temporary directory, create (or copy) a configuration that +meets your needs, make 'gpg' use this directory either using the +environment variable GNUPGHOME, or the option '--homedir'. GPGME +supports this too on a per-context basis, by modifying the engine info +of contexts. Now execute whatever operation you like, import and export +key material as necessary. Once finished, you can delete the directory. +All GnuPG backend services that were started will detect this and shut +down. + + +File: gnupg.info, Node: The quick key manipulation interface, Next: Unattended GPG key generation, Prev: Ephemeral home directories, Up: Unattended Usage of GPG + +4.5.3 The quick key manipulation interface +------------------------------------------ + +Recent versions of GnuPG have an interface to manipulate keys without +using the interactive command '--edit-key'. This interface was added +mainly for the benefit of GPGME (please consider using GPGME, see the +manual subsection "Programmatic use of GnuPG"). This interface is +described in the subsection "How to manage your keys". + + +File: gnupg.info, Node: Unattended GPG key generation, Prev: The quick key manipulation interface, Up: Unattended Usage of GPG + +4.5.4 Unattended key generation +------------------------------- + +The command '--generate-key' may be used along with the option '--batch' +for unattended key generation. This is the most flexible way of +generating keys, but it is also the most complex one. Consider using +the quick key manipulation interface described in the previous +subsection "The quick key manipulation interface". + + The parameters for the key are either read from stdin or given as a +file on the command line. The format of the parameter file is as +follows: + + * Text only, line length is limited to about 1000 characters. + * UTF-8 encoding must be used to specify non-ASCII characters. + * Empty lines are ignored. + * Leading and trailing white space is ignored. + * A hash sign as the first non white space character indicates a + comment line. + * Control statements are indicated by a leading percent sign, the + arguments are separated by white space from the keyword. + * Parameters are specified by a keyword, followed by a colon. + Arguments are separated by white space. + * The first parameter must be 'Key-Type'; control statements may be + placed anywhere. + * The order of the parameters does not matter except for 'Key-Type' + which must be the first parameter. The parameters are only used + for the generated keyblock (primary and subkeys); parameters from + previous sets are not used. Some syntactically checks may be + performed. + * Key generation takes place when either the end of the parameter + file is reached, the next 'Key-Type' parameter is encountered or at + the control statement '%commit' is encountered. + +Control statements: + +%echo TEXT + Print TEXT as diagnostic. + +%dry-run + Suppress actual key generation (useful for syntax checking). + +%commit + Perform the key generation. Note that an implicit commit is done + at the next Key-Type parameter. + +%pubring FILENAME + Do not write the key to the default or commandline given keyring + but to FILENAME. This must be given before the first commit to + take place, duplicate specification of the same filename is + ignored, the last filename before a commit is used. The filename + is used until a new filename is used (at commit points) and all + keys are written to that file. If a new filename is given, this + file is created (and overwrites an existing one). + + See the previous subsection "Ephemeral home directories" for a more + robust way to contain side-effects. + +%secring FILENAME + This option is a no-op for GnuPG 2.1 and later. + + See the previous subsection "Ephemeral home directories". + +%ask-passphrase +%no-ask-passphrase + This option is a no-op for GnuPG 2.1 and later. + +%no-protection + Using this option allows the creation of keys without any + passphrase protection. This option is mainly intended for + regression tests. + +%transient-key + If given the keys are created using a faster and a somewhat less + secure random number generator. This option may be used for keys + which are only used for a short time and do not require full + cryptographic strength. It takes only effect if used together with + the control statement '%no-protection'. + +General Parameters: + +Key-Type: ALGO + Starts a new parameter block by giving the type of the primary key. + The algorithm must be capable of signing. This is a required + parameter. ALGO may either be an OpenPGP algorithm number or a + string with the algorithm name. The special value 'default' may be + used for ALGO to create the default key type; in this case a + 'Key-Usage' shall not be given and 'default' also be used for + 'Subkey-Type'. + +Key-Length: NBITS + The requested length of the generated key in bits. The default is + returned by running the command 'gpg --gpgconf-list'. For ECC keys + this parameter is ignored. + +Key-Curve: CURVE + The requested elliptic curve of the generated key. This is a + required parameter for ECC keys. It is ignored for non-ECC keys. + +Key-Grip: HEXSTRING + This is optional and used to generate a CSR or certificate for an + already existing key. Key-Length will be ignored when given. + +Key-Usage: USAGE-LIST + Space or comma delimited list of key usages. Allowed values are + 'encrypt', 'sign', and 'auth'. This is used to generate the key + flags. Please make sure that the algorithm is capable of this + usage. Note that OpenPGP requires that all primary keys are + capable of certification, so no matter what usage is given here, + the 'cert' flag will be on. If no 'Key-Usage' is specified and the + 'Key-Type' is not 'default', all allowed usages for that particular + algorithm are used; if it is not given but 'default' is used the + usage will be 'sign'. + +Subkey-Type: ALGO + This generates a secondary key (subkey). Currently only one subkey + can be handled. See also 'Key-Type' above. + +Subkey-Length: NBITS + Length of the secondary key (subkey) in bits. The default is + returned by running the command 'gpg --gpgconf-list'. + +Subkey-Curve: CURVE + Key curve for a subkey; similar to 'Key-Curve'. + +Subkey-Usage: USAGE-LIST + Key usage lists for a subkey; similar to 'Key-Usage'. + +Passphrase: STRING + If you want to specify a passphrase for the secret key, enter it + here. Default is to use the Pinentry dialog to ask for a + passphrase. + +Name-Real: NAME +Name-Comment: COMMENT +Name-Email: EMAIL + The three parts of a user name. Remember to use UTF-8 encoding + here. If you don't give any of them, no user ID is created. + +Expire-Date: ISO-DATE|(NUMBER[d|w|m|y]) + Set the expiration date for the key (and the subkey). It may + either be entered in ISO date format (e.g. "20000815T145012") or + as number of days, weeks, month or years after the creation date. + The special notation "seconds=N" is also allowed to specify a + number of seconds since creation. Without a letter days are + assumed. Note that there is no check done on the overflow of the + type used by OpenPGP for timestamps. Thus you better make sure + that the given value make sense. Although OpenPGP works with time + intervals, GnuPG uses an absolute value internally and thus the + last year we can represent is 2105. + +Creation-Date: ISO-DATE + Set the creation date of the key as stored in the key information + and which is also part of the fingerprint calculation. Either a + date like "1986-04-26" or a full timestamp like "19860426T042640" + may be used. The time is considered to be UTC. The special + notation "seconds=N" may be used to directly specify a the number + of seconds since Epoch (Unix time). If it is not given the current + time is used. + +Preferences: STRING + Set the cipher, hash, and compression preference values for this + key. This expects the same type of string as the sub-command + 'setpref' in the '--edit-key' menu. + +Revoker: ALGO:FPR [sensitive] + Add a designated revoker to the generated key. Algo is the public + key algorithm of the designated revoker (i.e. RSA=1, DSA=17, etc.) + FPR is the fingerprint of the designated revoker. The optional + 'sensitive' flag marks the designated revoker as sensitive + information. Only v4 keys may be designated revokers. + +Keyserver: STRING + This is an optional parameter that specifies the preferred + keyserver URL for the key. + +Handle: STRING + This is an optional parameter only used with the status lines + KEY_CREATED and KEY_NOT_CREATED. STRING may be up to 100 characters + and should not contain spaces. It is useful for batch key + generation to associate a key parameter block with a status line. + +Here is an example on how to create a key in an ephemeral home +directory: + $ export GNUPGHOME="$(mktemp -d)" + $ cat >foo <<EOF + %echo Generating a basic OpenPGP key + Key-Type: DSA + Key-Length: 1024 + Subkey-Type: ELG-E + Subkey-Length: 1024 + Name-Real: Joe Tester + Name-Comment: with stupid passphrase + Name-Email: joe@foo.bar + Expire-Date: 0 + Passphrase: abc + # Do a commit here, so that we can later print "done" :-) + %commit + %echo done + EOF + $ gpg --batch --generate-key foo + [...] + $ gpg --list-secret-keys + /tmp/tmp.0NQxB74PEf/pubring.kbx + ------------------------------- + sec dsa1024 2016-12-16 [SCA] + 768E895903FC1C44045C8CB95EEBDB71E9E849D0 + uid [ultimate] Joe Tester (with stupid passphrase) <joe@foo.bar> + ssb elg1024 2016-12-16 [E] + +If you want to create a key with the default algorithms you would use +these parameters: + %echo Generating a default key + Key-Type: default + Subkey-Type: default + Name-Real: Joe Tester + Name-Comment: with stupid passphrase + Name-Email: joe@foo.bar + Expire-Date: 0 + Passphrase: abc + # Do a commit here, so that we can later print "done" :-) + %commit + %echo done + + +File: gnupg.info, Node: Invoking GPGSM, Next: Invoking SCDAEMON, Prev: Invoking GPG, Up: Top + +5 Invoking GPGSM +**************** + +'gpgsm' is a tool similar to 'gpg' to provide digital encryption and +signing services on X.509 certificates and the CMS protocol. It is +mainly used as a backend for S/MIME mail processing. 'gpgsm' includes a +full featured certificate management and complies with all rules defined +for the German Sphinx project. + + *Note Option Index::, for an index to 'GPGSM''s commands and options. + +* Menu: + +* GPGSM Commands:: List of all commands. +* GPGSM Options:: List of all options. +* GPGSM Configuration:: Configuration files. +* GPGSM Examples:: Some usage examples. + +Developer information: +* Unattended Usage:: Using 'gpgsm' from other programs. +* GPGSM Protocol:: The protocol the server mode uses. + + +File: gnupg.info, Node: GPGSM Commands, Next: GPGSM Options, Up: Invoking GPGSM + +5.1 Commands +============ + +Commands are not distinguished from options except for the fact that +only one command is allowed. + +* Menu: + +* General GPGSM Commands:: Commands not specific to the functionality. +* Operational GPGSM Commands:: Commands to select the type of operation. +* Certificate Management:: How to manage certificates. + + +File: gnupg.info, Node: General GPGSM Commands, Next: Operational GPGSM Commands, Up: GPGSM Commands + +5.1.1 Commands not specific to the function +------------------------------------------- + +'--version' + Print the program version and licensing information. Note that you + cannot abbreviate this command. + +'--help, -h' + Print a usage message summarizing the most useful command-line + options. Note that you cannot abbreviate this command. + +'--warranty' + Print warranty information. Note that you cannot abbreviate this + command. + +'--dump-options' + Print a list of all available options and commands. Note that you + cannot abbreviate this command. + + +File: gnupg.info, Node: Operational GPGSM Commands, Next: Certificate Management, Prev: General GPGSM Commands, Up: GPGSM Commands + +5.1.2 Commands to select the type of operation +---------------------------------------------- + +'--encrypt' + Perform an encryption. The keys the data is encrypted to must be + set using the option '--recipient'. + +'--decrypt' + Perform a decryption; the type of input is automatically + determined. It may either be in binary form or PEM encoded; + automatic determination of base-64 encoding is not done. + +'--sign' + Create a digital signature. The key used is either the fist one + found in the keybox or those set with the '--local-user' option. + +'--verify' + Check a signature file for validity. Depending on the arguments a + detached signature may also be checked. + +'--server' + Run in server mode and wait for commands on the 'stdin'. + +'--call-dirmngr COMMAND [ARGS]' + Behave as a Dirmngr client issuing the request COMMAND with the + optional list of ARGS. The output of the Dirmngr is printed + stdout. Please note that file names given as arguments should have + an absolute file name (i.e. commencing with '/') because they are + passed verbatim to the Dirmngr and the working directory of the + Dirmngr might not be the same as the one of this client. Currently + it is not possible to pass data via stdin to the Dirmngr. COMMAND + should not contain spaces. + + This is command is required for certain maintaining tasks of the + dirmngr where a dirmngr must be able to call back to 'gpgsm'. See + the Dirmngr manual for details. + +'--call-protect-tool ARGUMENTS' + Certain maintenance operations are done by an external program call + 'gpg-protect-tool'; this is usually not installed in a directory + listed in the PATH variable. This command provides a simple + wrapper to access this tool. ARGUMENTS are passed verbatim to this + command; use '--help' to get a list of supported operations. + + +File: gnupg.info, Node: Certificate Management, Prev: Operational GPGSM Commands, Up: GPGSM Commands + +5.1.3 How to manage the certificates and keys +--------------------------------------------- + +'--generate-key' +'--gen-key' + This command allows the creation of a certificate signing request + or a self-signed certificate. It is commonly used along with the + '--output' option to save the created CSR or certificate into a + file. If used with the '--batch' a parameter file is used to + create the CSR or certificate and it is further possible to create + non-self-signed certificates. + +'--list-keys' +'-k' + List all available certificates stored in the local key database. + Note that the displayed data might be reformatted for better human + readability and illegal characters are replaced by safe + substitutes. + +'--list-secret-keys' +'-K' + List all available certificates for which a corresponding a secret + key is available. + +'--list-external-keys PATTERN' + List certificates matching PATTERN using an external server. This + utilizes the 'dirmngr' service. + +'--list-chain' + Same as '--list-keys' but also prints all keys making up the chain. + +'--dump-cert' +'--dump-keys' + List all available certificates stored in the local key database + using a format useful mainly for debugging. + +'--dump-chain' + Same as '--dump-keys' but also prints all keys making up the chain. + +'--dump-secret-keys' + List all available certificates for which a corresponding a secret + key is available using a format useful mainly for debugging. + +'--dump-external-keys PATTERN' + List certificates matching PATTERN using an external server. This + utilizes the 'dirmngr' service. It uses a format useful mainly for + debugging. + +'--keydb-clear-some-cert-flags' + This is a debugging aid to reset certain flags in the key database + which are used to cache certain certificate stati. It is + especially useful if a bad CRL or a weird running OCSP responder + did accidentally revoke certificate. There is no security issue + with this command because 'gpgsm' always make sure that the + validity of a certificate is checked right before it is used. + +'--delete-keys PATTERN' + Delete the keys matching PATTERN. Note that there is no command to + delete the secret part of the key directly. In case you need to do + this, you should run the command 'gpgsm --dump-secret-keys KEYID' + before you delete the key, copy the string of hex-digits in the + "keygrip" line and delete the file consisting of these hex-digits + and the suffix '.key' from the 'private-keys-v1.d' directory below + our GnuPG home directory (usually '~/.gnupg'). + +'--export [PATTERN]' + Export all certificates stored in the Keybox or those specified by + the optional PATTERN. Those pattern consist of a list of user ids + (*note how-to-specify-a-user-id::). When used along with the + '--armor' option a few informational lines are prepended before + each block. There is one limitation: As there is no commonly + agreed upon way to pack more than one certificate into an ASN.1 + structure, the binary export (i.e. without using 'armor') works + only for the export of one certificate. Thus it is required to + specify a PATTERN which yields exactly one certificate. Ephemeral + certificate are only exported if all PATTERN are given as + fingerprints or keygrips. + +'--export-secret-key-p12 KEY-ID' + Export the private key and the certificate identified by KEY-ID + using the PKCS#12 format. When used with the '--armor' option a + few informational lines are prepended to the output. Note, that + the PKCS#12 format is not very secure and proper transport security + should be used to convey the exported key. (*Note option + --p12-charset::.) + +'--export-secret-key-p8 KEY-ID' +'--export-secret-key-raw KEY-ID' + Export the private key of the certificate identified by KEY-ID with + any encryption stripped. The '...-raw' command exports in PKCS#1 + format; the '...-p8' command exports in PKCS#8 format. When used + with the '--armor' option a few informational lines are prepended + to the output. These commands are useful to prepare a key for use + on a TLS server. + +'--import [FILES]' + Import the certificates from the PEM or binary encoded files as + well as from signed-only messages. This command may also be used + to import a secret key from a PKCS#12 file. + +'--learn-card' + Read information about the private keys from the smartcard and + import the certificates from there. This command utilizes the + 'gpg-agent' and in turn the 'scdaemon'. + +'--change-passphrase USER_ID' +'--passwd USER_ID' + Change the passphrase of the private key belonging to the + certificate specified as USER_ID. Note, that changing the + passphrase/PIN of a smartcard is not yet supported. + + +File: gnupg.info, Node: GPGSM Options, Next: GPGSM Configuration, Prev: GPGSM Commands, Up: Invoking GPGSM + +5.2 Option Summary +================== + +'GPGSM' features a bunch of options to control the exact behaviour and +to change the default configuration. + +* Menu: + +* Configuration Options:: How to change the configuration. +* Certificate Options:: Certificate related options. +* Input and Output:: Input and Output. +* CMS Options:: How to change how the CMS is created. +* Esoteric Options:: Doing things one usually do not want to do. + + +File: gnupg.info, Node: Configuration Options, Next: Certificate Options, Up: GPGSM Options + +5.2.1 How to change the configuration +------------------------------------- + +These options are used to change the configuration and are usually found +in the option file. + +'--options FILE' + Reads configuration from FILE instead of from the default per-user + configuration file. The default configuration file is named + 'gpgsm.conf' and expected in the '.gnupg' directory directly below + the home directory of the user. + +'--homedir DIR' + Set the name of the home directory to DIR. If this option is not + used, the home directory defaults to '~/.gnupg'. It is only + recognized when given on the command line. It also overrides any + home directory stated through the environment variable 'GNUPGHOME' + or (on Windows systems) by means of the Registry entry + HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR. + + On Windows systems it is possible to install GnuPG as a portable + application. In this case only this command line option is + considered, all other ways to set a home directory are ignored. + + To install GnuPG as a portable application under Windows, create an + empty file named 'gpgconf.ctl' in the same directory as the tool + 'gpgconf.exe'. The root of the installation is then that + directory; or, if 'gpgconf.exe' has been installed directly below a + directory named 'bin', its parent directory. You also need to make + sure that the following directories exist and are writable: + 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg' + for internal cache files. + +'-v' +'--verbose' + Outputs additional information while running. You can increase the + verbosity by giving several verbose commands to 'gpgsm', such as + '-vv'. + +'--keyserver STRING' + This is a deprecated option. It was used to add an LDAP server to + use for X.509 certificate and CRL lookup. The alias '--ldapserver' + existed from version 2.2.28 to 2.2.33 but is now entirely ignored. + + LDAP servers must be given in the configuration for 'dirmngr'. + +'--policy-file FILENAME' + Change the default name of the policy file to FILENAME. + +'--agent-program FILE' + Specify an agent program to be used for secret key operations. The + default value is determined by running the command 'gpgconf'. Note + that the pipe symbol ('|') is used for a regression test suite hack + and may thus not be used in the file name. + +'--dirmngr-program FILE' + Specify a dirmngr program to be used for CRL checks. The default + value is '/usr/local/bin/dirmngr'. + +'--prefer-system-dirmngr' + This option is obsolete and ignored. + +'--disable-dirmngr' + Entirely disable the use of the Dirmngr. + +'--no-autostart' + Do not start the gpg-agent or the dirmngr if it has not yet been + started and its service is required. This option is mostly useful + on machines where the connection to gpg-agent has been redirected + to another machines. If dirmngr is required on the remote machine, + it may be started manually using 'gpgconf --launch dirmngr'. + +'--no-secmem-warning' + Do not print a warning when the so called "secure memory" cannot be + used. + +'--log-file FILE' + When running in server mode, append all logging output to FILE. + Use 'socket://' to log to socket. + + +File: gnupg.info, Node: Certificate Options, Next: Input and Output, Prev: Configuration Options, Up: GPGSM Options + +5.2.2 Certificate related options +--------------------------------- + +'--enable-policy-checks' +'--disable-policy-checks' + By default policy checks are enabled. These options may be used to + change it. + +'--enable-crl-checks' +'--disable-crl-checks' + By default the CRL checks are enabled and the DirMngr is used to + check for revoked certificates. The disable option is most useful + with an off-line network connection to suppress this check and also + to avoid that new certificates introduce a web bug by including a + certificate specific CRL DP. The disable option also disables an + issuer certificate lookup via the authorityInfoAccess property of + the certificate; the '--enable-issuer-key-retrieve' can be used to + make use of that property anyway. + +'--enable-trusted-cert-crl-check' +'--disable-trusted-cert-crl-check' + By default the CRL for trusted root certificates are checked like + for any other certificates. This allows a CA to revoke its own + certificates voluntary without the need of putting all ever issued + certificates into a CRL. The disable option may be used to switch + this extra check off. Due to the caching done by the Dirmngr, + there will not be any noticeable performance gain. Note, that this + also disables possible OCSP checks for trusted root certificates. + A more specific way of disabling this check is by adding the + "relax" keyword to the root CA line of the 'trustlist.txt' + +'--force-crl-refresh' + Tell the dirmngr to reload the CRL for each request. For better + performance, the dirmngr will actually optimize this by suppressing + the loading for short time intervals (e.g. 30 minutes). This + option is useful to make sure that a fresh CRL is available for + certificates hold in the keybox. The suggested way of doing this + is by using it along with the option '--with-validation' for a key + listing command. This option should not be used in a configuration + file. + +'--enable-issuer-based-crl-check' + Run a CRL check even for certificates which do not have any CRL + distribution point. This requires that a suitable LDAP server has + been configured in Dirmngr and that the CRL can be found using the + issuer. This option reverts to what GnuPG did up to version + 2.2.20. This option is in general not useful. + +'--enable-ocsp' +'--disable-ocsp' + By default OCSP checks are disabled. The enable option may be used + to enable OCSP checks via Dirmngr. If CRL checks are also enabled, + CRLs will be used as a fallback if for some reason an OCSP request + will not succeed. Note, that you have to allow OCSP requests in + Dirmngr's configuration too (option '--allow-ocsp') and configure + Dirmngr properly. If you do not do so you will get the error code + 'Not supported'. + +'--auto-issuer-key-retrieve' + If a required certificate is missing while validating the chain of + certificates, try to load that certificate from an external + location. This usually means that Dirmngr is employed to search + for the certificate. Note that this option makes a "web bug" like + behavior possible. LDAP server operators can see which keys you + request, so by sending you a message signed by a brand new key + (which you naturally will not have on your local keybox), the + operator can tell both your IP address and the time when you + verified the signature. + +'--validation-model NAME' + This option changes the default validation model. The only + possible values are "shell" (which is the default), "chain" which + forces the use of the chain model and "steed" for a new simplified + model. The chain model is also used if an option in the + 'trustlist.txt' or an attribute of the certificate requests it. + However the standard model (shell) is in that case always tried + first. + +'--ignore-cert-extension OID' + Add OID to the list of ignored certificate extensions. The OID is + expected to be in dotted decimal form, like '2.5.29.3'. This + option may be used more than once. Critical flagged certificate + extensions matching one of the OIDs in the list are treated as if + they are actually handled and thus the certificate will not be + rejected due to an unknown critical extension. Use this option + with care because extensions are usually flagged as critical for a + reason. + + +File: gnupg.info, Node: Input and Output, Next: CMS Options, Prev: Certificate Options, Up: GPGSM Options + +5.2.3 Input and Output +---------------------- + +'--armor' +'-a' + Create PEM encoded output. Default is binary output. + +'--base64' + Create Base-64 encoded output; i.e. PEM without the header lines. + +'--assume-armor' + Assume the input data is PEM encoded. Default is to autodetect the + encoding but this is may fail. + +'--assume-base64' + Assume the input data is plain base-64 encoded. + +'--assume-binary' + Assume the input data is binary encoded. + +'--p12-charset NAME' + 'gpgsm' uses the UTF-8 encoding when encoding passphrases for + PKCS#12 files. This option may be used to force the passphrase to + be encoded in the specified encoding NAME. This is useful if the + application used to import the key uses a different encoding and + thus will not be able to import a file generated by 'gpgsm'. + Commonly used values for NAME are 'Latin1' and 'CP850'. Note that + 'gpgsm' itself automagically imports any file with a passphrase + encoded to the most commonly used encodings. + +'--default-key USER_ID' + Use USER_ID as the standard key for signing. This key is used if + no other key has been defined as a signing key. Note, that the + first '--local-users' option also sets this key if it has not yet + been set; however '--default-key' always overrides this. + +'--local-user USER_ID' +'-u USER_ID' + Set the user(s) to be used for signing. The default is the first + secret key found in the database. + +'--recipient NAME' +'-r' + Encrypt to the user id NAME. There are several ways a user id may + be given (*note how-to-specify-a-user-id::). + +'--output FILE' +'-o FILE' + Write output to FILE. The default is to write it to stdout. + +'--with-key-data' + Displays extra information with the '--list-keys' commands. + Especially a line tagged 'grp' is printed which tells you the + keygrip of a key. This string is for example used as the file name + of the secret key. Implies '--with-colons'. + +'--with-validation' + When doing a key listing, do a full validation check for each key + and print the result. This is usually a slow operation because it + requires a CRL lookup and other operations. + + When used along with '--import', a validation of the certificate to + import is done and only imported if it succeeds the test. Note + that this does not affect an already available certificate in the + DB. This option is therefore useful to simply verify a certificate. + +'--with-md5-fingerprint' + For standard key listings, also print the MD5 fingerprint of the + certificate. + +'--with-keygrip' + Include the keygrip in standard key listings. Note that the + keygrip is always listed in '--with-colons' mode. + +'--with-secret' + Include info about the presence of a secret key in public key + listings done with '--with-colons'. + + +File: gnupg.info, Node: CMS Options, Next: Esoteric Options, Prev: Input and Output, Up: GPGSM Options + +5.2.4 How to change how the CMS is created +------------------------------------------ + +'--include-certs N' + Using N of -2 includes all certificate except for the root cert, -1 + includes all certs, 0 does not include any certs, 1 includes only + the signers cert and all other positive values include up to N + certificates starting with the signer cert. The default is -2. + +'--cipher-algo OID' + Use the cipher algorithm with the ASN.1 object identifier OID for + encryption. For convenience the strings '3DES', 'AES' and 'AES256' + may be used instead of their OIDs. The default is 'AES' + (2.16.840.1.101.3.4.1.2). + +'--digest-algo name' + Use 'name' as the message digest algorithm. Usually this algorithm + is deduced from the respective signing certificate. This option + forces the use of the given algorithm and may lead to severe + interoperability problems. + + +File: gnupg.info, Node: Esoteric Options, Prev: CMS Options, Up: GPGSM Options + +5.2.5 Doing things one usually do not want to do +------------------------------------------------ + +'--extra-digest-algo NAME' + Sometimes signatures are broken in that they announce a different + digest algorithm than actually used. 'gpgsm' uses a one-pass data + processing model and thus needs to rely on the announced digest + algorithms to properly hash the data. As a workaround this option + may be used to tell 'gpgsm' to also hash the data using the + algorithm NAME; this slows processing down a little bit but allows + verification of such broken signatures. If 'gpgsm' prints an error + like "digest algo 8 has not been enabled" you may want to try this + option, with 'SHA256' for NAME. + +'--compliance STRING' + Set the compliance mode. Valid values are shown when using "help" + for STRING. + +'--min-rsa-length N' + This option adjusts the compliance mode "de-vs" for stricter key + size requirements. For example, a value of 3000 turns rsa2048 and + dsa2048 keys into non-VS-NfD compliant keys. + +'--require-compliance' + To check that data has been encrypted according to the rules of the + current compliance mode, a gpgsm user needs to evaluate the status + lines. This is allows frontends to handle compliance check in a + more flexible way. However, for scripted use the required + evaluation of the status-line requires quite some effort; this + option can be used instead to make sure that the gpgsm process + exits with a failure if the compliance rules are not fulfilled. + Note that this option has currently an effect only in "de-vs" mode. + +'--ignore-cert-with-oid OID' + Add OID to the list of OIDs to be checked while reading + certificates from smartcards. The OID is expected to be in dotted + decimal form, like '2.5.29.3'. This option may be used more than + once. As of now certificates with an extended key usage matching + one of those OIDs are ignored during a '--learn-card' operation and + not imported. This option can help to keep the local key database + clear of unneeded certificates stored on smartcards. + +'--faked-system-time EPOCH' + This option is only useful for testing; it sets the system time + back or forth to EPOCH which is the number of seconds elapsed since + the year 1970. Alternatively EPOCH may be given as a full ISO time + string (e.g. "20070924T154812"). + +'--with-ephemeral-keys' + Include ephemeral flagged keys in the output of key listings. Note + that they are included anyway if the key specification for a + listing is given as fingerprint or keygrip. + +'--compatibility-flags FLAGS' + Set compatibility flags to work around problems due to + non-compliant certificates or data. The FLAGS are given as a comma + separated list of flag names and are OR-ed together. The special + flag "none" clears the list and allows to start over with an empty + list. To get a list of available flags the sole word "help" can be + used. + +'--debug-level LEVEL' + Select the debug level for investigating problems. LEVEL may be a + numeric value or by a keyword: + + 'none' + No debugging at all. A value of less than 1 may be used + instead of the keyword. + 'basic' + Some basic debug messages. A value between 1 and 2 may be + used instead of the keyword. + 'advanced' + More verbose debug messages. A value between 3 and 5 may be + used instead of the keyword. + 'expert' + Even more detailed messages. A value between 6 and 8 may be + used instead of the keyword. + 'guru' + All of the debug messages you can get. A value greater than 8 + may be used instead of the keyword. The creation of hash + tracing files is only enabled if the keyword is used. + + How these messages are mapped to the actual debugging flags is not + specified and may change with newer releases of this program. They + are however carefully selected to best aid in debugging. + +'--debug FLAGS' + This option is only useful for debugging and the behaviour may + change at any time without notice; using '--debug-levels' is the + preferred method to select the debug verbosity. FLAGS are bit + encoded and may be given in usual C-Syntax. The currently defined + bits are: + + '0 (1)' + X.509 or OpenPGP protocol related data + '1 (2)' + values of big number integers + '2 (4)' + low level crypto operations + '5 (32)' + memory allocation + '6 (64)' + caching + '7 (128)' + show memory statistics + '9 (512)' + write hashed data to files named 'dbgmd-000*' + '10 (1024)' + trace Assuan protocol + + Note, that all flags set using this option may get overridden by + '--debug-level'. + +'--debug-all' + Same as '--debug=0xffffffff' + +'--debug-allow-core-dump' + Usually 'gpgsm' tries to avoid dumping core by well written code + and by disabling core dumps for security reasons. However, bugs + are pretty durable beasts and to squash them it is sometimes useful + to have a core dump. This option enables core dumps unless the Bad + Thing happened before the option parsing. + +'--debug-no-chain-validation' + This is actually not a debugging option but only useful as such. + It lets 'gpgsm' bypass all certificate chain validation checks. + +'--debug-ignore-expiration' + This is actually not a debugging option but only useful as such. + It lets 'gpgsm' ignore all notAfter dates, this is used by the + regression tests. + +'--passphrase-fd n' + Read the passphrase from file descriptor 'n'. Only the first line + will be read from file descriptor 'n'. If you use 0 for 'n', the + passphrase will be read from STDIN. This can only be used if only + one passphrase is supplied. + + Note that this passphrase is only used if the option '--batch' has + also been given. + +'--pinentry-mode mode' + Set the pinentry mode to 'mode'. Allowed values for 'mode' are: + default + Use the default of the agent, which is 'ask'. + ask + Force the use of the Pinentry. + cancel + Emulate use of Pinentry's cancel button. + error + Return a Pinentry error ("No Pinentry"). + loopback + Redirect Pinentry queries to the caller. Note that in + contrast to Pinentry the user is not prompted again if he + enters a bad password. + +'--request-origin ORIGIN' + Tell gpgsm to assume that the operation ultimately originated at + ORIGIN. Depending on the origin certain restrictions are applied + and the Pinentry may include an extra note on the origin. + Supported values for ORIGIN are: 'local' which is the default, + 'remote' to indicate a remote origin or 'browser' for an operation + requested by a web browser. + +'--no-common-certs-import' + Suppress the import of common certificates on keybox creation. + + All the long options may also be given in the configuration file +after stripping off the two leading dashes. + + +File: gnupg.info, Node: GPGSM Configuration, Next: GPGSM Examples, Prev: GPGSM Options, Up: Invoking GPGSM + +5.3 Configuration files +======================= + +There are a few configuration files to control certain aspects of +'gpgsm''s operation. Unless noted, they are expected in the current +home directory (*note option --homedir::). + +'gpgsm.conf' + This is the standard configuration file read by 'gpgsm' on startup. + It may contain any valid long option; the leading two dashes may + not be entered and the option may not be abbreviated. This default + name may be changed on the command line (*note gpgsm-option + --options::). You should backup this file. + +'policies.txt' + This is a list of allowed CA policies. This file should list the + object identifiers of the policies line by line. Empty lines and + lines starting with a hash mark are ignored. Policies missing in + this file and not marked as critical in the certificate will print + only a warning; certificates with policies marked as critical and + not listed in this file will fail the signature verification. You + should backup this file. + + For example, to allow only the policy 2.289.9.9, the file should + look like this: + + # Allowed policies + 2.289.9.9 + +'qualified.txt' + This is the list of root certificates used for qualified + certificates. They are defined as certificates capable of creating + legally binding signatures in the same way as handwritten + signatures are. Comments start with a hash mark and empty lines + are ignored. Lines do have a length limit but this is not a + serious limitation as the format of the entries is fixed and + checked by 'gpgsm': A non-comment line starts with optional + whitespace, followed by exactly 40 hex characters, white space and + a lowercased 2 letter country code. Additional data delimited with + by a white space is current ignored but might late be used for + other purposes. + + Note that even if a certificate is listed in this file, this does + not mean that the certificate is trusted; in general the + certificates listed in this file need to be listed also in + 'trustlist.txt'. + + This is a global file an installed in the data directory (e.g. + '/usr/local/share/gnupg/qualified.txt'). GnuPG installs a suitable + file with root certificates as used in Germany. As new Root-CA + certificates may be issued over time, these entries may need to be + updated; new distributions of this software should come with an + updated list but it is still the responsibility of the + Administrator to check that this list is correct. + + Every time 'gpgsm' uses a certificate for signing or verification + this file will be consulted to check whether the certificate under + question has ultimately been issued by one of these CAs. If this + is the case the user will be informed that the verified signature + represents a legally binding ("qualified") signature. When + creating a signature using such a certificate an extra prompt will + be issued to let the user confirm that such a legally binding + signature shall really be created. + + Because this software has not yet been approved for use with such + certificates, appropriate notices will be shown to indicate this + fact. + +'help.txt' + This is plain text file with a few help entries used with + 'pinentry' as well as a large list of help items for 'gpg' and + 'gpgsm'. The standard file has English help texts; to install + localized versions use filenames like 'help.LL.txt' with LL + denoting the locale. GnuPG comes with a set of predefined help + files in the data directory (e.g. + '/usr/local/share/gnupg/gnupg/help.de.txt') and allows overriding + of any help item by help files stored in the system configuration + directory (e.g. '/etc/gnupg/help.de.txt'). For a reference of the + help file's syntax, please see the installed 'help.txt' file. + +'com-certs.pem' + This file is a collection of common certificates used to populated + a newly created 'pubring.kbx'. An administrator may replace this + file with a custom one. The format is a concatenation of PEM + encoded X.509 certificates. This global file is installed in the + data directory (e.g. '/usr/local/share/gnupg/com-certs.pem'). + + Note that on larger installations, it is useful to put predefined +files into the directory '/etc/skel/.gnupg/' so that newly created users +start up with a working configuration. For existing users a small +helper script is provided to create these files (*note addgnupghome::). + + For internal purposes 'gpgsm' creates and maintains a few other +files; they all live in the current home directory (*note option +--homedir::). Only 'gpgsm' may modify these files. + +'pubring.kbx' + This a database file storing the certificates as well as meta + information. For debugging purposes the tool 'kbxutil' may be used + to show the internal structure of this file. You should backup + this file. + +'random_seed' + This content of this file is used to maintain the internal state of + the random number generator across invocations. The same file is + used by other programs of this software too. + +'S.gpg-agent' + If this file exists 'gpgsm' will first try to connect to this + socket for accessing 'gpg-agent' before starting a new 'gpg-agent' + instance. Under Windows this socket (which in reality be a plain + file describing a regular TCP listening port) is the standard way + of connecting the 'gpg-agent'. + + +File: gnupg.info, Node: GPGSM Examples, Next: Unattended Usage, Prev: GPGSM Configuration, Up: Invoking GPGSM + +5.4 Examples +============ + + $ gpgsm -er goo@bar.net <plaintext >ciphertext + + +File: gnupg.info, Node: Unattended Usage, Next: GPGSM Protocol, Prev: GPGSM Examples, Up: Invoking GPGSM + +5.5 Unattended Usage +==================== + +'gpgsm' is often used as a backend engine by other software. To help +with this a machine interface has been defined to have an unambiguous +way to do this. This is most likely used with the '--server' command +but may also be used in the standard operation mode by using the +'--status-fd' option. + +* Menu: + +* Automated signature checking:: Automated signature checking. +* CSR and certificate creation:: CSR and certificate creation. + + +File: gnupg.info, Node: Automated signature checking, Next: CSR and certificate creation, Up: Unattended Usage + +5.5.1 Automated signature checking +---------------------------------- + +It is very important to understand the semantics used with signature +verification. Checking a signature is not as simple as it may sound and +so the operation is a bit complicated. In most cases it is required to +look at several status lines. Here is a table of all cases a signed +message may have: + +The signature is valid + This does mean that the signature has been successfully verified, + the certificates are all sane. However there are two subcases with + important information: One of the certificates may have expired or + a signature of a message itself as expired. It is a sound practise + to consider such a signature still as valid but additional + information should be displayed. Depending on the subcase 'gpgsm' + will issue these status codes: + signature valid and nothing did expire + 'GOODSIG', 'VALIDSIG', 'TRUST_FULLY' + signature valid but at least one certificate has expired + 'EXPKEYSIG', 'VALIDSIG', 'TRUST_FULLY' + signature valid but expired + 'EXPSIG', 'VALIDSIG', 'TRUST_FULLY' Note, that this case is + currently not implemented. + +The signature is invalid + This means that the signature verification failed (this is an + indication of a transfer error, a program error or tampering with + the message). 'gpgsm' issues one of these status codes sequences: + 'BADSIG' + 'GOODSIG, VALIDSIG TRUST_NEVER' + +Error verifying a signature + For some reason the signature could not be verified, i.e. it + cannot be decided whether the signature is valid or invalid. A + common reason for this is a missing certificate. + + +File: gnupg.info, Node: CSR and certificate creation, Prev: Automated signature checking, Up: Unattended Usage + +5.5.2 CSR and certificate creation +---------------------------------- + +The command '--generate-key' may be used along with the option '--batch' +to either create a certificate signing request (CSR) or an X.509 +certificate. This is controlled by a parameter file; the format of this +file is as follows: + + * Text only, line length is limited to about 1000 characters. + * UTF-8 encoding must be used to specify non-ASCII characters. + * Empty lines are ignored. + * Leading and trailing while space is ignored. + * A hash sign as the first non white space character indicates a + comment line. + * Control statements are indicated by a leading percent sign, the + arguments are separated by white space from the keyword. + * Parameters are specified by a keyword, followed by a colon. + Arguments are separated by white space. + * The first parameter must be 'Key-Type', control statements may be + placed anywhere. + * The order of the parameters does not matter except for 'Key-Type' + which must be the first parameter. The parameters are only used + for the generated CSR/certificate; parameters from previous sets + are not used. Some syntactically checks may be performed. + * Key generation takes place when either the end of the parameter + file is reached, the next 'Key-Type' parameter is encountered or at + the control statement '%commit' is encountered. + +Control statements: + +%echo TEXT + Print TEXT as diagnostic. + +%dry-run + Suppress actual key generation (useful for syntax checking). + +%commit + Perform the key generation. Note that an implicit commit is done + at the next Key-Type parameter. + +General Parameters: + +Key-Type: ALGO + Starts a new parameter block by giving the type of the primary key. + The algorithm must be capable of signing. This is a required + parameter. The only supported value for ALGO is 'rsa'. + +Key-Length: NBITS + The requested length of a generated key in bits. Defaults to 3072. + +Key-Grip: HEXSTRING + This is optional and used to generate a CSR or certificate for an + already existing key. Key-Length will be ignored when given. + +Key-Usage: USAGE-LIST + Space or comma delimited list of key usage, allowed values are + 'encrypt', 'sign' and 'cert'. This is used to generate the + keyUsage extension. Please make sure that the algorithm is capable + of this usage. Default is to allow encrypt and sign. + +Name-DN: SUBJECT-NAME + This is the Distinguished Name (DN) of the subject in RFC-2253 + format. + +Name-Email: STRING + This is an email address for the altSubjectName. This parameter is + optional but may occur several times to add several email addresses + to a certificate. + +Name-DNS: STRING + The is an DNS name for the altSubjectName. This parameter is + optional but may occur several times to add several DNS names to a + certificate. + +Name-URI: STRING + This is an URI for the altSubjectName. This parameter is optional + but may occur several times to add several URIs to a certificate. + +Additional parameters used to create a certificate (in contrast to a +certificate signing request): + +Serial: SN + If this parameter is given an X.509 certificate will be generated. + SN is expected to be a hex string representing an unsigned integer + of arbitrary length. The special value 'random' can be used to + create a 64 bit random serial number. + +Issuer-DN: ISSUER-NAME + This is the DN name of the issuer in RFC-2253 format. If it is not + set it will default to the subject DN and a special GnuPG extension + will be included in the certificate to mark it as a standalone + certificate. + +Creation-Date: ISO-DATE +Not-Before: ISO-DATE + Set the notBefore date of the certificate. Either a date like + '1986-04-26' or '1986-04-26 12:00' or a standard ISO timestamp like + '19860426T042640' may be used. The time is considered to be UTC. + If it is not given the current date is used. + +Expire-Date: ISO-DATE +Not-After: ISO-DATE + Set the notAfter date of the certificate. Either a date like + '2063-04-05' or '2063-04-05 17:00' or a standard ISO timestamp like + '20630405T170000' may be used. The time is considered to be UTC. + If it is not given a default value in the not too far future is + used. + +Signing-Key: KEYGRIP + This gives the keygrip of the key used to sign the certificate. If + it is not given a self-signed certificate will be created. For + compatibility with future versions, it is suggested to prefix the + keygrip with a '&'. + +Hash-Algo: HASH-ALGO + Use HASH-ALGO for this CSR or certificate. The supported hash + algorithms are: 'sha1', 'sha256', 'sha384' and 'sha512'; they may + also be specified with uppercase letters. The default is 'sha256'. + diff --git a/doc/gnupg.info-2 b/doc/gnupg.info-2 new file mode 100644 index 0000000..7895f56 --- /dev/null +++ b/doc/gnupg.info-2 @@ -0,0 +1,6144 @@ +This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi. + +This is the 'The GNU Privacy Guard Manual' (version 2.2.40-beta3, +October 2022). + + (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc. +(C) 2013, 2014, 2015 Werner Koch. +(C) 2015, 2016, 2017 g10 Code GmbH. + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU General Public License as + published by the Free Software Foundation; either version 3 of the + License, or (at your option) any later version. The text of the + license can be found in the section entitled "Copying". +INFO-DIR-SECTION GNU Utilities +START-INFO-DIR-ENTRY +* gpg2: (gnupg). OpenPGP encryption and signing tool. +* gpgsm: (gnupg). S/MIME encryption and signing tool. +* gpg-agent: (gnupg). The secret key daemon. +* dirmngr: (gnupg). X.509 CRL and OCSP server. +* dirmngr-client: (gnupg). X.509 CRL and OCSP client. +END-INFO-DIR-ENTRY + + +File: gnupg.info, Node: GPGSM Protocol, Prev: Unattended Usage, Up: Invoking GPGSM + +5.6 The Protocol the Server Mode Uses +===================================== + +Description of the protocol used to access 'GPGSM'. 'GPGSM' does +implement the Assuan protocol and in addition provides a regular command +line interface which exhibits a full client to this protocol (but uses +internal linking). To start 'gpgsm' as a server the command line the +option '--server' must be used. Additional options are provided to +select the communication method (i.e. the name of the socket). + + We assume that the connection has already been established; see the +Assuan manual for details. + +* Menu: + +* GPGSM ENCRYPT:: Encrypting a message. +* GPGSM DECRYPT:: Decrypting a message. +* GPGSM SIGN:: Signing a message. +* GPGSM VERIFY:: Verifying a message. +* GPGSM GENKEY:: Generating a key. +* GPGSM LISTKEYS:: List available keys. +* GPGSM EXPORT:: Export certificates. +* GPGSM IMPORT:: Import certificates. +* GPGSM DELETE:: Delete certificates. +* GPGSM GETAUDITLOG:: Retrieve an audit log. +* GPGSM GETINFO:: Information about the process +* GPGSM OPTION:: Session options. + + +File: gnupg.info, Node: GPGSM ENCRYPT, Next: GPGSM DECRYPT, Up: GPGSM Protocol + +5.6.1 Encrypting a Message +-------------------------- + +Before encryption can be done the recipient must be set using the +command: + + RECIPIENT USERID + + Set the recipient for the encryption. USERID should be the internal +representation of the key; the server may accept any other way of +specification. If this is a valid and trusted recipient the server does +respond with OK, otherwise the return is an ERR with the reason why the +recipient cannot be used, the encryption will then not be done for this +recipient. If the policy is not to encrypt at all if not all recipients +are valid, the client has to take care of this. All 'RECIPIENT' +commands are cumulative until a 'RESET' or an successful 'ENCRYPT' +command. + + INPUT FD[=N] [--armor|--base64|--binary] + + Set the file descriptor for the message to be encrypted to N. +Obviously the pipe must be open at that point, the server establishes +its own end. If the server returns an error the client should consider +this session failed. If N is not given, this commands uses the last +file descriptor passed to the application. *Note the assuan_sendfd +function: (assuan)fun-assuan_sendfd, on how to do descriptor passing. + + The '--armor' option may be used to advise the server that the input +data is in PEM format, '--base64' advises that a raw base-64 encoding is +used, '--binary' advises of raw binary input (BER). If none of these +options is used, the server tries to figure out the used encoding, but +this may not always be correct. + + OUTPUT FD[=N] [--armor|--base64] + + Set the file descriptor to be used for the output (i.e. the +encrypted message). Obviously the pipe must be open at that point, the +server establishes its own end. If the server returns an error the +client should consider this session failed. + + The option '--armor' encodes the output in PEM format, the '--base64' +option applies just a base-64 encoding. No option creates binary output +(BER). + + The actual encryption is done using the command + + ENCRYPT + + It takes the plaintext from the 'INPUT' command, writes to the +ciphertext to the file descriptor set with the 'OUTPUT' command, take +the recipients from all the recipients set so far. If this command +fails the clients should try to delete all output currently done or +otherwise mark it as invalid. 'GPGSM' does ensure that there will not +be any security problem with leftover data on the output in this case. + + This command should in general not fail, as all necessary checks have +been done while setting the recipients. The input and output pipes are +closed. + + +File: gnupg.info, Node: GPGSM DECRYPT, Next: GPGSM SIGN, Prev: GPGSM ENCRYPT, Up: GPGSM Protocol + +5.6.2 Decrypting a message +-------------------------- + +Input and output FDs are set the same way as in encryption, but 'INPUT' +refers to the ciphertext and 'OUTPUT' to the plaintext. There is no +need to set recipients. 'GPGSM' automatically strips any S/MIME headers +from the input, so it is valid to pass an entire MIME part to the INPUT +pipe. + + The decryption is done by using the command + + DECRYPT + + It performs the decrypt operation after doing some check on the +internal state (e.g. that all needed data has been set). Because it +utilizes the GPG-Agent for the session key decryption, there is no need +to ask the client for a protecting passphrase - GpgAgent takes care of +this by requesting this from the user. + + +File: gnupg.info, Node: GPGSM SIGN, Next: GPGSM VERIFY, Prev: GPGSM DECRYPT, Up: GPGSM Protocol + +5.6.3 Signing a Message +----------------------- + +Signing is usually done with these commands: + + INPUT FD[=N] [--armor|--base64|--binary] + + This tells 'GPGSM' to read the data to sign from file descriptor N. + + OUTPUT FD[=M] [--armor|--base64] + + Write the output to file descriptor M. If a detached signature is +requested, only the signature is written. + + SIGN [--detached] + + Sign the data set with the 'INPUT' command and write it to the sink +set by 'OUTPUT'. With '--detached', a detached signature is created +(surprise). + + The key used for signing is the default one or the one specified in +the configuration file. To get finer control over the keys, it is +possible to use the command + + SIGNER USERID + + to set the signer's key. USERID should be the internal +representation of the key; the server may accept any other way of +specification. If this is a valid and trusted recipient the server does +respond with OK, otherwise the return is an ERR with the reason why the +key cannot be used, the signature will then not be created using this +key. If the policy is not to sign at all if not all keys are valid, the +client has to take care of this. All 'SIGNER' commands are cumulative +until a 'RESET' is done. Note that a 'SIGN' does not reset this list of +signers which is in contrast to the 'RECIPIENT' command. + + +File: gnupg.info, Node: GPGSM VERIFY, Next: GPGSM GENKEY, Prev: GPGSM SIGN, Up: GPGSM Protocol + +5.6.4 Verifying a Message +------------------------- + +To verify a message the command: + + VERIFY + + is used. It does a verify operation on the message send to the input +FD. The result is written out using status lines. If an output FD was +given, the signed text will be written to that. If the signature is a +detached one, the server will inquire about the signed material and the +client must provide it. + + +File: gnupg.info, Node: GPGSM GENKEY, Next: GPGSM LISTKEYS, Prev: GPGSM VERIFY, Up: GPGSM Protocol + +5.6.5 Generating a Key +---------------------- + +This is used to generate a new keypair, store the secret part in the PSE +and the public key in the key database. We will probably add optional +commands to allow the client to select whether a hardware token is used +to store the key. Configuration options to 'GPGSM' can be used to +restrict the use of this command. + + GENKEY + + 'GPGSM' checks whether this command is allowed and then does an +INQUIRY to get the key parameters, the client should then send the key +parameters in the native format: + + S: INQUIRE KEY_PARAM native + C: D foo:fgfgfg + C: D bar + C: END + + Please note that the server may send Status info lines while reading +the data lines from the client. After this the key generation takes +place and the server eventually does send an ERR or OK response. Status +lines may be issued as a progress indicator. + + +File: gnupg.info, Node: GPGSM LISTKEYS, Next: GPGSM EXPORT, Prev: GPGSM GENKEY, Up: GPGSM Protocol + +5.6.6 List available keys +------------------------- + +To list the keys in the internal database or using an external key +provider, the command: + + LISTKEYS PATTERN + + is used. To allow multiple patterns (which are ORed during the +search) quoting is required: Spaces are to be translated into "+" or +into "%20"; in turn this requires that the usual escape quoting rules +are done. + + LISTSECRETKEYS PATTERN + + Lists only the keys where a secret key is available. + + The list commands are affected by the option + + OPTION list-mode=MODE + + where mode may be: +'0' + Use default (which is usually the same as 1). +'1' + List only the internal keys. +'2' + List only the external keys. +'3' + List internal and external keys. + + Note that options are valid for the entire session. + + +File: gnupg.info, Node: GPGSM EXPORT, Next: GPGSM IMPORT, Prev: GPGSM LISTKEYS, Up: GPGSM Protocol + +5.6.7 Export certificates +------------------------- + +To export certificate from the internal key database the command: + + EXPORT [--data [--armor] [--base64]] [--] PATTERN + + is used. To allow multiple patterns (which are ORed) quoting is +required: Spaces are to be translated into "+" or into "%20"; in turn +this requires that the usual escape quoting rules are done. + + If the '--data' option has not been given, the format of the output +depends on what was set with the 'OUTPUT' command. When using PEM +encoding a few informational lines are prepended. + + If the '--data' has been given, a target set via 'OUTPUT' is ignored +and the data is returned inline using standard 'D'-lines. This avoids +the need for an extra file descriptor. In this case the options +'--armor' and '--base64' may be used in the same way as with the +'OUTPUT' command. + + +File: gnupg.info, Node: GPGSM IMPORT, Next: GPGSM DELETE, Prev: GPGSM EXPORT, Up: GPGSM Protocol + +5.6.8 Import certificates +------------------------- + +To import certificates into the internal key database, the command + + IMPORT [--re-import] + + is used. The data is expected on the file descriptor set with the +'INPUT' command. Certain checks are performed on the certificate. Note +that the code will also handle PKCS#12 files and import private keys; a +helper program is used for that. + + With the option '--re-import' the input data is expected to a be a +linefeed separated list of fingerprints. The command will re-import the +corresponding certificates; that is they are made permanent by removing +their ephemeral flag. + + +File: gnupg.info, Node: GPGSM DELETE, Next: GPGSM GETAUDITLOG, Prev: GPGSM IMPORT, Up: GPGSM Protocol + +5.6.9 Delete certificates +------------------------- + +To delete a certificate the command + + DELKEYS PATTERN + + is used. To allow multiple patterns (which are ORed) quoting is +required: Spaces are to be translated into "+" or into "%20"; in turn +this requires that the usual escape quoting rules are done. + + The certificates must be specified unambiguously otherwise an error +is returned. + + +File: gnupg.info, Node: GPGSM GETAUDITLOG, Next: GPGSM GETINFO, Prev: GPGSM DELETE, Up: GPGSM Protocol + +5.6.10 Retrieve an audit log +---------------------------- + +This command is used to retrieve an audit log. + + GETAUDITLOG [--data] [--html] + + If '--data' is used, the audit log is send using D-lines instead of +being sent to the file descriptor given by an 'OUTPUT' command. If +'--html' is used, the output is formatted as an XHTML block. This is +designed to be incorporated into a HTML document. + + +File: gnupg.info, Node: GPGSM GETINFO, Next: GPGSM OPTION, Prev: GPGSM GETAUDITLOG, Up: GPGSM Protocol + +5.6.11 Return information about the process +------------------------------------------- + +This is a multipurpose function to return a variety of information. + + GETINFO WHAT + + The value of WHAT specifies the kind of information returned: +'version' + Return the version of the program. +'pid' + Return the process id of the process. +'agent-check' + Return OK if the agent is running. +'cmd_has_option CMD OPT' + Return OK if the command CMD implements the option OPT. The + leading two dashes usually used with OPT shall not be given. +'offline' + Return OK if the connection is in offline mode. This may be either + due to a 'OPTION offline=1' or due to 'gpgsm' being started with + option '--disable-dirmngr'. + + +File: gnupg.info, Node: GPGSM OPTION, Prev: GPGSM GETINFO, Up: GPGSM Protocol + +5.6.12 Session options +---------------------- + +The standard Assuan option handler supports these options. + + OPTION NAME[=VALUE] + + These NAMEs are recognized: + +'putenv' + Change the session's environment to be passed via gpg-agent to + Pinentry. VALUE is a string of the form '<KEY>[=[<STRING>]]'. If + only '<KEY>' is given the environment variable '<KEY>' is removed + from the session environment, if '<KEY>=' is given that environment + variable is set to the empty string, and if '<STRING>' is given it + is set to that string. + +'display' + Set the session environment variable 'DISPLAY' is set to VALUE. +'ttyname' + Set the session environment variable 'GPG_TTY' is set to VALUE. +'ttytype' + Set the session environment variable 'TERM' is set to VALUE. +'lc-ctype' + Set the session environment variable 'LC_CTYPE' is set to VALUE. +'lc-messages' + Set the session environment variable 'LC_MESSAGES' is set to VALUE. +'xauthority' + Set the session environment variable 'XAUTHORITY' is set to VALUE. +'pinentry-user-data' + Set the session environment variable 'PINENTRY_USER_DATA' is set to + VALUE. + +'include-certs' + This option overrides the command line option '--include-certs'. A + VALUE of -2 includes all certificates except for the root + certificate, -1 includes all certificates, 0 does not include any + certificates, 1 includes only the signers certificate and all other + positive values include up to VALUE certificates starting with the + signer cert. + +'list-mode' + *Note gpgsm-cmd listkeys::. + +'list-to-output' + If VALUE is true the output of the list commands (*note gpgsm-cmd + listkeys::) is written to the file descriptor set with the last + 'OUTPUT' command. If VALUE is false the output is written via data + lines; this is the default. + +'with-validation' + If VALUE is true for each listed certificate the validation status + is printed. This may result in the download of a CRL or the user + being asked about the trustworthiness of a root certificate. The + default is given by a command line option (*note gpgsm-option + --with-validation::). + +'with-secret' + If VALUE is true certificates with a corresponding private key are + marked by the list commands. + +'validation-model' + This option overrides the command line option 'validation-model' + for the session. (*Note gpgsm-option --validation-model::.) + +'with-key-data' + This option globally enables the command line option + '--with-key-data'. (*Note gpgsm-option --with-key-data::.) + +'enable-audit-log' + If VALUE is true data to write an audit log is gathered. (*Note + gpgsm-cmd getauditlog::.) + +'allow-pinentry-notify' + If this option is used notifications about the launch of a Pinentry + are passed back to the client. + +'with-ephemeral-keys' + If VALUE is true ephemeral certificates are included in the output + of the list commands. + +'no-encrypt-to' + If this option is used all keys set by the command line option + '--encrypt-to' are ignored. + +'offline' + If VALUE is true or VALUE is not given all network access is + disabled for this session. This is the same as the command line + option '--disable-dirmngr'. + + +File: gnupg.info, Node: Invoking SCDAEMON, Next: Specify a User ID, Prev: Invoking GPGSM, Up: Top + +6 Invoking the SCDAEMON +*********************** + +The 'scdaemon' is a daemon to manage smartcards. It is usually invoked +by 'gpg-agent' and in general not used directly. + + *Note Option Index::, for an index to 'scdaemon''s commands and +options. + +* Menu: + +* Scdaemon Commands:: List of all commands. +* Scdaemon Options:: List of all options. +* Card applications:: Description of card applications. +* Scdaemon Configuration:: Configuration files. +* Scdaemon Examples:: Some usage examples. +* Scdaemon Protocol:: The protocol the daemon uses. + + +File: gnupg.info, Node: Scdaemon Commands, Next: Scdaemon Options, Up: Invoking SCDAEMON + +6.1 Commands +============ + +Commands are not distinguished from options except for the fact that +only one command is allowed. + +'--version' + Print the program version and licensing information. Note that you + cannot abbreviate this command. + +'--help, -h' + Print a usage message summarizing the most useful command-line + options. Note that you cannot abbreviate this command. + +'--dump-options' + Print a list of all available options and commands. Note that you + cannot abbreviate this command. + +'--server' + Run in server mode and wait for commands on the 'stdin'. The + default mode is to create a socket and listen for commands there. + +'--multi-server' + Run in server mode and wait for commands on the 'stdin' as well as + on an additional Unix Domain socket. The server command 'GETINFO' + may be used to get the name of that extra socket. + +'--daemon' + Run the program in the background. This option is required to + prevent it from being accidentally running in the background. + + +File: gnupg.info, Node: Scdaemon Options, Next: Card applications, Prev: Scdaemon Commands, Up: Invoking SCDAEMON + +6.2 Option Summary +================== + +'--options FILE' + Reads configuration from FILE instead of from the default per-user + configuration file. The default configuration file is named + 'scdaemon.conf' and expected in the '.gnupg' directory directly + below the home directory of the user. + +'--homedir DIR' + Set the name of the home directory to DIR. If this option is not + used, the home directory defaults to '~/.gnupg'. It is only + recognized when given on the command line. It also overrides any + home directory stated through the environment variable 'GNUPGHOME' + or (on Windows systems) by means of the Registry entry + HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR. + + On Windows systems it is possible to install GnuPG as a portable + application. In this case only this command line option is + considered, all other ways to set a home directory are ignored. + + To install GnuPG as a portable application under Windows, create an + empty file named 'gpgconf.ctl' in the same directory as the tool + 'gpgconf.exe'. The root of the installation is then that + directory; or, if 'gpgconf.exe' has been installed directly below a + directory named 'bin', its parent directory. You also need to make + sure that the following directories exist and are writable: + 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg' + for internal cache files. + +'-v' +'--verbose' + Outputs additional information while running. You can increase the + verbosity by giving several verbose commands to 'gpgsm', such as + '-vv'. + +'--debug-level LEVEL' + Select the debug level for investigating problems. LEVEL may be a + numeric value or a keyword: + + 'none' + No debugging at all. A value of less than 1 may be used + instead of the keyword. + 'basic' + Some basic debug messages. A value between 1 and 2 may be + used instead of the keyword. + 'advanced' + More verbose debug messages. A value between 3 and 5 may be + used instead of the keyword. + 'expert' + Even more detailed messages. A value between 6 and 8 may be + used instead of the keyword. + 'guru' + All of the debug messages you can get. A value greater than 8 + may be used instead of the keyword. The creation of hash + tracing files is only enabled if the keyword is used. + + How these messages are mapped to the actual debugging flags is not + specified and may change with newer releases of this program. They + are however carefully selected to best aid in debugging. + + Note: All debugging options are subject to change and thus + should not be used by any application program. As the name + says, they are only used as helpers to debug problems. + +'--debug FLAGS' + This option is only useful for debugging and the behavior may + change at any time without notice. FLAGS are bit encoded and may + be given in usual C-Syntax. The currently defined bits are: + + '0 (1)' + command I/O + '1 (2)' + values of big number integers + '2 (4)' + low level crypto operations + '5 (32)' + memory allocation + '6 (64)' + caching + '7 (128)' + show memory statistics + '9 (512)' + write hashed data to files named 'dbgmd-000*' + '10 (1024)' + trace Assuan protocol. See also option + '--debug-assuan-log-cats'. + '11 (2048)' + trace APDU I/O to the card. This may reveal sensitive data. + '12 (4096)' + trace some card reader related function calls. + +'--debug-all' + Same as '--debug=0xffffffff' + +'--debug-wait N' + When running in server mode, wait N seconds before entering the + actual processing loop and print the pid. This gives time to + attach a debugger. + +'--debug-ccid-driver' + Enable debug output from the included CCID driver for smartcards. + Using this option twice will also enable some tracing of the T=1 + protocol. Note that this option may reveal sensitive data. + +'--debug-disable-ticker' + This option disables all ticker functions like checking for card + insertions. + +'--debug-allow-core-dump' + For security reasons we won't create a core dump when the process + aborts. For debugging purposes it is sometimes better to allow + core dump. This option enables it and also changes the working + directory to '/tmp' when running in '--server' mode. + +'--debug-log-tid' + This option appends a thread ID to the PID in the log output. + +'--debug-assuan-log-cats CATS' + Changes the active Libassuan logging categories to CATS. The value + for CATS is an unsigned integer given in usual C-Syntax. A value + of 0 switches to a default category. If this option is not used + the categories are taken from the environment variable + 'ASSUAN_DEBUG'. Note that this option has only an effect if the + Assuan debug flag has also been with the option '--debug'. For a + list of categories see the Libassuan manual. + +'--no-detach' + Don't detach the process from the console. This is mainly useful + for debugging. + +'--listen-backlog N' + Set the size of the queue for pending connections. The default is + 64. This option has an effect only if '--multi-server' is also + used. + +'--log-file FILE' + Append all logging output to FILE. This is very helpful in seeing + what the agent actually does. Use 'socket://' to log to socket. + +'--pcsc-shared' + Use shared mode to access the card via PC/SC. This is a somewhat + dangerous option because Scdaemon assumes exclusivbe access to teh + card and for example caches certain information from the card. Use + this option only if you know what you are doing. + +'--pcsc-driver LIBRARY' + Use LIBRARY to access the smartcard reader. The current default on + Unix is 'libpcsclite.so' and on Windows 'winscard.dll'. Instead of + using this option you might also want to install a symbolic link to + the default file name (e.g. from 'libpcsclite.so.1'). A Unicode + file name may not be used on Windows. + +'--ctapi-driver LIBRARY' + Use LIBRARY to access the smartcard reader. The current default is + 'libtowitoko.so'. Note that the use of this interface is + deprecated; it may be removed in future releases. + +'--disable-ccid' + Disable the integrated support for CCID compliant readers. This + allows falling back to one of the other drivers even if the + internal CCID driver can handle the reader. Note, that CCID + support is only available if libusb was available at build time. + +'--reader-port NUMBER_OR_STRING' + This option may be used to specify the port of the card terminal. + A value of 0 refers to the first serial device; add 32768 to access + USB devices. The default is 32768 (first USB device). PC/SC or + CCID readers might need a string here; run the program in verbose + mode to get a list of available readers. The default is then the + first reader found. + + To get a list of available CCID readers you may use this command: + echo scd getinfo reader_list \ + | gpg-connect-agent --decode | awk '/^D/ {print $2}' + +'--card-timeout N' + If N is not 0 and no client is actively using the card, the card + will be powered down after N seconds. Powering down the card + avoids a potential risk of damaging a card when used with certain + cheap readers. This also allows applications that are not aware of + Scdaemon to access the card. The disadvantage of using a card + timeout is that accessing the card takes longer and that the user + needs to enter the PIN again after the next power up. + + Note that with the current version of Scdaemon the card is powered + down immediately at the next timer tick for any value of N other + than 0. + +'--enable-pinpad-varlen' + Please specify this option when the card reader supports variable + length input for pinpad (default is no). For known readers (listed + in ccid-driver.c and apdu.c), this option is not needed. Note that + if your card reader doesn't supports variable length input but you + want to use it, you need to specify your pinpad request on your + card. + +'--disable-pinpad' + Even if a card reader features a pinpad, do not try to use it. + +'--deny-admin' + This option disables the use of admin class commands for card + applications where this is supported. Currently we support it for + the OpenPGP card. This option is useful to inhibit accidental + access to admin class command which could ultimately lock the card + through wrong PIN numbers. Note that GnuPG versions older than + 2.0.11 featured an '--allow-admin' option which was required to use + such admin commands. This option has no more effect today because + the default is now to allow admin commands. + +'--disable-application NAME' + This option disables the use of the card application named NAME. + This is mainly useful for debugging or if a application with lower + priority should be used by default. + + All the long options may also be given in the configuration file +after stripping off the two leading dashes. + + +File: gnupg.info, Node: Card applications, Next: Scdaemon Configuration, Prev: Scdaemon Options, Up: Invoking SCDAEMON + +6.3 Description of card applications +==================================== + +'scdaemon' supports the card applications as described below. + +* Menu: + +* OpenPGP Card:: The OpenPGP card application +* NKS Card:: The Telesec NetKey card application +* DINSIG Card:: The DINSIG card application +* PKCS#15 Card:: The PKCS#15 card application +* Geldkarte Card:: The Geldkarte application +* SmartCard-HSM:: The SmartCard-HSM application +* Undefined Card:: The Undefined stub application + + +File: gnupg.info, Node: OpenPGP Card, Next: NKS Card, Up: Card applications + +6.3.1 The OpenPGP card application "openpgp" +-------------------------------------------- + +This application is currently only used by 'gpg' but may in future also +be useful with 'gpgsm'. Version 1 and version 2 of the card is +supported. + +The specifications for these cards are available at +<http://g10code.com/docs/openpgp-card-1.0.pdf> and +<http://g10code.com/docs/openpgp-card-2.0.pdf>. + + +File: gnupg.info, Node: NKS Card, Next: DINSIG Card, Prev: OpenPGP Card, Up: Card applications + +6.3.2 The Telesec NetKey card "nks" +----------------------------------- + +This is the main application of the Telesec cards as available in +Germany. It is a superset of the German DINSIG card. The card is used +by 'gpgsm'. + + +File: gnupg.info, Node: DINSIG Card, Next: PKCS#15 Card, Prev: NKS Card, Up: Card applications + +6.3.3 The DINSIG card application "dinsig" +------------------------------------------ + +This is an application as described in the German draft standard _DIN V +66291-1_. It is intended to be used by cards supporting the German +signature law and its bylaws (SigG and SigV). + + +File: gnupg.info, Node: PKCS#15 Card, Next: Geldkarte Card, Prev: DINSIG Card, Up: Card applications + +6.3.4 The PKCS#15 card application "p15" +---------------------------------------- + +This is common framework for smart card applications. It is used by +'gpgsm'. + + +File: gnupg.info, Node: Geldkarte Card, Next: SmartCard-HSM, Prev: PKCS#15 Card, Up: Card applications + +6.3.5 The Geldkarte card application "geldkarte" +------------------------------------------------ + +This is a simple application to display information of a German +Geldkarte. The Geldkarte is a small amount debit card application which +comes with almost all German banking cards. + + +File: gnupg.info, Node: SmartCard-HSM, Next: Undefined Card, Prev: Geldkarte Card, Up: Card applications + +6.3.6 The SmartCard-HSM card application "sc-hsm" +------------------------------------------------- + +This application adds read-only support for keys and certificates stored +on a SmartCard-HSM (http://www.smartcard-hsm.com). + + To generate keys and store certificates you may use OpenSC +(https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM) or the tools from +OpenSCDP (http://www.openscdp.org). + + The SmartCard-HSM cards requires a card reader that supports Extended +Length APDUs. + + +File: gnupg.info, Node: Undefined Card, Prev: SmartCard-HSM, Up: Card applications + +6.3.7 The Undefined card application "undefined" +------------------------------------------------ + +This is a stub application to allow the use of the APDU command even if +no supported application is found on the card. This application is not +used automatically but must be explicitly requested using the SERIALNO +command. + + +File: gnupg.info, Node: Scdaemon Configuration, Next: Scdaemon Examples, Prev: Card applications, Up: Invoking SCDAEMON + +6.4 Configuration files +======================= + +There are a few configuration files to control certain aspects of +'scdaemons''s operation. Unless noted, they are expected in the current +home directory (*note option --homedir::). + +'scdaemon.conf' + This is the standard configuration file read by 'scdaemon' on + startup. It may contain any valid long option; the leading two + dashes may not be entered and the option may not be abbreviated. + This default name may be changed on the command line (*note option + --options::). + +'scd-event' + If this file is present and executable, it will be called on every + card reader's status change. An example of this script is provided + with the distribution + +'reader_N.status' + This file is created by 'scdaemon' to let other applications now + about reader status changes. Its use is now deprecated in favor of + 'scd-event'. + + +File: gnupg.info, Node: Scdaemon Examples, Next: Scdaemon Protocol, Prev: Scdaemon Configuration, Up: Invoking SCDAEMON + +6.5 Examples +============ + + $ scdaemon --server -v + + +File: gnupg.info, Node: Scdaemon Protocol, Prev: Scdaemon Examples, Up: Invoking SCDAEMON + +6.6 Scdaemon's Assuan Protocol +============================== + +The SC-Daemon should be started by the system to provide access to +external tokens. Using Smartcards on a multi-user system does not make +much sense except for system services, but in this case no regular user +accounts are hosted on the machine. + + A client connects to the SC-Daemon by connecting to the socket named +'/usr/local/var/run/gnupg/scdaemon/socket', configuration information is +read from /ETC/GNUPG/SCDAEMON.CONF + + Each connection acts as one session, SC-Daemon takes care of +synchronizing access to a token between sessions. + +* Menu: + +* Scdaemon SERIALNO:: Return the serial number. +* Scdaemon LEARN:: Read all useful information from the card. +* Scdaemon READCERT:: Return a certificate. +* Scdaemon READKEY:: Return a public key. +* Scdaemon PKSIGN:: Signing data with a Smartcard. +* Scdaemon PKDECRYPT:: Decrypting data with a Smartcard. +* Scdaemon GETATTR:: Read an attribute's value. +* Scdaemon SETATTR:: Update an attribute's value. +* Scdaemon WRITEKEY:: Write a key to a card. +* Scdaemon GENKEY:: Generate a new key on-card. +* Scdaemon RANDOM:: Return random bytes generated on-card. +* Scdaemon PASSWD:: Change PINs. +* Scdaemon CHECKPIN:: Perform a VERIFY operation. +* Scdaemon RESTART:: Restart connection +* Scdaemon APDU:: Send a verbatim APDU to the card + + +File: gnupg.info, Node: Scdaemon SERIALNO, Next: Scdaemon LEARN, Up: Scdaemon Protocol + +6.6.1 Return the serial number +------------------------------ + +This command should be used to check for the presence of a card. It is +special in that it can be used to reset the card. Most other commands +will return an error when a card change has been detected and the use of +this function is therefore required. + + Background: We want to keep the client clear of handling card changes +between operations; i.e. the client can assume that all operations are +done on the same card unless he call this function. + + SERIALNO + + Return the serial number of the card using a status response like: + + S SERIALNO D27600000000000000000000 + + The serial number is the hex encoded value identified by the '0x5A' +tag in the GDO file (FIX=0x2F02). + + +File: gnupg.info, Node: Scdaemon LEARN, Next: Scdaemon READCERT, Prev: Scdaemon SERIALNO, Up: Scdaemon Protocol + +6.6.2 Read all useful information from the card +----------------------------------------------- + + LEARN [--force] + + Learn all useful information of the currently inserted card. When +used without the '--force' option, the command might do an INQUIRE like +this: + + INQUIRE KNOWNCARDP <hexstring_with_serialNumber> + + The client should just send an 'END' if the processing should go on +or a 'CANCEL' to force the function to terminate with a cancel error +message. The response of this command is a list of status lines +formatted as this: + + S KEYPAIRINFO HEXSTRING_WITH_KEYGRIP HEXSTRING_WITH_ID + + If there is no certificate yet stored on the card a single "X" is +returned in HEXSTRING_WITH_KEYGRIP. + + +File: gnupg.info, Node: Scdaemon READCERT, Next: Scdaemon READKEY, Prev: Scdaemon LEARN, Up: Scdaemon Protocol + +6.6.3 Return a certificate +-------------------------- + + READCERT HEXIFIED_CERTID|KEYID + + This function is used to read a certificate identified by +HEXIFIED_CERTID from the card. With OpenPGP cards the keyid 'OpenPGP.3' +may be used to read the certificate of version 2 cards. + + +File: gnupg.info, Node: Scdaemon READKEY, Next: Scdaemon PKSIGN, Prev: Scdaemon READCERT, Up: Scdaemon Protocol + +6.6.4 Return a public key +------------------------- + + READKEY HEXIFIED_CERTID + + Return the public key for the given cert or key ID as an standard +S-Expression. + + +File: gnupg.info, Node: Scdaemon PKSIGN, Next: Scdaemon PKDECRYPT, Prev: Scdaemon READKEY, Up: Scdaemon Protocol + +6.6.5 Signing data with a Smartcard +----------------------------------- + +To sign some data the caller should use the command + + SETDATA HEXSTRING + + to tell 'scdaemon' about the data to be signed. The data must be +given in hex notation. The actual signing is done using the command + + PKSIGN KEYID + + where KEYID is the hexified ID of the key to be used. The key id may +have been retrieved using the command 'LEARN'. If another hash +algorithm than SHA-1 is used, that algorithm may be given like: + + PKSIGN --hash=ALGONAME KEYID + + With ALGONAME are one of 'sha1', 'rmd160' or 'md5'. + + +File: gnupg.info, Node: Scdaemon PKDECRYPT, Next: Scdaemon GETATTR, Prev: Scdaemon PKSIGN, Up: Scdaemon Protocol + +6.6.6 Decrypting data with a Smartcard +-------------------------------------- + +To decrypt some data the caller should use the command + + SETDATA HEXSTRING + + to tell 'scdaemon' about the data to be decrypted. The data must be +given in hex notation. The actual decryption is then done using the +command + + PKDECRYPT KEYID + + where KEYID is the hexified ID of the key to be used. + + If the card is aware of the apdding format a status line with padding +information is send before the plaintext data. The key for this status +line is 'PADDING' with the only defined value being 0 and meaning +padding has been removed. + + +File: gnupg.info, Node: Scdaemon GETATTR, Next: Scdaemon SETATTR, Prev: Scdaemon PKDECRYPT, Up: Scdaemon Protocol + +6.6.7 Read an attribute's value +------------------------------- + +TO BE WRITTEN. + + +File: gnupg.info, Node: Scdaemon SETATTR, Next: Scdaemon WRITEKEY, Prev: Scdaemon GETATTR, Up: Scdaemon Protocol + +6.6.8 Update an attribute's value +--------------------------------- + +TO BE WRITTEN. + + +File: gnupg.info, Node: Scdaemon WRITEKEY, Next: Scdaemon GENKEY, Prev: Scdaemon SETATTR, Up: Scdaemon Protocol + +6.6.9 Write a key to a card +--------------------------- + + WRITEKEY [--force] KEYID + + This command is used to store a secret key on a smartcard. The +allowed keyids depend on the currently selected smartcard application. +The actual keydata is requested using the inquiry 'KEYDATA' and need to +be provided without any protection. With '--force' set an existing key +under this KEYID will get overwritten. The key data is expected to be +the usual canonical encoded S-expression. + + A PIN will be requested in most cases. This however depends on the +actual card application. + + +File: gnupg.info, Node: Scdaemon GENKEY, Next: Scdaemon RANDOM, Prev: Scdaemon WRITEKEY, Up: Scdaemon Protocol + +6.6.10 Generate a new key on-card +--------------------------------- + +TO BE WRITTEN. + + +File: gnupg.info, Node: Scdaemon RANDOM, Next: Scdaemon PASSWD, Prev: Scdaemon GENKEY, Up: Scdaemon Protocol + +6.6.11 Return random bytes generated on-card +-------------------------------------------- + +TO BE WRITTEN. + + +File: gnupg.info, Node: Scdaemon PASSWD, Next: Scdaemon CHECKPIN, Prev: Scdaemon RANDOM, Up: Scdaemon Protocol + +6.6.12 Change PINs +------------------ + + PASSWD [--reset] [--nullpin] CHVNO + + Change the PIN or reset the retry counter of the card holder +verification vector number CHVNO. The option '--nullpin' is used to +initialize the PIN of TCOS cards (6 byte NullPIN only). + + +File: gnupg.info, Node: Scdaemon CHECKPIN, Next: Scdaemon RESTART, Prev: Scdaemon PASSWD, Up: Scdaemon Protocol + +6.6.13 Perform a VERIFY operation +--------------------------------- + + CHECKPIN IDSTR + + Perform a VERIFY operation without doing anything else. This may be +used to initialize a the PIN cache earlier to long lasting operations. +Its use is highly application dependent: + +*OpenPGP* + + Perform a simple verify operation for CHV1 and CHV2, so that + further operations won't ask for CHV2 and it is possible to do a + cheap check on the PIN: If there is something wrong with the PIN + entry system, only the regular CHV will get blocked and not the + dangerous CHV3. IDSTR is the usual card's serial number in hex + notation; an optional fingerprint part will get ignored. + + There is however a special mode if IDSTR is suffixed with the + literal string '[CHV3]': In this case the Admin PIN is checked if + and only if the retry counter is still at 3. + + +File: gnupg.info, Node: Scdaemon RESTART, Next: Scdaemon APDU, Prev: Scdaemon CHECKPIN, Up: Scdaemon Protocol + +6.6.14 Perform a RESTART operation +---------------------------------- + + RESTART + + Restart the current connection; this is a kind of warm reset. It +deletes the context used by this connection but does not actually reset +the card. + + This is used by gpg-agent to reuse a primary pipe connection and may +be used by clients to backup from a conflict in the serial command; i.e. +to select another application. + + +File: gnupg.info, Node: Scdaemon APDU, Prev: Scdaemon RESTART, Up: Scdaemon Protocol + +6.6.15 Send a verbatim APDU to the card +--------------------------------------- + + APDU [--atr] [--more] [--exlen[=N]] [HEXSTRING] + + Send an APDU to the current reader. This command bypasses the high +level functions and sends the data directly to the card. HEXSTRING is +expected to be a proper APDU. If HEXSTRING is not given no commands are +send to the card; However the command will implicitly check whether the +card is ready for use. + + Using the option '--atr' returns the ATR of the card as a status +message before any data like this: + S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1 + + Using the option '--more' handles the card status word MORE_DATA +(61xx) and concatenate all responses to one block. + + Using the option '--exlen' the returned APDU may use extended length +up to N bytes. If N is not given a default value is used (currently +4096). + + +File: gnupg.info, Node: Specify a User ID, Next: Trust Values, Prev: Invoking SCDAEMON, Up: Top + +7 How to Specify a User Id +************************** + +There are different ways to specify a user ID to GnuPG. Some of them are +only valid for 'gpg' others are only good for 'gpgsm'. Here is the +entire list of ways to specify a key: + + * By key Id. This format is deduced from the length of the string + and its content or '0x' prefix. The key Id of an X.509 certificate + are the low 64 bits of its SHA-1 fingerprint. The use of key Ids + is just a shortcut, for all automated processing the fingerprint + should be used. + + When using 'gpg' an exclamation mark (!) may be appended to force + using the specified primary or secondary key and not to try and + calculate which primary or secondary key to use. + + The last four lines of the example give the key ID in their long + form as internally used by the OpenPGP protocol. You can see the + long key ID using the option '--with-colons'. + + 234567C4 + 0F34E556E + 01347A56A + 0xAB123456 + + 234AABBCC34567C4 + 0F323456784E56EAB + 01AB3FED1347A5612 + 0x234AABBCC34567C4 + + * By fingerprint. This format is deduced from the length of the + string and its content or the '0x' prefix. Note, that only the 20 + byte version fingerprint is available with 'gpgsm' (i.e. the SHA-1 + hash of the certificate). + + When using 'gpg' an exclamation mark (!) may be appended to force + using the specified primary or secondary key and not to try and + calculate which primary or secondary key to use. + + The best way to specify a key Id is by using the fingerprint. This + avoids any ambiguities in case that there are duplicated key IDs. + + 1234343434343434C434343434343434 + 123434343434343C3434343434343734349A3434 + 0E12343434343434343434EAB3484343434343434 + 0xE12343434343434343434EAB3484343434343434 + + 'gpgsm' also accepts colons between each pair of hexadecimal digits + because this is the de-facto standard on how to present X.509 + fingerprints. 'gpg' also allows the use of the space separated + SHA-1 fingerprint as printed by the key listing commands. + + * By exact match on OpenPGP user ID. This is denoted by a leading + equal sign. It does not make sense for X.509 certificates. + + =Heinrich Heine <heinrichh@uni-duesseldorf.de> + + * By exact match on an email address. This is indicated by enclosing + the email address in the usual way with left and right angles. + + <heinrichh@uni-duesseldorf.de> + + * By partial match on an email address. This is indicated by + prefixing the search string with an '@'. This uses a substring + search but considers only the mail address (i.e. inside the angle + brackets). + + @heinrichh + + * By exact match on the subject's DN. This is indicated by a leading + slash, directly followed by the RFC-2253 encoded DN of the subject. + Note that you can't use the string printed by 'gpgsm --list-keys' + because that one has been reordered and modified for better + readability; use '--with-colons' to print the raw (but standard + escaped) RFC-2253 string. + + /CN=Heinrich Heine,O=Poets,L=Paris,C=FR + + * By exact match on the issuer's DN. This is indicated by a leading + hash mark, directly followed by a slash and then directly followed + by the RFC-2253 encoded DN of the issuer. This should return the + Root cert of the issuer. See note above. + + #/CN=Root Cert,O=Poets,L=Paris,C=FR + + * By exact match on serial number and issuer's DN. This is indicated + by a hash mark, followed by the hexadecimal representation of the + serial number, then followed by a slash and the RFC-2253 encoded DN + of the issuer. See note above. + + #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR + + * By keygrip. This is indicated by an ampersand followed by the 40 + hex digits of a keygrip. 'gpgsm' prints the keygrip when using the + command '--dump-cert'. + + &D75F22C3F86E355877348498CDC92BD21010A480 + + * By substring match. This is the default mode but applications may + want to explicitly indicate this by putting the asterisk in front. + Match is not case sensitive. + + Heine + *Heine + + * . and + prefixes These prefixes are reserved for looking up mails + anchored at the end and for a word search mode. They are not yet + implemented and using them is undefined. + + Please note that we have reused the hash mark identifier which was +used in old GnuPG versions to indicate the so called local-id. It is +not anymore used and there should be no conflict when used with X.509 +stuff. + + Using the RFC-2253 format of DNs has the drawback that it is not +possible to map them back to the original encoding, however we don't +have to do this because our key database stores this encoding as meta +data. + + +File: gnupg.info, Node: Trust Values, Next: Helper Tools, Prev: Specify a User ID, Up: Top + +8 Trust Values +************** + +Trust values are used to indicate ownertrust and validity of keys and +user IDs. They are displayed with letters or strings: + +- +unknown + No ownertrust assigned / not yet calculated. + +e +expired + + Trust calculation has failed; probably due to an expired key. + +q +undefined, undef + Not enough information for calculation. + +n +never + Never trust this key. + +m +marginal + Marginally trusted. + +f +full + Fully trusted. + +u +ultimate + Ultimately trusted. + +r +revoked + For validity only: the key or the user ID has been revoked. + +? +err + The program encountered an unknown trust value. + + +File: gnupg.info, Node: Helper Tools, Next: Web Key Service, Prev: Trust Values, Up: Top + +9 Helper Tools +************** + +GnuPG comes with a couple of smaller tools: + +* Menu: + +* watchgnupg:: Read logs from a socket. +* gpgv:: Verify OpenPGP signatures. +* addgnupghome:: Create .gnupg home directories. +* gpgconf:: Modify .gnupg home directories. +* applygnupgdefaults:: Run gpgconf for all users. +* gpg-preset-passphrase:: Put a passphrase into the cache. +* gpg-connect-agent:: Communicate with a running agent. +* dirmngr-client:: How to use the Dirmngr client tool. +* gpgparsemail:: Parse a mail message into an annotated format +* gpgtar:: Encrypt or sign files into an archive. +* gpg-check-pattern:: Check a passphrase on stdin against the patternfile. + + +File: gnupg.info, Node: watchgnupg, Next: gpgv, Up: Helper Tools + +9.1 Read logs from a socket +=========================== + +Most of the main utilities are able to write their log files to a Unix +Domain socket if configured that way. 'watchgnupg' is a simple listener +for such a socket. It ameliorates the output with a time stamp and +makes sure that long lines are not interspersed with log output from +other utilities. This tool is not available for Windows. + +'watchgnupg' is commonly invoked as + + watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log + +This starts it on the current terminal for listening on the standard +logging socket (which is either '~/.gnupg/S.log' or +'/var/run/user/UID/gnupg/S.log'). + +'watchgnupg' understands these options: + +'--force' + Delete an already existing socket file. + +'--tcp N' + Instead of reading from a local socket, listen for connects on TCP + port N. + +'--time-only' + Do not print the date part of the timestamp. + +'--verbose' + Enable extra informational output. + +'--version' + Print version of the program and exit. + +'--help' + Display a brief help page and exit. + + +Examples +******** + + $ watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log + + This waits for connections on the local socket (e.g. +'/home/foo/.gnupg/S.log') and shows all log entries. To make this work +the option 'log-file' needs to be used with all modules which logs are +to be shown. The suggested entry for the configuration files is: + + log-file socket:// + + If the default socket as given above and returned by "echo $(gpgconf +-list-dirs socketdir)/S.log" is not desired an arbitrary socket name can +be specified, for example 'socket:///home/foo/bar/mysocket'. For +debugging purposes it is also possible to do remote logging. Take care +if you use this feature because the information is send in the clear +over the network. Use this syntax in the conf files: + + log-file tcp://192.168.1.1:4711 + + You may use any port and not just 4711 as shown above; only IP +addresses are supported (v4 and v6) and no host names. You need to +start 'watchgnupg' with the 'tcp' option. Note that under Windows the +registry entry HKCU\SOFTWARE\GNU\GNUPG:DEFAULTLOGFILE can be used to +change the default log output from 'stderr' to whatever is given by that +entry. However the only useful entry is a TCP name for remote +debugging. + + +File: gnupg.info, Node: gpgv, Next: addgnupghome, Prev: watchgnupg, Up: Helper Tools + +9.2 Verify OpenPGP signatures +============================= + +'gpgv' is an OpenPGP signature verification tool. + + This program is actually a stripped-down version of 'gpg' which is +only able to check signatures. It is somewhat smaller than the +fully-blown 'gpg' and uses a different (and simpler) way to check that +the public keys used to make the signature are valid. There are no +configuration files and only a few options are implemented. + + 'gpgv' assumes that all keys in the keyring are trustworthy. That +does also mean that it does not check for expired or revoked keys. + + If no '--keyring' option is given, 'gpgv' looks for a "default" +keyring named 'trustedkeys.kbx' (preferred) or 'trustedkeys.gpg' in the +home directory of GnuPG, either the default home directory or the one +set by the '--homedir' option or the 'GNUPGHOME' environment variable. +If any '--keyring' option is used, 'gpgv' will not look for the default +keyring. The '--keyring' option may be used multiple times and all +specified keyrings will be used together. + + + 'gpgv' recognizes these options: + +'--verbose' +'-v' + Gives more information during processing. If used twice, the input + data is listed in detail. + +'--quiet' +'-q' + Try to be as quiet as possible. + +'--keyring FILE' + Add FILE to the list of keyrings. If FILE begins with a tilde and + a slash, these are replaced by the HOME directory. If the filename + does not contain a slash, it is assumed to be in the home-directory + ("~/.gnupg" if -homedir is not used). + +'--output FILE' +'-o FILE' + Write output to FILE; to write to stdout use '-'. This option can + be used to get the signed text from a cleartext or binary + signature; it also works for detached signatures, but in that case + this option is in general not useful. Note that an existing file + will be overwritten. + +'--status-fd N' + Write special status strings to the file descriptor N. See the + file DETAILS in the documentation for a listing of them. + +'--logger-fd n' + Write log output to file descriptor 'n' and not to stderr. + +'--log-file file' + Same as '--logger-fd', except the logger data is written to file + 'file'. Use 'socket://' to log to socket. + +'--ignore-time-conflict' + GnuPG normally checks that the timestamps associated with keys and + signatures have plausible values. However, sometimes a signature + seems to be older than the key due to clock problems. This option + turns these checks into warnings. + +'--homedir DIR' + Set the name of the home directory to DIR. If this option is not + used, the home directory defaults to '~/.gnupg'. It is only + recognized when given on the command line. It also overrides any + home directory stated through the environment variable 'GNUPGHOME' + or (on Windows systems) by means of the Registry entry + HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR. + + On Windows systems it is possible to install GnuPG as a portable + application. In this case only this command line option is + considered, all other ways to set a home directory are ignored. + + To install GnuPG as a portable application under Windows, create an + empty file named 'gpgconf.ctl' in the same directory as the tool + 'gpgconf.exe'. The root of the installation is then that + directory; or, if 'gpgconf.exe' has been installed directly below a + directory named 'bin', its parent directory. You also need to make + sure that the following directories exist and are writable: + 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg' + for internal cache files. + +'--weak-digest name' + Treat the specified digest algorithm as weak. Signatures made over + weak digests algorithms are normally rejected. This option can be + supplied multiple times if multiple algorithms should be considered + weak. MD5 is always considered weak, and does not need to be + listed explicitly. + +'--enable-special-filenames' + This option enables a mode in which filenames of the form '-&n', + where n is a non-negative decimal number, refer to the file + descriptor n and not to a file with that name. + + The program returns 0 if everything is fine, 1 if at least one +signature was bad, and other error codes for fatal errors. + +9.2.1 Examples +-------------- + +gpgv 'pgpfile' +gpgv 'sigfile' ['datafile'] + Verify the signature of the file. The second form is used for + detached signatures, where 'sigfile' is the detached signature + (either ASCII-armored or binary) and 'datafile' contains the signed + data; if 'datafile' is "-" the signed data is expected on 'stdin'; + if 'datafile' is not given the name of the file holding the signed + data is constructed by cutting off the extension (".asc", ".sig" or + ".sign") from 'sigfile'. + +9.2.2 Environment +----------------- + +HOME + Used to locate the default home directory. + +GNUPGHOME + If set directory used instead of "~/.gnupg". + +9.2.3 FILES +----------- + +~/.gnupg/trustedkeys.gpg + The default keyring with the allowed keys. + + 'gpg'(1) + + +File: gnupg.info, Node: addgnupghome, Next: gpgconf, Prev: gpgv, Up: Helper Tools + +9.3 Create .gnupg home directories +================================== + +If GnuPG is installed on a system with existing user accounts, it is +sometimes required to populate the GnuPG home directory with existing +files. Especially a 'trustlist.txt' and a keybox with some initial +certificates are often desired. This script helps to do this by copying +all files from '/etc/skel/.gnupg' to the home directories of the +accounts given on the command line. It takes care not to overwrite +existing GnuPG home directories. + +'addgnupghome' is invoked by root as: + + addgnupghome account1 account2 ... accountn + + +File: gnupg.info, Node: gpgconf, Next: applygnupgdefaults, Prev: addgnupghome, Up: Helper Tools + +9.4 Modify .gnupg home directories +================================== + +The 'gpgconf' is a utility to automatically and reasonable safely query +and modify configuration files in the '.gnupg' home directory. It is +designed not to be invoked manually by the user, but automatically by +graphical user interfaces (GUI).(1) + + 'gpgconf' provides access to the configuration of one or more +components of the GnuPG system. These components correspond more or +less to the programs that exist in the GnuPG framework, like GPG, GPGSM, +DirMngr, etc. But this is not a strict one-to-one relationship. Not +all configuration options are available through 'gpgconf'. 'gpgconf' +provides a generic and abstract method to access the most important +configuration options that can feasibly be controlled via such a +mechanism. + + 'gpgconf' can be used to gather and change the options available in +each component, and can also provide their default values. 'gpgconf' +will give detailed type information that can be used to restrict the +user's input without making an attempt to commit the changes. + + 'gpgconf' provides the backend of a configuration editor. The +configuration editor would usually be a graphical user interface program +that displays the current options, their default values, and allows the +user to make changes to the options. These changes can then be made +active with 'gpgconf' again. Such a program that uses 'gpgconf' in this +way will be called GUI throughout this section. + +* Menu: + +* Invoking gpgconf:: List of all commands and options. +* Format conventions:: Formatting conventions relevant for all commands. +* Listing components:: List all gpgconf components. +* Checking programs:: Check all programs known to gpgconf. +* Listing options:: List all options of a component. +* Changing options:: Changing options of a component. +* Listing global options:: List all global options. +* Querying versions:: Get and compare software versions. +* Files used by gpgconf:: What files are used by gpgconf. + + ---------- Footnotes ---------- + + (1) Please note that currently no locking is done, so concurrent +access should be avoided. There are some precautions to avoid +corruption with concurrent usage, but results may be inconsistent and +some changes may get lost. The stateless design makes it difficult to +provide more guarantees. + + +File: gnupg.info, Node: Invoking gpgconf, Next: Format conventions, Up: gpgconf + +9.4.1 Invoking gpgconf +---------------------- + +One of the following commands must be given: + +'--list-components' + List all components. This is the default command used if none is + specified. + +'--check-programs' + List all available backend programs and test whether they are + runnable. + +'--list-options COMPONENT' + List all options of the component COMPONENT. + +'--change-options COMPONENT' + Change the options of the component COMPONENT. + +'--check-options COMPONENT' + Check the options for the component COMPONENT. + +'--apply-profile FILE' + Apply the configuration settings listed in FILE to the + configuration files. If FILE has no suffix and no slashes the + command first tries to read a file with the suffix '.prf' from the + data directory ('gpgconf --list-dirs datadir') before it reads the + file verbatim. A profile is divided into sections using the + bracketed component name. Each section then lists the option which + shall go into the respective configuration file. + +'--apply-defaults' + Update all configuration files with values taken from the global + configuration file (usually '/etc/gnupg/gpgconf.conf'). Note: This + is a legacy mechanism. Please use global configuraion files + instead. + +'--list-dirs [NAMES]' +'-L' + Lists the directories used by 'gpgconf'. One directory is listed + per line, and each line consists of a colon-separated list where + the first field names the directory type (for example 'sysconfdir') + and the second field contains the percent-escaped directory. + Although they are not directories, the socket file names used by + 'gpg-agent' and 'dirmngr' are printed as well. Note that the + socket file names and the 'homedir' lines are the default names and + they may be overridden by command line switches. If NAMES are + given only the directories or file names specified by the list + names are printed without any escaping. + +'--list-config [FILENAME]' + List the global configuration file in a colon separated format. If + FILENAME is given, check that file instead. + +'--check-config [FILENAME]' + Run a syntax check on the global configuration file. If FILENAME + is given, check that file instead. + +'--query-swdb PACKAGE_NAME [VERSION_STRING]' + Returns the current version for PACKAGE_NAME and if VERSION_STRING + is given also an indicator on whether an update is available. The + actual file with the software version is automatically downloaded + and checked by 'dirmngr'. 'dirmngr' uses a thresholds to avoid + download the file too often and it does this by default only if it + can be done via Tor. To force an update of that file this command + can be used: + + gpg-connect-agent --dirmngr 'loadswdb --force' /bye + +'--reload [COMPONENT]' +'-R' + Reload all or the given component. This is basically the same as + sending a SIGHUP to the component. Components which don't support + reloading are ignored. Without COMPONENT or by using "all" for + COMPONENT all components which are daemons are reloaded. + +'--launch [COMPONENT]' + If the COMPONENT is not already running, start it. 'component' + must be a daemon. This is in general not required because the + system starts these daemons as needed. However, external software + making direct use of 'gpg-agent' or 'dirmngr' may use this command + to ensure that they are started. Using "all" for COMPONENT + launches all components which are daemons. + +'--kill [COMPONENT]' +'-K' + Kill the given component that runs as a daemon, including + 'gpg-agent', 'dirmngr', and 'scdaemon'. A 'component' which does + not run as a daemon will be ignored. Using "all" for COMPONENT + kills all components running as daemons. Note that as of now + reload and kill have the same effect for 'scdaemon'. + +'--create-socketdir' + Create a directory for sockets below /run/user or /var/run/user. + This is command is only required if a non default home directory is + used and the /run based sockets shall be used. For the default + home directory GnUPG creates a directory on the fly. + +'--remove-socketdir' + Remove a directory created with command '--create-socketdir'. + + The following options may be used: + +'-o FILE' +'--output FILE' + Write output to FILE. Default is to write to stdout. + +'-v' +'--verbose' + Outputs additional information while running. Specifically, this + extends numerical field values by human-readable descriptions. + +'-q' +'--quiet' + Try to be as quiet as possible. + +'--homedir DIR' + Set the name of the home directory to DIR. If this option is not + used, the home directory defaults to '~/.gnupg'. It is only + recognized when given on the command line. It also overrides any + home directory stated through the environment variable 'GNUPGHOME' + or (on Windows systems) by means of the Registry entry + HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR. + + On Windows systems it is possible to install GnuPG as a portable + application. In this case only this command line option is + considered, all other ways to set a home directory are ignored. + + To install GnuPG as a portable application under Windows, create an + empty file named 'gpgconf.ctl' in the same directory as the tool + 'gpgconf.exe'. The root of the installation is then that + directory; or, if 'gpgconf.exe' has been installed directly below a + directory named 'bin', its parent directory. You also need to make + sure that the following directories exist and are writable: + 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg' + for internal cache files. + +'-n' +'--dry-run' + Do not actually change anything. This is currently only + implemented for '--change-options' and can be used for testing + purposes. + +'-r' +'--runtime' + Only used together with '--change-options'. If one of the modified + options can be changed in a running daemon process, signal the + running daemon to ask it to reparse its configuration file after + changing. + + This means that the changes will take effect at run-time, as far as + this is possible. Otherwise, they will take effect at the next + start of the respective backend programs. + +'--status-fd N' + Write special status strings to the file descriptor N. This + program returns the status messages SUCCESS or FAILURE which are + helpful when the caller uses a double fork approach and can't + easily get the return code of the process. + + +File: gnupg.info, Node: Format conventions, Next: Listing components, Prev: Invoking gpgconf, Up: gpgconf + +9.4.2 Format conventions +------------------------ + +Some lines in the output of 'gpgconf' contain a list of colon-separated +fields. The following conventions apply: + + * The GUI program is required to strip off trailing newline and/or + carriage return characters from the output. + + * 'gpgconf' will never leave out fields. If a certain version + provides a certain field, this field will always be present in all + 'gpgconf' versions from that time on. + + * Future versions of 'gpgconf' might append fields to the list. New + fields will always be separated from the previously last field by a + colon separator. The GUI should be prepared to parse the last + field it knows about up until a colon or end of line. + + * Not all fields are defined under all conditions. You are required + to ignore the content of undefined fields. + + There are several standard types for the content of a field: + +verbatim + Some fields contain strings that are not escaped in any way. Such + fields are described to be used _verbatim_. These fields will + never contain a colon character (for obvious reasons). No + de-escaping or other formatting is required to use the field + content. This is for easy parsing of the output, when it is known + that the content can never contain any special characters. + +percent-escaped + Some fields contain strings that are described to be + _percent-escaped_. Such strings need to be de-escaped before their + content can be presented to the user. A percent-escaped string is + de-escaped by replacing all occurrences of '%XY' by the byte that + has the hexadecimal value 'XY'. 'X' and 'Y' are from the set + '0-9a-f'. + +localized + Some fields contain strings that are described to be _localized_. + Such strings are translated to the active language and formatted in + the active character set. + +unsigned number + Some fields contain an _unsigned number_. This number will always + fit into a 32-bit unsigned integer variable. The number may be + followed by a space, followed by a human readable description of + that value (if the verbose option is used). You should ignore + everything in the field that follows the number. + +signed number + Some fields contain a _signed number_. This number will always fit + into a 32-bit signed integer variable. The number may be followed + by a space, followed by a human readable description of that value + (if the verbose option is used). You should ignore everything in + the field that follows the number. + +boolean value + Some fields contain a _boolean value_. This is a number with + either the value 0 or 1. The number may be followed by a space, + followed by a human readable description of that value (if the + verbose option is used). You should ignore everything in the field + that follows the number; checking just the first character is + sufficient in this case. + +option + Some fields contain an _option_ argument. The format of an option + argument depends on the type of the option and on some flags: + + no argument + The simplest case is that the option does not take an argument + at all (TYPE '0'). Then the option argument is an unsigned + number that specifies how often the option occurs. If the + 'list' flag is not set, then the only valid number is '1'. + Options that do not take an argument never have the 'default' + or 'optional arg' flag set. + + number + If the option takes a number argument (ALT-TYPE is '2' or + '3'), and it can only occur once ('list' flag is not set), + then the option argument is either empty (only allowed if the + argument is optional), or it is a number. A number is a + string that begins with an optional minus character, followed + by one or more digits. The number must fit into an integer + variable (unsigned or signed, depending on ALT-TYPE). + + number list + If the option takes a number argument and it can occur more + than once, then the option argument is either empty, or it is + a comma-separated list of numbers as described above. + + string + If the option takes a string argument (ALT-TYPE is 1), and it + can only occur once ('list' flag is not set) then the option + argument is either empty (only allowed if the argument is + optional), or it starts with a double quote character ('"') + followed by a percent-escaped string that is the argument + value. Note that there is only a leading double quote + character, no trailing one. The double quote character is + only needed to be able to differentiate between no value and + the empty string as value. + + string list + If the option takes a string argument and it can occur more + than once, then the option argument is either empty, or it is + a comma-separated list of string arguments as described above. + + The active language and character set are currently determined from +the locale environment of the 'gpgconf' program. + + +File: gnupg.info, Node: Listing components, Next: Checking programs, Prev: Format conventions, Up: gpgconf + +9.4.3 Listing components +------------------------ + +The command '--list-components' will list all components that can be +configured with 'gpgconf'. Usually, one component will correspond to +one GnuPG-related program and contain the options of that program's +configuration file that can be modified using 'gpgconf'. However, this +is not necessarily the case. A component might also be a group of +selected options from several programs, or contain entirely virtual +options that have a special effect rather than changing exactly one +option in one configuration file. + + A component is a set of configuration options that semantically +belong together. Furthermore, several changes to a component can be +made in an atomic way with a single operation. The GUI could for +example provide a menu with one entry for each component, or a window +with one tabulator sheet per component. + + The command '--list-components' lists all available components, one +per line. The format of each line is: + + 'NAME:DESCRIPTION:PGMNAME:' + +NAME + This field contains a name tag of the component. The name tag is + used to specify the component in all communication with 'gpgconf'. + The name tag is to be used _verbatim_. It is thus not in any + escaped format. + +DESCRIPTION + The _string_ in this field contains a human-readable description of + the component. It can be displayed to the user of the GUI for + informational purposes. It is _percent-escaped_ and _localized_. + +PGMNAME + The _string_ in this field contains the absolute name of the + program's file. It can be used to unambiguously invoke that + program. It is _percent-escaped_. + + Example: + $ gpgconf --list-components + gpg:GPG for OpenPGP:/usr/local/bin/gpg2: + gpg-agent:GPG Agent:/usr/local/bin/gpg-agent: + scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon: + gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm: + dirmngr:Directory Manager:/usr/local/bin/dirmngr: + + +File: gnupg.info, Node: Checking programs, Next: Listing options, Prev: Listing components, Up: gpgconf + +9.4.4 Checking programs +----------------------- + +The command '--check-programs' is similar to '--list-components' but +works on backend programs and not on components. It runs each program +to test whether it is installed and runnable. This also includes a +syntax check of all config file options of the program. + + The command '--check-programs' lists all available programs, one per +line. The format of each line is: + + 'NAME:DESCRIPTION:PGMNAME:AVAIL:OKAY:CFGFILE:LINE:ERROR:' + +NAME + This field contains a name tag of the program which is identical to + the name of the component. The name tag is to be used _verbatim_. + It is thus not in any escaped format. This field may be empty to + indicate a continuation of error descriptions for the last name. + The description and pgmname fields are then also empty. + +DESCRIPTION + The _string_ in this field contains a human-readable description of + the component. It can be displayed to the user of the GUI for + informational purposes. It is _percent-escaped_ and _localized_. + +PGMNAME + The _string_ in this field contains the absolute name of the + program's file. It can be used to unambiguously invoke that + program. It is _percent-escaped_. + +AVAIL + The _boolean value_ in this field indicates whether the program is + installed and runnable. + +OKAY + The _boolean value_ in this field indicates whether the program's + config file is syntactically okay. + +CFGFILE + If an error occurred in the configuration file (as indicated by a + false value in the field 'okay'), this field has the name of the + failing configuration file. It is _percent-escaped_. + +LINE + If an error occurred in the configuration file, this field has the + line number of the failing statement in the configuration file. It + is an _unsigned number_. + +ERROR + If an error occurred in the configuration file, this field has the + error text of the failing statement in the configuration file. It + is _percent-escaped_ and _localized_. + +In the following example the 'dirmngr' is not runnable and the +configuration file of 'scdaemon' is not okay. + + $ gpgconf --check-programs + gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1: + gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1: + scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0: + gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1: + dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0: + +The command '--check-options COMPONENT' will verify the configuration +file in the same manner as '--check-programs', but only for the +component COMPONENT. + + +File: gnupg.info, Node: Listing options, Next: Changing options, Prev: Checking programs, Up: gpgconf + +9.4.5 Listing options +--------------------- + +Every component contains one or more options. Options may be gathered +into option groups to allow the GUI to give visual hints to the user +about which options are related. + + The command '--list-options COMPONENT' lists all options (and the +groups they belong to) in the component COMPONENT, one per line. +COMPONENT must be the string in the field NAME in the output of the +'--list-components' command. + + Take care if system-wide options are used: gpgconf may not be able to +properly show the options and the listed options may have no actual +effect in case the system-wide options enforced their own settings. + + There is one line for each option and each group. First come all +options that are not in any group. Then comes a line describing a +group. Then come all options that belong into each group. Then comes +the next group and so on. There does not need to be any group (and in +this case the output will stop after the last non-grouped option). + + The format of each line is: + + 'NAME:FLAGS:LEVEL:DESCRIPTION:TYPE:ALT-TYPE:ARGNAME:DEFAULT:ARGDEF:VALUE' + +NAME + This field contains a name tag for the group or option. The name + tag is used to specify the group or option in all communication + with 'gpgconf'. The name tag is to be used _verbatim_. It is thus + not in any escaped format. + +FLAGS + The flags field contains an _unsigned number_. Its value is the + OR-wise combination of the following flag values: + + 'group (1)' + If this flag is set, this is a line describing a group and not + an option. + + The following flag values are only defined for options (that is, if + the 'group' flag is not used). + + 'optional arg (2)' + If this flag is set, the argument is optional. This is never + set for TYPE '0' (none) options. + + 'list (4)' + If this flag is set, the option can be given multiple times. + + 'runtime (8)' + If this flag is set, the option can be changed at runtime. + + 'default (16)' + If this flag is set, a default value is available. + + 'default desc (32)' + If this flag is set, a (runtime) default is available. This + and the 'default' flag are mutually exclusive. + + 'no arg desc (64)' + If this flag is set, and the 'optional arg' flag is set, then + the option has a special meaning if no argument is given. + + 'no change (128)' + If this flag is set, 'gpgconf' ignores requests to change the + value. GUI frontends should grey out this option. Note, that + manual changes of the configuration files are still possible. + +LEVEL + This field is defined for options and for groups. It contains an + _unsigned number_ that specifies the expert level under which this + group or option should be displayed. The following expert levels + are defined for options (they have analogous meaning for groups): + + 'basic (0)' + This option should always be offered to the user. + + 'advanced (1)' + This option may be offered to advanced users. + + 'expert (2)' + This option should only be offered to expert users. + + 'invisible (3)' + This option should normally never be displayed, not even to + expert users. + + 'internal (4)' + This option is for internal use only. Ignore it. + + The level of a group will always be the lowest level of all options + it contains. + +DESCRIPTION + This field is defined for options and groups. The _string_ in this + field contains a human-readable description of the option or group. + It can be displayed to the user of the GUI for informational + purposes. It is _percent-escaped_ and _localized_. + +TYPE + This field is only defined for options. It contains an _unsigned + number_ that specifies the type of the option's argument, if any. + The following types are defined: + + Basic types: + + 'none (0)' + No argument allowed. + + 'string (1)' + An _unformatted string_. + + 'int32 (2)' + A _signed number_. + + 'uint32 (3)' + An _unsigned number_. + + Complex types: + + 'pathname (32)' + A _string_ that describes the pathname of a file. The file + does not necessarily need to exist. + + 'ldap server (33)' + A _string_ that describes an LDAP server in the format: + + 'HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN' + + 'key fingerprint (34)' + A _string_ with a 40 digit fingerprint specifying a + certificate. + + 'pub key (35)' + A _string_ that describes a certificate by user ID, key ID or + fingerprint. + + 'sec key (36)' + A _string_ that describes a certificate with a key by user ID, + key ID or fingerprint. + + 'alias list (37)' + A _string_ that describes an alias list, like the one used + with gpg's group option. The list consists of a key, an equal + sign and space separated values. + + More types will be added in the future. Please see the ALT-TYPE + field for information on how to cope with unknown types. + +ALT-TYPE + This field is identical to TYPE, except that only the types '0' to + '31' are allowed. The GUI is expected to present the user the + option in the format specified by TYPE. But if the argument type + TYPE is not supported by the GUI, it can still display the option + in the more generic basic type ALT-TYPE. The GUI must support all + the defined basic types to be able to display all options. More + basic types may be added in future versions. If the GUI encounters + a basic type it doesn't support, it should report an error and + abort the operation. + +ARGNAME + This field is only defined for options with an argument type TYPE + that is not '0'. In this case it may contain a _percent-escaped_ + and _localized string_ that gives a short name for the argument. + The field may also be empty, though, in which case a short name is + not known. + +DEFAULT + This field is defined only for options for which the 'default' or + 'default desc' flag is set. If the 'default' flag is set, its + format is that of an _option argument_ (*note Format conventions::, + for details). If the default value is empty, then no default is + known. Otherwise, the value specifies the default value for this + option. If the 'default desc' flag is set, the field is either + empty or contains a description of the effect if the option is not + given. + +ARGDEF + This field is defined only for options for which the 'optional arg' + flag is set. If the 'no arg desc' flag is not set, its format is + that of an _option argument_ (*note Format conventions::, for + details). If the default value is empty, then no default is known. + Otherwise, the value specifies the default argument for this + option. If the 'no arg desc' flag is set, the field is either + empty or contains a description of the effect of this option if no + argument is given. + +VALUE + This field is defined only for options. Its format is that of an + _option argument_. If it is empty, then the option is not + explicitly set in the current configuration, and the default + applies (if any). Otherwise, it contains the current value of the + option. Note that this field is also meaningful if the option + itself does not take a real argument (in this case, it contains the + number of times the option appears). + + +File: gnupg.info, Node: Changing options, Next: Listing global options, Prev: Listing options, Up: gpgconf + +9.4.6 Changing options +---------------------- + +The command '--change-options COMPONENT' will attempt to change the +options of the component COMPONENT to the specified values. COMPONENT +must be the string in the field NAME in the output of the +'--list-components' command. You have to provide the options that shall +be changed in the following format on standard input: + + 'NAME:FLAGS:NEW-VALUE' + +NAME + This is the name of the option to change. NAME must be the string + in the field NAME in the output of the '--list-options' command. + +FLAGS + The flags field contains an _unsigned number_. Its value is the + OR-wise combination of the following flag values: + + 'default (16)' + If this flag is set, the option is deleted and the default + value is used instead (if applicable). + +NEW-VALUE + The new value for the option. This field is only defined if the + 'default' flag is not set. The format is that of an _option + argument_. If it is empty (or the field is omitted), the default + argument is used (only allowed if the argument is optional for this + option). Otherwise, the option will be set to the specified value. + +The output of the command is the same as that of '--check-options' for +the modified configuration file. + + Examples: + + To set the force option, which is of basic type 'none (0)': + + $ echo 'force:0:1' | gpgconf --change-options dirmngr + + To delete the force option: + + $ echo 'force:16:' | gpgconf --change-options dirmngr + + The '--runtime' option can influence when the changes take effect. + + +File: gnupg.info, Node: Listing global options, Next: Querying versions, Prev: Changing options, Up: gpgconf + +9.4.7 Listing global options +---------------------------- + +Some legacy applications look at the global configuration file for the +gpgconf tool itself; this is the file 'gpgconf.conf'. Modern +applications should not use it but use per component global +configuration files which are more flexible than the 'gpgconf.conf'. +Using both files is not suggested. + + The colon separated listing format is record oriented and uses the +first field to identify the record type: + +'k' + This describes a key record to start the definition of a new + ruleset for a user/group. The format of a key record is: + + 'k:USER:GROUP:' + + USER + This is the user field of the key. It is percent escaped. + See the definition of the gpgconf.conf format for details. + + GROUP + This is the group field of the key. It is percent escaped. + +'r' + This describes a rule record. All rule records up to the next key + record make up a rule set for that key. The format of a rule + record is: + + 'r:::COMPONENT:OPTION:FLAG:VALUE:' + + COMPONENT + This is the component part of a rule. It is a plain string. + + OPTION + This is the option part of a rule. It is a plain string. + + FLAG + This is the flags part of a rule. There may be only one flag + per rule but by using the same component and option, several + flags may be assigned to an option. It is a plain string. + + VALUE + This is the optional value for the option. It is a percent + escaped string with a single quotation mark to indicate a + string. The quotation mark is only required to distinguish + between no value specified and an empty string. + +Unknown record types should be ignored. Note that there is +intentionally no feature to change the global option file through +'gpgconf'. + + +File: gnupg.info, Node: Querying versions, Next: Files used by gpgconf, Prev: Listing global options, Up: gpgconf + +9.4.8 Get and compare software versions. +---------------------------------------- + +The GnuPG Project operates a server to query the current versions of +software packages related to GnuPG. 'gpgconf' can be used to access this +online database. To allow for offline operations, this feature works by +having 'dirmngr' download a file from 'https://versions.gnupg.org', +checking the signature of that file and storing the file in the GnuPG +home directory. If 'gpgconf' is used and 'dirmngr' is running, it may +ask 'dirmngr' to refresh that file before itself uses the file. + + The command '--query-swdb' returns information for the given package +in a colon delimited format: + +NAME + This is the name of the package as requested. Note that "gnupg" is + a special name which is replaced by the actual package implementing + this version of GnuPG. For this name it is also not required to + specify a version because 'gpgconf' takes its own version in this + case. + +IVERSION + The currently installed version or an empty string. The value is + taken from the command line argument but may be provided by gpg if + not given. + +STATUS + The status of the software package according to this table: + '-' + No information available. This is either because no current + version has been specified or due to an error. + '?' + The given name is not known in the online database. + 'u' + An update of the software is available. + 'c' + The installed version of the software is current. + 'n' + The installed version is already newer than the released + version. + +URGENCY + If the value (the empty string should be considered as zero) is + greater than zero an important update is available. + +ERROR + This returns an 'gpg-error' error code to distinguish between + various failure modes. + +FILEDATE + This gives the date of the file with the version numbers in + standard ISO format ('yyyymmddThhmmss'). The date has been + extracted by 'dirmngr' from the signature of the file. + +VERIFIED + This gives the date in ISO format the file was downloaded. This + value can be used to evaluate the freshness of the information. + +VERSION + This returns the version string for the requested software from the + file. + +RELDATE + This returns the release date in ISO format. + +SIZE + This returns the size of the package as decimal number of bytes. + +HASH + This returns a hexified SHA-2 hash of the package. + +More fields may be added in future to the output. + + +File: gnupg.info, Node: Files used by gpgconf, Prev: Querying versions, Up: gpgconf + +9.4.9 Files used by gpgconf +--------------------------- + +'/etc/gnupg/gpgconf.conf' + If this file exists, it is processed as a global configuration + file. This is a legacy mechanism which should not be used tigether + with the modern global per component configuration files. A + commented example can be found in the 'examples' directory of the + distribution. + +'GNUPGHOME/swdb.lst' + A file with current software versions. 'dirmngr' creates this file + on demand from an online resource. + + +File: gnupg.info, Node: applygnupgdefaults, Next: gpg-preset-passphrase, Prev: gpgconf, Up: Helper Tools + +9.5 Run gpgconf for all users +============================= + +This is a legacy script. Modern application should use the per +component global configuration files under '/etc/gnupg/'. + + This script is a wrapper around 'gpgconf' to run it with the command +'--apply-defaults' for all real users with an existing GnuPG home +directory. Admins might want to use this script to update he GnuPG +configuration files for all users after '/etc/gnupg/gpgconf.conf' has +been changed. This allows enforcing certain policies for all users. +Note, that this is not a bulletproof way to force a user to use certain +options. A user may always directly edit the configuration files and +bypass gpgconf. + +'applygnupgdefaults' is invoked by root as: + + applygnupgdefaults + + +File: gnupg.info, Node: gpg-preset-passphrase, Next: gpg-connect-agent, Prev: applygnupgdefaults, Up: Helper Tools + +9.6 Put a passphrase into the cache +=================================== + +The 'gpg-preset-passphrase' is a utility to seed the internal cache of a +running 'gpg-agent' with passphrases. It is mainly useful for +unattended machines, where the usual 'pinentry' tool may not be used and +the passphrases for the to be used keys are given at machine startup. + + This program works with GnuPG 2 and later. GnuPG 1.x is not +supported. + + Passphrases set with this utility don't expire unless the '--forget' +option is used to explicitly clear them from the cache -- or 'gpg-agent' +is either restarted or reloaded (by sending a SIGHUP to it). Note that +the maximum cache time as set with '--max-cache-ttl' is still honored. +It is necessary to allow this passphrase presetting by starting +'gpg-agent' with the '--allow-preset-passphrase'. + +* Menu: + +* Invoking gpg-preset-passphrase:: List of all commands and options. + + +File: gnupg.info, Node: Invoking gpg-preset-passphrase, Up: gpg-preset-passphrase + +9.6.1 List of all commands and options +-------------------------------------- + +'gpg-preset-passphrase' is invoked this way: + + gpg-preset-passphrase [options] [command] CACHEID + + CACHEID is either a 40 character keygrip of hexadecimal characters +identifying the key for which the passphrase should be set or cleared. +The keygrip is listed along with the key when running the command: +'gpgsm --with-keygrip --list-secret-keys'. Alternatively an arbitrary +string may be used to identify a passphrase; it is suggested that such a +string is prefixed with the name of the application (e.g 'foo:12346'). +Scripts should always use the option '--with-colons', which provides the +keygrip in a "grp" line (cf. 'doc/DETAILS')/ + +One of the following command options must be given: + +'--preset' + Preset a passphrase. This is what you usually will use. + 'gpg-preset-passphrase' will then read the passphrase from 'stdin'. + +'--forget' + Flush the passphrase for the given cache ID from the cache. + +The following additional options may be used: + +'-v' +'--verbose' + Output additional information while running. + +'-P STRING' +'--passphrase STRING' + Instead of reading the passphrase from 'stdin', use the supplied + STRING as passphrase. Note that this makes the passphrase visible + for other users. + + +File: gnupg.info, Node: gpg-connect-agent, Next: dirmngr-client, Prev: gpg-preset-passphrase, Up: Helper Tools + +9.7 Communicate with a running agent +==================================== + +The 'gpg-connect-agent' is a utility to communicate with a running +'gpg-agent'. It is useful to check out the commands 'gpg-agent' +provides using the Assuan interface. It might also be useful for +scripting simple applications. Input is expected at stdin and output +gets printed to stdout. + + It is very similar to running 'gpg-agent' in server mode; but here we +connect to a running instance. + +* Menu: + +* Invoking gpg-connect-agent:: List of all options. +* Controlling gpg-connect-agent:: Control commands. + + +File: gnupg.info, Node: Invoking gpg-connect-agent, Next: Controlling gpg-connect-agent, Up: gpg-connect-agent + +9.7.1 List of all options +------------------------- + +'gpg-connect-agent' is invoked this way: + + gpg-connect-agent [options] [commands] + +The following options may be used: + +'-v' +'--verbose' + Output additional information while running. + +'-q' +'--quiet' + Try to be as quiet as possible. + +'--homedir DIR' + Set the name of the home directory to DIR. If this option is not + used, the home directory defaults to '~/.gnupg'. It is only + recognized when given on the command line. It also overrides any + home directory stated through the environment variable 'GNUPGHOME' + or (on Windows systems) by means of the Registry entry + HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR. + + On Windows systems it is possible to install GnuPG as a portable + application. In this case only this command line option is + considered, all other ways to set a home directory are ignored. + + To install GnuPG as a portable application under Windows, create an + empty file named 'gpgconf.ctl' in the same directory as the tool + 'gpgconf.exe'. The root of the installation is then that + directory; or, if 'gpgconf.exe' has been installed directly below a + directory named 'bin', its parent directory. You also need to make + sure that the following directories exist and are writable: + 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg' + for internal cache files. + +'--agent-program FILE' + Specify the agent program to be started if none is running. The + default value is determined by running 'gpgconf' with the option + '--list-dirs'. Note that the pipe symbol ('|') is used for a + regression test suite hack and may thus not be used in the file + name. + +'--dirmngr-program FILE' + Specify the directory manager (keyserver client) program to be + started if none is running. This has only an effect if used + together with the option '--dirmngr'. + +'--dirmngr' + Connect to a running directory manager (keyserver client) instead + of to the gpg-agent. If a dirmngr is not running, start it. + +'-S' +'--raw-socket NAME' + Connect to socket NAME assuming this is an Assuan style server. Do + not run any special initializations or environment checks. This + may be used to directly connect to any Assuan style socket server. + +'-E' +'--exec' + Take the rest of the command line as a program and it's arguments + and execute it as an Assuan server. Here is how you would run + 'gpgsm': + gpg-connect-agent --exec gpgsm --server + Note that you may not use options on the command line in this case. + +'--no-ext-connect' + When using '-S' or '--exec', 'gpg-connect-agent' connects to the + Assuan server in extended mode to allow descriptor passing. This + option makes it use the old mode. + +'--no-autostart' + Do not start the gpg-agent or the dirmngr if it has not yet been + started. + +'-r FILE' +'--run FILE' + Run the commands from FILE at startup and then continue with the + regular input method. Note, that commands given on the command + line are executed after this file. + +'-s' +'--subst' + Run the command '/subst' at startup. + +'--hex' + Print data lines in a hex format and the ASCII representation of + non-control characters. + +'--decode' + Decode data lines. That is to remove percent escapes but make sure + that a new line always starts with a D and a space. + + +File: gnupg.info, Node: Controlling gpg-connect-agent, Prev: Invoking gpg-connect-agent, Up: gpg-connect-agent + +9.7.2 Control commands +---------------------- + +While reading Assuan commands, gpg-agent also allows a few special +commands to control its operation. These control commands all start +with a slash ('/'). + +'/echo ARGS' + Just print ARGS. + +'/let NAME VALUE' + Set the variable NAME to VALUE. Variables are only substituted on + the input if the '/subst' has been used. Variables are referenced + by prefixing the name with a dollar sign and optionally include the + name in curly braces. The rules for a valid name are identically + to those of the standard bourne shell. This is not yet enforced + but may be in the future. When used with curly braces no leading + or trailing white space is allowed. + + If a variable is not found, it is searched in the environment and + if found copied to the table of variables. + + Variable functions are available: The name of the function must be + followed by at least one space and the at least one argument. The + following functions are available: + + 'get' + Return a value described by the argument. Available arguments + are: + + 'cwd' + The current working directory. + 'homedir' + The gnupg homedir. + 'sysconfdir' + GnuPG's system configuration directory. + 'bindir' + GnuPG's binary directory. + 'libdir' + GnuPG's library directory. + 'libexecdir' + GnuPG's library directory for executable files. + 'datadir' + GnuPG's data directory. + 'serverpid' + The PID of the current server. Command '/serverpid' must + have been given to return a useful value. + + 'unescape ARGS' + Remove C-style escapes from ARGS. Note that '\0' and '\x00' + terminate the returned string implicitly. The string to be + converted are the entire arguments right behind the delimiting + space of the function name. + + 'unpercent ARGS' + 'unpercent+ ARGS' + Remove percent style escaping from ARGS. Note that '%00' + terminates the string implicitly. The string to be converted + are the entire arguments right behind the delimiting space of + the function name. 'unpercent+' also maps plus signs to a + spaces. + + 'percent ARGS' + 'percent+ ARGS' + Escape the ARGS using percent style escaping. Tabs, + formfeeds, linefeeds, carriage returns and colons are escaped. + 'percent+' also maps spaces to plus signs. + + 'errcode ARG' + 'errsource ARG' + 'errstring ARG' + Assume ARG is an integer and evaluate it using 'strtol'. + Return the gpg-error error code, error source or a formatted + string with the error code and error source. + + '+' + '-' + '*' + '/' + '%' + Evaluate all arguments as long integers using 'strtol' and + apply this operator. A division by zero yields an empty + string. + + '!' + '|' + '&' + Evaluate all arguments as long integers using 'strtol' and + apply the logical operators NOT, OR or AND. The NOT operator + works on the last argument only. + +'/definq NAME VAR' + Use content of the variable VAR for inquiries with NAME. NAME may + be an asterisk ('*') to match any inquiry. + +'/definqfile NAME FILE' + Use content of FILE for inquiries with NAME. NAME may be an + asterisk ('*') to match any inquiry. + +'/definqprog NAME PROG' + Run PROG for inquiries matching NAME and pass the entire line to it + as command line arguments. + +'/datafile NAME' + Write all data lines from the server to the file NAME. The file is + opened for writing and created if it does not exists. An existing + file is first truncated to 0. The data written to the file fully + decoded. Using a single dash for NAME writes to stdout. The file + is kept open until a new file is set using this command or this + command is used without an argument. + +'/showdef' + Print all definitions + +'/cleardef' + Delete all definitions + +'/sendfd FILE MODE' + Open FILE in MODE (which needs to be a valid 'fopen' mode string) + and send the file descriptor to the server. This is usually + followed by a command like 'INPUT FD' to set the input source for + other commands. + +'/recvfd' + Not yet implemented. + +'/open VAR FILE [MODE]' + Open FILE and assign the file descriptor to VAR. Warning: This + command is experimental and might change in future versions. + +'/close FD' + Close the file descriptor FD. Warning: This command is + experimental and might change in future versions. + +'/showopen' + Show a list of open files. + +'/serverpid' + Send the Assuan command 'GETINFO pid' to the server and store the + returned PID for internal purposes. + +'/sleep' + Sleep for a second. + +'/hex' +'/nohex' + Same as the command line option '--hex'. + +'/decode' +'/nodecode' + Same as the command line option '--decode'. + +'/subst' +'/nosubst' + Enable and disable variable substitution. It defaults to disabled + unless the command line option '--subst' has been used. If /subst + as been enabled once, leading whitespace is removed from input + lines which makes scripts easier to read. + +'/while CONDITION' +'/end' + These commands provide a way for executing loops. All lines + between the 'while' and the corresponding 'end' are executed as + long as the evaluation of CONDITION yields a non-zero value or is + the string 'true' or 'yes'. The evaluation is done by passing + CONDITION to the 'strtol' function. Example: + + /subst + /let i 3 + /while $i + /echo loop counter is $i + /let i ${- $i 1} + /end + +'/if CONDITION' +'/end' + These commands provide a way for conditional execution. All lines + between the 'if' and the corresponding 'end' are executed only if + the evaluation of CONDITION yields a non-zero value or is the + string 'true' or 'yes'. The evaluation is done by passing + CONDITION to the 'strtol' function. + +'/run FILE' + Run commands from FILE. + +'/bye' + Terminate the connection and the program. + +'/help' + Print a list of available control commands. + + +File: gnupg.info, Node: dirmngr-client, Next: gpgparsemail, Prev: gpg-connect-agent, Up: Helper Tools + +9.8 The Dirmngr Client Tool +=========================== + +The 'dirmngr-client' is a simple tool to contact a running dirmngr and +test whether a certificate has been revoked -- either by being listed in +the corresponding CRL or by running the OCSP protocol. If no dirmngr is +running, a new instances will be started but this is in general not a +good idea due to the huge performance overhead. + +The usual way to run this tool is either: + + dirmngr-client ACERT + +or + + dirmngr-client <ACERT + + Where ACERT is one DER encoded (binary) X.509 certificates to be +tested. The return value of this command is + +'0' + The certificate under question is valid; i.e. there is a valid CRL + available and it is not listed there or the OCSP request returned + that that certificate is valid. + +'1' + The certificate has been revoked + +'2 (and other values)' + There was a problem checking the revocation state of the + certificate. A message to stderr has given more detailed + information. Most likely this is due to a missing or expired CRL + or due to a network problem. + +'dirmngr-client' may be called with the following options: + +'--version' + Print the program version and licensing information. Note that you + cannot abbreviate this command. + +'--help, -h' + Print a usage message summarizing the most useful command-line + options. Note that you cannot abbreviate this command. + +'--quiet, -q' + Make the output extra brief by suppressing any informational + messages. + +'-v' +'--verbose' + Outputs additional information while running. You can increase the + verbosity by giving several verbose commands to DIRMNGR, such as + '-vv'. + +'--pem' + Assume that the given certificate is in PEM (armored) format. + +'--ocsp' + Do the check using the OCSP protocol and ignore any CRLs. + +'--force-default-responder' + When checking using the OCSP protocol, force the use of the default + OCSP responder. That is not to use the Reponder as given by the + certificate. + +'--ping' + Check whether the dirmngr daemon is up and running. + +'--cache-cert' + Put the given certificate into the cache of a running dirmngr. + This is mainly useful for debugging. + +'--validate' + Validate the given certificate using dirmngr's internal validation + code. This is mainly useful for debugging. + +'--load-crl' + This command expects a list of filenames with DER encoded CRL + files. With the option '--url' URLs are expected in place of + filenames and they are loaded directly from the given location. + All CRLs will be validated and then loaded into dirmngr's cache. + +'--lookup' + Take the remaining arguments and run a lookup command on each of + them. The results are Base-64 encoded outputs (without header + lines). This may be used to retrieve certificates from a server. + However the output format is not very well suited if more than one + certificate is returned. + +'--url' +'-u' + Modify the 'lookup' and 'load-crl' commands to take an URL. + +'--local' +'-l' + Let the 'lookup' command only search the local cache. + +'--squid-mode' + Run DIRMNGR-CLIENT in a mode suitable as a helper program for + Squid's 'external_acl_type' option. + + +File: gnupg.info, Node: gpgparsemail, Next: gpgtar, Prev: dirmngr-client, Up: Helper Tools + +9.9 Parse a mail message into an annotated format +================================================= + +The 'gpgparsemail' is a utility currently only useful for debugging. +Run it with '--help' for usage information. + + +File: gnupg.info, Node: gpgtar, Next: gpg-check-pattern, Prev: gpgparsemail, Up: Helper Tools + +9.10 Encrypt or sign files into an archive +========================================== + +'gpgtar' encrypts or signs files into an archive. It is an gpg-ized tar +using the same format as used by PGP's PGP Zip. + +'gpgtar' is invoked this way: + + gpgtar [options] FILENAME1 [FILENAME2, ...] DIRECTORY [DIRECTORY2, ...] + +'gpgtar' understands these options: + +'--create' + Put given files and directories into a vanilla "ustar" archive. + +'--extract' + Extract all files from a vanilla "ustar" archive. + +'--encrypt' +'-e' + Encrypt given files and directories into an archive. This option + may be combined with option '--symmetric' for an archive that may + be decrypted via a secret key or a passphrase. + +'--decrypt' +'-d' + Extract all files from an encrypted archive. + +'--sign' +'-s' + Make a signed archive from the given files and directories. This + can be combined with option '--encrypt' to create a signed and then + encrypted archive. + +'--list-archive' +'-t' + List the contents of the specified archive. + +'--symmetric' +'-c' + Encrypt with a symmetric cipher using a passphrase. The default + symmetric cipher used is AES-128, but may be chosen with the + '--cipher-algo' option to 'gpg'. + +'--recipient USER' +'-r USER' + Encrypt for user id USER. For details see 'gpg'. + +'--local-user USER' +'-u USER' + Use USER as the key to sign with. For details see 'gpg'. + +'--output FILE' +'-o FILE' + Write the archive to the specified file FILE. + +'--verbose' +'-v' + Enable extra informational output. + +'--quiet' +'-q' + Try to be as quiet as possible. + +'--skip-crypto' + Skip all crypto operations and create or extract vanilla "ustar" + archives. + +'--dry-run' + Do not actually output the extracted files. + +'--directory DIR' +'-C DIR' + Extract the files into the directory DIR. The default is to take + the directory name from the input filename. If no input filename + is known a directory named 'GPGARCH' is used. For tarball + creation, switch to directory DIR before performing any operations. + +'--files-from FILE' +'-T FILE' + Take the file names to work from the file FILE; one file per line. + +'--null' + Modify option '--files-from' to use a binary nul instead of a + linefeed to separate file names. + +'--utf8-strings' + Assume that the file names read by '--files-from' are UTF-8 + encoded. This option has an effect only on Windows where the + active code page is otherwise assumed. + +'--openpgp' + This option has no effect because OpenPGP encryption and signing is + the default. + +'--cms' + This option is reserved and shall not be used. It will eventually + be used to encrypt or sign using the CMS protocol; but that is not + yet implemented. + +'--batch' + Use batch mode. Never ask but use the default action. This option + is passed directly to 'gpg'. + +'--yes' + Assume "yes" on most questions. Often used together with '--batch' + to overwrite existing files. This option is passed directly to + 'gpg'. + +'--no' + Assume "no" on most questions. This option is passed directly to + 'gpg'. + +'--require-compliance' + This option is passed directly to 'gpg'. + +'--status-fd N' + Write special status strings to the file descriptor N. See the + file DETAILS in the documentation for a listing of them. + +'--with-log' + When extracting an encrypted tarball also write a log file with the + gpg output to a file named after the extraction directory with the + suffix ".log". + +'--set-filename FILE' + Use the last component of FILE as the output directory. The + default is to take the directory name from the input filename. If + no input filename is known a directory named 'GPGARCH' is used. + This option is deprecated in favor of option '--directory'. + +'--gpg GPGCMD' + Use the specified command GPGCMD instead of 'gpg'. + +'--gpg-args ARGS' + Pass the specified extra options to 'gpg'. + +'--tar-args ARGS' + Assume ARGS are standard options of the command 'tar' and parse + them. The only supported tar options are "-directory", + "-files-from", and "-null" This is an obsolete options because + those supported tar options can also be given directly. + +'--version' + Print version of the program and exit. + +'--help' + Display a brief help page and exit. + +The program returns 0 if everything was fine, 1 otherwise. + +Some examples: + +Encrypt the contents of directory 'mydocs' for user Bob to file 'test1': + + gpgtar --encrypt --output test1 -r Bob mydocs + +List the contents of archive 'test1': + + gpgtar --list-archive test1 + + +File: gnupg.info, Node: gpg-check-pattern, Prev: gpgtar, Up: Helper Tools + +9.11 Check a passphrase on stdin against the patternfile +======================================================== + +'gpg-check-pattern' checks a passphrase given on stdin against a +specified pattern file. + + The pattern file is line based with comment lines beginning on the +_first_ position with a '#'. Empty lines and lines with only white +spaces are ignored. The actual pattern lines may either be verbatim +string pattern and match as they are (trailing spaces are ignored) or +extended regular expressions indicated by a '/' or '!/' in the first +column and terminated by another '/' or end of line. If a regular +expression starts with '!/' the match result is reversed. By default +all comparisons are case insensitive. + + Tag lines may be used to further control the operation of this tool. +The currently defined tags are: + +'[icase]' + Switch to case insensitive comparison for all further patterns. + This is the default. + +'[case]' + Switch to case sensitive comparison for all further patterns. + +'[reject]' + Switch to reject mode. This is the default mode. + +'[accept]' + Switch to accept mode. + + In the future more tags may be introduced and thus it is advisable +not to start a plain pattern string with an open bracket. The tags must +be given verbatim on the line with no spaces to the left or any non +white space characters to the right. + + In reject mode the program exits on the first match with an exit code +of 1 (failure). If at the end of the pattern list the reject mode is +still active the program exits with code 0 (success). + + In accept mode blocks of patterns are used. A block starts at the +next pattern after an "accept" tag and ends with the last pattern before +the next "accept" or "reject" tag or at the end of the pattern list. If +all patterns in a block match the program exits with an exit code of 0 +(success). If any pattern in a block do not match the next pattern +block is evaluated. If at the end of the pattern list the accept mode +is still active the program exits with code 1 (failure). + + +'--verbose' + Enable extra informational output. + +'--check' + Run only a syntax check on the patternfile. + +'--null' + Input is expected to be null delimited. + + +File: gnupg.info, Node: Web Key Service, Next: Howtos, Prev: Helper Tools, Up: Top + +10 Web Key Service +****************** + +GnuPG comes with tools used to maintain and access a Web Key Directory. + +* Menu: + +* gpg-wks-client:: Send requests via WKS +* gpg-wks-server:: Server to provide the WKS. + + +File: gnupg.info, Node: gpg-wks-client, Next: gpg-wks-server, Up: Web Key Service + +10.1 Send requests via WKS +========================== + +The 'gpg-wks-client' is used to send requests to a Web Key Service +provider. This is usually done to upload a key into a Web Key +Directory. + + With the '--supported' command the caller can test whether a site +supports the Web Key Service. The argument is an arbitrary address in +the to be tested domain. For example 'foo@example.net'. The command +returns success if the Web Key Service is supported. The operation is +silent; to get diagnostic output use the option '--verbose'. See option +'--with-colons' for a variant of this command. + + With the '--check' command the caller can test whether a key exists +for a supplied mail address. The command returns success if a key is +available. + + The '--create' command is used to send a request for publication in +the Web Key Directory. The arguments are the fingerprint of the key and +the user id to publish. The output from the command is a properly +formatted mail with all standard headers. This mail can be fed to +'sendmail(8)' or any other tool to actually send that mail. If +'sendmail(8)' is installed the option '--send' can be used to directly +send the created request. If the provider request a 'mailbox-only' user +id and no such user id is found, 'gpg-wks-client' will try an additional +user id. + + The '--receive' and '--read' commands are used to process +confirmation mails as send from the service provider. The former +expects an encrypted MIME messages, the latter an already decrypted MIME +message. The result of these commands are another mail which can be +send in the same way as the mail created with '--create'. + + The command '--install-key' manually installs a key into a local +directory (see option '-C') reflecting the structure of a WKD. The +arguments are a file with the keyblock and the user-id to install. If +the first argument resembles a fingerprint the key is taken from the +current keyring; to force the use of a file, prefix the first argument +with "./". If no arguments are given the parameters are read from +stdin; the expected format are lines with the fingerprint and the +mailbox separated by a space. The command '--remove-key' removes a key +from that directory, its only argument is a user-id. + + The command '--mirror' is similar to '--install-key' but takes the +keys from the the LDAP server configured for Dirmngr. If no arguments +are given all keys and user ids are installed. If arguments are given +they are taken as domain names to limit the to be installed keys. The +option '--blacklist' may be used to further limit the to be installed +keys. + + The command '--print-wkd-hash' prints the WKD user-id identifiers and +the corresponding mailboxes from the user-ids given on the command line +or via stdin (one user-id per line). + + The command '--print-wkd-url' prints the URLs used to fetch the key +for the given user-ids from WKD. The meanwhile preferred format with +sub-domains is used here. + + 'gpg-wks-client' is not commonly invoked directly and thus it is not +installed in the bin directory. Here is an example how it can be +invoked manually to check for a Web Key Directory entry for +'foo@example.org': + + $(gpgconf --list-dirs libexecdir)/gpg-wks-client --check foo@example.net + +'gpg-wks-client' understands these options: + +'--send' + Directly send created mails using the 'sendmail' command. Requires + installation of that command. + +'--with-colons' + This option has currently only an effect on the '--supported' + command. If it is used all arguments on the command line are taken + as domain names and tested for WKD support. The output format is + one line per domain with colon delimited fields. The currently + specified fields are (future versions may specify additional + fields): + + 1 - domain + This is the domain name. Although quoting is not required for + valid domain names this field is specified to be quoted in + standard C manner. + + 2 - WKD + If the value is true the domain supports the Web Key + Directory. + + 3 - WKS + If the value is true the domain supports the Web Key Service + protocol to upload keys to the directory. + + 4 - error-code + This may contain an gpg-error code to describe certain + failures. Use 'gpg-error CODE' to explain the code. + + 5 - protocol-version + The minimum protocol version supported by the server. + + 6 - auth-submit + The auth-submit flag from the policy file of the server. + + 7 - mailbox-only + The mailbox-only flag from the policy file of the server. + +'--output FILE' +'-o' + Write the created mail to FILE instead of stdout. Note that the + value '-' for FILE is the same as writing to stdout. + +'--status-fd N' + Write special status strings to the file descriptor N. This + program returns only the status messages SUCCESS or FAILURE which + are helpful when the caller uses a double fork approach and can't + easily get the return code of the process. + +'-C DIR' +'--directory DIR' + Use DIR as top level directory for the commands '--mirror', + '--install-key' and '--remove-key'. The default is 'openpgpkey'. + +'--blacklist FILE' + This option is used to exclude certain mail addresses from a mirror + operation. The format of FILE is one mail address (just the + addrspec, e.g. "postel@isi.edu") per line. Empty lines and lines + starting with a '#' are ignored. + +'--verbose' + Enable extra informational output. + +'--quiet' + Disable almost all informational output. + +'--version' + Print version of the program and exit. + +'--help' + Display a brief help page and exit. + + +File: gnupg.info, Node: gpg-wks-server, Prev: gpg-wks-client, Up: Web Key Service + +10.2 Provide the Web Key Service +================================ + +The 'gpg-wks-server' is a server site implementation of the Web Key +Service. It receives requests for publication, sends confirmation +requests, receives confirmations, and published the key. It also has +features to ease the setup and maintenance of a Web Key Directory. + + When used with the command '--receive' a single Web Key Service mail +is processed. Commonly this command is used with the option '--send' to +directly send the crerated mails back. See below for an installation +example. + + The command '--cron' is used for regualr cleanup tasks. For example +non-confirmed requested should be removed after their expire time. It +is best to run this command once a day from a cronjob. + + The command '--list-domains' prints all configured domains. Further +it creates missing directories for the configuration and prints warnings +pertaining to problems in the configuration. + + The command '--check-key' (or just '--check') checks whether a key +with the given user-id is installed. The process returns success in +this case; to also print a diagnostic use the option '-v'. If the key +is not installed a diagnostic is printed and the process returns +failure; to suppress the diagnostic, use option '-q'. More than one +user-id can be given; see also option 'with-file'. + + The command '--install-key' manually installs a key into the WKD. The +arguments are a file with the keyblock and the user-id to install. If +the first argument resembles a fingerprint the key is taken from the +current keyring; to force the use of a file, prefix the first argument +with "./". If no arguments are given the parameters are read from +stdin; the expected format are lines with the fingerprint and the +mailbox separated by a space. + + The command '--remove-key' uninstalls a key from the WKD. The process +returns success in this case; to also print a diagnostic, use option +'-v'. If the key is not installed a diagnostic is printed and the +process returns failure; to suppress the diagnostic, use option '-q'. + + The command '--revoke-key' is not yet functional. + +'gpg-wks-server' understands these options: + +'-C DIR' +'--directory DIR' + Use DIR as top level directory for domains. The default is + '/var/lib/gnupg/wks'. + +'--from MAILADDR' + Use MAILADDR as the default sender address. + +'--header NAME=VALUE' + Add the mail header "NAME: VALUE" to all outgoing mails. + +'--send' + Directly send created mails using the 'sendmail' command. Requires + installation of that command. + +'-o FILE' +'--output FILE' + Write the created mail also to FILE. Note that the value '-' for + FILE would write it to stdout. + +'--with-dir' + When used with the command '--list-domains' print for each + installed domain the domain name and its directory name. + +'--with-file' + When used with the command '--check-key' print for each user-id, + the address, 'i' for installed key or 'n' for not installed key, + and the filename. + +'--verbose' + Enable extra informational output. + +'--quiet' + Disable almost all informational output. + +'--version' + Print version of the program and exit. + +'--help' + Display a brief help page and exit. + + +Examples +******** + +The Web Key Service requires a working directory to store keys pending +for publication. As root create a working directory: + + # mkdir /var/lib/gnupg/wks + # chown webkey:webkey /var/lib/gnupg/wks + # chmod 2750 /var/lib/gnupg/wks + + Then under your webkey account create directories for all your +domains. Here we do it for "example.net": + + $ mkdir /var/lib/gnupg/wks/example.net + + Finally run + + $ gpg-wks-server --list-domains + + to create the required sub-directories with the permissions set +correctly. For each domain a submission address needs to be configured. +All service mails are directed to that address. It can be the same +address for all configured domains, for example: + + $ cd /var/lib/gnupg/wks/example.net + $ echo key-submission@example.net >submission-address + + The protocol requires that the key to be published is send with an +encrypted mail to the service. Thus you need to create a key for the +submission address: + + $ gpg --batch --passphrase '' --quick-gen-key key-submission@example.net + $ gpg -K key-submission@example.net + + The output of the last command looks similar to this: + + sec rsa2048 2016-08-30 [SC] + C0FCF8642D830C53246211400346653590B3795B + uid [ultimate] key-submission@example.net + ssb rsa2048 2016-08-30 [E] + + Take the fingerprint from that output and manually publish the key: + + $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \ + > key-submission@example.net + + Finally that submission address needs to be redirected to a script +running 'gpg-wks-server'. The 'procmail' command can be used for this: +Redirect the submission address to the user "webkey" and put this into +webkey's '.procmailrc': + + :0 + * !^From: webkey@example.net + * !^X-WKS-Loop: webkey.example.net + |gpg-wks-server -v --receive \ + --header X-WKS-Loop=webkey.example.net \ + --from webkey@example.net --send + + +File: gnupg.info, Node: Howtos, Next: System Notes, Prev: Web Key Service, Up: Top + +11 How to do certain things +*************************** + +This is a collection of small howto documents. + +* Menu: + +* Howto Create a Server Cert:: Creating a TLS server certificate. + + +File: gnupg.info, Node: Howto Create a Server Cert, Up: Howtos + +11.1 Creating a TLS server certificate +====================================== + +Here is a brief run up on how to create a server certificate. It has +actually been done this way to get a certificate from CAcert to be used +on a real server. It has only been tested with this CA, but there +shouldn't be any problem to run this against any other CA. + + We start by generating an X.509 certificate signing request. As +there is no need for a configuration file, you may simply enter: + + $ gpgsm --generate-key >example.com.cert-req.pem + Please select what kind of key you want: + (1) RSA + (2) Existing key + (3) Existing key from card + Your selection? 1 + + I opted for creating a new RSA key. The other option is to use an +already existing key, by selecting '2' and entering the so-called +keygrip. Running the command 'gpgsm --dump-secret-key USERID' shows you +this keygrip. Using '3' offers another menu to create a certificate +directly from a smart card based key. + + Let's continue: + + What keysize do you want? (3072) + Requested keysize is 3072 bits + + Hitting enter chooses the default RSA key size of 3072 bits. Keys +smaller than 2048 bits are too weak on the modern Internet. If you +choose a larger (stronger) key, your server will need to do more work. + + Possible actions for a RSA key: + (1) sign, encrypt + (2) sign + (3) encrypt + Your selection? 1 + + Selecting "sign" enables use of the key for Diffie-Hellman key +exchange mechanisms (DHE and ECDHE) in TLS, which are preferred because +they offer forward secrecy. Selecting "encrypt" enables RSA key +exchange mechanisms, which are still common in some places. Selecting +both enables both key exchange mechanisms. + + Now for some real data: + + Enter the X.509 subject name: CN=example.com + + This is the most important value for a server certificate. Enter +here the canonical name of your server machine. You may add other +virtual server names later. + + E-Mail addresses (end with an empty line): + > + + We don't need email addresses in a TLS server certificate and CAcert +would anyway ignore such a request. Thus just hit enter. + + If you want to create a client certificate for email encryption, this +would be the place to enter your mail address (e.g. <joe@example.org>). +You may enter as many addresses as you like, however the CA may not +accept them all or reject the entire request. + + Enter DNS names (optional; end with an empty line): + > example.com + > www.example.com + > + + Here I entered the names of the services which the machine actually +provides. You almost always want to include the canonical name here +too. The browser will accept a certificate for any of these names. As +usual the CA must approve all of these names. + + URIs (optional; end with an empty line): + > + + It is possible to insert arbitrary URIs into a certificate; for a +server certificate this does not make sense. + + Create self-signed certificate? (y/N) + + Since we are creating a certificate signing request, and not a full +certificate, we answer no here, or just hit enter for the default. + + We have now entered all required information and 'gpgsm' will display +what it has gathered and ask whether to create the certificate request: + + These parameters are used: + Key-Type: RSA + Key-Length: 3072 + Key-Usage: sign, encrypt + Name-DN: CN=example.com + Name-DNS: example.com + Name-DNS: www.example.com + + Proceed with creation? (y/N) y + + 'gpgsm' will now start working on creating the request. As this +includes the creation of an RSA key it may take a while. During this +time you will be asked 3 times for a passphrase to protect the created +private key on your system. A pop up window will appear to ask for it. +The first two prompts are for the new passphrase and for re-entering it; +the third one is required to actually create the certificate signing +request. + + When it is ready, you should see the final notice: + + Ready. You should now send this request to your CA. + + Now, you may look at the created request: + + $ cat example.com.cert-req.pem + -----BEGIN CERTIFICATE REQUEST----- + MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3 + DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW + h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC + Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW + GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm + DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n + xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq + hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs + ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN + b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ + hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D + bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk + VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3 + k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU= + -----END CERTIFICATE REQUEST----- + $ + + You may now proceed by logging into your account at the CAcert +website, choose 'Server Certificates - New', check 'sign by class 3 root +certificate', paste the above request block into the text field and +click on 'Submit'. + + If everything works out fine, a certificate will be shown. Now run + + $ gpgsm --import + + and paste the certificate from the CAcert page into your terminal +followed by a Ctrl-D + + -----BEGIN CERTIFICATE----- + MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl + [...] + rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs + Rtct3tIX + -----END CERTIFICATE----- + gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found + gpgsm: certificate imported + + gpgsm: total number processed: 1 + gpgsm: imported: 1 + + 'gpgsm' tells you that it has imported the certificate. It is now +associated with the key you used when creating the request. The root +certificate has not been found, so you may want to import it from the +CACert website. + + To see the content of your certificate, you may now enter: + + $ gpgsm -K example.com + /home/foo/.gnupg/pubring.kbx + --------------------------- + Serial number: 4C + Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...] + Subject: /CN=example.com + aka: (dns-name example.com) + aka: (dns-name www.example.com) + validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51 + key type: 3072 bit RSA + key usage: digitalSignature keyEncipherment + ext key usage: clientAuth (suggested), serverAuth (suggested), [...] + fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57 + + I used '-K' above because this will only list certificates for which +a private key is available. To see more details, you may use +'--dump-secret-keys' instead of '-K'. + + To make actual use of the certificate you need to install it on your +server. Server software usually expects a PKCS\#12 file with key and +certificate. To create such a file, run: + + $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem + + You will be asked for the passphrase as well as for a new passphrase +to be used to protect the PKCS\#12 file. The file now contains the +certificate as well as the private key: + + $ cat example-cert.pem + Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...] + Serial ...: 4C + Subject ..: /CN=example.com + aka ..: (dns-name example.com) + aka ..: (dns-name www.example.com) + + -----BEGIN PKCS12----- + MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu + [...many more lines...] + -----END PKCS12----- + $ + + Copy this file in a secure way to the server, install it there and +delete the file then. You may export the file again at any time as long +as it is available in GnuPG's private key database. + + +File: gnupg.info, Node: System Notes, Next: Debugging, Prev: Howtos, Up: Top + +12 Notes pertaining to certain OSes +*********************************** + +GnuPG has been developed on GNU/Linux systems and is know to work on +almost all Free OSes. All modern POSIX systems should be supported +right now, however there are probably a lot of smaller glitches we need +to fix first. The major problem areas are: + + * We are planning to use file descriptor passing for interprocess + communication. This will allow us save a lot of resources and + improve performance of certain operations a lot. Systems not + supporting this won't gain these benefits but we try to keep them + working the standard way as it is done today. + + * We require more or less full POSIX compatibility. This has been + around for 15 years now and thus we don't believe it makes sense to + support non POSIX systems anymore. Well, we of course the usual + workarounds for near POSIX systems well be applied. + + There is one exception of this rule: Systems based the Microsoft + Windows API (called here _W32_) will be supported to some extend. + +* Menu: + +* W32 Notes:: Microsoft Windows Notes + + +File: gnupg.info, Node: W32 Notes, Up: System Notes + +12.1 Microsoft Windows Notes +============================ + +Current limitations are: + + * 'gpgconf' does not create backup files, so in case of trouble your + configuration file might get lost. + + * 'watchgnupg' is not available. Logging to sockets is not possible. + + * The periodical smartcard status checking done by 'scdaemon' is not + yet supported. + + +File: gnupg.info, Node: Debugging, Next: Copying, Prev: System Notes, Up: Top + +13 How to solve problems +************************ + +Everyone knows that software often does not do what it should do and +thus there is a need to track down problems. We call this debugging in +a reminiscent to the moth jamming a relay in a Mark II box back in 1947. + + Most of the problems a merely configuration and user problems but +nevertheless they are the most annoying ones and responsible for many +gray hairs. We try to give some guidelines here on how to identify and +solve the problem at hand. + +* Menu: + +* Debugging Tools:: Description of some useful tools. +* Debugging Hints:: Various hints on debugging. +* Common Problems:: Commonly seen problems. +* Architecture Details:: How the whole thing works internally. + + +File: gnupg.info, Node: Debugging Tools, Next: Debugging Hints, Up: Debugging + +13.1 Debugging Tools +==================== + +The GnuPG distribution comes with a couple of tools, useful to help find +and solving problems. + +* Menu: + +* kbxutil:: Scrutinizing a keybox file. + + +File: gnupg.info, Node: kbxutil, Up: Debugging Tools + +13.1.1 Scrutinizing a keybox file +--------------------------------- + +A keybox is a file format used to store public keys along with meta +information and indices. The commonly used one is the file +'pubring.kbx' in the '.gnupg' directory. It contains all X.509 +certificates as well as OpenPGP keys. + +When called the standard way, e.g.: + + 'kbxutil ~/.gnupg/pubring.kbx' + +it lists all records (called blobs) with there meta-information in a +human readable format. + +To see statistics on the keybox in question, run it using + + 'kbxutil --stats ~/.gnupg/pubring.kbx' + +and you get an output like: + + Total number of blobs: 99 + header: 1 + empty: 0 + openpgp: 0 + x509: 98 + non flagged: 81 + secret flagged: 0 + ephemeral flagged: 17 + + In this example you see that the keybox does not have any OpenPGP +keys but contains 98 X.509 certificates and a total of 17 keys or +certificates are flagged as ephemeral, meaning that they are only +temporary stored (cached) in the keybox and won't get listed using the +usual commands provided by 'gpgsm' or 'gpg'. 81 certificates are stored +in a standard way and directly available from 'gpgsm'. + +To find duplicated certificates and keyblocks in a keybox file (this +should not occur but sometimes things go wrong), run it using + + 'kbxutil --find-dups ~/.gnupg/pubring.kbx' + + +File: gnupg.info, Node: Debugging Hints, Next: Common Problems, Prev: Debugging Tools, Up: Debugging + +13.2 Various hints on debugging +=============================== + + * How to find the IP address of a keyserver + + If a round robin URL of is used for a keyserver (e.g. + subkeys.gnupg.org); it is not easy to see what server is actually + used. Using the keyserver debug option as in + + gpg --keyserver-options debug=1 -v --refresh-key 1E42B367 + + is thus often helpful. Note that the actual output depends on the + backend and may change from release to release. + + * Logging on WindowsCE + + For development, the best logging method on WindowsCE is the use of + remote debugging using a log file name of 'tcp://<ip-addr>:<port>'. + The command 'watchgnupg' may be used on the remote host to listen + on the given port (*note option watchgnupg --tcp::). For in the + field tests it is better to make use of the logging facility + provided by the 'gpgcedev' driver (part of libassuan); this is + enabled by using a log file name of 'GPG2:' (*note option + --log-file::). + + +File: gnupg.info, Node: Common Problems, Next: Architecture Details, Prev: Debugging Hints, Up: Debugging + +13.3 Commonly Seen Problems +=========================== + + * Error code 'Not supported' from Dirmngr + + Most likely the option 'enable-ocsp' is active for gpgsm but + Dirmngr's OCSP feature has not been enabled using 'allow-ocsp' in + 'dirmngr.conf'. + + * The Curses based Pinentry does not work + + The far most common reason for this is that the environment + variable 'GPG_TTY' has not been set correctly. Make sure that it + has been set to a real tty device and not just to '/dev/tty'; i.e. + 'GPG_TTY=tty' is plainly wrong; what you want is 'GPG_TTY=`tty`' -- + note the back ticks. Also make sure that this environment variable + gets exported, that is you should follow up the setting with an + 'export GPG_TTY' (assuming a Bourne style shell). Even for GUI + based Pinentries; you should have set 'GPG_TTY'. See the section + on installing the 'gpg-agent' on how to do it. + + * SSH hangs while a popping up pinentry was expected + + SSH has no way to tell the gpg-agent what terminal or X display it + is running on. So when remotely logging into a box where a + gpg-agent with SSH support is running, the pinentry will get popped + up on whatever display the gpg-agent has been started. To solve + this problem you may issue the command + + echo UPDATESTARTUPTTY | gpg-connect-agent + + and the next pinentry will pop up on your display or screen. + However, you need to kill the running pinentry first because only + one pinentry may be running at once. If you plan to use ssh on a + new display you should issue the above command before invoking ssh + or any other service making use of ssh. + + * Exporting a secret key without a certificate + + It may happen that you have created a certificate request using + 'gpgsm' but not yet received and imported the certificate from the + CA. However, you want to export the secret key to another machine + right now to import the certificate over there then. You can do + this with a little trick but it requires that you know the + approximate time you created the signing request. By running the + command + + ls -ltr ~/.gnupg/private-keys-v1.d + + you get a listing of all private keys under control of 'gpg-agent'. + Pick the key which best matches the creation time and run the + command + + /usr/local/libexec/gpg-protect-tool --p12-export \ + ~/.gnupg/private-keys-v1.d/FOO >FOO.p12 + + (Please adjust the path to 'gpg-protect-tool' to the appropriate + location). FOO is the name of the key file you picked (it should + have the suffix '.key'). A Pinentry box will pop up and ask you + for the current passphrase of the key and a new passphrase to + protect it in the pkcs#12 file. + + To import the created file on the machine you use this command: + + /usr/local/libexec/gpg-protect-tool --p12-import --store FOO.p12 + + You will be asked for the pkcs#12 passphrase and a new passphrase + to protect the imported private key at its new location. + + Note that there is no easy way to match existing certificates with + stored private keys because some private keys are used for Secure + Shell or other purposes and don't have a corresponding certificate. + + * A root certificate does not verify + + A common problem is that the root certificate misses the required + basicConstraints attribute and thus 'gpgsm' rejects this + certificate. An error message indicating "no value" is a sign for + such a certificate. You may use the 'relax' flag in + 'trustlist.txt' to accept the certificate anyway. Note that the + fingerprint and this flag may only be added manually to + 'trustlist.txt'. + + * Error message: "digest algorithm N has not been enabled" + + The signature is broken. You may try the option + '--extra-digest-algo SHA256' to workaround the problem. The number + N is the internal algorithm identifier; for example 8 refers to + SHA-256. + + * The Windows version does not work under Wine + + When running the W32 version of 'gpg' under Wine you may get an + error messages like: + + gpg: fatal: WriteConsole failed: Access denied + + The solution is to use the command 'wineconsole'. + + Some operations like '--generate-key' really want to talk to the + console directly for increased security (for example to prevent the + passphrase from appearing on the screen). So, you should use + 'wineconsole' instead of 'wine', which will launch a windows + console that implements those additional features. + + * Why does GPG's -search-key list weird keys? + + For performance reasons the keyservers do not check the keys the + same way 'gpg' does. It may happen that the listing of keys + available on the keyservers shows keys with wrong user IDs or with + user Ids from other keys. If you try to import this key, the bad + keys or bad user ids won't get imported, though. This is a bit + unfortunate but we can't do anything about it without actually + downloading the keys. + + +File: gnupg.info, Node: Architecture Details, Prev: Common Problems, Up: Debugging + +13.4 How the whole thing works internally +========================================= + +* Menu: + +* Component interaction:: How the components work together. +* GnuPG-1 and GnuPG-2:: Relationship between GnuPG 1.4 and 2.x. + + +File: gnupg.info, Node: Component interaction, Next: GnuPG-1 and GnuPG-2, Up: Architecture Details + +13.4.1 How the components work together +--------------------------------------- + + + +Figure 13.1: GnuPG module overview + + +File: gnupg.info, Node: GnuPG-1 and GnuPG-2, Prev: Component interaction, Up: Architecture Details + +13.4.2 Relationship between GnuPG 1.4 and 2.x +--------------------------------------------- + +Here is a little picture showing how the different GnuPG versions make +use of a smartcard: + + + +Figure 13.2: GnuPG card architecture + + +File: gnupg.info, Node: Copying, Next: Contributors, Prev: Debugging, Up: Top + +GNU General Public License +************************** + + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/> + + Everyone is permitted to copy and distribute verbatim copies of this + license document, but changing it is not allowed. + +Preamble +======== + +The GNU General Public License is a free, copyleft license for software +and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program-to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public + License. + + "Copyright" also means copyright-like laws that apply to other + kinds of works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this + License. Each licensee is addressed as "you". "Licensees" and + "recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the + work in a fashion requiring copyright permission, other than the + making of an exact copy. The resulting work is called a "modified + version" of the earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work + based on the Program. + + To "propagate" a work means to do anything with it that, without + permission, would make you directly or secondarily liable for + infringement under applicable copyright law, except executing it on + a computer or modifying a private copy. Propagation includes + copying, distribution (with or without modification), making + available to the public, and in some countries other activities as + well. + + To "convey" a work means any kind of propagation that enables other + parties to make or receive copies. Mere interaction with a user + through a computer network, with no transfer of a copy, is not + conveying. + + An interactive user interface displays "Appropriate Legal Notices" + to the extent that it includes a convenient and prominently visible + feature that (1) displays an appropriate copyright notice, and (2) + tells the user that there is no warranty for the work (except to + the extent that warranties are provided), that licensees may convey + the work under this License, and how to view a copy of this + License. If the interface presents a list of user commands or + options, such as a menu, a prominent item in the list meets this + criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work + for making modifications to it. "Object code" means any non-source + form of a work. + + A "Standard Interface" means an interface that either is an + official standard defined by a recognized standards body, or, in + the case of interfaces specified for a particular programming + language, one that is widely used among developers working in that + language. + + The "System Libraries" of an executable work include anything, + other than the work as a whole, that (a) is included in the normal + form of packaging a Major Component, but which is not part of that + Major Component, and (b) serves only to enable use of the work with + that Major Component, or to implement a Standard Interface for + which an implementation is available to the public in source code + form. A "Major Component", in this context, means a major + essential component (kernel, window system, and so on) of the + specific operating system (if any) on which the executable work + runs, or a compiler used to produce the work, or an object code + interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all + the source code needed to generate, install, and (for an executable + work) run the object code and to modify the work, including scripts + to control those activities. However, it does not include the + work's System Libraries, or general-purpose tools or generally + available free programs which are used unmodified in performing + those activities but which are not part of the work. For example, + Corresponding Source includes interface definition files associated + with source files for the work, and the source code for shared + libraries and dynamically linked subprograms that the work is + specifically designed to require, such as by intimate data + communication or control flow between those subprograms and other + parts of the work. + + The Corresponding Source need not include anything that users can + regenerate automatically from other parts of the Corresponding + Source. + + The Corresponding Source for a work in source code form is that + same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of + copyright on the Program, and are irrevocable provided the stated + conditions are met. This License explicitly affirms your unlimited + permission to run the unmodified Program. The output from running + a covered work is covered by this License only if the output, given + its content, constitutes a covered work. This License acknowledges + your rights of fair use or other equivalent, as provided by + copyright law. + + You may make, run and propagate covered works that you do not + convey, without conditions so long as your license otherwise + remains in force. You may convey covered works to others for the + sole purpose of having them make modifications exclusively for you, + or provide you with facilities for running those works, provided + that you comply with the terms of this License in conveying all + material for which you do not control copyright. Those thus making + or running the covered works for you must do so exclusively on your + behalf, under your direction and control, on terms that prohibit + them from making any copies of your copyrighted material outside + their relationship with you. + + Conveying under any other circumstances is permitted solely under + the conditions stated below. Sublicensing is not allowed; section + 10 makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological + measure under any applicable law fulfilling obligations under + article 11 of the WIPO copyright treaty adopted on 20 December + 1996, or similar laws prohibiting or restricting circumvention of + such measures. + + When you convey a covered work, you waive any legal power to forbid + circumvention of technological measures to the extent such + circumvention is effected by exercising rights under this License + with respect to the covered work, and you disclaim any intention to + limit operation or modification of the work as a means of + enforcing, against the work's users, your or third parties' legal + rights to forbid circumvention of technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you + receive it, in any medium, provided that you conspicuously and + appropriately publish on each copy an appropriate copyright notice; + keep intact all notices stating that this License and any + non-permissive terms added in accord with section 7 apply to the + code; keep intact all notices of the absence of any warranty; and + give all recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, + and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to + produce it from the Program, in the form of source code under the + terms of section 4, provided that you also meet all of these + conditions: + + a. The work must carry prominent notices stating that you + modified it, and giving a relevant date. + + b. The work must carry prominent notices stating that it is + released under this License and any conditions added under + section 7. This requirement modifies the requirement in + section 4 to "keep intact all notices". + + c. You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable + section 7 additional terms, to the whole of the work, and all + its parts, regardless of how they are packaged. This License + gives no permission to license the work in any other way, but + it does not invalidate such permission if you have separately + received it. + + d. If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has + interactive interfaces that do not display Appropriate Legal + Notices, your work need not make them do so. + + A compilation of a covered work with other separate and independent + works, which are not by their nature extensions of the covered + work, and which are not combined with it such as to form a larger + program, in or on a volume of a storage or distribution medium, is + called an "aggregate" if the compilation and its resulting + copyright are not used to limit the access or legal rights of the + compilation's users beyond what the individual works permit. + Inclusion of a covered work in an aggregate does not cause this + License to apply to the other parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms + of sections 4 and 5, provided that you also convey the + machine-readable Corresponding Source under the terms of this + License, in one of these ways: + + a. Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b. Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that + product model, to give anyone who possesses the object code + either (1) a copy of the Corresponding Source for all the + software in the product that is covered by this License, on a + durable physical medium customarily used for software + interchange, for a price no more than your reasonable cost of + physically performing this conveying of source, or (2) access + to copy the Corresponding Source from a network server at no + charge. + + c. Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, + and only if you received the object code with such an offer, + in accord with subsection 6b. + + d. Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to + the Corresponding Source in the same way through the same + place at no further charge. You need not require recipients + to copy the Corresponding Source along with the object code. + If the place to copy the object code is a network server, the + Corresponding Source may be on a different server (operated by + you or a third party) that supports equivalent copying + facilities, provided you maintain clear directions next to the + object code saying where to find the Corresponding Source. + Regardless of what server hosts the Corresponding Source, you + remain obligated to ensure that it is available for as long as + needed to satisfy these requirements. + + e. Convey the object code using peer-to-peer transmission, + provided you inform other peers where the object code and + Corresponding Source of the work are being offered to the + general public at no charge under subsection 6d. + + A separable portion of the object code, whose source code is + excluded from the Corresponding Source as a System Library, need + not be included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means + any tangible personal property which is normally used for personal, + family, or household purposes, or (2) anything designed or sold for + incorporation into a dwelling. In determining whether a product is + a consumer product, doubtful cases shall be resolved in favor of + coverage. For a particular product received by a particular user, + "normally used" refers to a typical or common use of that class of + product, regardless of the status of the particular user or of the + way in which the particular user actually uses, or expects or is + expected to use, the product. A product is a consumer product + regardless of whether the product has substantial commercial, + industrial or non-consumer uses, unless such uses represent the + only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, + procedures, authorization keys, or other information required to + install and execute modified versions of a covered work in that + User Product from a modified version of its Corresponding Source. + The information must suffice to ensure that the continued + functioning of the modified object code is in no case prevented or + interfered with solely because modification has been made. + + If you convey an object code work under this section in, or with, + or specifically for use in, a User Product, and the conveying + occurs as part of a transaction in which the right of possession + and use of the User Product is transferred to the recipient in + perpetuity or for a fixed term (regardless of how the transaction + is characterized), the Corresponding Source conveyed under this + section must be accompanied by the Installation Information. But + this requirement does not apply if neither you nor any third party + retains the ability to install modified object code on the User + Product (for example, the work has been installed in ROM). + + The requirement to provide Installation Information does not + include a requirement to continue to provide support service, + warranty, or updates for a work that has been modified or installed + by the recipient, or for the User Product in which it has been + modified or installed. Access to a network may be denied when the + modification itself materially and adversely affects the operation + of the network or violates the rules and protocols for + communication across the network. + + Corresponding Source conveyed, and Installation Information + provided, in accord with this section must be in a format that is + publicly documented (and with an implementation available to the + public in source code form), and must require no special password + or key for unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of + this License by making exceptions from one or more of its + conditions. Additional permissions that are applicable to the + entire Program shall be treated as though they were included in + this License, to the extent that they are valid under applicable + law. If additional permissions apply only to part of the Program, + that part may be used separately under those permissions, but the + entire Program remains governed by this License without regard to + the additional permissions. + + When you convey a copy of a covered work, you may at your option + remove any additional permissions from that copy, or from any part + of it. (Additional permissions may be written to require their own + removal in certain cases when you modify the work.) You may place + additional permissions on material, added by you to a covered work, + for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material + you add to a covered work, you may (if authorized by the copyright + holders of that material) supplement the terms of this License with + terms: + + a. Disclaiming warranty or limiting liability differently from + the terms of sections 15 and 16 of this License; or + + b. Requiring preservation of specified reasonable legal notices + or author attributions in that material or in the Appropriate + Legal Notices displayed by works containing it; or + + c. Prohibiting misrepresentation of the origin of that material, + or requiring that modified versions of such material be marked + in reasonable ways as different from the original version; or + + d. Limiting the use for publicity purposes of names of licensors + or authors of the material; or + + e. Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f. Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified + versions of it) with contractual assumptions of liability to + the recipient, for any liability that these contractual + assumptions directly impose on those licensors and authors. + + All other non-permissive additional terms are considered "further + restrictions" within the meaning of section 10. If the Program as + you received it, or any part of it, contains a notice stating that + it is governed by this License along with a term that is a further + restriction, you may remove that term. If a license document + contains a further restriction but permits relicensing or conveying + under this License, you may add to a covered work material governed + by the terms of that license document, provided that the further + restriction does not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you + must place, in the relevant source files, a statement of the + additional terms that apply to those files, or a notice indicating + where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in + the form of a separately written license, or stated as exceptions; + the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly + provided under this License. Any attempt otherwise to propagate or + modify it is void, and will automatically terminate your rights + under this License (including any patent licenses granted under the + third paragraph of section 11). + + However, if you cease all violation of this License, then your + license from a particular copyright holder is reinstated (a) + provisionally, unless and until the copyright holder explicitly and + finally terminates your license, and (b) permanently, if the + copyright holder fails to notify you of the violation by some + reasonable means prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is + reinstated permanently if the copyright holder notifies you of the + violation by some reasonable means, this is the first time you have + received notice of violation of this License (for any work) from + that copyright holder, and you cure the violation prior to 30 days + after your receipt of the notice. + + Termination of your rights under this section does not terminate + the licenses of parties who have received copies or rights from you + under this License. If your rights have been terminated and not + permanently reinstated, you do not qualify to receive new licenses + for the same material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or + run a copy of the Program. Ancillary propagation of a covered work + occurring solely as a consequence of using peer-to-peer + transmission to receive a copy likewise does not require + acceptance. However, nothing other than this License grants you + permission to propagate or modify any covered work. These actions + infringe copyright if you do not accept this License. Therefore, + by modifying or propagating a covered work, you indicate your + acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically + receives a license from the original licensors, to run, modify and + propagate that work, subject to this License. You are not + responsible for enforcing compliance by third parties with this + License. + + An "entity transaction" is a transaction transferring control of an + organization, or substantially all assets of one, or subdividing an + organization, or merging organizations. If propagation of a + covered work results from an entity transaction, each party to that + transaction who receives a copy of the work also receives whatever + licenses to the work the party's predecessor in interest had or + could give under the previous paragraph, plus a right to possession + of the Corresponding Source of the work from the predecessor in + interest, if the predecessor has it or can get it with reasonable + efforts. + + You may not impose any further restrictions on the exercise of the + rights granted or affirmed under this License. For example, you + may not impose a license fee, royalty, or other charge for exercise + of rights granted under this License, and you may not initiate + litigation (including a cross-claim or counterclaim in a lawsuit) + alleging that any patent claim is infringed by making, using, + selling, offering for sale, or importing the Program or any portion + of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this + License of the Program or a work on which the Program is based. + The work thus licensed is called the contributor's "contributor + version". + + A contributor's "essential patent claims" are all patent claims + owned or controlled by the contributor, whether already acquired or + hereafter acquired, that would be infringed by some manner, + permitted by this License, of making, using, or selling its + contributor version, but do not include claims that would be + infringed only as a consequence of further modification of the + contributor version. For purposes of this definition, "control" + includes the right to grant patent sublicenses in a manner + consistent with the requirements of this License. + + Each contributor grants you a non-exclusive, worldwide, + royalty-free patent license under the contributor's essential + patent claims, to make, use, sell, offer for sale, import and + otherwise run, modify and propagate the contents of its contributor + version. + + In the following three paragraphs, a "patent license" is any + express agreement or commitment, however denominated, not to + enforce a patent (such as an express permission to practice a + patent or covenant not to sue for patent infringement). To "grant" + such a patent license to a party means to make such an agreement or + commitment not to enforce a patent against the party. + + If you convey a covered work, knowingly relying on a patent + license, and the Corresponding Source of the work is not available + for anyone to copy, free of charge and under the terms of this + License, through a publicly available network server or other + readily accessible means, then you must either (1) cause the + Corresponding Source to be so available, or (2) arrange to deprive + yourself of the benefit of the patent license for this particular + work, or (3) arrange, in a manner consistent with the requirements + of this License, to extend the patent license to downstream + recipients. "Knowingly relying" means you have actual knowledge + that, but for the patent license, your conveying the covered work + in a country, or your recipient's use of the covered work in a + country, would infringe one or more identifiable patents in that + country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or + arrangement, you convey, or propagate by procuring conveyance of, a + covered work, and grant a patent license to some of the parties + receiving the covered work authorizing them to use, propagate, + modify or convey a specific copy of the covered work, then the + patent license you grant is automatically extended to all + recipients of the covered work and works based on it. + + A patent license is "discriminatory" if it does not include within + the scope of its coverage, prohibits the exercise of, or is + conditioned on the non-exercise of one or more of the rights that + are specifically granted under this License. You may not convey a + covered work if you are a party to an arrangement with a third + party that is in the business of distributing software, under which + you make payment to the third party based on the extent of your + activity of conveying the work, and under which the third party + grants, to any of the parties who would receive the covered work + from you, a discriminatory patent license (a) in connection with + copies of the covered work conveyed by you (or copies made from + those copies), or (b) primarily for and in connection with specific + products or compilations that contain the covered work, unless you + entered into that arrangement, or that patent license was granted, + prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting + any implied license or other defenses to infringement that may + otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement + or otherwise) that contradict the conditions of this License, they + do not excuse you from the conditions of this License. If you + cannot convey a covered work so as to satisfy simultaneously your + obligations under this License and any other pertinent obligations, + then as a consequence you may not convey it at all. For example, + if you agree to terms that obligate you to collect a royalty for + further conveying from those to whom you convey the Program, the + only way you could satisfy both those terms and this License would + be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have + permission to link or combine any covered work with a work licensed + under version 3 of the GNU Affero General Public License into a + single combined work, and to convey the resulting work. The terms + of this License will continue to apply to the part which is the + covered work, but the special requirements of the GNU Affero + General Public License, section 13, concerning interaction through + a network will apply to the combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new + versions of the GNU General Public License from time to time. Such + new versions will be similar in spirit to the present version, but + may differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the + Program specifies that a certain numbered version of the GNU + General Public License "or any later version" applies to it, you + have the option of following the terms and conditions either of + that numbered version or of any later version published by the Free + Software Foundation. If the Program does not specify a version + number of the GNU General Public License, you may choose any + version ever published by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future + versions of the GNU General Public License can be used, that + proxy's public statement of acceptance of a version permanently + authorizes you to choose that version for the Program. + + Later license versions may give you additional or different + permissions. However, no additional obligations are imposed on any + author or copyright holder as a result of your choosing to follow a + later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY + APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE + COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" + WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE + RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. + SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL + NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN + WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES + AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR + DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR + CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE + THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA + BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD + PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER + PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF + THE POSSIBILITY OF SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided + above cannot be given local legal effect according to their terms, + reviewing courts shall apply local law that most closely + approximates an absolute waiver of all civil liability in + connection with the Program, unless a warranty or assumption of + liability accompanies a copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + +How to Apply These Terms to Your New Programs +============================================= + +If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these +terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least the +"copyright" line and a pointer to where the full notice is found. + + ONE LINE TO GIVE THE PROGRAM'S NAME AND A BRIEF IDEA OF WHAT IT DOES. + Copyright (C) YEAR NAME OF AUTHOR + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or (at + your option) any later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. + +Also add information on how to contact you by electronic and paper mail. + +If the program does terminal interaction, make it output a short notice +like this when it starts in an interactive mode: + + PROGRAM Copyright (C) YEAR NAME OF AUTHOR + This program comes with ABSOLUTELY NO WARRANTY; for details + type 'show w'. This is free software, and you are + welcome to redistribute it under certain conditions; + type 'show c' for details. + + The hypothetical commands 'show w' and 'show c' should show the +appropriate parts of the General Public License. Of course, your +program's commands might be different; for a GUI interface, you would +use an "about box". + + You should also get your employer (if you work as a programmer) or +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. For more information on this, and how to apply and follow +the GNU GPL, see <https://www.gnu.org/licenses/>. + + The GNU General Public License does not permit incorporating your +program into proprietary programs. If your program is a subroutine +library, you may consider it more useful to permit linking proprietary +applications with the library. If this is what you want to do, use the +GNU Lesser General Public License instead of this License. But first, +please read <https://www.gnu.org/philosophy/why-not-lgpl.html>. + + +File: gnupg.info, Node: Contributors, Next: Glossary, Prev: Copying, Up: Top + +Contributors to GnuPG +********************* + +The GnuPG project would like to thank its many contributors. Without +them the project would not have been nearly as successful as it has +been. Any omissions in this list are accidental. Feel free to contact +the maintainer if you have been left out or some of your contributions +are not listed. + + David Shaw, Matthew Skala, Michael Roth, Niklas Hernaeus, Nils +Ellmenreich, Rémi Guyomarch, Stefan Bellon, Timo Schulz and Werner Koch +wrote the code. Birger Langkjer, Daniel Resare, Dokianakis Theofanis, +Edmund GRIMLEY EVANS, Gaël Quéri, Gregory Steuck, Nagy Ferenc +László, Ivo Timmermans, Jacobo Tarri'o Barreiro, Janusz Aleksander +Urbanowicz, Jedi Lin, Jouni Hiltunen, Laurentiu Buzdugan, Magda +Procha'zkova', Michael Anckaert, Michal Majer, Marco d'Itri, Nilgun +Belma Buguner, Pedro Morais, Tedi Heriyanto, Thiago Jung Bauermann, +Rafael Caetano dos Santos, Toomas Soome, Urko Lusa, Walter Koch, Yosiaki +IIDA did the official translations. Mike Ashley wrote and maintains the +GNU Privacy Handbook. David Scribner is the current FAQ editor. +Lorenzo Cappelletti maintains the web site. + + The new modularized architecture of gnupg 1.9 as well as the +X.509/CMS part has been developed as part of the Ägypten project. +Direct contributors to this project are: Bernhard Herzog, who did +extensive testing and tracked down a lot of bugs. Bernhard Reiter, who +made sure that we met the specifications and the deadlines. He did +extensive testing and came up with a lot of suggestions. Jan-Oliver +Wagner made sure that we met the specifications and the deadlines. He +also did extensive testing and came up with a lot of suggestions. +Karl-Heinz Zimmer and Marc Mutz had to struggle with all the bugs and +misconceptions while working on KDE integration. Marcus Brinkman +extended GPGME, cleaned up the Assuan code and fixed bugs all over the +place. Moritz Schulte took over Libgcrypt maintenance and developed it +into a stable an useful library. Steffen Hansen had a hard time to +write the dirmngr due to underspecified interfaces. Thomas Koester did +extensive testing and tracked down a lot of bugs. Werner Koch designed +the system and wrote most of the code. + + The following people helped greatly by suggesting improvements, +testing, fixing bugs, providing resources and doing other important +tasks: Adam Mitchell, Albert Chin, Alec Habig, Allan Clark, Anand +Kumria, Andreas Haumer, Anthony Mulcahy, Ariel T Glenn, Bob Mathews, +Bodo Moeller, Brendan O'Dea, Brenno de Winter, Brian M. Carlson, Brian +Moore, Brian Warner, Bryan Fullerton, Caskey L. Dickson, Cees van de +Griend, Charles Levert, Chip Salzenberg, Chris Adams, Christian Biere, +Christian Kurz, Christian von Roques, Christopher Oliver, Christian +Recktenwald, Dan Winship, Daniel Eisenbud, Daniel Koening, Dave Dykstra, +David C Niemi, David Champion, David Ellement, David Hallinan, David +Hollenberg, David Mathog, David R. Bergstein, Detlef Lannert, Dimitri, +Dirk Lattermann, Dirk Meyer, Disastry, Douglas Calvert, Ed Boraas, +Edmund GRIMLEY EVANS, Edwin Woudt, Enzo Michelangeli, Ernst Molitor, +Fabio Coatti, Felix von Leitner, fish stiqz, Florian Weimer, Francesco +Potorti, Frank Donahoe, Frank Heckenbach, Frank Stajano, Frank Tobin, +Gabriel Rosenkoetter, Gaël Quéri, Gene Carter, Geoff Keating, Georg +Schwarz, Giampaolo Tomassoni, Gilbert Fernandes, Greg Louis, Greg +Troxel, Gregory Steuck, Gregery Barton, Harald Denker, Holger Baust, +Hendrik Buschkamp, Holger Schurig, Holger Smolinski, Holger Trapp, Hugh +Daniel, Huy Le, Ian McKellar, Ivo Timmermans, Jan Krueger, Jan +Niehusmann, Janusz A. Urbanowicz, James Troup, Jean-loup Gailly, Jeff +Long, Jeffery Von Ronne, Jens Bachem, Jeroen C. van Gelderen, J Horacio +MG, J. Michael Ashley, Jim Bauer, Jim Small, Joachim Backes, Joe Rhett, +John A. Martin, Johnny Teveßen, Jörg Schilling, Jos Backus, Joseph +Walton, Juan F. Codagnone, Jun Kuriyama, Kahil D. Jallad, Karl Fogel, +Karsten Thygesen, Katsuhiro Kondou, Kazu Yamamoto, Keith Clayton, Kevin +Ryde, Klaus Singvogel, Kurt Garloff, Lars Kellogg-Stedman, L. Sassaman, +M Taylor, Marcel Waldvogel, Marco d'Itri, Marco Parrone, Marcus +Brinkmann, Mark Adler, Mark Elbrecht, Mark Pettit, Markus Friedl, Martin +Kahlert, Martin Hamilton, Martin Schulte, Matt Kraai, Matthew Skala, +Matthew Wilcox, Matthias Urlichs, Max Valianskiy, Michael Engels, +Michael Fischer v. Mollard, Michael Roth, Michael Sobolev, Michael +Tokarev, Nicolas Graner, Mike McEwan, Neal H Walfield, Nelson H. F. +Beebe, NIIBE Yutaka, Niklas Hernaeus, Nimrod Zimerman, N J Doye, Oliver +Haakert, Oskari Jääskeläinen, Pascal Scheffers, Paul D. Smith, Per +Cederqvist, Phil Blundell, Philippe Laliberte, Peter Fales, Peter +Gutmann, Peter Marschall, Peter Valchev, Piotr Krukowiecki, QingLong, +Ralph Gillen, Rat, Reinhard Wobst, Rémi Guyomarch, Reuben Sumner, +Richard Outerbridge, Robert Joop, Roddy Strachan, Roger Sondermann, +Roland Rosenfeld, Roman Pavlik, Ross Golder, Ryan Malayter, Sam Roberts, +Sami Tolvanen, Sean MacLennan, Sebastian Klemke, Serge Munhoven, SL +Baur, Stefan Bellon, Dr.Stefan.Dalibor, Stefan Karrmann, Stefan Keller, +Steffen Ullrich, Steffen Zahn, Steven Bakker, Steven Murdoch, Susanne +Schultz, Ted Cabeen, Thiago Jung Bauermann, Thijmen Klok, Thomas +Roessler, Tim Mooney, Timo Schulz, Todd Vierling, TOGAWA Satoshi, Tom +Spindler, Tom Zerucha, Tomas Fasth, Tommi Komulainen, Thomas Klausner, +Tomasz Kozlowski, Thomas Mikkelsen, Ulf Möller, Urko Lusa, Vincent P. +Broman, Volker Quetschke, W Lewis, Walter Hofmann, Walter Koch, Wayne +Chapeskie, Wim Vandeputte, Winona Brown, Yosiaki IIDA, Yoshihiro Kajiki +and Gerlinde Klaes. + + This software has been made possible by the previous work of Chris +Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellman, Paul +Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson, Taher +Elgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA +mathematicians and all the folks who have worked hard to create complete +and free operating systems. + + And finally we'd like to thank everyone who uses these tools, submits +bug reports and generally reminds us why we're doing this work in the +first place. + + +File: gnupg.info, Node: Glossary, Next: Option Index, Prev: Contributors, Up: Top + +Glossary +******** + +'ARL' + The _Authority Revocation List_ is technical identical to a CRL but + used for CAs and not for end user certificates. + +'Chain model' + Verification model for X.509 which uses the creation date of a + signature as the date the validation starts and in turn checks that + each certificate has been issued within the time frame, the issuing + certificate was valid. This allows the verification of signatures + after the CA's certificate expired. The validation test also + required an online check of the certificate status. The chain + model is required by the German signature law. See also _Shell + model_. + +'CMS' + The _Cryptographic Message Standard_ describes a message format for + encryption and digital signing. It is closely related to the X.509 + certificate format. CMS was formerly known under the name 'PKCS#7' + and is described by 'RFC3369'. + +'CRL' + The _Certificate Revocation List_ is a list containing certificates + revoked by the issuer. + +'CSR' + The _Certificate Signing Request_ is a message send to a CA to ask + them to issue a new certificate. The data format of such a signing + request is called PCKS#10. + +'OpenPGP' + A data format used to build a PKI and to exchange encrypted or + signed messages. In contrast to X.509, OpenPGP also includes the + message format but does not explicitly demand a specific PKI. + However any kind of PKI may be build upon the OpenPGP protocol. + +'Keygrip' + This term is used by GnuPG to describe a 20 byte hash value used to + identify a certain key without referencing to a concrete protocol. + It is used internally to access a private key. Usually it is shown + and entered as a 40 character hexadecimal formatted string. + +'OCSP' + The _Online Certificate Status Protocol_ is used as an alternative + to a CRL. It is described in 'RFC 2560'. + +'PSE' + The _Personal Security Environment_ describes a database to store + private keys. This is either a smartcard or a collection of files + on a disk; the latter is often called a Soft-PSE. + +'Shell model' + The standard model for validation of certificates under X.509. At + the time of the verification all certificates must be valid and not + expired. See also _Chain model_. + +'X.509' + Description of a PKI used with CMS. It is for example defined by + 'RFC3280'. + + +File: gnupg.info, Node: Option Index, Next: Environment Index, Prev: Glossary, Up: Top + +Option Index +************ + + +* Menu: + +* --override-compliance-check: GPG Esoteric Options. + (line 424) +* add-servers: Dirmngr Options. (line 313) +* agent-program: GPG Configuration Options. + (line 755) +* agent-program <1>: Configuration Options. + (line 53) +* agent-program <2>: Invoking gpg-connect-agent. + (line 42) +* allow-admin: Scdaemon Options. (line 204) +* allow-emacs-pinentry: Agent Options. (line 206) +* allow-freeform-uid: GPG Esoteric Options. + (line 367) +* allow-loopback-pinentry: Agent Options. (line 188) +* allow-multiple-messages: GPG Esoteric Options. + (line 560) +* allow-non-selfsigned-uid: GPG Esoteric Options. + (line 362) +* allow-ocsp: Dirmngr Options. (line 330) +* allow-preset-passphrase: Agent Options. (line 183) +* allow-secret-key-import: GPG Esoteric Options. + (line 556) +* allow-version-check: Dirmngr Options. (line 138) +* allow-weak-digest-algos: GPG Esoteric Options. + (line 403) +* allow-weak-key-signatures: GPG Esoteric Options. + (line 419) +* always-trust: Deprecated Options. (line 21) +* armor: GPG Input and Output. + (line 8) +* armor <1>: Input and Output. (line 8) +* ask-cert-expire: GPG Esoteric Options. + (line 521) +* ask-cert-level: GPG Configuration Options. + (line 360) +* ask-sig-expire: GPG Esoteric Options. + (line 507) +* assume-armor: Input and Output. (line 14) +* assume-base64: Input and Output. (line 18) +* assume-binary: Input and Output. (line 21) +* attribute-fd: GPG Esoteric Options. + (line 92) +* attribute-file: GPG Esoteric Options. + (line 98) +* auto-check-trustdb: GPG Configuration Options. + (line 742) +* auto-expand-secmem: Agent Options. (line 456) +* auto-issuer-key-retrieve: Certificate Options. (line 62) +* auto-key-import: GPG Configuration Options. + (line 578) +* auto-key-locate: GPG Configuration Options. + (line 509) +* auto-key-retrieve: GPG Configuration Options. + (line 590) +* base64: Input and Output. (line 11) +* batch: Agent Options. (line 48) +* batch <1>: GPG Configuration Options. + (line 45) +* batch <2>: gpgtar. (line 104) +* blacklist: gpg-wks-client. (line 126) +* bzip2-compress-level: GPG Configuration Options. + (line 334) +* bzip2-decompress-lowmem: GPG Configuration Options. + (line 344) +* c: Dirmngr Options. (line 87) +* cache-cert: dirmngr-client. (line 72) +* call-dirmngr: Operational GPGSM Commands. + (line 27) +* call-protect-tool: Operational GPGSM Commands. + (line 41) +* card-edit: Operational GPG Commands. + (line 210) +* card-status: Operational GPG Commands. + (line 216) +* card-timeout: Scdaemon Options. (line 180) +* cert-digest-algo: GPG Esoteric Options. + (line 238) +* cert-notation: GPG Esoteric Options. + (line 124) +* cert-policy-url: GPG Esoteric Options. + (line 160) +* change-passphrase: OpenPGP Key Management. + (line 452) +* change-passphrase <1>: Certificate Management. + (line 109) +* change-pin: Operational GPG Commands. + (line 219) +* check: gpg-check-pattern. (line 56) +* check-passphrase-pattern: Agent Options. (line 260) +* check-signatures: Operational GPG Commands. + (line 140) +* check-sigs: Operational GPG Commands. + (line 141) +* check-sym-passphrase-pattern: Agent Options. (line 260) +* check-trustdb: Operational GPG Commands. + (line 349) +* cipher-algo: GPG Esoteric Options. + (line 199) +* cipher-algo <1>: CMS Options. (line 13) +* clear-sign: Operational GPG Commands. + (line 17) +* clearsign: Operational GPG Commands. + (line 18) +* cms: gpgtar. (line 99) +* command-fd: GPG Esoteric Options. + (line 350) +* command-file: GPG Esoteric Options. + (line 357) +* comment: GPG Esoteric Options. + (line 103) +* compatibility-flags: Esoteric Options. (line 57) +* compliance: Compliance Options. (line 67) +* compliance <1>: Esoteric Options. (line 18) +* compliant-needed: GPG Configuration Options. + (line 717) +* compress-algo: GPG Esoteric Options. + (line 215) +* compress-level: GPG Configuration Options. + (line 334) +* connect-quick-timeout: Dirmngr Options. (line 125) +* connect-timeout: Dirmngr Options. (line 125) +* create: gpgtar. (line 16) +* create-socketdir: Invoking gpgconf. (line 96) +* csh: Agent Options. (line 146) +* csh <1>: Dirmngr Options. (line 87) +* ctapi-driver: Scdaemon Options. (line 157) +* daemon: Agent Commands. (line 27) +* daemon <1>: Dirmngr Commands. (line 27) +* daemon <2>: Scdaemon Commands. (line 31) +* dearmor: Operational GPG Commands. + (line 403) +* debug: Agent Options. (line 82) +* debug <1>: Dirmngr Options. (line 59) +* debug <2>: GPG Esoteric Options. + (line 47) +* debug <3>: Esoteric Options. (line 90) +* debug <4>: Scdaemon Options. (line 69) +* debug-all: Agent Options. (line 106) +* debug-all <1>: Dirmngr Options. (line 66) +* debug-all <2>: GPG Esoteric Options. + (line 53) +* debug-all <3>: Esoteric Options. (line 117) +* debug-all <4>: Scdaemon Options. (line 96) +* debug-allow-core-dump: Esoteric Options. (line 120) +* debug-allow-core-dump <1>: Scdaemon Options. (line 113) +* debug-assuan-log-cats: Scdaemon Options. (line 122) +* debug-disable-ticker: Scdaemon Options. (line 109) +* debug-ignore-expiration: Esoteric Options. (line 131) +* debug-iolbf: GPG Esoteric Options. + (line 56) +* debug-level: Agent Options. (line 57) +* debug-level <1>: Dirmngr Options. (line 34) +* debug-level <2>: GPG Esoteric Options. + (line 22) +* debug-level <3>: Esoteric Options. (line 65) +* debug-level <4>: Scdaemon Options. (line 40) +* debug-log-tid: Scdaemon Options. (line 119) +* debug-no-chain-validation: Esoteric Options. (line 127) +* debug-pinentry: Agent Options. (line 126) +* debug-quick-random: Agent Options. (line 114) +* debug-wait: Agent Options. (line 109) +* debug-wait <1>: Dirmngr Options. (line 74) +* debug-wait <2>: Scdaemon Options. (line 99) +* debug-wait <3>: Scdaemon Options. (line 104) +* decode: Invoking gpg-connect-agent. + (line 95) +* decrypt: Operational GPG Commands. + (line 59) +* decrypt <1>: Operational GPGSM Commands. + (line 11) +* decrypt <2>: gpgtar. (line 29) +* decrypt-files: Operational GPG Commands. + (line 114) +* default-cache-ttl: Agent Options. (line 217) +* default-cache-ttl <1>: Agent Options. (line 226) +* default-cert-expire: GPG Esoteric Options. + (line 527) +* default-cert-level: GPG Configuration Options. + (line 368) +* default-key: GPG Configuration Options. + (line 10) +* default-key <1>: Input and Output. (line 34) +* default-keyserver-url: GPG Esoteric Options. + (line 589) +* default-new-key-algo STRING: GPG Esoteric Options. + (line 534) +* default-preference-list: GPG Esoteric Options. + (line 584) +* default-recipient: GPG Configuration Options. + (line 19) +* default-recipient-self: GPG Configuration Options. + (line 23) +* default-sig-expire: GPG Esoteric Options. + (line 513) +* delete-keys: Operational GPG Commands. + (line 224) +* delete-keys <1>: Certificate Management. + (line 60) +* delete-secret-and-public-key: Operational GPG Commands. + (line 244) +* delete-secret-keys: Operational GPG Commands. + (line 233) +* deny-admin: Scdaemon Options. (line 204) +* desig-revoke: OpenPGP Key Management. + (line 134) +* detach-sign: Operational GPG Commands. + (line 28) +* digest-algo: GPG Esoteric Options. + (line 208) +* directory: gpgtar. (line 76) +* directory <1>: gpg-wks-client. (line 122) +* directory <2>: gpg-wks-server. (line 50) +* dirmngr: Invoking gpg-connect-agent. + (line 54) +* dirmngr-program: GPG Configuration Options. + (line 762) +* dirmngr-program <1>: Configuration Options. + (line 59) +* dirmngr-program <2>: Invoking gpg-connect-agent. + (line 49) +* disable-application: Scdaemon Options. (line 214) +* disable-ccid: Scdaemon Options. (line 162) +* disable-check-own-socket: Agent Options. (line 342) +* disable-check-own-socket <1>: Dirmngr Options. (line 79) +* disable-cipher-algo: GPG Esoteric Options. + (line 246) +* disable-crl-checks: Certificate Options. (line 13) +* disable-dsa2: GPG Configuration Options. + (line 196) +* disable-extended-key-format: Agent Options. (line 388) +* disable-http: Dirmngr Options. (line 217) +* disable-ipv4: Dirmngr Options. (line 211) +* disable-ipv6: Dirmngr Options. (line 211) +* disable-large-rsa: GPG Configuration Options. + (line 187) +* disable-ldap: Dirmngr Options. (line 214) +* disable-mdc: OpenPGP Options. (line 25) +* disable-ocsp: Certificate Options. (line 53) +* disable-pinpad: Scdaemon Options. (line 201) +* disable-policy-checks: Certificate Options. (line 8) +* disable-pubkey-algo: GPG Esoteric Options. + (line 251) +* disable-scdaemon: Agent Options. (line 336) +* disable-signer-uid: OpenPGP Options. (line 31) +* disable-trusted-cert-crl-check: Certificate Options. (line 24) +* display: Agent Options. (line 360) +* display-charset: GPG Configuration Options. + (line 281) +* display-charset:iso-8859-1: GPG Configuration Options. + (line 291) +* display-charset:iso-8859-15: GPG Configuration Options. + (line 297) +* display-charset:iso-8859-2: GPG Configuration Options. + (line 294) +* display-charset:koi8-r: GPG Configuration Options. + (line 300) +* display-charset:utf-8: GPG Configuration Options. + (line 303) +* dry-run: GPG Esoteric Options. + (line 8) +* dry-run <1>: gpgtar. (line 72) +* dump-cert: Certificate Management. + (line 36) +* dump-chain: Certificate Management. + (line 40) +* dump-external-keys: Certificate Management. + (line 47) +* dump-keys: Certificate Management. + (line 36) +* dump-options: Agent Commands. (line 19) +* dump-options <1>: Dirmngr Commands. (line 18) +* dump-options <2>: General GPG Commands. + (line 20) +* dump-options <3>: General GPGSM Commands. + (line 19) +* dump-options <4>: Scdaemon Commands. (line 18) +* dump-secret-keys: Certificate Management. + (line 43) +* edit-card: Operational GPG Commands. + (line 209) +* edit-key: OpenPGP Key Management. + (line 139) +* emit-version: GPG Esoteric Options. + (line 114) +* enable-crl-checks: Certificate Options. (line 13) +* enable-dsa2: GPG Configuration Options. + (line 196) +* enable-extended-key-format: Agent Options. (line 388) +* enable-issuer-based-crl-check: Certificate Options. (line 45) +* enable-large-rsa: GPG Configuration Options. + (line 187) +* enable-ocsp: Certificate Options. (line 53) +* enable-passphrase-history: Agent Options. (line 283) +* enable-pinpad-varlen: Scdaemon Options. (line 193) +* enable-policy-checks: Certificate Options. (line 8) +* enable-progress-filter: GPG Esoteric Options. + (line 69) +* enable-putty-support: Agent Options. (line 402) +* enable-special-filenames: GPG Esoteric Options. + (line 571) +* enable-special-filenames <1>: gpgv. (line 97) +* enable-ssh-support: Agent Options. (line 402) +* enable-trusted-cert-crl-check: Certificate Options. (line 24) +* enarmor: Operational GPG Commands. + (line 403) +* encrypt: Operational GPG Commands. + (line 32) +* encrypt <1>: Operational GPGSM Commands. + (line 7) +* encrypt <2>: gpgtar. (line 23) +* encrypt-files: Operational GPG Commands. + (line 111) +* encrypt-to: GPG Key related Options. + (line 35) +* enforce-passphrase-constraints: Agent Options. (line 244) +* escape-from-lines: GPG Esoteric Options. + (line 276) +* exec: Invoking gpg-connect-agent. + (line 65) +* exec-path: GPG Configuration Options. + (line 225) +* exit-on-status-write-error: GPG Configuration Options. + (line 791) +* expert: GPG Configuration Options. + (line 846) +* export: Operational GPG Commands. + (line 250) +* export <1>: Certificate Management. + (line 69) +* export-filter: GPG Input and Output. + (line 131) +* export-options: GPG Input and Output. + (line 220) +* export-ownertrust: Operational GPG Commands. + (line 364) +* export-secret-key-p12: Certificate Management. + (line 82) +* export-secret-key-p8: Certificate Management. + (line 91) +* export-secret-key-raw: Certificate Management. + (line 91) +* export-secret-keys: Operational GPG Commands. + (line 268) +* export-secret-subkeys: Operational GPG Commands. + (line 268) +* export-ssh-key: Operational GPG Commands. + (line 290) +* extra-digest-algo: Esoteric Options. (line 7) +* extra-socket: Agent Options. (line 374) +* extract: gpgtar. (line 19) +* faked-system-time: Agent Options. (line 52) +* faked-system-time <1>: GPG Esoteric Options. + (line 60) +* faked-system-time <2>: Esoteric Options. (line 46) +* fast-list-mode: GPG Esoteric Options. + (line 462) +* fetch-crl: Dirmngr Commands. (line 52) +* fetch-keys: Operational GPG Commands. + (line 333) +* fingerprint: Operational GPG Commands. + (line 194) +* fixed-list-mode: GPG Input and Output. + (line 284) +* flush: Dirmngr Commands. (line 62) +* for-your-eyes-only: GPG Esoteric Options. + (line 185) +* forbid-gen-key: GPG Esoteric Options. + (line 551) +* force: Dirmngr Options. (line 93) +* force <1>: watchgnupg. (line 23) +* force-crl-refresh: Certificate Options. (line 35) +* force-default-responder: dirmngr-client. (line 64) +* force-mdc: OpenPGP Options. (line 25) +* force-sign-key: GPG Esoteric Options. + (line 545) +* forget: Invoking gpg-preset-passphrase. + (line 26) +* from: gpg-wks-server. (line 54) +* full-gen-key: OpenPGP Key Management. + (line 111) +* full-generate-key: OpenPGP Key Management. + (line 110) +* gen-key: OpenPGP Key Management. + (line 104) +* gen-key <1>: Certificate Management. + (line 8) +* gen-prime: Operational GPG Commands. + (line 398) +* gen-random: Operational GPG Commands. + (line 391) +* gen-revoke: OpenPGP Key Management. + (line 120) +* generate-designated-revocation: OpenPGP Key Management. + (line 133) +* generate-key: OpenPGP Key Management. + (line 103) +* generate-key <1>: Certificate Management. + (line 7) +* generate-revocation: OpenPGP Key Management. + (line 119) +* gnupg: Compliance Options. (line 12) +* gpg: gpgtar. (line 135) +* gpg-agent-info: GPG Configuration Options. + (line 752) +* gpg-args: gpgtar. (line 138) +* gpgconf-list: GPG Esoteric Options. + (line 605) +* gpgconf-test: GPG Esoteric Options. + (line 609) +* grab: Agent Options. (line 153) +* group: GPG Key related Options. + (line 55) +* header: gpg-wks-server. (line 57) +* help: Agent Commands. (line 15) +* help <1>: Dirmngr Commands. (line 14) +* help <2>: General GPG Commands. + (line 12) +* help <3>: General GPGSM Commands. + (line 11) +* help <4>: Scdaemon Commands. (line 14) +* help <5>: watchgnupg. (line 39) +* help <6>: dirmngr-client. (line 44) +* help <7>: gpgtar. (line 150) +* help <8>: gpg-wks-client. (line 141) +* help <9>: gpg-wks-server. (line 87) +* hex: Invoking gpg-connect-agent. + (line 91) +* hidden-encrypt-to: GPG Key related Options. + (line 43) +* hidden-recipient: GPG Key related Options. + (line 14) +* hidden-recipient-file: GPG Key related Options. + (line 29) +* homedir: Agent Options. (line 17) +* homedir <1>: GPG Configuration Options. + (line 260) +* homedir <2>: Configuration Options. + (line 16) +* homedir <3>: Scdaemon Options. (line 13) +* homedir <4>: gpgv. (line 69) +* homedir <5>: Invoking gpgconf. (line 120) +* homedir <6>: Invoking gpg-connect-agent. + (line 21) +* honor-http-proxy: Dirmngr Options. (line 236) +* http-proxy: Dirmngr Options. (line 240) +* ignore-cache-for-signing: Agent Options. (line 211) +* ignore-cert: Dirmngr Options. (line 389) +* ignore-cert-extension: Dirmngr Options. (line 379) +* ignore-cert-extension <1>: Certificate Options. (line 82) +* ignore-cert-with-oid: Esoteric Options. (line 37) +* ignore-crc-error: GPG Esoteric Options. + (line 387) +* ignore-http-dp: Dirmngr Options. (line 220) +* ignore-ldap-dp: Dirmngr Options. (line 227) +* ignore-mdc-error: GPG Esoteric Options. + (line 394) +* ignore-ocsp-service-url: Dirmngr Options. (line 232) +* ignore-time-conflict: GPG Esoteric Options. + (line 373) +* ignore-time-conflict <1>: gpgv. (line 63) +* ignore-valid-from: GPG Esoteric Options. + (line 380) +* import: Operational GPG Commands. + (line 304) +* import <1>: Certificate Management. + (line 99) +* import-filter: GPG Input and Output. + (line 131) +* import-options: GPG Input and Output. + (line 45) +* import-ownertrust: Operational GPG Commands. + (line 370) +* include-certs: CMS Options. (line 7) +* include-key-block: OpenPGP Options. (line 38) +* input-size-hint: GPG Input and Output. + (line 29) +* interactive: GPG Esoteric Options. + (line 19) +* keep-display: Agent Options. (line 365) +* keep-tty: Agent Options. (line 365) +* key-origin: GPG Input and Output. + (line 37) +* keydb-clear-some-cert-flags: Certificate Management. + (line 52) +* keyedit:addcardkey: OpenPGP Key Management. + (line 281) +* keyedit:addkey: OpenPGP Key Management. + (line 278) +* keyedit:addphoto: OpenPGP Key Management. + (line 201) +* keyedit:addrevoker: OpenPGP Key Management. + (line 330) +* keyedit:adduid: OpenPGP Key Management. + (line 198) +* keyedit:bkuptocard: OpenPGP Key Management. + (line 295) +* keyedit:change-usage: OpenPGP Key Management. + (line 357) +* keyedit:check: OpenPGP Key Management. + (line 194) +* keyedit:clean: OpenPGP Key Management. + (line 343) +* keyedit:cross-certify: OpenPGP Key Management. + (line 366) +* keyedit:delkey: OpenPGP Key Management. + (line 306) +* keyedit:delsig: OpenPGP Key Management. + (line 184) +* keyedit:deluid: OpenPGP Key Management. + (line 211) +* keyedit:disable: OpenPGP Key Management. + (line 326) +* keyedit:enable: OpenPGP Key Management. + (line 326) +* keyedit:expire: OpenPGP Key Management. + (line 315) +* keyedit:key: OpenPGP Key Management. + (line 148) +* keyedit:keyserver: OpenPGP Key Management. + (line 228) +* keyedit:keytocard: OpenPGP Key Management. + (line 284) +* keyedit:lsign: OpenPGP Key Management. + (line 159) +* keyedit:minimize: OpenPGP Key Management. + (line 352) +* keyedit:notation: OpenPGP Key Management. + (line 235) +* keyedit:nrsign: OpenPGP Key Management. + (line 164) +* keyedit:passwd: OpenPGP Key Management. + (line 336) +* keyedit:pref: OpenPGP Key Management. + (line 243) +* keyedit:primary: OpenPGP Key Management. + (line 220) +* keyedit:quit: OpenPGP Key Management. + (line 377) +* keyedit:revkey: OpenPGP Key Management. + (line 312) +* keyedit:revsig: OpenPGP Key Management. + (line 189) +* keyedit:revuid: OpenPGP Key Management. + (line 217) +* keyedit:save: OpenPGP Key Management. + (line 374) +* keyedit:setpref: OpenPGP Key Management. + (line 255) +* keyedit:showphoto: OpenPGP Key Management. + (line 208) +* keyedit:showpref: OpenPGP Key Management. + (line 247) +* keyedit:sign: OpenPGP Key Management. + (line 152) +* keyedit:toggle: OpenPGP Key Management. + (line 339) +* keyedit:trust: OpenPGP Key Management. + (line 321) +* keyedit:tsign: OpenPGP Key Management. + (line 168) +* keyedit:uid: OpenPGP Key Management. + (line 144) +* keyid-format: GPG Configuration Options. + (line 627) +* keyring: GPG Configuration Options. + (line 229) +* keyring <1>: gpgv. (line 38) +* keyserver: Dirmngr Options. (line 148) +* keyserver <1>: GPG Configuration Options. + (line 636) +* keyserver <2>: Configuration Options. + (line 43) +* keyserver-options: GPG Configuration Options. + (line 655) +* kill: Invoking gpgconf. (line 89) +* known-notation: GPG Esoteric Options. + (line 151) +* launch: Invoking gpgconf. (line 80) +* lc-ctype: Agent Options. (line 360) +* lc-messages: Agent Options. (line 360) +* ldap-proxy: Dirmngr Options. (line 245) +* ldapserver: Dirmngr Options. (line 275) +* ldapserverlist-file: Dirmngr Options. (line 256) +* ldaptimeout: Dirmngr Options. (line 309) +* learn-card: Certificate Management. + (line 104) +* legacy-list-mode: GPG Input and Output. + (line 290) +* limit-card-insert-tries: GPG Configuration Options. + (line 800) +* list-archive: gpgtar. (line 39) +* list-chain: Certificate Management. + (line 32) +* list-config: GPG Esoteric Options. + (line 594) +* list-crls: Dirmngr Commands. (line 40) +* list-gcrypt-config: GPG Esoteric Options. + (line 602) +* list-keys: Operational GPG Commands. + (line 119) +* list-keys <1>: Certificate Management. + (line 17) +* list-keys <2>: Certificate Management. + (line 28) +* list-only: GPG Esoteric Options. + (line 11) +* list-options: GPG Configuration Options. + (line 71) +* list-options:show-keyring: GPG Configuration Options. + (line 119) +* list-options:show-keyserver-urls: GPG Configuration Options. + (line 103) +* list-options:show-notations: GPG Configuration Options. + (line 99) +* list-options:show-only-fpr-mbox: GPG Configuration Options. + (line 134) +* list-options:show-photos: GPG Configuration Options. + (line 79) +* list-options:show-policy-urls: GPG Configuration Options. + (line 93) +* list-options:show-sig-expire: GPG Configuration Options. + (line 123) +* list-options:show-sig-subpackets: GPG Configuration Options. + (line 127) +* list-options:show-std-notations: GPG Configuration Options. + (line 99) +* list-options:show-uid-validity: GPG Configuration Options. + (line 107) +* list-options:show-unusable-subkeys: GPG Configuration Options. + (line 115) +* list-options:show-unusable-uids: GPG Configuration Options. + (line 111) +* list-options:show-usage: GPG Configuration Options. + (line 87) +* list-options:show-user-notations: GPG Configuration Options. + (line 99) +* list-packets: Operational GPG Commands. + (line 203) +* list-secret-keys: Operational GPG Commands. + (line 130) +* list-secret-keys <1>: Certificate Management. + (line 24) +* list-signatures: GPG Esoteric Options. + (line 450) +* list-sigs: GPG Esoteric Options. + (line 451) +* listen-backlog: Agent Options. (line 370) +* listen-backlog <1>: Dirmngr Options. (line 134) +* listen-backlog <2>: Scdaemon Options. (line 135) +* load-crl: Dirmngr Commands. (line 44) +* load-crl <1>: dirmngr-client. (line 80) +* local-user: GPG Key related Options. + (line 77) +* local-user <1>: Input and Output. (line 41) +* local-user <2>: gpgtar. (line 53) +* locate-external-keys: Operational GPG Commands. + (line 170) +* locate-keys: Operational GPG Commands. + (line 170) +* lock-multiple: GPG Configuration Options. + (line 780) +* lock-never: GPG Configuration Options. + (line 784) +* lock-once: GPG Configuration Options. + (line 776) +* log-file: Agent Options. (line 159) +* log-file <1>: Dirmngr Options. (line 30) +* log-file <2>: GPG Esoteric Options. + (line 86) +* log-file <3>: Configuration Options. + (line 80) +* log-file <4>: Scdaemon Options. (line 140) +* log-file <5>: gpgv. (line 59) +* logger-fd: GPG Esoteric Options. + (line 82) +* logger-fd <1>: gpgv. (line 56) +* lookup: dirmngr-client. (line 86) +* lsign-key: OpenPGP Key Management. + (line 392) +* mangle-dos-filenames: GPG Configuration Options. + (line 352) +* marginals-needed: GPG Configuration Options. + (line 721) +* max-cache-ttl: Agent Options. (line 232) +* max-cache-ttl-ssh: Agent Options. (line 238) +* max-cert-depth: GPG Configuration Options. + (line 729) +* max-output: GPG Input and Output. + (line 19) +* max-passphrase-days: Agent Options. (line 278) +* max-replies: Dirmngr Options. (line 376) +* min-cert-level: GPG Configuration Options. + (line 397) +* min-passphrase-len: Agent Options. (line 248) +* min-passphrase-nonalpha: Agent Options. (line 253) +* min-rsa-length: Compliance Options. (line 72) +* min-rsa-length <1>: Esoteric Options. (line 22) +* multi-server: Scdaemon Commands. (line 26) +* multifile: Operational GPG Commands. + (line 100) +* nameserver: Dirmngr Options. (line 203) +* no: GPG Configuration Options. + (line 67) +* no <1>: gpgtar. (line 113) +* no-allow-external-cache: Agent Options. (line 196) +* no-allow-loopback-pinentry: Agent Options. (line 188) +* no-allow-mark-trusted: Agent Options. (line 167) +* no-armor: GPG Input and Output. + (line 12) +* no-auto-key-import: GPG Configuration Options. + (line 578) +* no-auto-key-retrieve: GPG Configuration Options. + (line 590) +* no-autostart: GPG Configuration Options. + (line 769) +* no-autostart <1>: Configuration Options. + (line 69) +* no-autostart <2>: Invoking gpg-connect-agent. + (line 77) +* no-batch: GPG Configuration Options. + (line 45) +* no-common-certs-import: Esoteric Options. (line 168) +* no-default-keyring: GPG Esoteric Options. + (line 432) +* no-default-recipient: GPG Configuration Options. + (line 29) +* no-detach: Agent Options. (line 131) +* no-detach <1>: Scdaemon Options. (line 131) +* no-encrypt-to: GPG Key related Options. + (line 51) +* no-expensive-trust-checks: GPG Esoteric Options. + (line 576) +* no-ext-connect: Invoking gpg-connect-agent. + (line 72) +* no-grab: Agent Options. (line 153) +* no-greeting: GPG Configuration Options. + (line 814) +* no-groups: GPG Key related Options. + (line 73) +* no-keyring: GPG Esoteric Options. + (line 438) +* no-literal: GPG Esoteric Options. + (line 470) +* no-mangle-dos-filenames: GPG Configuration Options. + (line 352) +* no-options: GPG Configuration Options. + (line 327) +* no-random-seed-file: GPG Configuration Options. + (line 808) +* no-secmem-warning: GPG Configuration Options. + (line 817) +* no-secmem-warning <1>: Configuration Options. + (line 76) +* no-sig-cache: GPG Configuration Options. + (line 732) +* no-skip-hidden-recipients: GPG Key related Options. + (line 108) +* no-symkey-cache: GPG Esoteric Options. + (line 337) +* no-tty: GPG Configuration Options. + (line 58) +* no-use-standard-socket: Agent Options. (line 350) +* no-use-tor: Dirmngr Options. (line 98) +* no-user-trustlist: Agent Options. (line 172) +* no-verbose: GPG Configuration Options. + (line 37) +* not-dash-escaped: GPG Esoteric Options. + (line 266) +* null: gpgtar. (line 86) +* null <1>: gpg-check-pattern. (line 59) +* ocsp: dirmngr-client. (line 61) +* ocsp-current-period: Dirmngr Options. (line 371) +* ocsp-max-clock-skew: Dirmngr Options. (line 363) +* ocsp-max-period: Dirmngr Options. (line 367) +* ocsp-responder: Dirmngr Options. (line 337) +* ocsp-signer: Dirmngr Options. (line 342) +* only-ldap-proxy: Dirmngr Options. (line 251) +* openpgp: Compliance Options. (line 19) +* openpgp <1>: gpgtar. (line 95) +* options: Agent Options. (line 10) +* options <1>: Dirmngr Options. (line 11) +* options <2>: Dirmngr Options. (line 16) +* options <3>: GPG Configuration Options. + (line 322) +* options <4>: Configuration Options. + (line 10) +* options <5>: Scdaemon Options. (line 7) +* output: GPG Input and Output. + (line 16) +* output <1>: Input and Output. (line 51) +* output <2>: gpgv. (line 45) +* output <3>: gpgtar. (line 57) +* output <4>: gpg-wks-client. (line 111) +* output <5>: gpg-wks-server. (line 65) +* override-session-key: GPG Esoteric Options. + (line 494) +* p12-charset: Input and Output. (line 24) +* passphrase: GPG Esoteric Options. + (line 312) +* passphrase <1>: Invoking gpg-preset-passphrase. + (line 36) +* passphrase-fd: GPG Esoteric Options. + (line 291) +* passphrase-fd <1>: Esoteric Options. (line 136) +* passphrase-file: GPG Esoteric Options. + (line 301) +* passphrase-repeat: GPG Esoteric Options. + (line 283) +* passwd: OpenPGP Key Management. + (line 453) +* passwd <1>: Certificate Management. + (line 110) +* pcsc-driver: Scdaemon Options. (line 150) +* pcsc-shared: Scdaemon Options. (line 144) +* pem: dirmngr-client. (line 58) +* permission-warning: GPG Configuration Options. + (line 820) +* personal-cipher-preferences: OpenPGP Options. (line 46) +* personal-compress-preferences: OpenPGP Options. (line 64) +* personal-digest-preferences: OpenPGP Options. (line 55) +* pgp6: Compliance Options. (line 44) +* pgp7: Compliance Options. (line 54) +* pgp8: Compliance Options. (line 60) +* photo-viewer: GPG Configuration Options. + (line 202) +* pinentry-formatted-passphrase: Agent Options. (line 297) +* pinentry-invisible-char: Agent Options. (line 286) +* pinentry-mode: GPG Esoteric Options. + (line 322) +* pinentry-mode <1>: Esoteric Options. (line 145) +* pinentry-program: Agent Options. (line 310) +* pinentry-timeout: Agent Options. (line 291) +* pinentry-touch-file: Agent Options. (line 323) +* ping: dirmngr-client. (line 69) +* policy-file: Configuration Options. + (line 50) +* prefer-system-dirmngr: Configuration Options. + (line 63) +* preserve-permissions: GPG Esoteric Options. + (line 579) +* preset: Invoking gpg-preset-passphrase. + (line 22) +* primary-keyring: GPG Configuration Options. + (line 243) +* print-md: Operational GPG Commands. + (line 386) +* q: Invoking gpg-connect-agent. + (line 18) +* quick-add-key: OpenPGP Key Management. + (line 69) +* quick-add-uid: OpenPGP Key Management. + (line 420) +* quick-gen-key: OpenPGP Key Management. + (line 10) +* quick-generate-key: OpenPGP Key Management. + (line 10) +* quick-lsign-key: OpenPGP Key Management. + (line 398) +* quick-revoke-sig: OpenPGP Key Management. + (line 435) +* quick-revoke-uid: OpenPGP Key Management. + (line 427) +* quick-set-expire: OpenPGP Key Management. + (line 60) +* quick-set-primary-uid: OpenPGP Key Management. + (line 445) +* quick-sign-key: OpenPGP Key Management. + (line 398) +* quiet: Agent Options. (line 45) +* quiet <1>: GPG Configuration Options. + (line 40) +* quiet <2>: gpgv. (line 35) +* quiet <3>: Invoking gpgconf. (line 117) +* quiet <4>: Invoking gpg-connect-agent. + (line 18) +* quiet <5>: dirmngr-client. (line 48) +* quiet <6>: gpgtar. (line 65) +* quiet <7>: gpg-wks-client. (line 135) +* quiet <8>: gpg-wks-server. (line 81) +* raw-socket: Invoking gpg-connect-agent. + (line 59) +* reader-port: Scdaemon Options. (line 168) +* rebuild-keydb-caches: Operational GPG Commands. + (line 380) +* receive-keys: Operational GPG Commands. + (line 313) +* recipient: GPG Key related Options. + (line 8) +* recipient <1>: Input and Output. (line 46) +* recipient <2>: gpgtar. (line 49) +* recipient-file: GPG Key related Options. + (line 22) +* recursive-resolver: Dirmngr Options. (line 117) +* recv-keys: Operational GPG Commands. + (line 314) +* refresh-keys: Operational GPG Commands. + (line 317) +* reload: Invoking gpgconf. (line 74) +* remove-socketdir: Invoking gpgconf. (line 102) +* request-origin: GPG Esoteric Options. + (line 342) +* request-origin <1>: Esoteric Options. (line 160) +* require-compliance: Compliance Options. (line 77) +* require-compliance <1>: Esoteric Options. (line 27) +* require-compliance <2>: gpgtar. (line 117) +* require-cross-certification: GPG Configuration Options. + (line 839) +* require-secmem: GPG Configuration Options. + (line 834) +* resolver-timeout: Dirmngr Options. (line 120) +* rfc2440: Compliance Options. (line 37) +* rfc4880: Compliance Options. (line 25) +* rfc4880bis: Compliance Options. (line 30) +* run: Invoking gpg-connect-agent. + (line 82) +* s: Dirmngr Options. (line 87) +* s2k-calibration: Agent Options. (line 465) +* s2k-cipher-algo: OpenPGP Options. (line 74) +* s2k-count: Agent Options. (line 472) +* s2k-count <1>: OpenPGP Options. (line 90) +* s2k-digest-algo: OpenPGP Options. (line 79) +* s2k-mode: OpenPGP Options. (line 83) +* scdaemon-program: Agent Options. (line 332) +* search-keys: Operational GPG Commands. + (line 323) +* secret-keyring: GPG Configuration Options. + (line 248) +* send: gpg-wks-client. (line 72) +* send <1>: gpg-wks-server. (line 60) +* send-keys: Operational GPG Commands. + (line 257) +* sender: GPG Key related Options. + (line 81) +* server: Agent Commands. (line 23) +* server <1>: Dirmngr Commands. (line 22) +* server <2>: Operational GPGSM Commands. + (line 24) +* server <3>: Scdaemon Commands. (line 22) +* set-filename: GPG Esoteric Options. + (line 178) +* set-filename <1>: gpgtar. (line 129) +* set-filesize: GPG Esoteric Options. + (line 474) +* set-notation: GPG Esoteric Options. + (line 124) +* set-policy-url: GPG Esoteric Options. + (line 160) +* sh: Agent Options. (line 146) +* sh <1>: Dirmngr Options. (line 87) +* show-keyring: Deprecated Options. (line 16) +* show-keys: Operational GPG Commands. + (line 185) +* show-notation: Deprecated Options. (line 25) +* show-photos: Deprecated Options. (line 8) +* show-policy-url: Deprecated Options. (line 33) +* show-session-key: GPG Esoteric Options. + (line 478) +* shutdown: Dirmngr Commands. (line 58) +* sig-keyserver-url: GPG Esoteric Options. + (line 170) +* sig-notation: GPG Esoteric Options. + (line 124) +* sig-policy-url: GPG Esoteric Options. + (line 160) +* sign: Operational GPG Commands. + (line 8) +* sign <1>: Operational GPGSM Commands. + (line 16) +* sign-key: OpenPGP Key Management. + (line 388) +* skip-crypto: gpgtar. (line 68) +* skip-hidden-recipients: GPG Key related Options. + (line 108) +* skip-verify: GPG Esoteric Options. + (line 442) +* squid-mode: dirmngr-client. (line 101) +* ssh-fingerprint-digest: Agent Options. (line 450) +* standard-resolver: Dirmngr Options. (line 110) +* status-fd: GPG Esoteric Options. + (line 74) +* status-fd <1>: gpgv. (line 52) +* status-fd <2>: Invoking gpgconf. (line 158) +* status-fd <3>: gpgtar. (line 120) +* status-fd <4>: gpg-wks-client. (line 115) +* status-file: GPG Esoteric Options. + (line 78) +* steal-socket: Agent Options. (line 135) +* store: Operational GPG Commands. + (line 55) +* subst: Invoking gpg-connect-agent. + (line 88) +* supervised: Agent Commands. (line 36) +* supervised <1>: Dirmngr Commands. (line 33) +* symmetric: Operational GPG Commands. + (line 42) +* sys-trustlist-name: Agent Options. (line 177) +* tar-args: gpgtar. (line 141) +* textmode: OpenPGP Options. (line 8) +* throw-keyids: GPG Esoteric Options. + (line 257) +* time-only: watchgnupg. (line 30) +* tls-debug: Dirmngr Options. (line 69) +* tofu-default-policy: GPG Configuration Options. + (line 725) +* tofu-policy: Operational GPG Commands. + (line 408) +* trust-model: GPG Configuration Options. + (line 412) +* trust-model:always: GPG Configuration Options. + (line 493) +* trust-model:auto: GPG Configuration Options. + (line 502) +* trust-model:classic: GPG Configuration Options. + (line 420) +* trust-model:direct: GPG Configuration Options. + (line 485) +* trust-model:pgp: GPG Configuration Options. + (line 415) +* trust-model:tofu: GPG Configuration Options. + (line 423) +* trust-model:tofu+pgp: GPG Configuration Options. + (line 473) +* trustdb-name: GPG Configuration Options. + (line 253) +* trusted-key: GPG Configuration Options. + (line 403) +* try-all-secrets: GPG Key related Options. + (line 100) +* try-secret-key: GPG Key related Options. + (line 89) +* ttyname: Agent Options. (line 360) +* ttytype: Agent Options. (line 360) +* ungroup: GPG Key related Options. + (line 70) +* update-trustdb: Operational GPG Commands. + (line 339) +* url: dirmngr-client. (line 94) +* url <1>: dirmngr-client. (line 98) +* use-agent: GPG Configuration Options. + (line 749) +* use-embedded-filename: GPG Esoteric Options. + (line 194) +* use-standard-socket: Agent Options. (line 350) +* use-standard-socket-p: Agent Options. (line 350) +* use-tor: Dirmngr Options. (line 98) +* utf8-strings: GPG Configuration Options. + (line 308) +* utf8-strings <1>: gpgtar. (line 90) +* v: Dirmngr Options. (line 25) +* v <1>: Configuration Options. + (line 38) +* v <2>: Scdaemon Options. (line 35) +* v <3>: dirmngr-client. (line 53) +* validate: dirmngr-client. (line 76) +* validation-model: Certificate Options. (line 73) +* verbose: Agent Options. (line 39) +* verbose <1>: Dirmngr Options. (line 25) +* verbose <2>: GPG Configuration Options. + (line 33) +* verbose <3>: Configuration Options. + (line 38) +* verbose <4>: Scdaemon Options. (line 35) +* verbose <5>: watchgnupg. (line 33) +* verbose <6>: gpgv. (line 30) +* verbose <7>: Invoking gpg-preset-passphrase. + (line 32) +* verbose <8>: Invoking gpg-connect-agent. + (line 14) +* verbose <9>: dirmngr-client. (line 53) +* verbose <10>: gpgtar. (line 61) +* verbose <11>: gpg-check-pattern. (line 53) +* verbose <12>: gpg-wks-client. (line 132) +* verbose <13>: gpg-wks-server. (line 78) +* verify: Operational GPG Commands. + (line 67) +* verify <1>: Operational GPGSM Commands. + (line 20) +* verify-files: Operational GPG Commands. + (line 108) +* verify-options: GPG Configuration Options. + (line 138) +* verify-options:pka-lookups: GPG Configuration Options. + (line 174) +* verify-options:pka-trust-increase: GPG Configuration Options. + (line 181) +* verify-options:show-keyserver-urls: GPG Configuration Options. + (line 157) +* verify-options:show-notations: GPG Configuration Options. + (line 153) +* verify-options:show-photos: GPG Configuration Options. + (line 143) +* verify-options:show-policy-urls: GPG Configuration Options. + (line 147) +* verify-options:show-primary-uid-only: GPG Configuration Options. + (line 169) +* verify-options:show-std-notations: GPG Configuration Options. + (line 153) +* verify-options:show-uid-validity: GPG Configuration Options. + (line 161) +* verify-options:show-unusable-uids: GPG Configuration Options. + (line 165) +* verify-options:show-user-notations: GPG Configuration Options. + (line 153) +* version: Agent Commands. (line 10) +* version <1>: Dirmngr Commands. (line 10) +* version <2>: General GPG Commands. + (line 7) +* version <3>: General GPGSM Commands. + (line 7) +* version <4>: Scdaemon Commands. (line 10) +* version <5>: watchgnupg. (line 36) +* version <6>: dirmngr-client. (line 40) +* version <7>: gpgtar. (line 147) +* version <8>: gpg-wks-client. (line 138) +* version <9>: gpg-wks-server. (line 84) +* warranty: General GPG Commands. + (line 17) +* warranty <1>: General GPGSM Commands. + (line 15) +* weak-digest: GPG Esoteric Options. + (line 411) +* weak-digest <1>: gpgv. (line 90) +* with-colons: GPG Input and Output. + (line 276) +* with-colons <1>: gpg-wks-client. (line 76) +* with-dir: gpg-wks-server. (line 69) +* with-ephemeral-keys: Esoteric Options. (line 52) +* with-file: gpg-wks-server. (line 73) +* with-fingerprint: GPG Input and Output. + (line 296) +* with-icao-spelling: GPG Input and Output. + (line 307) +* with-key-data: GPG Esoteric Options. + (line 446) +* with-key-data <1>: Input and Output. (line 54) +* with-key-origin: GPG Input and Output. + (line 315) +* with-keygrip: GPG Input and Output. + (line 311) +* with-log: gpgtar. (line 124) +* with-secret: GPG Input and Output. + (line 326) +* with-secret <1>: Input and Output. (line 78) +* with-subkey-fingerprint: GPG Input and Output. + (line 300) +* with-validation: Input and Output. (line 60) +* with-wkd-hash: GPG Input and Output. + (line 321) +* xauthority: Agent Options. (line 360) +* yes: GPG Configuration Options. + (line 63) +* yes <1>: gpgtar. (line 108) + + +File: gnupg.info, Node: Environment Index, Next: Index, Prev: Option Index, Up: Top + +Environment Variable and File Index +*********************************** + + +* Menu: + +* .gpg-v21-migrated: GPG Configuration. (line 77) +* ~/.gnupg: GPG Configuration. (line 27) +* ASSUAN_DEBUG: Scdaemon Options. (line 122) +* COLUMNS: GPG Configuration. (line 118) +* com-certs.pem: GPGSM Configuration. (line 84) +* dirmngr.conf: Dirmngr Configuration. + (line 12) +* DISPLAY: GPGSM OPTION. (line 21) +* GNUPGHOME: Agent Options. (line 17) +* GNUPGHOME <1>: GPG Configuration Options. + (line 260) +* GNUPGHOME <2>: GPG Configuration. (line 106) +* GNUPGHOME <3>: Configuration Options. + (line 16) +* GNUPGHOME <4>: Scdaemon Options. (line 13) +* GNUPGHOME <5>: gpgv. (line 69) +* GNUPGHOME <6>: Invoking gpgconf. (line 120) +* GNUPGHOME <7>: Invoking gpg-connect-agent. + (line 21) +* GNUPG_BUILD_ROOT: GPG Configuration. (line 130) +* GNUPG_EXEC_DEBUG_FLAGS: GPG Configuration. (line 135) +* gpg-agent.conf: Agent Configuration. (line 11) +* gpg.conf: GPG Configuration. (line 11) +* gpgconf.ctl: Agent Options. (line 28) +* gpgconf.ctl <1>: GPG Configuration Options. + (line 271) +* gpgconf.ctl <2>: Configuration Options. + (line 27) +* gpgconf.ctl <3>: Scdaemon Options. (line 24) +* gpgconf.ctl <4>: gpgv. (line 80) +* gpgconf.ctl <5>: Invoking gpgconf. (line 131) +* gpgconf.ctl <6>: Invoking gpg-connect-agent. + (line 32) +* gpgsm.conf: GPGSM Configuration. (line 11) +* GPG_TTY: Invoking GPG-AGENT. (line 22) +* GPG_TTY <1>: GPGSM OPTION. (line 23) +* help.txt: GPGSM Configuration. (line 72) +* HKCU\Software\GNU\GnuPG:DefaultLogFile: Agent Options. (line 159) +* HKCU\Software\GNU\GnuPG:HomeDir: Agent Options. (line 17) +* HKCU\Software\GNU\GnuPG:HomeDir <1>: GPG Configuration Options. + (line 260) +* HKCU\Software\GNU\GnuPG:HomeDir <2>: Configuration Options. + (line 16) +* HKCU\Software\GNU\GnuPG:HomeDir <3>: Scdaemon Options. (line 13) +* HKCU\Software\GNU\GnuPG:HomeDir <4>: gpgv. (line 69) +* HKCU\Software\GNU\GnuPG:HomeDir <5>: Invoking gpgconf. (line 120) +* HKCU\Software\GNU\GnuPG:HomeDir <6>: Invoking gpg-connect-agent. + (line 21) +* HOME: GPG Configuration. (line 103) +* http_proxy: Dirmngr Options. (line 240) +* LANGUAGE: GPG Configuration. (line 121) +* LC_CTYPE: GPGSM OPTION. (line 27) +* LC_MESSAGES: GPGSM OPTION. (line 29) +* LINES: GPG Configuration. (line 118) +* openpgp-revocs.d: GPG Configuration. (line 91) +* PATH: GPG Configuration Options. + (line 225) +* PINENTRY_USER_DATA: GPG Configuration. (line 113) +* PINENTRY_USER_DATA <1>: GPGSM OPTION. (line 33) +* policies.txt: GPGSM Configuration. (line 18) +* private-keys-v1.d: Agent Configuration. (line 106) +* pubring.gpg: GPG Configuration. (line 32) +* pubring.kbx: GPG Configuration. (line 50) +* pubring.kbx <1>: GPGSM Configuration. (line 100) +* qualified.txt: GPGSM Configuration. (line 33) +* random_seed: GPG Configuration. (line 88) +* random_seed <1>: GPGSM Configuration. (line 106) +* S.gpg-agent: GPGSM Configuration. (line 111) +* secring.gpg: GPG Configuration. (line 69) +* SHELL: Agent Options. (line 146) +* sshcontrol: Agent Configuration. (line 76) +* TERM: GPGSM OPTION. (line 25) +* trustdb.gpg: GPG Configuration. (line 80) +* trustlist.txt: Agent Configuration. (line 20) +* XAUTHORITY: GPGSM OPTION. (line 31) + + +File: gnupg.info, Node: Index, Prev: Environment Index, Up: Top + +Index +***** + + +* Menu: + +* command options: Invoking GPG-AGENT. (line 6) +* command options <1>: Invoking DIRMNGR. (line 6) +* command options <2>: Invoking GPG. (line 6) +* command options <3>: Invoking GPGSM. (line 6) +* command options <4>: Invoking SCDAEMON. (line 6) +* contributors: Contributors. (line 6) +* DIRMNGR command options: Invoking DIRMNGR. (line 6) +* GPG command options: Invoking GPG. (line 6) +* GPG-AGENT command options: Invoking GPG-AGENT. (line 6) +* gpgconf.conf: Files used by gpgconf. + (line 7) +* GPGSM command options: Invoking GPGSM. (line 6) +* options, DIRMNGR command: Invoking DIRMNGR. (line 6) +* options, GPG command: Invoking GPG. (line 6) +* options, GPG-AGENT command: Invoking GPG-AGENT. (line 6) +* options, GPGSM command: Invoking GPGSM. (line 6) +* options, SCDAEMON command: Invoking SCDAEMON. (line 6) +* relax: Agent Configuration. (line 64) +* scd-event: Scdaemon Configuration. + (line 18) +* SCDAEMON command options: Invoking SCDAEMON. (line 6) +* scdaemon.conf: Scdaemon Configuration. + (line 11) +* SIGHUP: Agent Signals. (line 12) +* SIGHUP <1>: Dirmngr Signals. (line 12) +* SIGINT: Agent Signals. (line 31) +* SIGINT <1>: Dirmngr Signals. (line 26) +* SIGTERM: Agent Signals. (line 26) +* SIGTERM <1>: Dirmngr Signals. (line 19) +* SIGUSR1: Agent Signals. (line 34) +* SIGUSR1 <1>: Dirmngr Signals. (line 29) +* SIGUSR2: Agent Signals. (line 37) +* swdb.lst: Files used by gpgconf. + (line 14) +* trust values: Trust Values. (line 6) + diff --git a/doc/gnupg.texi b/doc/gnupg.texi new file mode 100644 index 0000000..3364148 --- /dev/null +++ b/doc/gnupg.texi @@ -0,0 +1,241 @@ +\input texinfo @c -*-texinfo-*- +@c %**start of header +@setfilename gnupg.info +@include defs.inc +@settitle Using the GNU Privacy Guard + +@c A couple of macros with no effect on texinfo +@c but used by the yat2m processor. +@macro manpage {a} +@end macro +@macro mansect {a} +@end macro +@macro manpause +@end macro +@macro mancont +@end macro + + + +@c Create a separate index for command line options. +@defcodeindex op +@c Create an index vor environment variables and files. +@defcodeindex ef + +@c Merge the function index into the concept index. +@syncodeindex fn cp +@c Merge the variable index into the concept index. +@syncodeindex vr cp +@c Merge the keystroke index into the concept index. +@syncodeindex ky cp +@c Merge the program index into the concept index. +@syncodeindex pg cp +@c Merge the data type index into the concept index. +@syncodeindex tp cp +@c %**end of header +@copying +This is the @cite{The GNU Privacy Guard Manual} (version +@value{VERSION}, @value{UPDATED-MONTH}). + +@iftex +Published by The GnuPG Project@* +@url{https://gnupg.org}@* +(or @url{http://ic6au7wa3f6naxjq.onion}) +@end iftex + +@copyright{} 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.@* +@copyright{} 2013, 2014, 2015 Werner Koch.@* +@copyright{} 2015, 2016, 2017 g10 Code GmbH. + +@quotation +Permission is granted to copy, distribute and/or modify this document +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 3 of the License, or (at your +option) any later version. The text of the license can be found in the +section entitled ``Copying''. +@end quotation +@end copying + + +@dircategory GNU Utilities +@direntry +* gpg2: (gnupg). OpenPGP encryption and signing tool. +* gpgsm: (gnupg). S/MIME encryption and signing tool. +* gpg-agent: (gnupg). The secret key daemon. +* dirmngr: (gnupg). X.509 CRL and OCSP server. +* dirmngr-client: (gnupg). X.509 CRL and OCSP client. +@end direntry + + +@c +@c Printing stuff taken from gcc. +@c +@macro gnupgtabopt{body} +@code{\body\} +@end macro +@macro gnupgoptlist{body} +@smallexample +\body\ +@end smallexample +@end macro +@c Makeinfo handles the above macro OK, TeX needs manual line breaks; +@c they get lost at some point in handling the macro. But if @macro is +@c used here rather than @alias, it produces double line breaks. +@iftex +@alias gol = * +@end iftex +@ifnottex +@macro gol +@end macro +@end ifnottex + + +@c +@c Titlepage +@c +@setchapternewpage odd +@titlepage +@title Using the GNU Privacy Guard +@subtitle Version @value{VERSION} +@subtitle @value{UPDATED-MONTH} + +@sp 3 + +@image{gnupg-logo,,,The GnuPG Logo} + +@sp 3 + +@author The GnuPG Project (@url{https://gnupg.org}) + +@page +@vskip 0pt plus 1filll +@insertcopying +@end titlepage + +@ifnothtml +@summarycontents +@contents +@page +@end ifnothtml + +@ifhtml +@center @image{gnupg-logo-tr,6cm,,The GnuPG Logo} +@end ifhtml + +@ifnottex +@node Top +@top +@insertcopying + +This manual documents how to use the GNU Privacy Guard system as well as +the administration and the architecture. +@end ifnottex + +@menu +* Installation:: A short installation guide. + +* Invoking GPG-AGENT:: How to launch the secret key daemon. +* Invoking DIRMNGR:: How to launch the CRL and OCSP daemon. +* Invoking GPG:: Using the OpenPGP protocol. +* Invoking GPGSM:: Using the S/MIME protocol. +* Invoking SCDAEMON:: How to handle Smartcards. +* Specify a User ID:: How to Specify a User Id. +* Trust Values:: How GnuPG displays trust values. + +* Helper Tools:: Description of small helper tools +* Web Key Service:: Tools for the Web Key Service + +* Howtos:: How to do certain things. +* System Notes:: Notes pertaining to certain OSes. +* Debugging:: How to solve problems + +* Copying:: GNU General Public License says + how you can copy and share GnuPG +* Contributors:: People who have contributed to GnuPG. + +* Glossary:: Short description of terms used. +* Option Index:: Index to command line options. +* Environment Index:: Index to environment variables and files. +* Index:: Index of concepts and symbol names. +@end menu + + +@ifhtml +@page +@summarycontents +@contents +@end ifhtml + + +@include instguide.texi + +@include gpg-agent.texi +@include dirmngr.texi +@include gpg.texi +@include gpgsm.texi +@include scdaemon.texi + +@node Specify a User ID +@chapter How to Specify a User Id +@anchor{how-to-specify-a-user-id} +@include specify-user-id.texi + +@node Trust Values +@chapter Trust Values +@anchor{trust-values} +@cindex trust values +@include trust-values.texi + +@include tools.texi +@include wks.texi + +@include howtos.texi + +@include sysnotes.texi + +@include debugging.texi + +@include gpl.texi + +@include contrib.texi + +@c --------------------------------------------------------------------- +@c Indexes +@c --------------------------------------------------------------------- + +@include glossary.texi + +@node Option Index +@unnumbered Option Index + +@printindex op + +@node Environment Index +@unnumbered Environment Variable and File Index + +@printindex ef + +@node Index +@unnumbered Index + +@printindex cp + +@c --------------------------------------------------------------------- +@c Epilogue +@c --------------------------------------------------------------------- + +@c @node History +@c @unnumbered History +@c +@c Here are the notices from the old dirmngr manual: +@c +@c @itemize +@c @item Using DirMngr, 2002, Steffen Hansen, Klar"alvdalens Datakonsult AB. +@c @item Using DirMngr, 2004, 2005, 2006, 2008 Werner Koch, g10 Code GmbH. +@c @end itemize +@c + + +@bye + + diff --git a/doc/gnupg7.texi b/doc/gnupg7.texi new file mode 100644 index 0000000..c48dca9 --- /dev/null +++ b/doc/gnupg7.texi @@ -0,0 +1,31 @@ +@c @c -*-texinfo-*- +@c This is only used to create a man page, thus we don't need to care +@c about actual texinfo stuff. + +@manpage gnupg.7 +@ifset manverb +.B GnuPG +\- The GNU Privacy Guard suite of programs +@end ifset +@mansect description +@ifset isman +GnuPG is a set of programs for public key encryption and digital +signatures. The program most users will want to use is the OpenPGP +command line tool, named @command{gpg2}. @command{gpgv}is a stripped +down version of @command{gpg2} with no encryption functionality, used +only to verify signatures against a trusted keyring. @command{gpgsm} is +the X.509/CMS (for S/MIME) counterpart of +@command{gpg2}. @command{gpg-agent} is a passphrase and private key +daemon which may also emulate the @command{ssh-agent}. +@mansect see also +@command{gpg}(1), +@command{gpg2}(1), +@command{gpgv}(1), +@command{gpgsm}(1), +@command{gpg-agent}(1), +@command{dirmngr}(8), +@command{scdaemon}(1) +@include see-also-note.texi +@end ifset + +@bye diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi new file mode 100644 index 0000000..8766250 --- /dev/null +++ b/doc/gpg-agent.texi @@ -0,0 +1,1672 @@ +@c Copyright (C) 2002 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file gnupg.texi. + +@include defs.inc + +@node Invoking GPG-AGENT +@chapter Invoking GPG-AGENT +@cindex GPG-AGENT command options +@cindex command options +@cindex options, GPG-AGENT command + +@manpage gpg-agent.1 +@ifset manverb +.B gpg-agent +\- Secret key management for GnuPG +@end ifset + +@mansect synopsis +@ifset manverb +.B gpg-agent +.RB [ \-\-homedir +.IR dir ] +.RB [ \-\-options +.IR file ] +.RI [ options ] +.br +.B gpg-agent +.RB [ \-\-homedir +.IR dir ] +.RB [ \-\-options +.IR file ] +.RI [ options ] +.B \-\-server +.br +.B gpg-agent +.RB [ \-\-homedir +.IR dir ] +.RB [ \-\-options +.IR file ] +.RI [ options ] +.B \-\-daemon +.RI [ command_line ] +@end ifset + +@mansect description +@command{gpg-agent} is a daemon to manage secret (private) keys +independently from any protocol. It is used as a backend for +@command{gpg} and @command{gpgsm} as well as for a couple of other +utilities. + +The agent is automatically started on demand by @command{gpg}, +@command{gpgsm}, @command{gpgconf}, or @command{gpg-connect-agent}. +Thus there is no reason to start it manually. In case you want to use +the included Secure Shell Agent you may start the agent using: + +@c From dkg on gnupg-devel on 2016-04-21: +@c +@c Here's an attempt at writing a short description of the goals of an +@c isolated cryptographic agent: +@c +@c A cryptographic agent should control access to secret key material. +@c The agent permits use of the secret key material by a supplicant +@c without providing a copy of the secret key material to the supplicant. +@c +@c An isolated cryptographic agent separates the request for use of +@c secret key material from permission for use of secret key material. +@c That is, the system or process requesting use of the key (the +@c "supplicant") can be denied use of the key by the owner/operator of +@c the agent (the "owner"), which the supplicant has no control over. +@c +@c One way of enforcing this split is a per-key or per-session +@c passphrase, known only by the owner, which must be supplied to the +@c agent to permit the use of the secret key material. Another way is +@c with an out-of-band permission mechanism (e.g. a button or GUI +@c interface that the owner has access to, but the supplicant does not). +@c +@c The rationale for this separation is that it allows access to the +@c secret key to be tightly controlled and audited, and it doesn't permit +@c the supplicant to either copy the key or to override the owner's +@c intentions. + +@example +gpg-connect-agent /bye +@end example + +@noindent +If you want to manually terminate the currently-running agent, you can +safely do so with: + +@example +gpgconf --kill gpg-agent +@end example + +@noindent +@efindex GPG_TTY +You should always add the following lines to your @code{.bashrc} or +whatever initialization file is used for all shell invocations: + +@smallexample +GPG_TTY=$(tty) +export GPG_TTY +@end smallexample + +@noindent +It is important that this environment variable always reflects the +output of the @code{tty} command. For W32 systems this option is not +required. + +Please make sure that a proper pinentry program has been installed +under the default filename (which is system dependent) or use the +option @option{pinentry-program} to specify the full name of that program. +It is often useful to install a symbolic link from the actual used +pinentry (e.g. @file{@value{BINDIR}/pinentry-gtk}) to the expected +one (e.g. @file{@value{BINDIR}/pinentry}). + +@manpause +@noindent +@xref{Option Index}, for an index to @command{GPG-AGENT}'s commands and options. +@mancont + +@menu +* Agent Commands:: List of all commands. +* Agent Options:: List of all options. +* Agent Configuration:: Configuration files. +* Agent Signals:: Use of some signals. +* Agent Examples:: Some usage examples. +* Agent Protocol:: The protocol the agent uses. +@end menu + +@mansect commands +@node Agent Commands +@section Commands + +Commands are not distinguished from options except for the fact that +only one command is allowed. + +@table @gnupgtabopt +@item --version +@opindex version +Print the program version and licensing information. Note that you cannot +abbreviate this command. + +@item --help +@itemx -h +@opindex help +Print a usage message summarizing the most useful command-line options. +Note that you cannot abbreviate this command. + +@item --dump-options +@opindex dump-options +Print a list of all available options and commands. Note that you cannot +abbreviate this command. + +@item --server +@opindex server +Run in server mode and wait for commands on the @code{stdin}. The +default mode is to create a socket and listen for commands there. + +@item --daemon [@var{command line}] +@opindex daemon +Start the gpg-agent as a daemon; that is, detach it from the console +and run it in the background. + +As an alternative you may create a new process as a child of +gpg-agent: @code{gpg-agent --daemon /bin/sh}. This way you get a new +shell with the environment setup properly; after you exit from this +shell, gpg-agent terminates within a few seconds. + +@item --supervised +@opindex supervised +Run in the foreground, sending logs by default to stderr, and +listening on provided file descriptors, which must already be bound to +listening sockets. This command is useful when running under systemd +or other similar process supervision schemes. This option is not +supported on Windows. + +In --supervised mode, different file descriptors can be provided for +use as different socket types (e.g. ssh, extra) as long as they are +identified in the environment variable @code{LISTEN_FDNAMES} (see +sd_listen_fds(3) on some Linux distributions for more information on +this convention). +@end table + +@mansect options +@node Agent Options +@section Option Summary + +Options may either be used on the command line or, after stripping off +the two leading dashes, in the configuration file. + +@table @gnupgtabopt + +@anchor{option --options} +@item --options @var{file} +@opindex options +Reads configuration from @var{file} instead of from the default +per-user configuration file. The default configuration file is named +@file{gpg-agent.conf} and expected in the @file{.gnupg} directory +directly below the home directory of the user. This option is ignored +if used in an options file. + +@anchor{option --homedir} +@include opt-homedir.texi + + +@item -v +@itemx --verbose +@opindex verbose +Outputs additional information while running. +You can increase the verbosity by giving several +verbose commands to @command{gpg-agent}, such as @samp{-vv}. + +@item -q +@itemx --quiet +@opindex quiet +Try to be as quiet as possible. + +@item --batch +@opindex batch +Don't invoke a pinentry or do any other thing requiring human interaction. + +@item --faked-system-time @var{epoch} +@opindex faked-system-time +This option is only useful for testing; it sets the system time back or +forth to @var{epoch} which is the number of seconds elapsed since the year +1970. + +@item --debug-level @var{level} +@opindex debug-level +Select the debug level for investigating problems. @var{level} may be +a numeric value or a keyword: + +@table @code +@item none +No debugging at all. A value of less than 1 may be used instead of +the keyword. +@item basic +Some basic debug messages. A value between 1 and 2 may be used +instead of the keyword. +@item advanced +More verbose debug messages. A value between 3 and 5 may be used +instead of the keyword. +@item expert +Even more detailed messages. A value between 6 and 8 may be used +instead of the keyword. +@item guru +All of the debug messages you can get. A value greater than 8 may be +used instead of the keyword. The creation of hash tracing files is +only enabled if the keyword is used. +@end table + +How these messages are mapped to the actual debugging flags is not +specified and may change with newer releases of this program. They are +however carefully selected to best aid in debugging. + +@item --debug @var{flags} +@opindex debug +This option is only useful for debugging and the behavior may change at +any time without notice. FLAGS are bit encoded and may be given in +usual C-Syntax. The currently defined bits are: + +@table @code +@item 0 (1) +X.509 or OpenPGP protocol related data +@item 1 (2) +values of big number integers +@item 2 (4) +low level crypto operations +@item 5 (32) +memory allocation +@item 6 (64) +caching +@item 7 (128) +show memory statistics +@item 9 (512) +write hashed data to files named @code{dbgmd-000*} +@item 10 (1024) +trace Assuan protocol +@item 12 (4096) +bypass all certificate validation +@end table + +@item --debug-all +@opindex debug-all +Same as @code{--debug=0xffffffff} + +@item --debug-wait @var{n} +@opindex debug-wait +When running in server mode, wait @var{n} seconds before entering the +actual processing loop and print the pid. This gives time to attach a +debugger. + +@item --debug-quick-random +@opindex debug-quick-random +This option inhibits the use of the very secure random quality level +(Libgcrypt’s @code{GCRY_VERY_STRONG_RANDOM}) and degrades all request +down to standard random quality. It is only used for testing and +should not be used for any production quality keys. This option is +only effective when given on the command line. + +On GNU/Linux, another way to quickly generate insecure keys is to use +@command{rngd} to fill the kernel's entropy pool with lower quality +random data. @command{rngd} is typically provided by the +@command{rng-tools} package. It can be run as follows: @samp{sudo +rngd -f -r /dev/urandom}. + +@item --debug-pinentry +@opindex debug-pinentry +This option enables extra debug information pertaining to the +Pinentry. As of now it is only useful when used along with +@code{--debug 1024}. + +@item --no-detach +@opindex no-detach +Don't detach the process from the console. This is mainly useful for +debugging. + +@item --steal-socket +@opindex steal-socket +In @option{--daemon} mode, gpg-agent detects an already running +gpg-agent and does not allow to start a new instance. This option can +be used to override this check: the new gpg-agent process will try to +take over the communication sockets from the already running process +and start anyway. This option should in general not be used. + + +@item -s +@itemx --sh +@itemx -c +@itemx --csh +@opindex sh +@opindex csh +@efindex SHELL +Format the info output in daemon mode for use with the standard Bourne +shell or the C-shell respectively. The default is to guess it based on +the environment variable @code{SHELL} which is correct in almost all +cases. + + +@item --grab +@itemx --no-grab +@opindex grab +@opindex no-grab +Tell the pinentry to grab the keyboard and mouse. This option should +be used on X-Servers to avoid X-sniffing attacks. Any use of the +option @option{--grab} overrides an used option @option{--no-grab}. +The default is @option{--no-grab}. + +@anchor{option --log-file} +@item --log-file @var{file} +@opindex log-file +@efindex HKCU\Software\GNU\GnuPG:DefaultLogFile +Append all logging output to @var{file}. This is very helpful in +seeing what the agent actually does. Use @file{socket://} to log to +socket. If neither a log file nor a log file descriptor has been set +on a Windows platform, the Registry entry +@code{HKCU\Software\GNU\GnuPG:DefaultLogFile}, if set, is used to +specify the logging output. + + +@anchor{option --no-allow-mark-trusted} +@item --no-allow-mark-trusted +@opindex no-allow-mark-trusted +Do not allow clients to mark keys as trusted, i.e. put them into the +@file{trustlist.txt} file. This makes it harder for users to inadvertently +accept Root-CA keys. + + +@anchor{option --no-user-trustlist} +@item --no-user-trustlist +@opindex no-user-trustlist +Entirely ignore the user trust list and consider only the global +trustlist (@file{@value{SYSCONFDIR}/trustlist.txt}). This +implies the @ref{option --no-allow-mark-trusted}. + +@item --sys-trustlist-name @var{file} +@opindex sys-trustlist-name +Changes the default name for the global trustlist from "trustlist.txt" +to @var{file}. If @var{file} does not contain any slashes and does +not start with "~/" it is searched in the system configuration +directory (@file{@value{SYSCONFDIR}}). + +@anchor{option --allow-preset-passphrase} +@item --allow-preset-passphrase +@opindex allow-preset-passphrase +This option allows the use of @command{gpg-preset-passphrase} to seed the +internal cache of @command{gpg-agent} with passphrases. + +@anchor{option --no-allow-loopback-pinentry} +@item --no-allow-loopback-pinentry +@item --allow-loopback-pinentry +@opindex no-allow-loopback-pinentry +@opindex allow-loopback-pinentry +Disallow or allow clients to use the loopback pinentry features; see +the option @option{pinentry-mode} for details. Allow is the default. + +The @option{--force} option of the Assuan command @command{DELETE_KEY} +is also controlled by this option: The option is ignored if a loopback +pinentry is disallowed. + +@item --no-allow-external-cache +@opindex no-allow-external-cache +Tell Pinentry not to enable features which use an external cache for +passphrases. + +Some desktop environments prefer to unlock all +credentials with one master password and may have installed a Pinentry +which employs an additional external cache to implement such a policy. +By using this option the Pinentry is advised not to make use of such a +cache and instead always ask the user for the requested passphrase. + +@item --allow-emacs-pinentry +@opindex allow-emacs-pinentry +Tell Pinentry to allow features to divert the passphrase entry to a +running Emacs instance. How this is exactly handled depends on the +version of the used Pinentry. + +@item --ignore-cache-for-signing +@opindex ignore-cache-for-signing +This option will let @command{gpg-agent} bypass the passphrase cache for all +signing operation. Note that there is also a per-session option to +control this behavior but this command line option takes precedence. + +@item --default-cache-ttl @var{n} +@opindex default-cache-ttl +Set the time a cache entry is valid to @var{n} seconds. The default +is 600 seconds. Each time a cache entry is accessed, the entry's +timer is reset. To set an entry's maximum lifetime, use +@command{max-cache-ttl}. Note that a cached passphrase may not be +evicted immediately from memory if no client requests a cache +operation. This is due to an internal housekeeping function which is +only run every few seconds. + +@item --default-cache-ttl-ssh @var{n} +@opindex default-cache-ttl +Set the time a cache entry used for SSH keys is valid to @var{n} +seconds. The default is 1800 seconds. Each time a cache entry is +accessed, the entry's timer is reset. To set an entry's maximum +lifetime, use @command{max-cache-ttl-ssh}. + +@item --max-cache-ttl @var{n} +@opindex max-cache-ttl +Set the maximum time a cache entry is valid to @var{n} seconds. After +this time a cache entry will be expired even if it has been accessed +recently or has been set using @command{gpg-preset-passphrase}. The +default is 2 hours (7200 seconds). + +@item --max-cache-ttl-ssh @var{n} +@opindex max-cache-ttl-ssh +Set the maximum time a cache entry used for SSH keys is valid to +@var{n} seconds. After this time a cache entry will be expired even +if it has been accessed recently or has been set using +@command{gpg-preset-passphrase}. The default is 2 hours (7200 +seconds). + +@item --enforce-passphrase-constraints +@opindex enforce-passphrase-constraints +Enforce the passphrase constraints by not allowing the user to bypass +them using the ``Take it anyway'' button. + +@item --min-passphrase-len @var{n} +@opindex min-passphrase-len +Set the minimal length of a passphrase. When entering a new passphrase +shorter than this value a warning will be displayed. Defaults to 8. + +@item --min-passphrase-nonalpha @var{n} +@opindex min-passphrase-nonalpha +Set the minimal number of digits or special characters required in a +passphrase. When entering a new passphrase with less than this number +of digits or special characters a warning will be displayed. Defaults +to 1. + +@item --check-passphrase-pattern @var{file} +@itemx --check-sym-passphrase-pattern @var{file} +@opindex check-passphrase-pattern +@opindex check-sym-passphrase-pattern +Check the passphrase against the pattern given in @var{file}. When +entering a new passphrase matching one of these pattern a warning will +be displayed. If @var{file} does not contain any slashes and does not +start with "~/" it is searched in the system configuration directory +(@file{@value{SYSCONFDIR}}). The default is not to use any +pattern file. The second version of this option is only used when +creating a new symmetric key to allow the use of different patterns +for such passphrases. + +Security note: It is known that checking a passphrase against a list of +pattern or even against a complete dictionary is not very effective to +enforce good passphrases. Users will soon figure up ways to bypass such +a policy. A better policy is to educate users on good security +behavior and optionally to run a passphrase cracker regularly on all +users passphrases to catch the very simple ones. + +@item --max-passphrase-days @var{n} +@opindex max-passphrase-days +Ask the user to change the passphrase if @var{n} days have passed since +the last change. With @option{--enforce-passphrase-constraints} set the +user may not bypass this check. + +@item --enable-passphrase-history +@opindex enable-passphrase-history +This option does nothing yet. + +@item --pinentry-invisible-char @var{char} +@opindex pinentry-invisible-char +This option asks the Pinentry to use @var{char} for displaying hidden +characters. @var{char} must be one character UTF-8 string. A +Pinentry may or may not honor this request. + +@item --pinentry-timeout @var{n} +@opindex pinentry-timeout +This option asks the Pinentry to timeout after @var{n} seconds with no +user input. The default value of 0 does not ask the pinentry to +timeout, however a Pinentry may use its own default timeout value in +this case. A Pinentry may or may not honor this request. + +@item --pinentry-formatted-passphrase +@opindex pinentry-formatted-passphrase +This option asks the Pinentry to enable passphrase formatting when asking the +user for a new passphrase and masking of the passphrase is turned off. + +If passphrase formatting is enabled, then all non-breaking space characters +are stripped from the entered passphrase. Passphrase formatting is mostly +useful in combination with passphrases generated with the GENPIN +feature of some Pinentries. Note that such a generated +passphrase, if not modified by the user, skips all passphrase +constraints checking because such constraints would actually weaken +the generated passphrase. + +@item --pinentry-program @var{filename} +@opindex pinentry-program +Use program @var{filename} as the PIN entry. The default is +installation dependent. With the default configuration the name of +the default pinentry is @file{pinentry}; if that file does not exist +but a @file{pinentry-basic} exist the latter is used. + +On a Windows platform the default is to use the first existing program +from this list: +@file{bin\pinentry.exe}, +@file{..\Gpg4win\bin\pinentry.exe}, +@file{..\Gpg4win\pinentry.exe}, +@file{..\GNU\GnuPG\pinentry.exe}, +@file{..\GNU\bin\pinentry.exe}, +@file{bin\pinentry-basic.exe} +where the file names are relative to the GnuPG installation directory. + + +@item --pinentry-touch-file @var{filename} +@opindex pinentry-touch-file +By default the filename of the socket gpg-agent is listening for +requests is passed to Pinentry, so that it can touch that file before +exiting (it does this only in curses mode). This option changes the +file passed to Pinentry to @var{filename}. The special name +@code{/dev/null} may be used to completely disable this feature. Note +that Pinentry will not create that file, it will only change the +modification and access time. + + +@item --scdaemon-program @var{filename} +@opindex scdaemon-program +Use program @var{filename} as the Smartcard daemon. The default is +installation dependent and can be shown with the @command{gpgconf} +command. + +@item --disable-scdaemon +@opindex disable-scdaemon +Do not make use of the scdaemon tool. This option has the effect of +disabling the ability to do smartcard operations. Note, that enabling +this option at runtime does not kill an already forked scdaemon. + +@item --disable-check-own-socket +@opindex disable-check-own-socket +@command{gpg-agent} employs a periodic self-test to detect a stolen +socket. This usually means a second instance of @command{gpg-agent} +has taken over the socket and @command{gpg-agent} will then terminate +itself. This option may be used to disable this self-test for +debugging purposes. + +@item --use-standard-socket +@itemx --no-use-standard-socket +@itemx --use-standard-socket-p +@opindex use-standard-socket +@opindex no-use-standard-socket +@opindex use-standard-socket-p +Since GnuPG 2.1 the standard socket is always used. These options +have no more effect. The command @code{gpg-agent +--use-standard-socket-p} will thus always return success. + +@item --display @var{string} +@itemx --ttyname @var{string} +@itemx --ttytype @var{string} +@itemx --lc-ctype @var{string} +@itemx --lc-messages @var{string} +@itemx --xauthority @var{string} +@opindex display +@opindex ttyname +@opindex ttytype +@opindex lc-ctype +@opindex lc-messages +@opindex xauthority +These options are used with the server mode to pass localization +information. + +@item --keep-tty +@itemx --keep-display +@opindex keep-tty +@opindex keep-display +Ignore requests to change the current @code{tty} or X window system's +@code{DISPLAY} variable respectively. This is useful to lock the +pinentry to pop up at the @code{tty} or display you started the agent. + +@item --listen-backlog @var{n} +@opindex listen-backlog +Set the size of the queue for pending connections. The default is 64. + +@anchor{option --extra-socket} +@item --extra-socket @var{name} +@opindex extra-socket +The extra socket is created by default, you may use this option to +change the name of the socket. To disable the creation of the socket +use ``none'' or ``/dev/null'' for @var{name}. + +Also listen on native gpg-agent connections on the given socket. The +intended use for this extra socket is to setup a Unix domain socket +forwarding from a remote machine to this socket on the local machine. +A @command{gpg} running on the remote machine may then connect to the +local gpg-agent and use its private keys. This enables decrypting or +signing data on a remote machine without exposing the private keys to the +remote machine. + +@item --enable-extended-key-format +@itemx --disable-extended-key-format +@opindex enable-extended-key-format +@opindex disable-extended-key-format +Since version 2.2.22 keys are created in the extended private key +format by default. Changing the passphrase of a key will also convert +the key to that new format. This key format is supported since GnuPG +version 2.1.12 and thus there should be no need to disable it. +Anyway, the disable option still allows to revert to the old behavior +for new keys; be aware that keys are never migrated back to the old +format. If the enable option has been used the disable option won't +have an effect. The advantage of the extended private key format is +that it is text based and can carry additional meta data. In extended +key format the OCB mode is used for key protection. + +@anchor{option --enable-ssh-support} +@item --enable-ssh-support +@itemx --enable-putty-support +@opindex enable-ssh-support +@opindex enable-putty-support + +The OpenSSH Agent protocol is always enabled, but @command{gpg-agent} +will only set the @code{SSH_AUTH_SOCK} variable if this flag is given. + +In this mode of operation, the agent does not only implement the +gpg-agent protocol, but also the agent protocol used by OpenSSH +(through a separate socket). Consequently, it should be possible to use +the gpg-agent as a drop-in replacement for the well known ssh-agent. + +SSH Keys, which are to be used through the agent, need to be added to +the gpg-agent initially through the ssh-add utility. When a key is +added, ssh-add will ask for the password of the provided key file and +send the unprotected key material to the agent; this causes the +gpg-agent to ask for a passphrase, which is to be used for encrypting +the newly received key and storing it in a gpg-agent specific +directory. + +Once a key has been added to the gpg-agent this way, the gpg-agent +will be ready to use the key. + +Note: in case the gpg-agent receives a signature request, the user might +need to be prompted for a passphrase, which is necessary for decrypting +the stored key. Since the ssh-agent protocol does not contain a +mechanism for telling the agent on which display/terminal it is running, +gpg-agent's ssh-support will use the TTY or X display where gpg-agent +has been started. To switch this display to the current one, the +following command may be used: + +@smallexample +gpg-connect-agent updatestartuptty /bye +@end smallexample + +Although all GnuPG components try to start the gpg-agent as needed, this +is not possible for the ssh support because ssh does not know about it. +Thus if no GnuPG tool which accesses the agent has been run, there is no +guarantee that ssh is able to use gpg-agent for authentication. To fix +this you may start gpg-agent if needed using this simple command: + +@smallexample +gpg-connect-agent /bye +@end smallexample + +Adding the @option{--verbose} shows the progress of starting the agent. + +The @option{--enable-putty-support} is only available under Windows +and allows the use of gpg-agent with the ssh implementation +@command{putty}. This is similar to the regular ssh-agent support but +makes use of Windows message queue as required by @command{putty}. + +@anchor{option --ssh-fingerprint-digest} +@item --ssh-fingerprint-digest +@opindex ssh-fingerprint-digest + +Select the digest algorithm used to compute ssh fingerprints that are +communicated to the user, e.g. in pinentry dialogs. OpenSSH has +transitioned from using MD5 to the more secure SHA256. + + +@item --auto-expand-secmem @var{n} +@opindex auto-expand-secmem +Allow Libgcrypt to expand its secure memory area as required. The +optional value @var{n} is a non-negative integer with a suggested size +in bytes of each additionally allocated secure memory area. The value +is rounded up to the next 32 KiB; usual C style prefixes are allowed. +For an heavy loaded gpg-agent with many concurrent connection this +option avoids sign or decrypt errors due to out of secure memory error +returns. + +@item --s2k-calibration @var{milliseconds} +@opindex s2k-calibration +Change the default calibration time to @var{milliseconds}. The given +value is capped at 60 seconds; a value of 0 resets to the compiled-in +default. This option is re-read on a SIGHUP (or @code{gpgconf +--reload gpg-agent}) and the S2K count is then re-calibrated. + +@item --s2k-count @var{n} +@opindex s2k-count +Specify the iteration count used to protect the passphrase. This +option can be used to override the auto-calibration done by default. +The auto-calibration computes a count which requires by default 100ms +to mangle a given passphrase. See also @option{--s2k-calibration}. + +To view the actually used iteration count and the milliseconds +required for an S2K operation use: + +@example +gpg-connect-agent 'GETINFO s2k_count' /bye +gpg-connect-agent 'GETINFO s2k_time' /bye +@end example + +To view the auto-calibrated count use: + +@example +gpg-connect-agent 'GETINFO s2k_count_cal' /bye +@end example + + +@end table + + +@mansect files +@node Agent Configuration +@section Configuration + +There are a few configuration files needed for the operation of the +agent. By default they may all be found in the current home directory +(@pxref{option --homedir}). + +@table @file + +@item gpg-agent.conf +@efindex gpg-agent.conf + This is the standard configuration file read by @command{gpg-agent} on + startup. It may contain any valid long option; the leading + two dashes may not be entered and the option may not be abbreviated. + This file is also read after a @code{SIGHUP} however only a few + options will actually have an effect. This default name may be + changed on the command line (@pxref{option --options}). + You should backup this file. + +@item trustlist.txt +@efindex trustlist.txt + This is the list of trusted keys. You should backup this file. + + Comment lines, indicated by a leading hash mark, as well as empty + lines are ignored. To mark a key as trusted you need to enter its + fingerprint followed by a space and a capital letter @code{S}. Colons + may optionally be used to separate the bytes of a fingerprint; this + enables cutting and pasting the fingerprint from a key listing output. If + the line is prefixed with a @code{!} the key is explicitly marked as + not trusted. + + Here is an example where two keys are marked as ultimately trusted + and one as not trusted: + + @cartouche + @smallexample + # CN=Wurzel ZS 3,O=Intevation GmbH,C=DE + A6935DD34EF3087973C706FC311AA2CCF733765B S + + # CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE + DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S + + # CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE + !14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S + @end smallexample + @end cartouche + +Before entering a key into this file, you need to ensure its +authenticity. How to do this depends on your organisation; your +administrator might have already entered those keys which are deemed +trustworthy enough into this file. Places where to look for the +fingerprint of a root certificate are letters received from the CA or +the website of the CA (after making 100% sure that this is indeed the +website of that CA). You may want to consider disallowing interactive +updates of this file by using the @ref{option --no-allow-mark-trusted}. +It might even be advisable to change the permissions to read-only so +that this file can't be changed inadvertently. + +As a special feature a line @code{include-default} will include a global +list of trusted certificates (e.g. @file{@value{SYSCONFDIR}/trustlist.txt}). +This global list is also used if the local list is not available; +the @ref{option --no-user-trustlist} enforces the use of only +this global list. + +It is possible to add further flags after the @code{S} for use by the +caller: + +@table @code + +@item relax +@cindex relax +Relax checking of some root certificate requirements. As of now this +flag allows the use of root certificates with a missing basicConstraints +attribute (despite that it is a MUST for CA certificates) and disables +CRL checking for the root certificate. + +@item cm +If validation of a certificate finally issued by a CA with this flag set +fails, try again using the chain validation model. + +@end table + + +@item sshcontrol +@efindex sshcontrol +This file is used when support for the secure shell agent protocol has +been enabled (@pxref{option --enable-ssh-support}). Only keys present in +this file are used in the SSH protocol. You should backup this file. + +The @command{ssh-add} tool may be used to add new entries to this file; +you may also add them manually. Comment lines, indicated by a leading +hash mark, as well as empty lines are ignored. An entry starts with +optional whitespace, followed by the keygrip of the key given as 40 hex +digits, optionally followed by the caching TTL in seconds and another +optional field for arbitrary flags. A non-zero TTL overrides the global +default as set by @option{--default-cache-ttl-ssh}. + +The only flag support is @code{confirm}. If this flag is found for a +key, each use of the key will pop up a pinentry to confirm the use of +that key. The flag is automatically set if a new key was loaded into +@code{gpg-agent} using the option @option{-c} of the @code{ssh-add} +command. + +The keygrip may be prefixed with a @code{!} to disable an entry. + +The following example lists exactly one key. Note that keys available +through a OpenPGP smartcard in the active smartcard reader are +implicitly added to this list; i.e. there is no need to list them. + +@cartouche +@smallexample + # Key added on: 2011-07-20 20:38:46 + # Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81 + 34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm +@end smallexample +@end cartouche + +@item private-keys-v1.d/ +@efindex private-keys-v1.d + + This is the directory where gpg-agent stores the private keys. Each + key is stored in a file with the name made up of the keygrip and the + suffix @file{key}. You should backup all files in this directory + and take great care to keep this backup closed away. + + +@end table + +Note that on larger installations, it is useful to put predefined +files into the directory @file{@value{SYSCONFSKELDIR}} so that newly created +users start up with a working configuration. For existing users the +a small helper script is provided to create these files (@pxref{addgnupghome}). + + + +@c +@c Agent Signals +@c +@mansect signals +@node Agent Signals +@section Use of some signals +A running @command{gpg-agent} may be controlled by signals, i.e. using +the @command{kill} command to send a signal to the process. + +Here is a list of supported signals: + +@table @gnupgtabopt + +@item SIGHUP +@cpindex SIGHUP +This signal flushes all cached passphrases and if the program has been +started with a configuration file, the configuration file is read +again. Only certain options are honored: @code{quiet}, +@code{verbose}, @code{debug}, @code{debug-all}, @code{debug-level}, +@code{debug-pinentry}, +@code{no-grab}, +@code{pinentry-program}, +@code{pinentry-invisible-char}, +@code{default-cache-ttl}, +@code{max-cache-ttl}, @code{ignore-cache-for-signing}, +@code{s2k-count}, +@code{no-allow-external-cache}, @code{allow-emacs-pinentry}, +@code{no-allow-mark-trusted}, @code{disable-scdaemon}, and +@code{disable-check-own-socket}. @code{scdaemon-program} is also +supported but due to the current implementation, which calls the +scdaemon only once, it is not of much use unless you manually kill the +scdaemon. + + +@item SIGTERM +@cpindex SIGTERM +Shuts down the process but waits until all current requests are +fulfilled. If the process has received 3 of these signals and requests +are still pending, a shutdown is forced. + +@item SIGINT +@cpindex SIGINT +Shuts down the process immediately. + +@item SIGUSR1 +@cpindex SIGUSR1 +Dump internal information to the log file. + +@item SIGUSR2 +@cpindex SIGUSR2 +This signal is used for internal purposes. + +@end table + +@c +@c Examples +@c +@mansect examples +@node Agent Examples +@section Examples + +It is important to set the environment variable @code{GPG_TTY} in +your login shell, for example in the @file{~/.bashrc} init script: + +@cartouche +@example + export GPG_TTY=$(tty) +@end example +@end cartouche + +If you enabled the Ssh Agent Support, you also need to tell ssh about +it by adding this to your init script: + +@cartouche +@example +unset SSH_AGENT_PID +if [ "$@{gnupg_SSH_AUTH_SOCK_by:-0@}" -ne $$ ]; then + export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" +fi +@end example +@end cartouche + + +@c +@c Assuan Protocol +@c +@manpause +@node Agent Protocol +@section Agent's Assuan Protocol + +Note: this section does only document the protocol, which is used by +GnuPG components; it does not deal with the ssh-agent protocol. To +see the full specification of each command, use + +@example + gpg-connect-agent 'help COMMAND' /bye +@end example + +@noindent +or just 'help' to list all available commands. + +@noindent +The @command{gpg-agent} daemon is started on demand by the GnuPG +components. + +To identify a key we use a thing called keygrip which is the SHA-1 hash +of an canonical encoded S-Expression of the public key as used in +Libgcrypt. For the purpose of this interface the keygrip is given as a +hex string. The advantage of using this and not the hash of a +certificate is that it will be possible to use the same keypair for +different protocols, thereby saving space on the token used to keep the +secret keys. + +The @command{gpg-agent} may send status messages during a command or when +returning from a command to inform a client about the progress or result of an +operation. For example, the @var{INQUIRE_MAXLEN} status message may be sent +during a server inquire to inform the client of the maximum usable length of +the inquired data (which should not be exceeded). + +@menu +* Agent PKDECRYPT:: Decrypting a session key +* Agent PKSIGN:: Signing a Hash +* Agent GENKEY:: Generating a Key +* Agent IMPORT:: Importing a Secret Key +* Agent EXPORT:: Exporting a Secret Key +* Agent ISTRUSTED:: Importing a Root Certificate +* Agent GET_PASSPHRASE:: Ask for a passphrase +* Agent CLEAR_PASSPHRASE:: Expire a cached passphrase +* Agent PRESET_PASSPHRASE:: Set a passphrase for a keygrip +* Agent GET_CONFIRMATION:: Ask for confirmation +* Agent HAVEKEY:: Check whether a key is available +* Agent LEARN:: Register a smartcard +* Agent PASSWD:: Change a Passphrase +* Agent UPDATESTARTUPTTY:: Change the Standard Display +* Agent GETEVENTCOUNTER:: Get the Event Counters +* Agent GETINFO:: Return information about the process +* Agent OPTION:: Set options for the session +@end menu + +@node Agent PKDECRYPT +@subsection Decrypting a session key + +The client asks the server to decrypt a session key. The encrypted +session key should have all information needed to select the +appropriate secret key or to delegate it to a smartcard. + +@example + SETKEY <keyGrip> +@end example + +Tell the server about the key to be used for decryption. If this is +not used, @command{gpg-agent} may try to figure out the key by trying to +decrypt the message with each key available. + +@example + PKDECRYPT +@end example + +The agent checks whether this command is allowed and then does an +INQUIRY to get the ciphertext the client should then send the cipher +text. + +@example + S: INQUIRE CIPHERTEXT + C: D (xxxxxx + C: D xxxx) + C: END +@end example + +Please note that the server may send status info lines while reading the +data lines from the client. The data send is a SPKI like S-Exp with +this structure: + +@example + (enc-val + (<algo> + (<param_name1> <mpi>) + ... + (<param_namen> <mpi>))) +@end example + +Where algo is a string with the name of the algorithm; see the libgcrypt +documentation for a list of valid algorithms. The number and names of +the parameters depend on the algorithm. The agent does return an error +if there is an inconsistency. + +If the decryption was successful the decrypted data is returned by +means of "D" lines. + +Here is an example session: +@cartouche +@smallexample + C: PKDECRYPT + S: INQUIRE CIPHERTEXT + C: D (enc-val elg (a 349324324) + C: D (b 3F444677CA))) + C: END + S: # session key follows + S: S PADDING 0 + S: D (value 1234567890ABCDEF0) + S: OK decryption successful +@end smallexample +@end cartouche + +The “PADDING†status line is only send if gpg-agent can tell what kind +of padding is used. As of now only the value 0 is used to indicate +that the padding has been removed. + + +@node Agent PKSIGN +@subsection Signing a Hash + +The client asks the agent to sign a given hash value. A default key +will be chosen if no key has been set. To set a key a client first +uses: + +@example + SIGKEY <keyGrip> +@end example + +This can be used multiple times to create multiple signature, the list +of keys is reset with the next PKSIGN command or a RESET. The server +tests whether the key is a valid key to sign something and responds with +okay. + +@example + SETHASH --hash=<name>|<algo> <hexstring> +@end example + +The client can use this command to tell the server about the data <hexstring> +(which usually is a hash) to be signed. <algo> is the decimal encoded hash +algorithm number as used by Libgcrypt. Either <algo> or --hash=<name> +must be given. Valid names for <name> are: + +@table @code +@item sha1 +The SHA-1 hash algorithm +@item sha256 +The SHA-256 hash algorithm +@item rmd160 +The RIPE-MD160 hash algorithm +@item md5 +The old and broken MD5 hash algorithm +@item tls-md5sha1 +A combined hash algorithm as used by the TLS protocol. +@end table + +@noindent +The actual signing is done using + +@example + PKSIGN <options> +@end example + +Options are not yet defined, but may later be used to choose among +different algorithms. The agent does then some checks, asks for the +passphrase and as a result the server returns the signature as an SPKI +like S-expression in "D" lines: + +@example + (sig-val + (<algo> + (<param_name1> <mpi>) + ... + (<param_namen> <mpi>))) +@end example + + +The operation is affected by the option + +@example + OPTION use-cache-for-signing=0|1 +@end example + +The default of @code{1} uses the cache. Setting this option to @code{0} +will lead @command{gpg-agent} to ignore the passphrase cache. Note, that there is +also a global command line option for @command{gpg-agent} to globally disable the +caching. + + +Here is an example session: +@cartouche +@smallexample + C: SIGKEY <keyGrip> + S: OK key available + C: SIGKEY <keyGrip> + S: OK key available + C: PKSIGN + S: # I did ask the user whether he really wants to sign + S: # I did ask the user for the passphrase + S: INQUIRE HASHVAL + C: D ABCDEF012345678901234 + C: END + S: # signature follows + S: D (sig-val rsa (s 45435453654612121212)) + S: OK +@end smallexample +@end cartouche + +@node Agent GENKEY +@subsection Generating a Key + +This is used to create a new keypair and store the secret key inside the +active PSE --- which is in most cases a Soft-PSE. A not-yet-defined +option allows choosing the storage location. To get the secret key out +of the PSE, a special export tool has to be used. + +@example + GENKEY [--no-protection] [--preset] [<cache_nonce>] +@end example + +Invokes the key generation process and the server will then inquire +on the generation parameters, like: + +@example + S: INQUIRE KEYPARM + C: D (genkey (rsa (nbits 1024))) + C: END +@end example + +The format of the key parameters which depends on the algorithm is of +the form: + +@example + (genkey + (algo + (parameter_name_1 ....) + .... + (parameter_name_n ....))) +@end example + +If everything succeeds, the server returns the *public key* in a SPKI +like S-Expression like this: + +@example + (public-key + (rsa + (n <mpi>) + (e <mpi>))) +@end example + +Here is an example session: +@cartouche +@smallexample + C: GENKEY + S: INQUIRE KEYPARM + C: D (genkey (rsa (nbits 1024))) + C: END + S: D (public-key + S: D (rsa (n 326487324683264) (e 10001))) + S OK key created +@end smallexample +@end cartouche + +The @option{--no-protection} option may be used to prevent prompting for a +passphrase to protect the secret key while leaving the secret key unprotected. +The @option{--preset} option may be used to add the passphrase to the cache +using the default cache parameters. + +The @option{--inq-passwd} option may be used to create the key with a +supplied passphrase. When used the agent does an inquiry with the +keyword @code{NEWPASSWD} to retrieve that passphrase. This option +takes precedence over @option{--no-protection}; however if the client +sends a empty (zero-length) passphrase, this is identical to +@option{--no-protection}. + +@node Agent IMPORT +@subsection Importing a Secret Key + +This operation is not yet supported by GpgAgent. Specialized tools +are to be used for this. + +There is no actual need because we can expect that secret keys +created by a 3rd party are stored on a smartcard. If we have +generated the key ourselves, we do not need to import it. + +@node Agent EXPORT +@subsection Export a Secret Key + +Not implemented. + +Should be done by an extra tool. + +@node Agent ISTRUSTED +@subsection Importing a Root Certificate + +Actually we do not import a Root Cert but provide a way to validate +any piece of data by storing its Hash along with a description and +an identifier in the PSE. Here is the interface description: + +@example + ISTRUSTED <fingerprint> +@end example + +Check whether the OpenPGP primary key or the X.509 certificate with the +given fingerprint is an ultimately trusted key or a trusted Root CA +certificate. The fingerprint should be given as a hexstring (without +any blanks or colons or whatever in between) and may be left padded with +00 in case of an MD5 fingerprint. GPGAgent will answer with: + +@example + OK +@end example + +The key is in the table of trusted keys. + +@example + ERR 304 (Not Trusted) +@end example + +The key is not in this table. + +Gpg needs the entire list of trusted keys to maintain the web of +trust; the following command is therefore quite helpful: + +@example + LISTTRUSTED +@end example + +GpgAgent returns a list of trusted keys line by line: + +@example + S: D 000000001234454556565656677878AF2F1ECCFF P + S: D 340387563485634856435645634856438576457A P + S: D FEDC6532453745367FD83474357495743757435D S + S: OK +@end example + +The first item on a line is the hexified fingerprint where MD5 +fingerprints are @code{00} padded to the left and the second item is a +flag to indicate the type of key (so that gpg is able to only take care +of PGP keys). P = OpenPGP, S = S/MIME. A client should ignore the rest +of the line, so that we can extend the format in the future. + +Finally a client should be able to mark a key as trusted: + +@example + MARKTRUSTED @var{fingerprint} "P"|"S" +@end example + +The server will then pop up a window to ask the user whether she +really trusts this key. For this it will probably ask for a text to +be displayed like this: + +@example + S: INQUIRE TRUSTDESC + C: D Do you trust the key with the fingerprint @@FPR@@ + C: D bla fasel blurb. + C: END + S: OK +@end example + +Known sequences with the pattern @@foo@@ are replaced according to this +table: + +@table @code +@item @@FPR16@@ +Format the fingerprint according to gpg rules for a v3 keys. +@item @@FPR20@@ +Format the fingerprint according to gpg rules for a v4 keys. +@item @@FPR@@ +Choose an appropriate format to format the fingerprint. +@item @@@@ +Replaced by a single @code{@@}. +@end table + +@node Agent GET_PASSPHRASE +@subsection Ask for a passphrase + +This function is usually used to ask for a passphrase to be used for +symmetric encryption, but may also be used by programs which need +special handling of passphrases. This command uses a syntax which helps +clients to use the agent with minimum effort. + +@example + GET_PASSPHRASE [--data] [--check] [--no-ask] [--repeat[=N]] \ + [--qualitybar] @var{cache_id} \ + [@var{error_message} @var{prompt} @var{description}] +@end example + +@var{cache_id} is expected to be a string used to identify a cached +passphrase. Use a @code{X} to bypass the cache. With no other +arguments the agent returns a cached passphrase or an error. By +convention either the hexified fingerprint of the key shall be used for +@var{cache_id} or an arbitrary string prefixed with the name of the +calling application and a colon: Like @code{gpg:somestring}. + +@var{error_message} is either a single @code{X} for no error message or +a string to be shown as an error message like (e.g. "invalid +passphrase"). Blanks must be percent escaped or replaced by @code{+}'. + +@var{prompt} is either a single @code{X} for a default prompt or the +text to be shown as the prompt. Blanks must be percent escaped or +replaced by @code{+}. + +@var{description} is a text shown above the entry field. Blanks must be +percent escaped or replaced by @code{+}. + +The agent either returns with an error or with a OK followed by the hex +encoded passphrase. Note that the length of the strings is implicitly +limited by the maximum length of a command. If the option +@option{--data} is used, the passphrase is not returned on the OK line +but by regular data lines; this is the preferred method. + +If the option @option{--check} is used, the standard passphrase +constraints checks are applied. A check is not done if the passphrase +has been found in the cache. + +If the option @option{--no-ask} is used and the passphrase is not in the +cache the user will not be asked to enter a passphrase but the error +code @code{GPG_ERR_NO_DATA} is returned. + +If the option @option{--qualitybar} is used and a minimum passphrase +length has been configured, a visual indication of the entered +passphrase quality is shown. + +@example + CLEAR_PASSPHRASE @var{cache_id} +@end example + +may be used to invalidate the cache entry for a passphrase. The +function returns with OK even when there is no cached passphrase. + + + +@node Agent CLEAR_PASSPHRASE +@subsection Remove a cached passphrase + +Use this command to remove a cached passphrase. + +@example + CLEAR_PASSPHRASE [--mode=normal] <cache_id> +@end example + +The @option{--mode=normal} option can be used to clear a @var{cache_id} that +was set by gpg-agent. + + +@node Agent PRESET_PASSPHRASE +@subsection Set a passphrase for a keygrip + +This command adds a passphrase to the cache for the specified @var{keygrip}. + +@example + PRESET_PASSPHRASE [--inquire] <string_or_keygrip> <timeout> [<hexstring>] +@end example + +The passphrase is a hexadecimal string when specified. When not specified, the +passphrase will be retrieved from the pinentry module unless the +@option{--inquire} option was specified in which case the passphrase will be +retrieved from the client. + +The @var{timeout} parameter keeps the passphrase cached for the specified +number of seconds. A value of @code{-1} means infinite while @code{0} means +the default (currently only a timeout of -1 is allowed, which means to never +expire it). + + +@node Agent GET_CONFIRMATION +@subsection Ask for confirmation + +This command may be used to ask for a simple confirmation by +presenting a text and 2 buttons: Okay and Cancel. + +@example + GET_CONFIRMATION @var{description} +@end example + +@var{description}is displayed along with a Okay and Cancel +button. Blanks must be percent escaped or replaced by @code{+}. A +@code{X} may be used to display confirmation dialog with a default +text. + +The agent either returns with an error or with a OK. Note, that the +length of @var{description} is implicitly limited by the maximum +length of a command. + + + +@node Agent HAVEKEY +@subsection Check whether a key is available + +This can be used to see whether a secret key is available. It does +not return any information on whether the key is somehow protected. + +@example + HAVEKEY @var{keygrips} +@end example + +The agent answers either with OK or @code{No_Secret_Key} (208). The +caller may want to check for other error codes as well. More than one +keygrip may be given. In this case the command returns success if at +least one of the keygrips corresponds to an available secret key. + + +@node Agent LEARN +@subsection Register a smartcard + +@example + LEARN [--send] +@end example + +This command is used to register a smartcard. With the @option{--send} +option given the certificates are sent back. + + +@node Agent PASSWD +@subsection Change a Passphrase + +@example + PASSWD [--cache-nonce=<c>] [--passwd-nonce=<s>] [--preset] @var{keygrip} +@end example + +This command is used to interactively change the passphrase of the key +identified by the hex string @var{keygrip}. The @option{--preset} +option may be used to add the new passphrase to the cache using the +default cache parameters. + + +@node Agent UPDATESTARTUPTTY +@subsection Change the standard display + +@example + UPDATESTARTUPTTY +@end example + +Set the startup TTY and X-DISPLAY variables to the values of this +session. This command is useful to direct future pinentry invocations +to another screen. It is only required because there is no way in the +ssh-agent protocol to convey this information. + + +@node Agent GETEVENTCOUNTER +@subsection Get the Event Counters + +@example + GETEVENTCOUNTER +@end example + +This function return one status line with the current values of the +event counters. The event counters are useful to avoid polling by +delaying a poll until something has changed. The values are decimal +numbers in the range @code{0} to @code{UINT_MAX} and wrapping around to +0. The actual values should not be relied upon; they shall only be used +to detect a change. + +The currently defined counters are: +@table @code +@item ANY +Incremented with any change of any of the other counters. +@item KEY +Incremented for added or removed private keys. +@item CARD +Incremented for changes of the card readers stati. +@end table + +@node Agent GETINFO +@subsection Return information about the process + +This is a multipurpose function to return a variety of information. + +@example +GETINFO @var{what} +@end example + +The value of @var{what} specifies the kind of information returned: +@table @code +@item version +Return the version of the program. +@item pid +Return the process id of the process. +@item socket_name +Return the name of the socket used to connect the agent. +@item ssh_socket_name +Return the name of the socket used for SSH connections. If SSH support +has not been enabled the error @code{GPG_ERR_NO_DATA} will be returned. +@end table + +@node Agent OPTION +@subsection Set options for the session + +Here is a list of session options which are not yet described with +other commands. The general syntax for an Assuan option is: + +@smallexample +OPTION @var{key}=@var{value} +@end smallexample + +@noindent +Supported @var{key}s are: + +@table @code +@item agent-awareness +This may be used to tell gpg-agent of which gpg-agent version the +client is aware of. gpg-agent uses this information to enable +features which might break older clients. + +@item putenv +Change the session's environment to be used for the +Pinentry. Valid values are: + + @table @code + @item @var{name} + Delete envvar @var{name} + @item @var{name}= + Set envvar @var{name} to the empty string + @item @var{name}=@var{value} + Set envvar @var{name} to the string @var{value}. + @end table + +@item use-cache-for-signing +See Assuan command @code{PKSIGN}. + +@item allow-pinentry-notify +This does not need any value. It is used to enable the +PINENTRY_LAUNCHED inquiry. + +@item pinentry-mode +This option is used to change the operation mode of the pinentry. The +following values are defined: + + @table @code + @item ask + This is the default mode which pops up a pinentry as needed. + + @item cancel + Instead of popping up a pinentry, return the error code + @code{GPG_ERR_CANCELED}. + + @item error + Instead of popping up a pinentry, return the error code + @code{GPG_ERR_NO_PIN_ENTRY}. + + @item loopback + Use a loopback pinentry. This fakes a pinentry by using inquiries + back to the caller to ask for a passphrase. This option may only be + set if the agent has been configured for that. + To disable this feature use @ref{option --no-allow-loopback-pinentry}. + @end table + +@item cache-ttl-opt-preset +This option sets the cache TTL for new entries created by GENKEY and +PASSWD commands when using the @option{--preset} option. It is not +used a default value is used. + +@item s2k-count +Instead of using the standard S2K count (which is computed on the +fly), the given S2K count is used for new keys or when changing the +passphrase of a key. Values below 65536 are considered to be 0. This +option is valid for the entire session or until reset to 0. This +option is useful if the key is later used on boxes which are either +much slower or faster than the actual box. + +@item pretend-request-origin +This option switches the connection into a restricted mode which +handles all further commands in the same way as they would be handled +when originating from the extra or browser socket. Note that this +option is not available in the restricted mode. Valid values for this +option are: + + @table @code + @item none + @itemx local + This is a NOP and leaves the connection in the standard way. + + @item remote + Pretend to come from a remote origin in the same way as connections + from the @option{--extra-socket}. + + @item browser + Pretend to come from a local web browser in the same way as connections + from the @option{--browser-socket}. + @end table + +@end table + + +@mansect see also +@ifset isman +@command{@gpgname}(1), +@command{gpgsm}(1), +@command{gpgconf}(1), +@command{gpg-connect-agent}(1), +@command{scdaemon}(1) +@end ifset +@include see-also-note.texi diff --git a/doc/gpg.texi b/doc/gpg.texi new file mode 100644 index 0000000..39c996b --- /dev/null +++ b/doc/gpg.texi @@ -0,0 +1,4436 @@ +@c Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, +@c 2008, 2009, 2010 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file gnupg.texi. + +@include defs.inc + +@node Invoking GPG +@chapter Invoking GPG +@cindex GPG command options +@cindex command options +@cindex options, GPG command + + +@c Begin standard stuff +@ifclear gpgtwohack +@manpage gpg.1 +@ifset manverb +.B gpg +\- OpenPGP encryption and signing tool +@end ifset + +@mansect synopsis +@ifset manverb +.B gpg +.RB [ \-\-homedir +.IR dir ] +.RB [ \-\-options +.IR file ] +.RI [ options ] +.I command +.RI [ args ] +@end ifset +@end ifclear +@c End standard stuff + +@c Begin gpg2 hack stuff +@ifset gpgtwohack +@manpage gpg2.1 +@ifset manverb +.B gpg2 +\- OpenPGP encryption and signing tool +@end ifset + +@mansect synopsis +@ifset manverb +.B gpg2 +.RB [ \-\-homedir +.IR dir ] +.RB [ \-\-options +.IR file ] +.RI [ options ] +.I command +.RI [ args ] +@end ifset +@end ifset +@c End gpg2 hack stuff + + +@mansect description +@command{@gpgname} is the OpenPGP part of the GNU Privacy Guard (GnuPG). It +is a tool to provide digital encryption and signing services using the +OpenPGP standard. @command{@gpgname} features complete key management and +all the bells and whistles you would expect from a full OpenPGP +implementation. + +There are two main versions of GnuPG: GnuPG 1.x and GnuPG 2.x. GnuPG +2.x supports modern encryption algorithms and thus should be preferred +over GnuPG 1.x. You only need to use GnuPG 1.x if your platform +doesn't support GnuPG 2.x, or you need support for some features that +GnuPG 2.x has deprecated, e.g., decrypting data created with PGP-2 +keys. + +@ifclear gpgtwohack +If you are looking for version 1 of GnuPG, you may find that version +installed under the name @command{gpg1}. +@end ifclear +@ifset gpgtwohack +In contrast to the standalone command @command{gpg} from GnuPG 1.x, +the 2.x version is commonly installed under the name +@command{@gpgname}. +@end ifset + +@manpause + +@xref{Option Index}, for an index to @command{@gpgname}'s commands and options. +@mancont + +@menu +* GPG Commands:: List of all commands. +* GPG Options:: List of all options. +* GPG Configuration:: Configuration files. +* GPG Examples:: Some usage examples. + +Developer information: +* Unattended Usage of GPG:: Using @command{gpg} from other programs. +@end menu + +@c * GPG Protocol:: The protocol the server mode uses. + + +@c ******************************************* +@c *************** **************** +@c *************** COMMANDS **************** +@c *************** **************** +@c ******************************************* +@mansect commands +@node GPG Commands +@section Commands + +Commands are not distinguished from options except for the fact that +only one command is allowed. Generally speaking, irrelevant options +are silently ignored, and may not be checked for correctness. + +@command{@gpgname} may be run with no commands. In this case it will +print a warning perform a reasonable action depending on the type of +file it is given as input (an encrypted message is decrypted, a +signature is verified, a file containing keys is listed, etc.). + +If you run into any problems, please add the option @option{--verbose} +to the invocation to see more diagnostics. + + +@menu +* General GPG Commands:: Commands not specific to the functionality. +* Operational GPG Commands:: Commands to select the type of operation. +* OpenPGP Key Management:: How to manage your keys. +@end menu + + +@c ******************************************* +@c ********** GENERAL COMMANDS ************* +@c ******************************************* +@node General GPG Commands +@subsection Commands not specific to the function + +@table @gnupgtabopt +@item --version +@opindex version +Print the program version and licensing information. Note that you +cannot abbreviate this command. + +@item --help +@itemx -h +@opindex help +Print a usage message summarizing the most useful command-line options. +Note that you cannot arbitrarily abbreviate this command +(though you can use its short form @option{-h}). + +@item --warranty +@opindex warranty +Print warranty information. + +@item --dump-options +@opindex dump-options +Print a list of all available options and commands. Note that you cannot +abbreviate this command. +@end table + + +@c ******************************************* +@c ******** OPERATIONAL COMMANDS *********** +@c ******************************************* +@node Operational GPG Commands +@subsection Commands to select the type of operation + + +@table @gnupgtabopt + +@item --sign +@itemx -s +@opindex sign +Sign a message. This command may be combined with @option{--encrypt} +(to sign and encrypt a message), @option{--symmetric} (to sign and +symmetrically encrypt a message), or both @option{--encrypt} and +@option{--symmetric} (to sign and encrypt a message that can be +decrypted using a secret key or a passphrase). The signing key is +chosen by default or can be set explicitly using the +@option{--local-user} and @option{--default-key} options. + +@item --clear-sign +@opindex clear-sign +@itemx --clearsign +@opindex clearsign +Make a cleartext signature. The content in a cleartext signature is +readable without any special software. OpenPGP software is only needed +to verify the signature. cleartext signatures may modify end-of-line +whitespace for platform independence and are not intended to be +reversible. The signing key is chosen by default or can be set +explicitly using the @option{--local-user} and @option{--default-key} +options. + + +@item --detach-sign +@itemx -b +@opindex detach-sign +Make a detached signature. + +@item --encrypt +@itemx -e +@opindex encrypt +Encrypt data to one or more public keys. This command may be combined +with @option{--sign} (to sign and encrypt a message), +@option{--symmetric} (to encrypt a message that can be decrypted using a +secret key or a passphrase), or @option{--sign} and +@option{--symmetric} together (for a signed message that can be +decrypted using a secret key or a passphrase). @option{--recipient} +and related options specify which public keys to use for encryption. + +@item --symmetric +@itemx -c +@opindex symmetric +Encrypt with a symmetric cipher using a passphrase. The default +symmetric cipher used is @value{GPGSYMENCALGO}, but may be chosen with the +@option{--cipher-algo} option. This command may be combined with +@option{--sign} (for a signed and symmetrically encrypted message), +@option{--encrypt} (for a message that may be decrypted via a secret key +or a passphrase), or @option{--sign} and @option{--encrypt} together +(for a signed message that may be decrypted via a secret key or a +passphrase). @command{@gpgname} caches the passphrase used for +symmetric encryption so that a decrypt operation may not require that +the user needs to enter the passphrase. The option +@option{--no-symkey-cache} can be used to disable this feature. + +@item --store +@opindex store +Store only (make a simple literal data packet). + +@item --decrypt +@itemx -d +@opindex decrypt +Decrypt the file given on the command line (or STDIN if no file +is specified) and write it to STDOUT (or the file specified with +@option{--output}). If the decrypted file is signed, the signature is also +verified. This command differs from the default operation, as it never +writes to the filename which is included in the file and it rejects +files that don't begin with an encrypted message. + +@item --verify +@opindex verify +Assume that the first argument is a signed file and verify it without +generating any output. With no arguments, the signature packet is +read from STDIN. If only one argument is given, the specified file is +expected to include a complete signature. + +With more than one argument, the first argument should specify a file +with a detached signature and the remaining files should contain the +signed data. To read the signed data from STDIN, use @samp{-} as the +second filename. For security reasons, a detached signature will not +read the signed material from STDIN if not explicitly specified. + +Note: If the option @option{--batch} is not used, @command{@gpgname} +may assume that a single argument is a file with a detached signature, +and it will try to find a matching data file by stripping certain +suffixes. Using this historical feature to verify a detached +signature is strongly discouraged; you should always specify the data file +explicitly. + +Note: When verifying a cleartext signature, @command{@gpgname} verifies +only what makes up the cleartext signed data and not any extra data +outside of the cleartext signature or the header lines directly following +the dash marker line. The option @code{--output} may be used to write +out the actual signed data, but there are other pitfalls with this +format as well. It is suggested to avoid cleartext signatures in +favor of detached signatures. + +Note: Sometimes the use of the @command{gpgv} tool is easier than +using the full-fledged @command{gpg} with this option. @command{gpgv} +is designed to compare signed data against a list of trusted keys and +returns with success only for a good signature. It has its own manual +page. + + +@item --multifile +@opindex multifile +This modifies certain other commands to accept multiple files for +processing on the command line or read from STDIN with each filename on +a separate line. This allows for many files to be processed at +once. @option{--multifile} may currently be used along with +@option{--verify}, @option{--encrypt}, and @option{--decrypt}. Note that +@option{--multifile --verify} may not be used with detached signatures. + +@item --verify-files +@opindex verify-files +Identical to @option{--multifile --verify}. + +@item --encrypt-files +@opindex encrypt-files +Identical to @option{--multifile --encrypt}. + +@item --decrypt-files +@opindex decrypt-files +Identical to @option{--multifile --decrypt}. + +@item --list-keys +@itemx -k +@itemx --list-public-keys +@opindex list-keys +List the specified keys. If no keys are specified, then all keys from +the configured public keyrings are listed. + +Never use the output of this command in scripts or other programs. +The output is intended only for humans and its format is likely to +change. The @option{--with-colons} option emits the output in a +stable, machine-parseable format, which is intended for use by scripts +and other programs. + +@item --list-secret-keys +@itemx -K +@opindex list-secret-keys +List the specified secret keys. If no keys are specified, then all +known secret keys are listed. A @code{#} after the initial tags +@code{sec} or @code{ssb} means that the secret key or subkey is +currently not usable. We also say that this key has been taken +offline (for example, a primary key can be taken offline by exporting +the key using the command @option{--export-secret-subkeys}). A +@code{>} after these tags indicate that the key is stored on a +smartcard. See also @option{--list-keys}. + +@item --check-signatures +@opindex check-signatures +@itemx --check-sigs +@opindex check-sigs +Same as @option{--list-keys}, but the key signatures are verified and +listed too. Note that for performance reasons the revocation status +of a signing key is not shown. This command has the same effect as +using @option{--list-keys} with @option{--with-sig-check}. + +The status of the verification is indicated by a flag directly +following the "sig" tag (and thus before the flags described below. A +"!" indicates that the signature has been successfully verified, a "-" +denotes a bad signature and a "%" is used if an error occurred while +checking the signature (e.g. a non supported algorithm). Signatures +where the public key is not available are not listed; to see their +keyids the command @option{--list-sigs} can be used. + +For each signature listed, there are several flags in between the +signature status flag and keyid. These flags give additional +information about each key signature. From left to right, they are +the numbers 1-3 for certificate check level (see +@option{--ask-cert-level}), "L" for a local or non-exportable +signature (see @option{--lsign-key}), "R" for a nonRevocable signature +(see the @option{--edit-key} command "nrsign"), "P" for a signature +that contains a policy URL (see @option{--cert-policy-url}), "N" for a +signature that contains a notation (see @option{--cert-notation}), "X" +for an eXpired signature (see @option{--ask-cert-expire}), and the +numbers 1-9 or "T" for 10 and above to indicate trust signature levels +(see the @option{--edit-key} command "tsign"). + + +@item --locate-keys +@itemx --locate-external-keys +@opindex locate-keys +@opindex locate-external-keys +Locate the keys given as arguments. This command basically uses the +same algorithm as used when locating keys for encryption and may thus +be used to see what keys @command{@gpgname} might use. In particular +external methods as defined by @option{--auto-key-locate} are used to +locate a key if the arguments comain valid mail addresses. Only +public keys are listed. + +The variant @option{--locate-external-keys} does not consider a +locally existing key and can thus be used to force the refresh of a +key via the defined external methods. If a fingerprint is given and +and the methods defined by --auto-key-locate define LDAP servers, the +key is fetched from these resources; defined non-LDAP keyservers are +skipped. + +@item --show-keys +@opindex show-keys +This commands takes OpenPGP keys as input and prints information about +them in the same way the command @option{--list-keys} does for locally +stored key. In addition the list options @code{show-unusable-uids}, +@code{show-unusable-subkeys}, @code{show-notations} and +@code{show-policy-urls} are also enabled. As usual for automated +processing, this command should be combined with the option +@option{--with-colons}. + +@item --fingerprint +@opindex fingerprint +List all keys (or the specified ones) along with their +fingerprints. This is the same output as @option{--list-keys} but with +the additional output of a line with the fingerprint. May also be +combined with @option{--check-signatures}. If this +command is given twice, the fingerprints of all secondary keys are +listed too. This command also forces pretty printing of fingerprints +if the keyid format has been set to "none". + +@item --list-packets +@opindex list-packets +List only the sequence of packets. This command is only useful for +debugging. When used with option @option{--verbose} the actual MPI +values are dumped and not only their lengths. Note that the output of +this command may change with new releases. + + +@item --edit-card +@opindex edit-card +@itemx --card-edit +@opindex card-edit +Present a menu to work with a smartcard. The subcommand "help" provides +an overview on available commands. For a detailed description, please +see the Card HOWTO at +https://gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO . + +@item --card-status +@opindex card-status +Show the content of the smart card. + +@item --change-pin +@opindex change-pin +Present a menu to allow changing the PIN of a smartcard. This +functionality is also available as the subcommand "passwd" with the +@option{--edit-card} command. + +@item --delete-keys @var{name} +@opindex delete-keys +Remove key from the public keyring. In batch mode either @option{--yes} is +required or the key must be specified by fingerprint. This is a +safeguard against accidental deletion of multiple keys. If the +exclamation mark syntax is used with the fingerprint of a subkey only +that subkey is deleted; if the exclamation mark is used with the +fingerprint of the primary key the entire public key is deleted. + +@item --delete-secret-keys @var{name} +@opindex delete-secret-keys +Remove key from the secret keyring. In batch mode the key must be +specified by fingerprint. The option @option{--yes} can be used to +advise gpg-agent not to request a confirmation. This extra +pre-caution is done because @command{@gpgname} can't be sure that the +secret key (as controlled by gpg-agent) is only used for the given +OpenPGP public key. If the exclamation mark syntax is used with the +fingerprint of a subkey only the secret part of that subkey is +deleted; if the exclamation mark is used with the fingerprint of the +primary key only the secret part of the primary key is deleted. + + +@item --delete-secret-and-public-key @var{name} +@opindex delete-secret-and-public-key +Same as @option{--delete-key}, but if a secret key exists, it will be +removed first. In batch mode the key must be specified by fingerprint. +The option @option{--yes} can be used to advise gpg-agent not to +request a confirmation. + +@item --export +@opindex export +Either export all keys from all keyrings (default keyring and those +registered via option @option{--keyring}), or if at least one name is given, +those of the given name. The exported keys are written to STDOUT or to the +file given with option @option{--output}. Use together with +@option{--armor} to mail those keys. + +@item --send-keys @var{keyIDs} +@opindex send-keys +Similar to @option{--export} but sends the keys to a keyserver. +Fingerprints may be used instead of key IDs. +Don't send your complete keyring to a keyserver --- select +only those keys which are new or changed by you. If no @var{keyIDs} +are given, @command{@gpgname} does nothing. + +Take care: Keyservers are by design write only systems and thus it is +not possible to ever delete keys once they have been send to a +keyserver. + + +@item --export-secret-keys +@itemx --export-secret-subkeys +@opindex export-secret-keys +@opindex export-secret-subkeys +Same as @option{--export}, but exports the secret keys instead. The +exported keys are written to STDOUT or to the file given with option +@option{--output}. This command is often used along with the option +@option{--armor} to allow for easy printing of the key for paper backup; +however the external tool @command{paperkey} does a better job of +creating backups on paper. Note that exporting a secret key can be a +security risk if the exported keys are sent over an insecure channel. + +The second form of the command has the special property to render the +secret part of the primary key useless; this is a GNU extension to +OpenPGP and other implementations can not be expected to successfully +import such a key. Its intended use is in generating a full key with +an additional signing subkey on a dedicated machine. This command +then exports the key without the primary key to the main machine. + +GnuPG may ask you to enter the passphrase for the key. This is +required, because the internal protection method of the secret key is +different from the one specified by the OpenPGP protocol. + +@item --export-ssh-key +@opindex export-ssh-key +This command is used to export a key in the OpenSSH public key format. +It requires the specification of one key by the usual means and +exports the latest valid subkey which has an authentication capability +to STDOUT or to the file given with option @option{--output}. That +output can directly be added to ssh's @file{authorized_key} file. + +By specifying the key to export using a key ID or a fingerprint +suffixed with an exclamation mark (!), a specific subkey or the +primary key can be exported. This does not even require that the key +has the authentication capability flag set. + +@item --import +@itemx --fast-import +@opindex import +Import/merge keys. This adds the given keys to the +keyring. The fast version is currently just a synonym. + +There are a few other options which control how this command works. +Most notable here is the @option{--import-options merge-only} option +which does not insert new keys but does only the merging of new +signatures, user-IDs and subkeys. + +@item --receive-keys @var{keyIDs} +@opindex receive-keys +@itemx --recv-keys @var{keyIDs} +@opindex recv-keys +Import the keys with the given @var{keyIDs} from a keyserver. + +@item --refresh-keys +@opindex refresh-keys +Request updates from a keyserver for keys that already exist on the +local keyring. This is useful for updating a key with the latest +signatures, user IDs, etc. Calling this with no arguments will refresh +the entire keyring. + +@item --search-keys @var{names} +@opindex search-keys +Search the keyserver for the given @var{names}. Multiple names given +here will be joined together to create the search string for the +keyserver. Note that keyservers search for @var{names} in a different +and simpler way than gpg does. The best choice is to use a mail +address. Due to data privacy reasons keyservers may even not even +allow searching by user id or mail address and thus may only return +results when being used with the @option{--recv-key} command to +search by key fingerprint or keyid. + +@item --fetch-keys @var{URIs} +@opindex fetch-keys +Retrieve keys located at the specified @var{URIs}. Note that different +installations of GnuPG may support different protocols (HTTP, FTP, +LDAP, etc.). When using HTTPS the system provided root certificates +are used by this command. + +@item --update-trustdb +@opindex update-trustdb +Do trust database maintenance. This command iterates over all keys and +builds the Web of Trust. This is an interactive command because it may +have to ask for the "ownertrust" values for keys. The user has to give +an estimation of how far she trusts the owner of the displayed key to +correctly certify (sign) other keys. GnuPG only asks for the ownertrust +value if it has not yet been assigned to a key. Using the +@option{--edit-key} menu, the assigned value can be changed at any time. + +@item --check-trustdb +@opindex check-trustdb +Do trust database maintenance without user interaction. From time to +time the trust database must be updated so that expired keys or +signatures and the resulting changes in the Web of Trust can be +tracked. Normally, GnuPG will calculate when this is required and do it +automatically unless @option{--no-auto-check-trustdb} is set. This +command can be used to force a trust database check at any time. The +processing is identical to that of @option{--update-trustdb} but it +skips keys with a not yet defined "ownertrust". + +For use with cron jobs, this command can be used together with +@option{--batch} in which case the trust database check is done only if +a check is needed. To force a run even in batch mode add the option +@option{--yes}. + +@anchor{option --export-ownertrust} +@item --export-ownertrust +@opindex export-ownertrust +Send the ownertrust values to STDOUT. This is useful for backup purposes +as these values are the only ones which can't be re-created from a +corrupted trustdb. Example: +@c man:.RS +@example + @gpgname{} --export-ownertrust > otrust.txt +@end example +@c man:.RE + + +@item --import-ownertrust +@opindex import-ownertrust +Update the trustdb with the ownertrust values stored in @code{files} (or +STDIN if not given); existing values will be overwritten. In case of a +severely damaged trustdb and if you have a recent backup of the +ownertrust values (e.g. in the file @file{otrust.txt}), you may re-create +the trustdb using these commands: +@c man:.RS +@example + cd ~/.gnupg + rm trustdb.gpg + @gpgname{} --import-ownertrust < otrust.txt +@end example +@c man:.RE + + +@item --rebuild-keydb-caches +@opindex rebuild-keydb-caches +When updating from version 1.0.6 to 1.0.7 this command should be used +to create signature caches in the keyring. It might be handy in other +situations too. + +@item --print-md @var{algo} +@itemx --print-mds +@opindex print-md +Print message digest of algorithm @var{algo} for all given files or STDIN. +With the second form (or a deprecated "*" for @var{algo}) digests for all +available algorithms are printed. + +@item --gen-random @var{0|1|2} @var{count} +@opindex gen-random +Emit @var{count} random bytes of the given quality level 0, 1 or 2. If +@var{count} is not given or zero, an endless sequence of random bytes +will be emitted. If used with @option{--armor} the output will be +base64 encoded. PLEASE, don't use this command unless you know what +you are doing; it may remove precious entropy from the system! + +@item --gen-prime @var{mode} @var{bits} +@opindex gen-prime +Use the source, Luke :-). The output format is subject to change +with ant release. + + +@item --enarmor +@itemx --dearmor +@opindex enarmor +@opindex dearmor +Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor. +This is a GnuPG extension to OpenPGP and in general not very useful. + +@item --tofu-policy @{auto|good|unknown|bad|ask@} @var{keys} +@opindex tofu-policy +Set the TOFU policy for all the bindings associated with the specified +@var{keys}. For more information about the meaning of the policies, +@pxref{trust-model-tofu}. The @var{keys} may be specified either by their +fingerprint (preferred) or their keyid. + +@c @item --server +@c @opindex server +@c Run gpg in server mode. This feature is not yet ready for use and +@c thus not documented. + +@end table + + +@c ******************************************* +@c ******* KEY MANGEMENT COMMANDS ********** +@c ******************************************* +@node OpenPGP Key Management +@subsection How to manage your keys + +This section explains the main commands for key management. + +@table @gnupgtabopt + +@item --quick-generate-key @var{user-id} [@var{algo} [@var{usage} [@var{expire}]]] +@itemx --quick-gen-key +@opindex quick-generate-key +@opindex quick-gen-key +This is a simple command to generate a standard key with one user id. +In contrast to @option{--generate-key} the key is generated directly +without the need to answer a bunch of prompts. Unless the option +@option{--yes} is given, the key creation will be canceled if the +given user id already exists in the keyring. + +If invoked directly on the console without any special options an +answer to a ``Continue?'' style confirmation prompt is required. In +case the user id already exists in the keyring a second prompt to +force the creation of the key will show up. + +If @var{algo} or @var{usage} are given, only the primary key is +created and no prompts are shown. To specify an expiration date but +still create a primary and subkey use ``default'' or +``future-default'' for @var{algo} and ``default'' for @var{usage}. +For a description of these optional arguments see the command +@code{--quick-add-key}. The @var{usage} accepts also the value +``cert'' which can be used to create a certification only primary key; +the default is to a create certification and signing key. + +The @var{expire} argument can be used to specify an expiration date +for the key. Several formats are supported; commonly the ISO formats +``YYYY-MM-DD'' or ``YYYYMMDDThhmmss'' are used. To make the key +expire in N seconds, N days, N weeks, N months, or N years use +``seconds=N'', ``Nd'', ``Nw'', ``Nm'', or ``Ny'' respectively. Not +specifying a value, or using ``-'' results in a key expiring in a +reasonable default interval. The values ``never'', ``none'' can be +used for no expiration date. + +If this command is used with @option{--batch}, +@option{--pinentry-mode} has been set to @code{loopback}, and one of +the passphrase options (@option{--passphrase}, +@option{--passphrase-fd}, or @option{--passphrase-file}) is used, the +supplied passphrase is used for the new key and the agent does not ask +for it. To create a key without any protection @code{--passphrase ''} +may be used. + +To create an OpenPGP key from the keys available on the currently +inserted smartcard, the special string ``card'' can be used for +@var{algo}. If the card features an encryption and a signing key, gpg +will figure them out and creates an OpenPGP key consisting of the +usual primary key and one subkey. This works only with certain +smartcards. Note that the interactive @option{--full-gen-key} command +allows to do the same but with greater flexibility in the selection of +the smartcard keys. + +Note that it is possible to create a primary key and a subkey using +non-default algorithms by using ``default'' and changing the default +parameters using the option @option{--default-new-key-algo}. + +@item --quick-set-expire @var{fpr} @var{expire} [*|@var{subfprs}] +@opindex quick-set-expire +With two arguments given, directly set the expiration time of the +primary key identified by @var{fpr} to @var{expire}. To remove the +expiration time @code{0} can be used. With three arguments and the +third given as an asterisk, the expiration time of all non-revoked and +not yet expired subkeys are set to @var{expire}. With more than two +arguments and a list of fingerprints given for @var{subfprs}, all +non-revoked subkeys matching these fingerprints are set to +@var{expire}. + + +@item --quick-add-key @var{fpr} [@var{algo} [@var{usage} [@var{expire}]]] +@opindex quick-add-key +Directly add a subkey to the key identified by the fingerprint +@var{fpr}. Without the optional arguments an encryption subkey is +added. If any of the arguments are given a more specific subkey is +added. + +@var{algo} may be any of the supported algorithms or curve names +given in the format as used by key listings. To use the default +algorithm the string ``default'' or ``-'' can be used. Supported +algorithms are ``rsa'', ``dsa'', ``elg'', ``ed25519'', ``cv25519'', +and other ECC curves. For example the string ``rsa'' adds an RSA key +with the default key length; a string ``rsa4096'' requests that the +key length is 4096 bits. The string ``future-default'' is an alias +for the algorithm which will likely be used as default algorithm in +future versions of gpg. To list the supported ECC curves the command +@code{gpg --with-colons --list-config curve} can be used. + +Depending on the given @var{algo} the subkey may either be an +encryption subkey or a signing subkey. If an algorithm is capable of +signing and encryption and such a subkey is desired, a @var{usage} +string must be given. This string is either ``default'' or ``-'' to +keep the default or a comma delimited list (or space delimited list) +of keywords: ``sign'' for a signing subkey, ``auth'' for an +authentication subkey, and ``encr'' for an encryption subkey +(``encrypt'' can be used as alias for ``encr''). The valid +combinations depend on the algorithm. + +The @var{expire} argument can be used to specify an expiration date +for the key. Several formats are supported; commonly the ISO formats +``YYYY-MM-DD'' or ``YYYYMMDDThhmmss'' are used. To make the key +expire in N seconds, N days, N weeks, N months, or N years use +``seconds=N'', ``Nd'', ``Nw'', ``Nm'', or ``Ny'' respectively. Not +specifying a value, or using ``-'' results in a key expiring in a +reasonable default interval. The values ``never'', ``none'' can be +used for no expiration date. + +@item --generate-key +@opindex generate-key +@itemx --gen-key +@opindex gen-key +Generate a new key pair using the current default parameters. This is +the standard command to create a new key. In addition to the key a +revocation certificate is created and stored in the +@file{openpgp-revocs.d} directory below the GnuPG home directory. + +@item --full-generate-key +@opindex full-generate-key +@itemx --full-gen-key +@opindex full-gen-key +Generate a new key pair with dialogs for all options. This is an +extended version of @option{--generate-key}. + +There is also a feature which allows you to create keys in batch +mode. See the manual section ``Unattended key generation'' on how +to use this. + + +@item --generate-revocation @var{name} +@opindex generate-revocation +@itemx --gen-revoke @var{name} +@opindex gen-revoke +Generate a revocation certificate for the complete key. To only revoke +a subkey or a key signature, use the @option{--edit} command. + +This command merely creates the revocation certificate so that it can +be used to revoke the key if that is ever needed. To actually revoke +a key the created revocation certificate needs to be merged with the +key to revoke. This is done by importing the revocation certificate +using the @option{--import} command. Then the revoked key needs to be +published, which is best done by sending the key to a keyserver +(command @option{--send-key}) and by exporting (@option{--export}) it +to a file which is then send to frequent communication partners. + + +@item --generate-designated-revocation @var{name} +@opindex generate-designated-revocation +@itemx --desig-revoke @var{name} +@opindex desig-revoke +Generate a designated revocation certificate for a key. This allows a +user (with the permission of the keyholder) to revoke someone else's +key. + + +@item --edit-key +@opindex edit-key +Present a menu which enables you to do most of the key management +related tasks. It expects the specification of a key on the command +line. + +@c ******** Begin Edit-key Options ********** +@table @asis + + @item uid @var{n} + @opindex keyedit:uid + Toggle selection of user ID or photographic user ID with index @var{n}. + Use @code{*} to select all and @code{0} to deselect all. + + @item key @var{n} + @opindex keyedit:key + Toggle selection of subkey with index @var{n} or key ID @var{n}. + Use @code{*} to select all and @code{0} to deselect all. + + @item sign + @opindex keyedit:sign + Make a signature on key of user @code{name}. If the key is not yet + signed by the default user (or the users given with @option{-u}), the program + displays the information of the key again, together with its + fingerprint and asks whether it should be signed. This question is + repeated for all users specified with + @option{-u}. + + @item lsign + @opindex keyedit:lsign + Same as "sign" but the signature is marked as non-exportable and will + therefore never be used by others. This may be used to make keys + valid only in the local environment. + + @item nrsign + @opindex keyedit:nrsign + Same as "sign" but the signature is marked as non-revocable and can + therefore never be revoked. + + @item tsign + @opindex keyedit:tsign + Make a trust signature. This is a signature that combines the notions + of certification (like a regular signature), and trust (like the + "trust" command). It is generally only useful in distinct communities + or groups. For more information please read the sections + ``Trust Signature'' and ``Regular Expression'' in RFC-4880. +@end table + +@c man:.RS +Note that "l" (for local / non-exportable), "nr" (for non-revocable, +and "t" (for trust) may be freely mixed and prefixed to "sign" to +create a signature of any type desired. +@c man:.RE + +If the option @option{--only-sign-text-ids} is specified, then any +non-text based user ids (e.g., photo IDs) will not be selected for +signing. + +@table @asis + + @item delsig + @opindex keyedit:delsig + Delete a signature. Note that it is not possible to retract a signature, + once it has been send to the public (i.e. to a keyserver). In that case + you better use @code{revsig}. + + @item revsig + @opindex keyedit:revsig + Revoke a signature. For every signature which has been generated by + one of the secret keys, GnuPG asks whether a revocation certificate + should be generated. + + @item check + @opindex keyedit:check + Check the signatures on all selected user IDs. With the extra + option @code{selfsig} only self-signatures are shown. + + @item adduid + @opindex keyedit:adduid + Create an additional user ID. + + @item addphoto + @opindex keyedit:addphoto + Create a photographic user ID. This will prompt for a JPEG file that + will be embedded into the user ID. Note that a very large JPEG will make + for a very large key. Also note that some programs will display your + JPEG unchanged (GnuPG), and some programs will scale it to fit in a + dialog box (PGP). + + @item showphoto + @opindex keyedit:showphoto + Display the selected photographic user ID. + + @item deluid + @opindex keyedit:deluid + Delete a user ID or photographic user ID. Note that it is not + possible to retract a user id, once it has been send to the public + (i.e. to a keyserver). In that case you better use @code{revuid}. + + @item revuid + @opindex keyedit:revuid + Revoke a user ID or photographic user ID. + + @item primary + @opindex keyedit:primary + Flag the current user id as the primary one, removes the primary user + id flag from all other user ids and sets the timestamp of all affected + self-signatures one second ahead. Note that setting a photo user ID + as primary makes it primary over other photo user IDs, and setting a + regular user ID as primary makes it primary over other regular user + IDs. + + @item keyserver + @opindex keyedit:keyserver + Set a preferred keyserver for the specified user ID(s). This allows + other users to know where you prefer they get your key from. See + @option{--keyserver-options honor-keyserver-url} for more on how this + works. Setting a value of "none" removes an existing preferred + keyserver. + + @item notation + @opindex keyedit:notation + Set a name=value notation for the specified user ID(s). See + @option{--cert-notation} for more on how this works. Setting a value of + "none" removes all notations, setting a notation prefixed with a minus + sign (-) removes that notation, and setting a notation name (without the + =value) prefixed with a minus sign removes all notations with that name. + + @item pref + @opindex keyedit:pref + List preferences from the selected user ID. This shows the actual + preferences, without including any implied preferences. + + @item showpref + @opindex keyedit:showpref + More verbose preferences listing for the selected user ID. This shows + the preferences in effect by including the implied preferences of 3DES + (cipher), SHA-1 (digest), and Uncompressed (compression) if they are + not already included in the preference list. In addition, the + preferred keyserver and signature notations (if any) are shown. + + @item setpref @var{string} + @opindex keyedit:setpref + Set the list of user ID preferences to @var{string} for all (or just + the selected) user IDs. Calling setpref with no arguments sets the + preference list to the default (either built-in or set via + @option{--default-preference-list}), and calling setpref with "none" + as the argument sets an empty preference list. Use @command{@gpgname + --version} to get a list of available algorithms. Note that while you + can change the preferences on an attribute user ID (aka "photo ID"), + GnuPG does not select keys via attribute user IDs so these preferences + will not be used by GnuPG. + + When setting preferences, you should list the algorithms in the order + which you'd like to see them used by someone else when encrypting a + message to your key. If you don't include 3DES, it will be + automatically added at the end. Note that there are many factors that + go into choosing an algorithm (for example, your key may not be the + only recipient), and so the remote OpenPGP application being used to + send to you may or may not follow your exact chosen order for a given + message. It will, however, only choose an algorithm that is present + on the preference list of every recipient key. See also the + INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below. + + @item addkey + @opindex keyedit:addkey + Add a subkey to this key. + + @item addcardkey + @opindex keyedit:addcardkey + Generate a subkey on a card and add it to this key. + + @item keytocard + @opindex keyedit:keytocard + Transfer the selected secret subkey (or the primary key if no subkey + has been selected) to a smartcard. The secret key in the keyring will + be replaced by a stub if the key could be stored successfully on the + card and you use the save command later. Only certain key types may be + transferred to the card. A sub menu allows you to select on what card + to store the key. Note that it is not possible to get that key back + from the card - if the card gets broken your secret key will be lost + unless you have a backup somewhere. + + @item bkuptocard @var{file} + @opindex keyedit:bkuptocard + Restore the given @var{file} to a card. This command may be used to restore a + backup key (as generated during card initialization) to a new card. In + almost all cases this will be the encryption key. You should use this + command only with the corresponding public key and make sure that the + file given as argument is indeed the backup to restore. You should then + select 2 to restore as encryption key. You will first be asked to enter + the passphrase of the backup key and then for the Admin PIN of the card. + + @item delkey + @opindex keyedit:delkey + Remove a subkey (secondary key). Note that it is not possible to retract + a subkey, once it has been send to the public (i.e. to a keyserver). In + that case you better use @code{revkey}. Also note that this only + deletes the public part of a key. + + @item revkey + @opindex keyedit:revkey + Revoke a subkey. + + @item expire + @opindex keyedit:expire + Change the key or subkey expiration time. If a subkey is selected, the + expiration time of this subkey will be changed. With no selection, the + key expiration of the primary key is changed. + + @item trust + @opindex keyedit:trust + Change the owner trust value for the key. This updates the trust-db + immediately and no save is required. + + @item disable + @itemx enable + @opindex keyedit:disable + @opindex keyedit:enable + Disable or enable an entire key. A disabled key can not normally be + used for encryption. + + @item addrevoker + @opindex keyedit:addrevoker + Add a designated revoker to the key. This takes one optional argument: + "sensitive". If a designated revoker is marked as sensitive, it will + not be exported by default (see export-options). + + @item passwd + @opindex keyedit:passwd + Change the passphrase of the secret key. + + @item toggle + @opindex keyedit:toggle + This is dummy command which exists only for backward compatibility. + + @item clean + @opindex keyedit:clean + Compact (by removing all signatures except the selfsig) any user ID + that is no longer usable (e.g. revoked, or expired). Then, remove any + signatures that are not usable by the trust calculations. + Specifically, this removes any signature that does not validate, any + signature that is superseded by a later signature, revoked signatures, + and signatures issued by keys that are not present on the keyring. + + @item minimize + @opindex keyedit:minimize + Make the key as small as possible. This removes all signatures from + each user ID except for the most recent self-signature. + + @item change-usage + @opindex keyedit:change-usage + Change the usage flags (capabilities) of the primary key or of + subkeys. These usage flags (e.g. Certify, Sign, Authenticate, + Encrypt) are set during key creation. Sometimes it is useful to + have the opportunity to change them (for example to add + Authenticate) after they have been created. Please take care when + doing this; the allowed usage flags depend on the key algorithm. + + @item cross-certify + @opindex keyedit:cross-certify + Add cross-certification signatures to signing subkeys that may not + currently have them. Cross-certification signatures protect against a + subtle attack against signing subkeys. See + @option{--require-cross-certification}. All new keys generated have + this signature by default, so this command is only useful to bring + older keys up to date. + + @item save + @opindex keyedit:save + Save all changes to the keyring and quit. + + @item quit + @opindex keyedit:quit + Quit the program without updating the + keyring. +@end table + +@c man:.RS +The listing shows you the key with its secondary keys and all user +IDs. The primary user ID is indicated by a dot, and selected keys or +user IDs are indicated by an asterisk. The trust +value is displayed with the primary key: "trust" is the assigned owner +trust and "validity" is the calculated validity of the key. Validity +values are also displayed for all user IDs. +For possible values of trust, @pxref{trust-values}. +@c man:.RE +@c ******** End Edit-key Options ********** + +@item --sign-key @var{name} +@opindex sign-key +Signs a public key with your secret key. This is a shortcut version of +the subcommand "sign" from @option{--edit}. + +@item --lsign-key @var{name} +@opindex lsign-key +Signs a public key with your secret key but marks it as +non-exportable. This is a shortcut version of the subcommand "lsign" +from @option{--edit-key}. + +@item --quick-sign-key @var{fpr} [@var{names}] +@itemx --quick-lsign-key @var{fpr} [@var{names}] +@opindex quick-sign-key +@opindex quick-lsign-key +Directly sign a key from the passphrase without any further user +interaction. The @var{fpr} must be the verified primary fingerprint +of a key in the local keyring. If no @var{names} are given, all +useful user ids are signed; with given [@var{names}] only useful user +ids matching one of theses names are signed. By default, or if a name +is prefixed with a '*', a case insensitive substring match is used. +If a name is prefixed with a '=' a case sensitive exact match is done. + +The command @option{--quick-lsign-key} marks the signatures as +non-exportable. If such a non-exportable signature already exists the +@option{--quick-sign-key} turns it into a exportable signature. If +you need to update an existing signature, for example to add or change +notation data, you need to use the option @option{--force-sign-key}. + +This command uses reasonable defaults and thus does not provide the +full flexibility of the "sign" subcommand from @option{--edit-key}. +Its intended use is to help unattended key signing by utilizing a list +of verified fingerprints. + +@item --quick-add-uid @var{user-id} @var{new-user-id} +@opindex quick-add-uid +This command adds a new user id to an existing key. In contrast to +the interactive sub-command @code{adduid} of @option{--edit-key} the +@var{new-user-id} is added verbatim with only leading and trailing +white space removed, it is expected to be UTF-8 encoded, and no checks +on its form are applied. + +@item --quick-revoke-uid @var{user-id} @var{user-id-to-revoke} +@opindex quick-revoke-uid +This command revokes a user ID on an existing key. It cannot be used +to revoke the last user ID on key (some non-revoked user ID must +remain), with revocation reason ``User ID is no longer valid''. If +you want to specify a different revocation reason, or to supply +supplementary revocation text, you should use the interactive +sub-command @code{revuid} of @option{--edit-key}. + +@item --quick-revoke-sig @var{fpr} @var{signing-fpr} [@var{names}] +@opindex quick-revoke-sig +This command revokes the key signatures made by @var{signing-fpr} from +the key specified by the fingerprint @var{fpr}. With @var{names} +given only the signatures on user ids of the key matching any of the +given names are affected (see @option{--quick-sign-key}). If a +revocation already exists a notice is printed instead of creating a +new revocation; no error is returned in this case. Note that key +signature revocations may be superseded by a newer key signature and +in turn again revoked. + +@item --quick-set-primary-uid @var{user-id} @var{primary-user-id} +@opindex quick-set-primary-uid +This command sets or updates the primary user ID flag on an existing +key. @var{user-id} specifies the key and @var{primary-user-id} the +user ID which shall be flagged as the primary user ID. The primary +user ID flag is removed from all other user ids and the timestamp of +all affected self-signatures is set one second ahead. + + +@item --change-passphrase @var{user-id} +@opindex change-passphrase +@itemx --passwd @var{user-id} +@opindex passwd +Change the passphrase of the secret key belonging to the certificate +specified as @var{user-id}. This is a shortcut for the sub-command +@code{passwd} of the edit key menu. When using together with the +option @option{--dry-run} this will not actually change the passphrase +but check that the current passphrase is correct. + +@end table + + +@c ******************************************* +@c *************** **************** +@c *************** OPTIONS **************** +@c *************** **************** +@c ******************************************* +@mansect options +@node GPG Options +@section Option Summary + +@command{@gpgname} features a bunch of options to control the exact +behaviour and to change the default configuration. + +@menu +* GPG Configuration Options:: How to change the configuration. +* GPG Key related Options:: Key related options. +* GPG Input and Output:: Input and Output. +* OpenPGP Options:: OpenPGP protocol specific options. +* Compliance Options:: Compliance options. +* GPG Esoteric Options:: Doing things one usually doesn't want to do. +* Deprecated Options:: Deprecated options. +@end menu + +Long options can be put in an options file (default +"~/.gnupg/gpg.conf"). Short option names will not work - for example, +"armor" is a valid option for the options file, while "a" is not. Do not +write the 2 dashes, but simply the name of the option and any required +arguments. Lines with a hash ('#') as the first non-white-space +character are ignored. Commands may be put in this file too, but that is +not generally useful as the command will execute automatically with +every execution of gpg. + +Please remember that option parsing stops as soon as a non-option is +encountered, you can explicitly stop parsing by using the special option +@option{--}. + +@c ******************************************* +@c ******** CONFIGURATION OPTIONS ********** +@c ******************************************* +@node GPG Configuration Options +@subsection How to change the configuration + +These options are used to change the configuration and most of them +are usually found in the option file. + +@table @gnupgtabopt + +@item --default-key @var{name} +@opindex default-key +Use @var{name} as the default key to sign with. If this option is not +used, the default key is the first key found in the secret keyring. +Note that @option{-u} or @option{--local-user} overrides this option. +This option may be given multiple times. In this case, the last key +for which a secret key is available is used. If there is no secret +key available for any of the specified values, GnuPG will not emit an +error message but continue as if this option wasn't given. + +@item --default-recipient @var{name} +@opindex default-recipient +Use @var{name} as default recipient if option @option{--recipient} is +not used and don't ask if this is a valid one. @var{name} must be +non-empty. + +@item --default-recipient-self +@opindex default-recipient-self +Use the default key as default recipient if option @option{--recipient} is not +used and don't ask if this is a valid one. The default key is the first +one from the secret keyring or the one set with @option{--default-key}. + +@item --no-default-recipient +@opindex no-default-recipient +Reset @option{--default-recipient} and @option{--default-recipient-self}. +Should not be used in an option file. + +@item -v, --verbose +@opindex verbose +Give more information during processing. If used +twice, the input data is listed in detail. + +@item --no-verbose +@opindex no-verbose +Reset verbose level to 0. Should not be used in an option file. + +@item -q, --quiet +@opindex quiet +Try to be as quiet as possible. Should not be used in an option file. + +@item --batch +@itemx --no-batch +@opindex batch +@opindex no-batch +Use batch mode. Never ask, do not allow interactive commands. +@option{--no-batch} disables this option. Note that even with a +filename given on the command line, gpg might still need to read from +STDIN (in particular if gpg figures that the input is a +detached signature and no data file has been specified). Thus if you +do not want to feed data via STDIN, you should connect STDIN to +@file{/dev/null}. + +It is highly recommended to use this option along with the options +@option{--status-fd} and @option{--with-colons} for any unattended use of +@command{gpg}. Should not be used in an option file. + +@item --no-tty +@opindex no-tty +Make sure that the TTY (terminal) is never used for any output. +This option is needed in some cases because GnuPG sometimes prints +warnings to the TTY even if @option{--batch} is used. + +@item --yes +@opindex yes +Assume "yes" on most questions. Should not be used in an option file. + +@item --no +@opindex no +Assume "no" on most questions. Should not be used in an option file. + + +@item --list-options @var{parameters} +@opindex list-options +This is a space or comma delimited string that gives options used when +listing keys and signatures (that is, @option{--list-keys}, +@option{--check-signatures}, @option{--list-public-keys}, +@option{--list-secret-keys}, and the @option{--edit-key} functions). +Options can be prepended with a @option{no-} (after the two dashes) to +give the opposite meaning. The options are: + +@table @asis + + @item show-photos + @opindex list-options:show-photos + Causes @option{--list-keys}, @option{--check-signatures}, + @option{--list-public-keys}, and @option{--list-secret-keys} to + display any photo IDs attached to the key. Defaults to no. See also + @option{--photo-viewer}. Does not work with @option{--with-colons}: + see @option{--attribute-fd} for the appropriate way to get photo data + for scripts and other frontends. + + @item show-usage + @opindex list-options:show-usage + Show usage information for keys and subkeys in the standard key + listing. This is a list of letters indicating the allowed usage for a + key (@code{E}=encryption, @code{S}=signing, @code{C}=certification, + @code{A}=authentication). Defaults to yes. + + @item show-policy-urls + @opindex list-options:show-policy-urls + Show policy URLs in the @option{--check-signatures} + listings. Defaults to no. + + @item show-notations + @itemx show-std-notations + @itemx show-user-notations + @opindex list-options:show-notations + @opindex list-options:show-std-notations + @opindex list-options:show-user-notations + Show all, IETF standard, or user-defined signature notations in the + @option{--check-signatures} listings. Defaults to no. + + @item show-keyserver-urls + @opindex list-options:show-keyserver-urls + Show any preferred keyserver URL in the + @option{--check-signatures} listings. Defaults to no. + + @item show-uid-validity + @opindex list-options:show-uid-validity + Display the calculated validity of user IDs during key listings. + Defaults to yes. + + @item show-unusable-uids + @opindex list-options:show-unusable-uids + Show revoked and expired user IDs in key listings. Defaults to no. + + @item show-unusable-subkeys + @opindex list-options:show-unusable-subkeys + Show revoked and expired subkeys in key listings. Defaults to no. + + @item show-keyring + @opindex list-options:show-keyring + Display the keyring name at the head of key listings to show which + keyring a given key resides on. Defaults to no. + + @item show-sig-expire + @opindex list-options:show-sig-expire + Show signature expiration dates (if any) during + @option{--check-signatures} listings. Defaults to no. + + @item show-sig-subpackets + @opindex list-options:show-sig-subpackets + Include signature subpackets in the key listing. This option can take an + optional argument list of the subpackets to list. If no argument is + passed, list all subpackets. Defaults to no. This option is only + meaningful when using @option{--with-colons} along with + @option{--check-signatures}. + + @item show-only-fpr-mbox + @opindex list-options:show-only-fpr-mbox + For each user-id which has a valid mail address print + only the fingerprint followed by the mail address. +@end table + +@item --verify-options @var{parameters} +@opindex verify-options +This is a space or comma delimited string that gives options used when +verifying signatures. Options can be prepended with a `no-' to give +the opposite meaning. The options are: + +@table @asis + + @item show-photos + @opindex verify-options:show-photos + Display any photo IDs present on the key that issued the signature. + Defaults to no. See also @option{--photo-viewer}. + + @item show-policy-urls + @opindex verify-options:show-policy-urls + Show policy URLs in the signature being verified. Defaults to yes. + + @item show-notations + @itemx show-std-notations + @itemx show-user-notations + @opindex verify-options:show-notations + @opindex verify-options:show-std-notations + @opindex verify-options:show-user-notations + Show all, IETF standard, or user-defined signature notations in the + signature being verified. Defaults to IETF standard. + + @item show-keyserver-urls + @opindex verify-options:show-keyserver-urls + Show any preferred keyserver URL in the signature being verified. + Defaults to yes. + + @item show-uid-validity + @opindex verify-options:show-uid-validity + Display the calculated validity of the user IDs on the key that issued + the signature. Defaults to yes. + + @item show-unusable-uids + @opindex verify-options:show-unusable-uids + Show revoked and expired user IDs during signature verification. + Defaults to no. + + @item show-primary-uid-only + @opindex verify-options:show-primary-uid-only + Show only the primary user ID during signature verification. That is + all the AKA lines as well as photo Ids are not shown with the signature + verification status. + + @item pka-lookups + @opindex verify-options:pka-lookups + Enable PKA lookups to verify sender addresses. Note that PKA is based + on DNS, and so enabling this option may disclose information on when + and what signatures are verified or to whom data is encrypted. This + is similar to the "web bug" described for the @option{--auto-key-retrieve} + option. + + @item pka-trust-increase + @opindex verify-options:pka-trust-increase + Raise the trust in a signature to full if the signature passes PKA + validation. This option is only meaningful if pka-lookups is set. +@end table + +@item --enable-large-rsa +@itemx --disable-large-rsa +@opindex enable-large-rsa +@opindex disable-large-rsa +With --generate-key and --batch, enable the creation of RSA secret keys as +large as 8192 bit. Note: 8192 bit is more than is generally +recommended. These large keys don't significantly improve security, +but they are more expensive to use, and their signatures and +certifications are larger. This option is only available if the +binary was build with large-secmem support. + +@item --enable-dsa2 +@itemx --disable-dsa2 +@opindex enable-dsa2 +@opindex disable-dsa2 +Enable hash truncation for all DSA keys even for old DSA Keys up to +1024 bit. This is also the default with @option{--openpgp}. Note +that older versions of GnuPG also required this flag to allow the +generation of DSA larger than 1024 bit. + +@item --photo-viewer @var{string} +@opindex photo-viewer +This is the command line that should be run to view a photo ID. "%i" +will be expanded to a filename containing the photo. "%I" does the +same, except the file will not be deleted once the viewer exits. +Other flags are "%k" for the key ID, "%K" for the long key ID, "%f" +for the key fingerprint, "%t" for the extension of the image type +(e.g. "jpg"), "%T" for the MIME type of the image (e.g. "image/jpeg"), +"%v" for the single-character calculated validity of the image being +viewed (e.g. "f"), "%V" for the calculated validity as a string (e.g. +"full"), "%U" for a base32 encoded hash of the user ID, +and "%%" for an actual percent sign. If neither %i or %I are present, +then the photo will be supplied to the viewer on standard input. + +On Unix the default viewer is +@code{xloadimage -fork -quiet -title 'KeyID 0x%k' STDIN} +with a fallback to +@code{display -title 'KeyID 0x%k' %i} +and finally to +@code{xdg-open %i}. +On Windows +@code{!ShellExecute 400 %i} is used; here the command is a meta +command to use that API call followed by a wait time in milliseconds +which is used to give the viewer time to read the temporary image file +before gpg deletes it again. Note that if your image viewer program +is not secure, then executing it from gpg does not make it secure. + +@item --exec-path @var{string} +@opindex exec-path +@efindex PATH +Sets a list of directories to search for photo viewers If not provided +photo viewers use the @code{PATH} environment variable. + +@item --keyring @var{file} +@opindex keyring +Add @var{file} to the current list of keyrings. If @var{file} begins +with a tilde and a slash, these are replaced by the $HOME directory. If +the filename does not contain a slash, it is assumed to be in the GnuPG +home directory ("~/.gnupg" unless @option{--homedir} or $GNUPGHOME is +used). + +Note that this adds a keyring to the current list. If the intent is to +use the specified keyring alone, use @option{--keyring} along with +@option{--no-default-keyring}. + +If the option @option{--no-keyring} has been used no keyrings will +be used at all. + +@item --primary-keyring @var{file} +@opindex primary-keyring +This is a varian of @option{--keyring} and designates @var{file} as +the primary public keyring. This means that newly imported keys (via +@option{--import} or keyserver @option{--recv-from}) will go to this +keyring. + + +@item --secret-keyring @var{file} +@opindex secret-keyring +This is an obsolete option and ignored. All secret keys are stored in +the @file{private-keys-v1.d} directory below the GnuPG home directory. + +@item --trustdb-name @var{file} +@opindex trustdb-name +Use @var{file} instead of the default trustdb. If @var{file} begins +with a tilde and a slash, these are replaced by the $HOME directory. If +the filename does not contain a slash, it is assumed to be in the GnuPG +home directory (@file{~/.gnupg} if @option{--homedir} or $GNUPGHOME is +not used). + +@include opt-homedir.texi + + +@item --display-charset @var{name} +@opindex display-charset +Set the name of the native character set. This is used to convert some +informational strings like user IDs to the proper UTF-8 encoding. +Note that this has nothing to do with the character set of data to be +encrypted or signed; GnuPG does not recode user-supplied data. If this +option is not used, the default character set is determined from the +current locale. A verbosity level of 3 shows the chosen set. This +option should not be used on Windows. Valid values for @var{name} +are: + +@table @asis + + @item iso-8859-1 + @opindex display-charset:iso-8859-1 + This is the Latin 1 set. + + @item iso-8859-2 + @opindex display-charset:iso-8859-2 + The Latin 2 set. + + @item iso-8859-15 + @opindex display-charset:iso-8859-15 + This is currently an alias for + the Latin 1 set. + + @item koi8-r + @opindex display-charset:koi8-r + The usual Russian set (RFC-1489). + + @item utf-8 + @opindex display-charset:utf-8 + Bypass all translations and assume + that the OS uses native UTF-8 encoding. +@end table + +@item --utf8-strings +@itemx --no-utf8-strings +@opindex utf8-strings +Assume that command line arguments are given as UTF-8 strings. The +default (@option{--no-utf8-strings}) is to assume that arguments are +encoded in the character set as specified by +@option{--display-charset}. These options affect all following +arguments. Both options may be used multiple times. +This option should not be used in an option file. + +This option has no effect on Windows. There the internal used UTF-8 +encoding is translated for console input and output. The command line +arguments are expected as Unicode and translated to UTF-8. Thus when +calling this program from another, make sure to use the Unicode +version of CreateProcess. + +@anchor{gpg-option --options} +@item --options @var{file} +@opindex options +Read options from @var{file} and do not try to read them from the +default options file in the homedir (see @option{--homedir}). This +option is ignored if used in an options file. + +@item --no-options +@opindex no-options +Shortcut for @option{--options /dev/null}. This option is detected +before an attempt to open an option file. Using this option will also +prevent the creation of a @file{~/.gnupg} homedir. + +@item -z @var{n} +@itemx --compress-level @var{n} +@itemx --bzip2-compress-level @var{n} +@opindex compress-level +@opindex bzip2-compress-level +Set compression level to @var{n} for the ZIP and ZLIB compression +algorithms. The default is to use the default compression level of zlib +(normally 6). @option{--bzip2-compress-level} sets the compression level +for the BZIP2 compression algorithm (defaulting to 6 as well). This is a +different option from @option{--compress-level} since BZIP2 uses a +significant amount of memory for each additional compression level. +@option{-z} sets both. A value of 0 for @var{n} disables compression. + +@item --bzip2-decompress-lowmem +@opindex bzip2-decompress-lowmem +Use a different decompression method for BZIP2 compressed files. This +alternate method uses a bit more than half the memory, but also runs +at half the speed. This is useful under extreme low memory +circumstances when the file was originally compressed at a high +@option{--bzip2-compress-level}. + + +@item --mangle-dos-filenames +@itemx --no-mangle-dos-filenames +@opindex mangle-dos-filenames +@opindex no-mangle-dos-filenames +Older version of Windows cannot handle filenames with more than one +dot. @option{--mangle-dos-filenames} causes GnuPG to replace (rather +than add to) the extension of an output filename to avoid this +problem. This option is off by default and has no effect on non-Windows +platforms. + +@item --ask-cert-level +@itemx --no-ask-cert-level +@opindex ask-cert-level +When making a key signature, prompt for a certification level. If this +option is not specified, the certification level used is set via +@option{--default-cert-level}. See @option{--default-cert-level} for +information on the specific levels and how they are +used. @option{--no-ask-cert-level} disables this option. This option +defaults to no. + +@item --default-cert-level @var{n} +@opindex default-cert-level +The default to use for the check level when signing a key. + +0 means you make no particular claim as to how carefully you verified +the key. + +1 means you believe the key is owned by the person who claims to own +it but you could not, or did not verify the key at all. This is +useful for a "persona" verification, where you sign the key of a +pseudonymous user. + +2 means you did casual verification of the key. For example, this +could mean that you verified the key fingerprint and checked the +user ID on the key against a photo ID. + +3 means you did extensive verification of the key. For example, this +could mean that you verified the key fingerprint with the owner of the +key in person, and that you checked, by means of a hard to forge +document with a photo ID (such as a passport) that the name of the key +owner matches the name in the user ID on the key, and finally that you +verified (by exchange of email) that the email address on the key +belongs to the key owner. + +Note that the examples given above for levels 2 and 3 are just that: +examples. In the end, it is up to you to decide just what "casual" +and "extensive" mean to you. + +This option defaults to 0 (no particular claim). + +@item --min-cert-level +@opindex min-cert-level +When building the trust database, treat any signatures with a +certification level below this as invalid. Defaults to 2, which +disregards level 1 signatures. Note that level 0 "no particular +claim" signatures are always accepted. + +@item --trusted-key @var{long key ID or fingerprint} +@opindex trusted-key +Assume that the specified key (which should be given as fingerprint) +is as trustworthy as one of your own secret keys. This option is +useful if you don't want to keep your secret keys (or one of them) +online but still want to be able to check the validity of a given +recipient's or signator's key. If the given key is not locally +available but an LDAP keyserver is configured the missing key is +imported from that server. + +@item --trust-model @{pgp|classic|tofu|tofu+pgp|direct|always|auto@} +@opindex trust-model +Set what trust model GnuPG should follow. The models are: + +@table @asis + + @item pgp + @opindex trust-model:pgp + This is the Web of Trust combined with trust signatures as used in PGP + 5.x and later. This is the default trust model when creating a new + trust database. + + @item classic + @opindex trust-model:classic + This is the standard Web of Trust as introduced by PGP 2. + + @item tofu + @opindex trust-model:tofu + @anchor{trust-model-tofu} + TOFU stands for Trust On First Use. In this trust model, the first + time a key is seen, it is memorized. If later another key with a + user id with the same email address is seen, both keys are marked as + suspect. In that case, the next time either is used, a warning is + displayed describing the conflict, why it might have occurred + (either the user generated a new key and failed to cross sign the + old and new keys, the key is forgery, or a man-in-the-middle attack + is being attempted), and the user is prompted to manually confirm + the validity of the key in question. + + Because a potential attacker is able to control the email address + and thereby circumvent the conflict detection algorithm by using an + email address that is similar in appearance to a trusted email + address, whenever a message is verified, statistics about the number + of messages signed with the key are shown. In this way, a user can + easily identify attacks using fake keys for regular correspondents. + + When compared with the Web of Trust, TOFU offers significantly + weaker security guarantees. In particular, TOFU only helps ensure + consistency (that is, that the binding between a key and email + address doesn't change). A major advantage of TOFU is that it + requires little maintenance to use correctly. To use the web of + trust properly, you need to actively sign keys and mark users as + trusted introducers. This is a time-consuming process and anecdotal + evidence suggests that even security-conscious users rarely take the + time to do this thoroughly and instead rely on an ad-hoc TOFU + process. + + In the TOFU model, policies are associated with bindings between + keys and email addresses (which are extracted from user ids and + normalized). There are five policies, which can be set manually + using the @option{--tofu-policy} option. The default policy can be + set using the @option{--tofu-default-policy} option. + + The TOFU policies are: @code{auto}, @code{good}, @code{unknown}, + @code{bad} and @code{ask}. The @code{auto} policy is used by + default (unless overridden by @option{--tofu-default-policy}) and + marks a binding as marginally trusted. The @code{good}, + @code{unknown} and @code{bad} policies mark a binding as fully + trusted, as having unknown trust or as having trust never, + respectively. The @code{unknown} policy is useful for just using + TOFU to detect conflicts, but to never assign positive trust to a + binding. The final policy, @code{ask} prompts the user to indicate + the binding's trust. If batch mode is enabled (or input is + inappropriate in the context), then the user is not prompted and the + @code{undefined} trust level is returned. + + @item tofu+pgp + @opindex trust-model:tofu+pgp + This trust model combines TOFU with the Web of Trust. This is done + by computing the trust level for each model and then taking the + maximum trust level where the trust levels are ordered as follows: + @code{unknown < undefined < marginal < fully < ultimate < expired < + never}. + + By setting @option{--tofu-default-policy=unknown}, this model can be + used to implement the web of trust with TOFU's conflict detection + algorithm, but without its assignment of positive trust values, + which some security-conscious users don't like. + + @item direct + @opindex trust-model:direct + Key validity is set directly by the user and not calculated via the + Web of Trust. This model is solely based on the key and does + not distinguish user IDs. Note that when changing to another trust + model the trust values assigned to a key are transformed into + ownertrust values, which also indicate how you trust the owner of + the key to sign other keys. + + @item always + @opindex trust-model:always + Skip key validation and assume that used keys are always fully + valid. You generally won't use this unless you are using some + external validation scheme. This option also suppresses the + "[uncertain]" tag printed with signature checks when there is no + evidence that the user ID is bound to the key. Note that this + trust model still does not allow the use of expired, revoked, or + disabled keys. + + @item auto + @opindex trust-model:auto + Select the trust model depending on whatever the internal trust + database says. This is the default model if such a database already + exists. Note that a tofu trust model is not considered here and + must be enabled explicitly. +@end table + +@item --auto-key-locate @var{mechanisms} +@itemx --no-auto-key-locate +@opindex auto-key-locate +GnuPG can automatically locate and retrieve keys as needed using this +option. This happens when encrypting to an email address (in the +"user@@example.com" form), and there are no "user@@example.com" keys +on the local keyring. This option takes any number of the mechanisms +listed below, in the order they are to be tried. Instead of listing +the mechanisms as comma delimited arguments, the option may also be +given several times to add more mechanism. The option +@option{--no-auto-key-locate} or the mechanism "clear" resets the +list. The default is "local,wkd". + +@table @asis + + @item cert + Locate a key using DNS CERT, as specified in RFC-4398. + + @item pka + Locate a key using DNS PKA. + + @item dane + Locate a key using DANE, as specified + in draft-ietf-dane-openpgpkey-05.txt. + + @item wkd + Locate a key using the Web Key Directory protocol. + + @item ldap + Using DNS Service Discovery, check the domain in question for any LDAP + keyservers to use. If this fails, attempt to locate the key using the + PGP Universal method of checking @samp{ldap://keys.(thedomain)}. + + @item ntds + Locate the key using the Active Directory (Windows only). This + method also allows to search by fingerprint using the command + @option{--locate-external-key}. Note that this mechanism is + actually a shortcut for the mechanism @samp{keyserver} but using + "ldap:///" as the keyserver. + + @item keyserver + Locate a key using a keyserver. This method also allows to search + by fingerprint using the command @option{--locate-external-key} if + any of the configured keyservers is an LDAP server. + + @item keyserver-URL + In addition, a keyserver URL as used in the @command{dirmngr} + configuration may be used here to query that particular keyserver. + This method also allows to search by fingerprint using the command + @option{--locate-external-key} if the URL specifies an LDAP server. + + @item local + Locate the key using the local keyrings. This mechanism allows the user to + select the order a local key lookup is done. Thus using + @samp{--auto-key-locate local} is identical to + @option{--no-auto-key-locate}. + + @item nodefault + This flag disables the standard local key lookup, done before any of the + mechanisms defined by the @option{--auto-key-locate} are tried. The + position of this mechanism in the list does not matter. It is not + required if @code{local} is also used. + + @item clear + Clear all defined mechanisms. This is useful to override + mechanisms given in a config file. Note that a @code{nodefault} in + @var{mechanisms} will also be cleared unless it is given after the + @code{clear}. + +@end table + + +@item --auto-key-import +@itemx --no-auto-key-import +@opindex auto-key-import +@opindex no-auto-key-import +This is an offline mechanism to get a missing key for signature +verification and for later encryption to this key. If this option is +enabled and a signature includes an embedded key, that key is +used to verify the signature and on verification success that key is +imported. The default is @option{--no-auto-key-import}. + +On the sender (signing) site the option @option{--include-key-block} +needs to be used to put the public part of the signing key as “Key +Block subpacket†into the signature. + +@item --auto-key-retrieve +@itemx --no-auto-key-retrieve +@opindex auto-key-retrieve +@opindex no-auto-key-retrieve +These options enable or disable the automatic retrieving of keys from +a keyserver when verifying signatures made by keys that are not on the +local keyring. The default is @option{--no-auto-key-retrieve}. + +The order of methods tried to lookup the key is: + +1. If the option @option{--auto-key-import} is set and the signatures +includes an embedded key, that key is used to verify the +signature and on verification success that key is imported. + +2. If a preferred keyserver is specified in the signature and the +option @option{honor-keyserver-url} is active (which is not the +default), that keyserver is tried. Note that the creator of the +signature uses the option @option{--sig-keyserver-url} to specify the +preferred keyserver for data signatures. + +3. If the signature has the Signer's UID set (e.g. using +@option{--sender} while creating the signature) a Web Key Directory +(WKD) lookup is done. This is the default configuration but can be +disabled by removing WKD from the auto-key-locate list or by using the +option @option{--disable-signer-uid}. + +4. If the option @option{honor-pka-record} is active, the legacy PKA +method is used. + +5. If any keyserver is configured and the Issuer Fingerprint is part +of the signature (since GnuPG 2.1.16), the configured keyservers are +tried. + +Note that this option makes a "web bug" like behavior possible. +Keyserver or Web Key Directory operators can see which keys you +request, so by sending you a message signed by a brand new key (which +you naturally will not have on your local keyring), the operator can +tell both your IP address and the time when you verified the +signature. + +@item --keyid-format @{none|short|0xshort|long|0xlong@} +@opindex keyid-format +Select how to display key IDs. "none" does not show the key ID at all +but shows the fingerprint in a separate line. "short" is the +traditional 8-character key ID. "long" is the more accurate (but less +convenient) 16-character key ID. Add an "0x" to either to include an +"0x" at the beginning of the key ID, as in 0x99242560. Note that this +option is ignored if the option @option{--with-colons} is used. + +@item --keyserver @var{name} +@opindex keyserver +This option is deprecated - please use the @option{--keyserver} in +@file{dirmngr.conf} instead. + +Use @var{name} as your keyserver. This is the server that +@option{--receive-keys}, @option{--send-keys}, and @option{--search-keys} +will communicate with to receive keys from, send keys to, and search for +keys on. The format of the @var{name} is a URI: +`scheme:[//]keyservername[:port]' The scheme is the type of keyserver: +"hkp"/"hkps" for the HTTP (or compatible) keyservers or "ldap"/"ldaps" +for the LDAP keyservers. Note that your particular installation of +GnuPG may have other keyserver types available as well. Keyserver +schemes are case-insensitive. + +Most keyservers synchronize with each other, so there is generally no +need to send keys to more than one server. The keyserver +@code{hkp://keys.gnupg.net} uses round robin DNS to give a different +keyserver each time you use it. + +@item --keyserver-options @{@var{name}=@var{value}@} +@opindex keyserver-options +This is a space or comma delimited string that gives options for the +keyserver. Options can be prefixed with a `no-' to give the opposite +meaning. Valid import-options or export-options may be used here as +well to apply to importing (@option{--recv-key}) or exporting +(@option{--send-key}) a key from a keyserver. While not all options +are available for all keyserver types, some common options are: + +@table @asis + + @item include-revoked + When searching for a key with @option{--search-keys}, include keys that + are marked on the keyserver as revoked. Note that not all keyservers + differentiate between revoked and unrevoked keys, and for such + keyservers this option is meaningless. Note also that most keyservers do + not have cryptographic verification of key revocations, and so turning + this option off may result in skipping keys that are incorrectly marked + as revoked. + + @item include-disabled + When searching for a key with @option{--search-keys}, include keys that + are marked on the keyserver as disabled. Note that this option is not + used with HKP keyservers. + + @item auto-key-retrieve + This is an obsolete alias for the option @option{auto-key-retrieve}. + Please do not use it; it will be removed in future versions.. + + @item honor-keyserver-url + When using @option{--refresh-keys}, if the key in question has a preferred + keyserver URL, then use that preferred keyserver to refresh the key + from. In addition, if auto-key-retrieve is set, and the signature + being verified has a preferred keyserver URL, then use that preferred + keyserver to fetch the key from. Note that this option introduces a + "web bug": The creator of the key can see when the keys is + refreshed. Thus this option is not enabled by default. + + @item honor-pka-record + If @option{--auto-key-retrieve} is used, and the signature being + verified has a PKA record, then use the PKA information to fetch + the key. Defaults to "yes". + + @item include-subkeys + When receiving a key, include subkeys as potential targets. Note that + this option is not used with HKP keyservers, as they do not support + retrieving keys by subkey id. + + @item timeout + @itemx http-proxy=@var{value} + @itemx verbose + @itemx debug + @itemx check-cert + @item ca-cert-file + These options have no more function since GnuPG 2.1. Use the + @code{dirmngr} configuration options instead. + +@end table + +The default list of options is: "self-sigs-only, import-clean, +repair-keys, repair-pks-subkey-bug, export-attributes, +honor-pka-record". However, if +the actual used source is an LDAP server "no-self-sigs-only" is +assumed unless "self-sigs-only" has been explictly configured. + + +@item --completes-needed @var{n} +@opindex compliant-needed +Number of completely trusted users to introduce a new +key signer (defaults to 1). + +@item --marginals-needed @var{n} +@opindex marginals-needed +Number of marginally trusted users to introduce a new +key signer (defaults to 3) + +@item --tofu-default-policy @{auto|good|unknown|bad|ask@} +@opindex tofu-default-policy +The default TOFU policy (defaults to @code{auto}). For more +information about the meaning of this option, @pxref{trust-model-tofu}. + +@item --max-cert-depth @var{n} +@opindex max-cert-depth +Maximum depth of a certification chain (default is 5). + +@item --no-sig-cache +@opindex no-sig-cache +Do not cache the verification status of key signatures. +Caching gives a much better performance in key listings. However, if +you suspect that your public keyring is not safe against write +modifications, you can use this option to disable the caching. It +probably does not make sense to disable it because all kind of damage +can be done if someone else has write access to your public keyring. + +@item --auto-check-trustdb +@itemx --no-auto-check-trustdb +@opindex auto-check-trustdb +If GnuPG feels that its information about the Web of Trust has to be +updated, it automatically runs the @option{--check-trustdb} command +internally. This may be a time consuming +process. @option{--no-auto-check-trustdb} disables this option. + +@item --use-agent +@itemx --no-use-agent +@opindex use-agent +This is dummy option. @command{@gpgname} always requires the agent. + +@item --gpg-agent-info +@opindex gpg-agent-info +This is dummy option. It has no effect when used with @command{@gpgname}. + + +@item --agent-program @var{file} +@opindex agent-program +Specify an agent program to be used for secret key operations. The +default value is determined by running @command{gpgconf} with the +option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is +used for a regression test suite hack and may thus not be used in the +file name. + +@item --dirmngr-program @var{file} +@opindex dirmngr-program +Specify a dirmngr program to be used for keyserver access. The +default value is @file{@value{BINDIR}/dirmngr}. + +@item --disable-dirmngr +Entirely disable the use of the Dirmngr. + +@item --no-autostart +@opindex no-autostart +Do not start the gpg-agent or the dirmngr if it has not yet been +started and its service is required. This option is mostly useful on +machines where the connection to gpg-agent has been redirected to +another machines. If dirmngr is required on the remote machine, it +may be started manually using @command{gpgconf --launch dirmngr}. + +@item --lock-once +@opindex lock-once +Lock the databases the first time a lock is requested +and do not release the lock until the process +terminates. + +@item --lock-multiple +@opindex lock-multiple +Release the locks every time a lock is no longer +needed. Use this to override a previous @option{--lock-once} +from a config file. + +@item --lock-never +@opindex lock-never +Disable locking entirely. This option should be used only in very +special environments, where it can be assured that only one process +is accessing those files. A bootable floppy with a stand-alone +encryption system will probably use this. Improper usage of this +option may lead to data and key corruption. + +@item --exit-on-status-write-error +@opindex exit-on-status-write-error +This option will cause write errors on the status FD to immediately +terminate the process. That should in fact be the default but it never +worked this way and thus we need an option to enable this, so that the +change won't break applications which close their end of a status fd +connected pipe too early. Using this option along with +@option{--enable-progress-filter} may be used to cleanly cancel long +running gpg operations. + +@item --limit-card-insert-tries @var{n} +@opindex limit-card-insert-tries +With @var{n} greater than 0 the number of prompts asking to insert a +smartcard gets limited to N-1. Thus with a value of 1 gpg won't at +all ask to insert a card if none has been inserted at startup. This +option is useful in the configuration file in case an application does +not know about the smartcard support and waits ad infinitum for an +inserted card. + +@item --no-random-seed-file +@opindex no-random-seed-file +GnuPG uses a file to store its internal random pool over invocations. +This makes random generation faster; however sometimes write operations +are not desired. This option can be used to achieve that with the cost of +slower random generation. + +@item --no-greeting +@opindex no-greeting +Suppress the initial copyright message. + +@item --no-secmem-warning +@opindex no-secmem-warning +Suppress the warning about "using insecure memory". + +@item --no-permission-warning +@opindex permission-warning +Suppress the warning about unsafe file and home directory (@option{--homedir}) +permissions. Note that the permission checks that GnuPG performs are +not intended to be authoritative, but rather they simply warn about +certain common permission problems. Do not assume that the lack of a +warning means that your system is secure. + +Note that the warning for unsafe @option{--homedir} permissions cannot be +suppressed in the gpg.conf file, as this would allow an attacker to +place an unsafe gpg.conf file in place, and use this file to suppress +warnings about itself. The @option{--homedir} permissions warning may only be +suppressed on the command line. + +@item --require-secmem +@itemx --no-require-secmem +@opindex require-secmem +Refuse to run if GnuPG cannot get secure memory. Defaults to no +(i.e. run, but give a warning). + + +@item --require-cross-certification +@itemx --no-require-cross-certification +@opindex require-cross-certification +When verifying a signature made from a subkey, ensure that the cross +certification "back signature" on the subkey is present and valid. This +protects against a subtle attack against subkeys that can sign. +Defaults to @option{--require-cross-certification} for +@command{@gpgname}. + +@item --expert +@itemx --no-expert +@opindex expert +Allow the user to do certain nonsensical or "silly" things like +signing an expired or revoked key, or certain potentially incompatible +things like generating unusual key types. This also disables certain +warning messages about potentially incompatible actions. As the name +implies, this option is for experts only. If you don't fully +understand the implications of what it allows you to do, leave this +off. @option{--no-expert} disables this option. + +@end table + + +@c ******************************************* +@c ******** KEY RELATED OPTIONS ************ +@c ******************************************* +@node GPG Key related Options +@subsection Key related options + +@table @gnupgtabopt + +@item --recipient @var{name} +@itemx -r +@opindex recipient +Encrypt for user id @var{name}. If this option or +@option{--hidden-recipient} is not specified, GnuPG asks for the user-id +unless @option{--default-recipient} is given. + +@item --hidden-recipient @var{name} +@itemx -R +@opindex hidden-recipient +Encrypt for user ID @var{name}, but hide the key ID of this user's +key. This option helps to hide the receiver of the message and is a +limited countermeasure against traffic analysis. If this option or +@option{--recipient} is not specified, GnuPG asks for the user ID unless +@option{--default-recipient} is given. + +@item --recipient-file @var{file} +@itemx -f +@opindex recipient-file +This option is similar to @option{--recipient} except that it +encrypts to a key stored in the given file. @var{file} must be the +name of a file containing exactly one key. @command{@gpgname} assumes that +the key in this file is fully valid. + +@item --hidden-recipient-file @var{file} +@itemx -F +@opindex hidden-recipient-file +This option is similar to @option{--hidden-recipient} except that it +encrypts to a key stored in the given file. @var{file} must be the +name of a file containing exactly one key. @command{@gpgname} assumes that +the key in this file is fully valid. + +@item --encrypt-to @var{name} +@opindex encrypt-to +Same as @option{--recipient} but this one is intended for use in the +options file and may be used with your own user-id as an +"encrypt-to-self". These keys are only used when there are other +recipients given either by use of @option{--recipient} or by the asked +user id. No trust checking is performed for these user ids and even +disabled keys can be used. + +@item --hidden-encrypt-to @var{name} +@opindex hidden-encrypt-to +Same as @option{--hidden-recipient} but this one is intended for use in the +options file and may be used with your own user-id as a hidden +"encrypt-to-self". These keys are only used when there are other +recipients given either by use of @option{--recipient} or by the asked user id. +No trust checking is performed for these user ids and even disabled +keys can be used. + +@item --no-encrypt-to +@opindex no-encrypt-to +Disable the use of all @option{--encrypt-to} and +@option{--hidden-encrypt-to} keys. + +@item --group @{@var{name}=@var{value}@} +@opindex group +Sets up a named group, which is similar to aliases in email programs. +Any time the group name is a recipient (@option{-r} or +@option{--recipient}), it will be expanded to the values +specified. Multiple groups with the same name are automatically merged +into a single group. + +The values are @code{key IDs} or fingerprints, but any key description +is accepted. Note that a value with spaces in it will be treated as +two different values. Note also there is only one level of expansion +--- you cannot make an group that points to another group. When used +from the command line, it may be necessary to quote the argument to +this option to prevent the shell from treating it as multiple +arguments. + +@item --ungroup @var{name} +@opindex ungroup +Remove a given entry from the @option{--group} list. + +@item --no-groups +@opindex no-groups +Remove all entries from the @option{--group} list. + +@item --local-user @var{name} +@itemx -u +@opindex local-user +Use @var{name} as the key to sign with. Note that this option overrides +@option{--default-key}. + +@item --sender @var{mbox} +@opindex sender +This option has two purposes. @var{mbox} must either be a complete +user id with a proper mail address or just a mail address. When +creating a signature this option tells gpg the user id of a key used +to make a signature if the key was not directly specified by a user +id. When verifying a signature the @var{mbox} is used to restrict the +information printed by the TOFU code to matching user ids. + +@item --try-secret-key @var{name} +@opindex try-secret-key +For hidden recipients GPG needs to know the keys to use for trial +decryption. The key set with @option{--default-key} is always tried +first, but this is often not sufficient. This option allows setting more +keys to be used for trial decryption. Although any valid user-id +specification may be used for @var{name} it makes sense to use at least +the long keyid to avoid ambiguities. Note that gpg-agent might pop up a +pinentry for a lot keys to do the trial decryption. If you want to stop +all further trial decryption you may use close-window button instead of +the cancel button. + +@item --try-all-secrets +@opindex try-all-secrets +Don't look at the key ID as stored in the message but try all secret +keys in turn to find the right decryption key. This option forces the +behaviour as used by anonymous recipients (created by using +@option{--throw-keyids} or @option{--hidden-recipient}) and might come +handy in case where an encrypted message contains a bogus key ID. + +@item --skip-hidden-recipients +@itemx --no-skip-hidden-recipients +@opindex skip-hidden-recipients +@opindex no-skip-hidden-recipients +During decryption skip all anonymous recipients. This option helps in +the case that people use the hidden recipients feature to hide their +own encrypt-to key from others. If one has many secret keys this +may lead to a major annoyance because all keys are tried in turn to +decrypt something which was not really intended for it. The drawback +of this option is that it is currently not possible to decrypt a +message which includes real anonymous recipients. + + +@end table + +@c ******************************************* +@c ******** INPUT AND OUTPUT *************** +@c ******************************************* +@node GPG Input and Output +@subsection Input and Output + +@table @gnupgtabopt + +@item --armor +@itemx -a +@opindex armor +Create ASCII armored output. The default is to create the binary +OpenPGP format. + +@item --no-armor +@opindex no-armor +Assume the input data is not in ASCII armored format. + +@item --output @var{file} +@itemx -o @var{file} +@opindex output +Write output to @var{file}. To write to stdout use @code{-} as the +filename. + +@item --max-output @var{n} +@opindex max-output +This option sets a limit on the number of bytes that will be generated +when processing a file. Since OpenPGP supports various levels of +compression, it is possible that the plaintext of a given message may be +significantly larger than the original OpenPGP message. While GnuPG +works properly with such messages, there is often a desire to set a +maximum file size that will be generated before processing is forced to +stop by the OS limits. Defaults to 0, which means "no limit". + +@item --input-size-hint @var{n} +@opindex input-size-hint +This option can be used to tell GPG the size of the input data in +bytes. @var{n} must be a positive base-10 number. This option is +only useful if the input is not taken from a file. GPG may use this +hint to optimize its buffer allocation strategy. It is also used by +the @option{--status-fd} line ``PROGRESS'' to provide a value for +``total'' if that is not available by other means. + +@item --key-origin @var{string}[,@var{url}] +@opindex key-origin +gpg can track the origin of a key. Certain origins are implicitly +known (e.g. keyserver, web key directory) and set. For a standard +import the origin of the keys imported can be set with this option. +To list the possible values use "help" for @var{string}. Some origins +can store an optional @var{url} argument. That URL can appended to +@var{string} after a comma. + +@item --import-options @var{parameters} +@opindex import-options +This is a space or comma delimited string that gives options for +importing keys. Options can be prepended with a `no-' to give the +opposite meaning. The options are: + +@table @asis + + @item import-local-sigs + Allow importing key signatures marked as "local". This is not + generally useful unless a shared keyring scheme is being used. + Defaults to no. + + @item keep-ownertrust + Normally possible still existing ownertrust values of a key are + cleared if a key is imported. This is in general desirable so that + a formerly deleted key does not automatically gain an ownertrust + values merely due to import. On the other hand it is sometimes + necessary to re-import a trusted set of keys again but keeping + already assigned ownertrust values. This can be achieved by using + this option. + + @item repair-pks-subkey-bug + During import, attempt to repair the damage caused by the PKS keyserver + bug (pre version 0.9.6) that mangles keys with multiple subkeys. Note + that this cannot completely repair the damaged key as some crucial data + is removed by the keyserver, but it does at least give you back one + subkey. Defaults to no for regular @option{--import} and to yes for + keyserver @option{--receive-keys}. + + @item import-show + @itemx show-only + Show a listing of the key as imported right before it is stored. + This can be combined with the option @option{--dry-run} to only look + at keys; the option @option{show-only} is a shortcut for this + combination. The command @option{--show-keys} is another shortcut + for this. Note that suffixes like '#' for "sec" and "sbb" lines + may or may not be printed. + + @item import-export + Run the entire import code but instead of storing the key to the + local keyring write it to the output. The export options + @option{export-pka} and @option{export-dane} affect the output. This + option can be used to remove all invalid parts from a key without the + need to store it. + + @item merge-only + During import, allow key updates to existing keys, but do not allow + any new keys to be imported. Defaults to no. + + @item import-clean + After import, compact (remove all signatures except the + self-signature) any user IDs from the new key that are not usable. + Then, remove any signatures from the new key that are not usable. + This includes signatures that were issued by keys that are not present + on the keyring. This option is the same as running the @option{--edit-key} + command "clean" after import. Defaults to no. + + @item self-sigs-only + Accept only self-signatures while importing a key. All other key + signatures are skipped at an early import stage. This option can be + used with @code{keyserver-options} to mitigate attempts to flood a + key with bogus signatures from a keyserver. The drawback is that + all other valid key signatures, as required by the Web of Trust are + also not imported. Note that when using this option along with + import-clean it suppresses the final clean step after merging the + imported key into the existing key. + + @item repair-keys + After import, fix various problems with the + keys. For example, this reorders signatures, and strips duplicate + signatures. Defaults to yes. + + @item import-minimal + Import the smallest key possible. This removes all signatures except + the most recent self-signature on each user ID. This option is the + same as running the @option{--edit-key} command "minimize" after import. + Defaults to no. + + @item restore + @itemx import-restore + Import in key restore mode. This imports all data which is usually + skipped during import; including all GnuPG specific data. All other + contradicting options are overridden. +@end table + +@item --import-filter @{@var{name}=@var{expr}@} +@itemx --export-filter @{@var{name}=@var{expr}@} +@opindex import-filter +@opindex export-filter +These options define an import/export filter which are applied to the +imported/exported keyblock right before it will be stored/written. +@var{name} defines the type of filter to use, @var{expr} the +expression to evaluate. The option can be used several times which +then appends more expression to the same @var{name}. + +@noindent +The available filter types are: + +@table @asis + + @item keep-uid + This filter will keep a user id packet and its dependent packets in + the keyblock if the expression evaluates to true. + + @item drop-subkey + This filter drops the selected subkeys. + Currently only implemented for --export-filter. + + @item drop-sig + This filter drops the selected key signatures on user ids. + Self-signatures are not considered. + Currently only implemented for --import-filter. + +@end table + +For the syntax of the expression see the chapter "FILTER EXPRESSIONS". +The property names for the expressions depend on the actual filter +type and are indicated in the following table. + +The available properties are: + +@table @asis + + @item uid + A string with the user id. (keep-uid) + + @item mbox + The addr-spec part of a user id with mailbox or the empty string. + (keep-uid) + + @item key_algo + A number with the public key algorithm of a key or subkey packet. + (drop-subkey) + + @item key_created + @itemx key_created_d + The first is the timestamp a public key or subkey packet was + created. The second is the same but given as an ISO string, + e.g. "2016-08-17". (drop-subkey) + + @item fpr + The hexified fingerprint of the current subkey or primary key. + (drop-subkey) + + @item primary + Boolean indicating whether the user id is the primary one. (keep-uid) + + @item expired + Boolean indicating whether a user id (keep-uid), a key (drop-subkey), or a + signature (drop-sig) expired. + + @item revoked + Boolean indicating whether a user id (keep-uid) or a key (drop-subkey) has + been revoked. + + @item disabled + Boolean indicating whether a primary key is disabled. (not used) + + @item secret + Boolean indicating whether a key or subkey is a secret one. + (drop-subkey) + + @item usage + A string indicating the usage flags for the subkey, from the + sequence ``ecsa?''. For example, a subkey capable of just signing + and authentication would be an exact match for ``sa''. (drop-subkey) + + @item sig_created + @itemx sig_created_d + The first is the timestamp a signature packet was created. The + second is the same but given as an ISO date string, + e.g. "2016-08-17". (drop-sig) + + @item sig_algo + A number with the public key algorithm of a signature packet. (drop-sig) + + @item sig_digest_algo + A number with the digest algorithm of a signature packet. (drop-sig) + +@end table + +@item --export-options @var{parameters} +@opindex export-options +This is a space or comma delimited string that gives options for +exporting keys. Options can be prepended with a `no-' to give the +opposite meaning. The options are: + +@table @asis + + @item export-local-sigs + Allow exporting key signatures marked as "local". This is not + generally useful unless a shared keyring scheme is being used. + Defaults to no. + + @item export-attributes + Include attribute user IDs (photo IDs) while exporting. Not + including attribute user IDs is useful to export keys that are going + to be used by an OpenPGP program that does not accept attribute user + IDs. Defaults to yes. + + @item export-sensitive-revkeys + Include designated revoker information that was marked as + "sensitive". Defaults to no. + + @c Since GnuPG 2.1 gpg-agent manages the secret key and thus the + @c export-reset-subkey-passwd hack is not anymore justified. Such use + @c cases may be implemented using a specialized secret key export + @c tool. + @c @item export-reset-subkey-passwd + @c When using the @option{--export-secret-subkeys} command, this option resets + @c the passphrases for all exported subkeys to empty. This is useful + @c when the exported subkey is to be used on an unattended machine where + @c a passphrase doesn't necessarily make sense. Defaults to no. + + @item backup + @itemx export-backup + Export for use as a backup. The exported data includes all data + which is needed to restore the key or keys later with GnuPG. The + format is basically the OpenPGP format but enhanced with GnuPG + specific data. All other contradicting options are overridden. + + @item export-clean + Compact (remove all signatures from) user IDs on the key being + exported if the user IDs are not usable. Also, do not export any + signatures that are not usable. This includes signatures that were + issued by keys that are not present on the keyring. This option is + the same as running the @option{--edit-key} command "clean" before export + except that the local copy of the key is not modified. Defaults to + no. + + @item export-minimal + Export the smallest key possible. This removes all signatures except the + most recent self-signature on each user ID. This option is the same as + running the @option{--edit-key} command "minimize" before export except + that the local copy of the key is not modified. Defaults to no. + + @item export-pka + Instead of outputting the key material output PKA records suitable + to put into DNS zone files. An ORIGIN line is printed before each + record to allow diverting the records to the corresponding zone file. + + @item export-dane + Instead of outputting the key material output OpenPGP DANE records + suitable to put into DNS zone files. An ORIGIN line is printed before + each record to allow diverting the records to the corresponding zone + file. + +@end table + +@item --with-colons +@opindex with-colons +Print key listings delimited by colons. Note that the output will be +encoded in UTF-8 regardless of any @option{--display-charset} setting. This +format is useful when GnuPG is called from scripts and other programs +as it is easily machine parsed. The details of this format are +documented in the file @file{doc/DETAILS}, which is included in the GnuPG +source distribution. + +@item --fixed-list-mode +@opindex fixed-list-mode +Do not merge primary user ID and primary key in @option{--with-colon} +listing mode and print all timestamps as seconds since 1970-01-01. +Since GnuPG 2.0.10, this mode is always used and thus this option is +obsolete; it does not harm to use it though. + +@item --legacy-list-mode +@opindex legacy-list-mode +Revert to the pre-2.1 public key list mode. This only affects the +human readable output and not the machine interface +(i.e. @code{--with-colons}). Note that the legacy format does not +convey suitable information for elliptic curves. + +@item --with-fingerprint +@opindex with-fingerprint +Same as the command @option{--fingerprint} but changes only the format +of the output and may be used together with another command. + +@item --with-subkey-fingerprint +@opindex with-subkey-fingerprint +If a fingerprint is printed for the primary key, this option forces +printing of the fingerprint for all subkeys. This could also be +achieved by using the @option{--with-fingerprint} twice but by using +this option along with keyid-format "none" a compact fingerprint is +printed. + +@item --with-icao-spelling +@opindex with-icao-spelling +Print the ICAO spelling of the fingerprint in addition to the hex digits. + +@item --with-keygrip +@opindex with-keygrip +Include the keygrip in the key listings. In @code{--with-colons} mode +this is implicitly enable for secret keys. + +@item --with-key-origin +@opindex with-key-origin +Include the locally held information on the origin and last update of +a key in a key listing. In @code{--with-colons} mode this is always +printed. This data is currently experimental and shall not be +considered part of the stable API. + +@item --with-wkd-hash +@opindex with-wkd-hash +Print a Web Key Directory identifier along with each user ID in key +listings. This is an experimental feature and semantics may change. + +@item --with-secret +@opindex with-secret +Include info about the presence of a secret key in public key listings +done with @code{--with-colons}. + +@end table + +@c ******************************************* +@c ******** OPENPGP OPTIONS **************** +@c ******************************************* +@node OpenPGP Options +@subsection OpenPGP protocol specific options + +@table @gnupgtabopt + +@item -t, --textmode +@itemx --no-textmode +@opindex textmode +Treat input files as text and store them in the OpenPGP canonical text +form with standard "CRLF" line endings. This also sets the necessary +flags to inform the recipient that the encrypted or signed data is text +and may need its line endings converted back to whatever the local +system uses. This option is useful when communicating between two +platforms that have different line ending conventions (UNIX-like to Mac, +Mac to Windows, etc). @option{--no-textmode} disables this option, and +is the default. + +@item --force-v3-sigs +@itemx --no-force-v3-sigs +@item --force-v4-certs +@itemx --no-force-v4-certs +These options are obsolete and have no effect since GnuPG 2.1. + +@item --force-mdc +@itemx --disable-mdc +@opindex force-mdc +@opindex disable-mdc +These options are obsolete and have no effect since GnuPG 2.2.8. The +MDC is always used. But note: If the creation of a legacy non-MDC +message is exceptionally required, the option @option{--rfc2440} +allows for this. + +@item --disable-signer-uid +@opindex disable-signer-uid +By default the user ID of the signing key is embedded in the data signature. +As of now this is only done if the signing key has been specified with +@option{local-user} using a mail address, or with @option{sender}. This +information can be helpful for verifier to locate the key; see option +@option{--auto-key-retrieve}. + +@item --include-key-block +@opindex include-key-block +This option is used to embed the actual signing key into a data +signature. The embedded key is stripped down to a single user id and +includes only the signing subkey used to create the signature as well +as as valid encryption subkeys. All other info is removed from the +key to keep it and thus the signature small. This option is the +OpenPGP counterpart to the @command{gpgsm} option +@option{--include-certs}. + +@item --personal-cipher-preferences @var{string} +@opindex personal-cipher-preferences +Set the list of personal cipher preferences to @var{string}. Use +@command{@gpgname --version} to get a list of available algorithms, +and use @code{none} to set no preference at all. This allows the user +to safely override the algorithm chosen by the recipient key +preferences, as GPG will only select an algorithm that is usable by +all recipients. The most highly ranked cipher in this list is also +used for the @option{--symmetric} encryption command. + +@item --personal-digest-preferences @var{string} +@opindex personal-digest-preferences +Set the list of personal digest preferences to @var{string}. Use +@command{@gpgname --version} to get a list of available algorithms, +and use @code{none} to set no preference at all. This allows the user +to safely override the algorithm chosen by the recipient key +preferences, as GPG will only select an algorithm that is usable by +all recipients. The most highly ranked digest algorithm in this list +is also used when signing without encryption +(e.g. @option{--clear-sign} or @option{--sign}). + +@item --personal-compress-preferences @var{string} +@opindex personal-compress-preferences +Set the list of personal compression preferences to @var{string}. +Use @command{@gpgname --version} to get a list of available +algorithms, and use @code{none} to set no preference at all. This +allows the user to safely override the algorithm chosen by the +recipient key preferences, as GPG will only select an algorithm that +is usable by all recipients. The most highly ranked compression +algorithm in this list is also used when there are no recipient keys +to consider (e.g. @option{--symmetric}). + +@item --s2k-cipher-algo @var{name} +@opindex s2k-cipher-algo +Use @var{name} as the cipher algorithm for symmetric encryption with +a passphrase if @option{--personal-cipher-preferences} and +@option{--cipher-algo} are not given. The default is @value{GPGSYMENCALGO}. + +@item --s2k-digest-algo @var{name} +@opindex s2k-digest-algo +Use @var{name} as the digest algorithm used to mangle the passphrases +for symmetric encryption. The default is SHA-1. + +@item --s2k-mode @var{n} +@opindex s2k-mode +Selects how passphrases for symmetric encryption are mangled. If +@var{n} is 0 a plain passphrase (which is in general not recommended) +will be used, a 1 adds a salt (which should not be used) to the +passphrase and a 3 (the default) iterates the whole process a number +of times (see @option{--s2k-count}). + +@item --s2k-count @var{n} +@opindex s2k-count +Specify how many times the passphrases mangling for symmetric +encryption is repeated. This value may range between 1024 and +65011712 inclusive. The default is inquired from gpg-agent. Note +that not all values in the 1024-65011712 range are legal and if an +illegal value is selected, GnuPG will round up to the nearest legal +value. This option is only meaningful if @option{--s2k-mode} is set +to the default of 3. + + +@end table + +@c *************************** +@c ******* Compliance ******** +@c *************************** +@node Compliance Options +@subsection Compliance options + +These options control what GnuPG is compliant to. Only one of these +options may be active at a time. Note that the default setting of +this is nearly always the correct one. See the INTEROPERABILITY WITH +OTHER OPENPGP PROGRAMS section below before using one of these +options. + +@table @gnupgtabopt + +@item --gnupg +@opindex gnupg +Use standard GnuPG behavior. This is essentially OpenPGP behavior +(see @option{--openpgp}), but with some additional workarounds for common +compatibility problems in different versions of PGP. This is the +default option, so it is not generally needed, but it may be useful to +override a different compliance option in the gpg.conf file. + +@item --openpgp +@opindex openpgp +Reset all packet, cipher and digest options to strict OpenPGP +behavior. Use this option to reset all previous options like +@option{--s2k-*}, @option{--cipher-algo}, @option{--digest-algo} and +@option{--compress-algo} to OpenPGP compliant values. All PGP +workarounds are disabled. + +@item --rfc4880 +@opindex rfc4880 +Reset all packet, cipher and digest options to strict RFC-4880 +behavior. Note that this is currently the same thing as +@option{--openpgp}. + +@item --rfc4880bis +@opindex rfc4880bis +Enable experimental features from proposed updates to RFC-4880. This +option can be used in addition to the other compliance options. +Warning: The behavior may change with any GnuPG release and created +keys or data may not be usable with future GnuPG versions. + +@item --rfc2440 +@opindex rfc2440 +Reset all packet, cipher and digest options to strict RFC-2440 +behavior. Note that by using this option encryption packets are +created in a legacy mode without MDC protection. This is dangerous +and should thus only be used for experiments. See also option +@option{--ignore-mdc-error}. + +@item --pgp6 +@opindex pgp6 +Set up all options to be as PGP 6 compliant as possible. This +restricts you to the ciphers IDEA (if the IDEA plugin is installed), +3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160, and the +compression algorithms none and ZIP. This also disables +@option{--throw-keyids}, and making signatures with signing subkeys as PGP 6 +does not understand signatures made by signing subkeys. + +This option implies @option{--escape-from-lines}. + +@item --pgp7 +@opindex pgp7 +Set up all options to be as PGP 7 compliant as possible. This is +identical to @option{--pgp6} except that MDCs are not disabled, and the +list of allowable ciphers is expanded to add AES128, AES192, AES256, and +TWOFISH. + +@item --pgp8 +@opindex pgp8 +Set up all options to be as PGP 8 compliant as possible. PGP 8 is a lot +closer to the OpenPGP standard than previous versions of PGP, so all +this does is disable @option{--throw-keyids} and set +@option{--escape-from-lines}. All algorithms are allowed except for the +SHA224, SHA384, and SHA512 digests. + +@item --compliance @var{string} +@opindex compliance +This option can be used instead of one of the options above. Valid +values for @var{string} are the above option names (without the double +dash) and possibly others as shown when using "help" for @var{string}. + +@item --min-rsa-length @var{n} +@opindex min-rsa-length +This option adjusts the compliance mode "de-vs" for stricter key size +requirements. For example, a value of 3000 turns rsa2048 and dsa2048 +keys into non-VS-NfD compliant keys. + +@item --require-compliance +@opindex require-compliance +To check that data has been encrypted according to the rules of the +current compliance mode, a gpg user needs to evaluate the status +lines. This is allows frontends to handle compliance check in a more +flexible way. However, for scripted use the required evaluation of +the status-line requires quite some effort; this option can be used +instead to make sure that the gpg process exits with a failure if the +compliance rules are not fulfilled. Note that this option has +currently an effect only in "de-vs" mode. + +@end table + + +@c ******************************************* +@c ******** ESOTERIC OPTIONS *************** +@c ******************************************* +@node GPG Esoteric Options +@subsection Doing things one usually doesn't want to do + +@table @gnupgtabopt + +@item -n +@itemx --dry-run +@opindex dry-run +Don't make any changes (this is not completely implemented). + +@item --list-only +@opindex list-only +Changes the behaviour of some commands. This is like @option{--dry-run} but +different in some cases. The semantic of this option may be extended in +the future. Currently it only skips the actual decryption pass and +therefore enables a fast listing of the encryption keys. + +@item -i +@itemx --interactive +@opindex interactive +Prompt before overwriting any files. + +@item --debug-level @var{level} +@opindex debug-level +Select the debug level for investigating problems. @var{level} may be +a numeric value or by a keyword: + +@table @code + @item none + No debugging at all. A value of less than 1 may be used instead of + the keyword. + @item basic + Some basic debug messages. A value between 1 and 2 may be used + instead of the keyword. + @item advanced + More verbose debug messages. A value between 3 and 5 may be used + instead of the keyword. + @item expert + Even more detailed messages. A value between 6 and 8 may be used + instead of the keyword. + @item guru + All of the debug messages you can get. A value greater than 8 may be + used instead of the keyword. The creation of hash tracing files is + only enabled if the keyword is used. +@end table + +How these messages are mapped to the actual debugging flags is not +specified and may change with newer releases of this program. They are +however carefully selected to best aid in debugging. + +@item --debug @var{flags} +@opindex debug +Set debugging flags. All flags are or-ed and @var{flags} may be given +in C syntax (e.g. 0x0042) or as a comma separated list of flag names. +To get a list of all supported flags the single word "help" can be +used. + +@item --debug-all +@opindex debug-all +Set all useful debugging flags. + +@item --debug-iolbf +@opindex debug-iolbf +Set stdout into line buffered mode. This option is only honored when +given on the command line. + +@item --faked-system-time @var{epoch} +@opindex faked-system-time +This option is only useful for testing; it sets the system time back or +forth to @var{epoch} which is the number of seconds elapsed since the year +1970. Alternatively @var{epoch} may be given as a full ISO time string +(e.g. "20070924T154812"). + +If you suffix @var{epoch} with an exclamation mark (!), the system time +will appear to be frozen at the specified time. + +@item --enable-progress-filter +@opindex enable-progress-filter +Enable certain PROGRESS status outputs. This option allows frontends +to display a progress indicator while gpg is processing larger files. +There is a slight performance overhead using it. + +@item --status-fd @var{n} +@opindex status-fd +Write special status strings to the file descriptor @var{n}. +See the file DETAILS in the documentation for a listing of them. + +@item --status-file @var{file} +@opindex status-file +Same as @option{--status-fd}, except the status data is written to file +@var{file}. + +@item --logger-fd @var{n} +@opindex logger-fd +Write log output to file descriptor @var{n} and not to STDERR. + +@item --log-file @var{file} +@itemx --logger-file @var{file} +@opindex log-file +Same as @option{--logger-fd}, except the logger data is written to +file @var{file}. Use @file{socket://} to log to a socket. Note that +in this version of gpg the option has only an effect if +@option{--batch} is also used. + +@item --attribute-fd @var{n} +@opindex attribute-fd +Write attribute subpackets to the file descriptor @var{n}. This is most +useful for use with @option{--status-fd}, since the status messages are +needed to separate out the various subpackets from the stream delivered +to the file descriptor. + +@item --attribute-file @var{file} +@opindex attribute-file +Same as @option{--attribute-fd}, except the attribute data is written to +file @var{file}. + +@item --comment @var{string} +@itemx --no-comments +@opindex comment +Use @var{string} as a comment string in cleartext signatures and ASCII +armored messages or keys (see @option{--armor}). The default behavior is +not to use a comment string. @option{--comment} may be repeated multiple +times to get multiple comment strings. @option{--no-comments} removes +all comments. It is a good idea to keep the length of a single comment +below 60 characters to avoid problems with mail programs wrapping such +lines. Note that comment lines, like all other header lines, are not +protected by the signature. + +@item --emit-version +@itemx --no-emit-version +@opindex emit-version +Force inclusion of the version string in ASCII armored output. If +given once only the name of the program and the major number is +emitted, given twice the minor is also emitted, given thrice +the micro is added, and given four times an operating system identification +is also emitted. @option{--no-emit-version} (default) disables the version +line. + +@item --sig-notation @{@var{name}=@var{value}@} +@itemx --cert-notation @{@var{name}=@var{value}@} +@itemx -N, --set-notation @{@var{name}=@var{value}@} +@opindex sig-notation +@opindex cert-notation +@opindex set-notation +Put the name value pair into the signature as notation data. +@var{name} must consist only of printable characters or spaces, and +must contain a '@@' character in the form keyname@@domain.example.com +(substituting the appropriate keyname and domain name, of course). This +is to help prevent pollution of the IETF reserved notation +namespace. The @option{--expert} flag overrides the '@@' +check. @var{value} may be any printable string; it will be encoded in +UTF-8, so you should check that your @option{--display-charset} is set +correctly. If you prefix @var{name} with an exclamation mark (!), the +notation data will be flagged as critical +(rfc4880:5.2.3.16). @option{--sig-notation} sets a notation for data +signatures. @option{--cert-notation} sets a notation for key signatures +(certifications). @option{--set-notation} sets both. + +There are special codes that may be used in notation names. "%k" will +be expanded into the key ID of the key being signed, "%K" into the +long key ID of the key being signed, "%f" into the fingerprint of the +key being signed, "%s" into the key ID of the key making the +signature, "%S" into the long key ID of the key making the signature, +"%g" into the fingerprint of the key making the signature (which might +be a subkey), "%p" into the fingerprint of the primary key of the key +making the signature, "%c" into the signature count from the OpenPGP +smartcard, and "%%" results in a single "%". %k, %K, and %f are only +meaningful when making a key signature (certification), and %c is only +meaningful when using the OpenPGP smartcard. + +@item --known-notation @var{name} +@opindex known-notation +Adds @var{name} to a list of known critical signature notations. The +effect of this is that gpg will not mark a signature with a critical +signature notation of that name as bad. Note that gpg already knows +by default about a few critical signatures notation names. + +@item --sig-policy-url @var{string} +@itemx --cert-policy-url @var{string} +@itemx --set-policy-url @var{string} +@opindex sig-policy-url +@opindex cert-policy-url +@opindex set-policy-url +Use @var{string} as a Policy URL for signatures (rfc4880:5.2.3.20). If +you prefix it with an exclamation mark (!), the policy URL packet will +be flagged as critical. @option{--sig-policy-url} sets a policy url for +data signatures. @option{--cert-policy-url} sets a policy url for key +signatures (certifications). @option{--set-policy-url} sets both. + +The same %-expandos used for notation data are available here as well. + +@item --sig-keyserver-url @var{string} +@opindex sig-keyserver-url +Use @var{string} as a preferred keyserver URL for data signatures. If +you prefix it with an exclamation mark (!), the keyserver URL packet +will be flagged as critical. + +The same %-expandos used for notation data are available here as well. + +@item --set-filename @var{string} +@opindex set-filename +Use @var{string} as the filename which is stored inside messages. +This overrides the default, which is to use the actual filename of the +file being encrypted. Using the empty string for @var{string} +effectively removes the filename from the output. + +@item --for-your-eyes-only +@itemx --no-for-your-eyes-only +@opindex for-your-eyes-only +Set the `for your eyes only' flag in the message. This causes GnuPG to +refuse to save the file unless the @option{--output} option is given, +and PGP to use a "secure viewer" with a claimed Tempest-resistant font +to display the message. This option overrides @option{--set-filename}. +@option{--no-for-your-eyes-only} disables this option. + +@item --use-embedded-filename +@itemx --no-use-embedded-filename +@opindex use-embedded-filename +Try to create a file with a name as embedded in the data. This can be +a dangerous option as it enables overwriting files. Defaults to no. +Note that the option @option{--output} overrides this option. + +@item --cipher-algo @var{name} +@opindex cipher-algo +Use @var{name} as cipher algorithm. Running the program with the +command @option{--version} yields a list of supported algorithms. If +this is not used the cipher algorithm is selected from the preferences +stored with the key. In general, you do not want to use this option as +it allows you to violate the OpenPGP standard. +@option{--personal-cipher-preferences} is the safe way to accomplish the +same thing. + +@item --digest-algo @var{name} +@opindex digest-algo +Use @var{name} as the message digest algorithm. Running the program +with the command @option{--version} yields a list of supported algorithms. In +general, you do not want to use this option as it allows you to +violate the OpenPGP standard. @option{--personal-digest-preferences} is the +safe way to accomplish the same thing. + +@item --compress-algo @var{name} +@opindex compress-algo +Use compression algorithm @var{name}. "zlib" is RFC-1950 ZLIB +compression. "zip" is RFC-1951 ZIP compression which is used by PGP. +"bzip2" is a more modern compression scheme that can compress some +things better than zip or zlib, but at the cost of more memory used +during compression and decompression. "uncompressed" or "none" +disables compression. If this option is not used, the default +behavior is to examine the recipient key preferences to see which +algorithms the recipient supports. If all else fails, ZIP is used for +maximum compatibility. + +ZLIB may give better compression results than ZIP, as the compression +window size is not limited to 8k. BZIP2 may give even better +compression results than that, but will use a significantly larger +amount of memory while compressing and decompressing. This may be +significant in low memory situations. Note, however, that PGP (all +versions) only supports ZIP compression. Using any algorithm other +than ZIP or "none" will make the message unreadable with PGP. In +general, you do not want to use this option as it allows you to +violate the OpenPGP standard. @option{--personal-compress-preferences} is the +safe way to accomplish the same thing. + +@item --cert-digest-algo @var{name} +@opindex cert-digest-algo +Use @var{name} as the message digest algorithm used when signing a +key. Running the program with the command @option{--version} yields a +list of supported algorithms. Be aware that if you choose an algorithm +that GnuPG supports but other OpenPGP implementations do not, then some +users will not be able to use the key signatures you make, or quite +possibly your entire key. + +@item --disable-cipher-algo @var{name} +@opindex disable-cipher-algo +Never allow the use of @var{name} as cipher algorithm. +The given name will not be checked so that a later loaded algorithm +will still get disabled. + +@item --disable-pubkey-algo @var{name} +@opindex disable-pubkey-algo +Never allow the use of @var{name} as public key algorithm. +The given name will not be checked so that a later loaded algorithm +will still get disabled. + +@item --throw-keyids +@itemx --no-throw-keyids +@opindex throw-keyids +Do not put the recipient key IDs into encrypted messages. This helps to +hide the receivers of the message and is a limited countermeasure +against traffic analysis.@footnote{Using a little social engineering +anyone who is able to decrypt the message can check whether one of the +other recipients is the one he suspects.} On the receiving side, it may +slow down the decryption process because all available secret keys must +be tried. @option{--no-throw-keyids} disables this option. This option +is essentially the same as using @option{--hidden-recipient} for all +recipients. + +@item --not-dash-escaped +@opindex not-dash-escaped +This option changes the behavior of cleartext signatures +so that they can be used for patch files. You should not +send such an armored file via email because all spaces +and line endings are hashed too. You can not use this +option for data which has 5 dashes at the beginning of a +line, patch files don't have this. A special armor header +line tells GnuPG about this cleartext signature option. + +@item --escape-from-lines +@itemx --no-escape-from-lines +@opindex escape-from-lines +Because some mailers change lines starting with "From " to ">From " it +is good to handle such lines in a special way when creating cleartext +signatures to prevent the mail system from breaking the signature. Note +that all other PGP versions do it this way too. Enabled by +default. @option{--no-escape-from-lines} disables this option. + +@item --passphrase-repeat @var{n} +@opindex passphrase-repeat +Specify how many times @command{@gpgname} will request a new +passphrase be repeated. This is useful for helping memorize a +passphrase. Defaults to 1 repetition; can be set to 0 to disable any +passphrase repetition. Note that a @var{n} greater than 1 will pop up +the pinentry window @var{n}+1 times even if a modern pinentry with +two entry fields is used. + +@item --passphrase-fd @var{n} +@opindex passphrase-fd +Read the passphrase from file descriptor @var{n}. Only the first line +will be read from file descriptor @var{n}. If you use 0 for @var{n}, +the passphrase will be read from STDIN. This can only be used if only +one passphrase is supplied. + +Note that since Version 2.0 this passphrase is only used if the +option @option{--batch} has also been given. Since Version 2.1 +the @option{--pinentry-mode} also needs to be set to @code{loopback}. + +@item --passphrase-file @var{file} +@opindex passphrase-file +Read the passphrase from file @var{file}. Only the first line will +be read from file @var{file}. This can only be used if only one +passphrase is supplied. Obviously, a passphrase stored in a file is +of questionable security if other users can read this file. Don't use +this option if you can avoid it. + +Note that since Version 2.0 this passphrase is only used if the +option @option{--batch} has also been given. Since Version 2.1 +the @option{--pinentry-mode} also needs to be set to @code{loopback}. + +@item --passphrase @var{string} +@opindex passphrase +Use @var{string} as the passphrase. This can only be used if only one +passphrase is supplied. Obviously, this is of very questionable +security on a multi-user system. Don't use this option if you can +avoid it. + +Note that since Version 2.0 this passphrase is only used if the +option @option{--batch} has also been given. Since Version 2.1 +the @option{--pinentry-mode} also needs to be set to @code{loopback}. + +@item --pinentry-mode @var{mode} +@opindex pinentry-mode +Set the pinentry mode to @var{mode}. Allowed values for @var{mode} +are: +@table @asis + @item default + Use the default of the agent, which is @code{ask}. + @item ask + Force the use of the Pinentry. + @item cancel + Emulate use of Pinentry's cancel button. + @item error + Return a Pinentry error (``No Pinentry''). + @item loopback + Redirect Pinentry queries to the caller. Note that in contrast to + Pinentry the user is not prompted again if he enters a bad password. +@end table + +@item --no-symkey-cache +@opindex no-symkey-cache +Disable the passphrase cache used for symmetrical en- and decryption. +This cache is based on the message specific salt value +(cf. @option{--s2k-mode}). + +@item --request-origin @var{origin} +@opindex request-origin +Tell gpg to assume that the operation ultimately originated at +@var{origin}. Depending on the origin certain restrictions are applied +and the Pinentry may include an extra note on the origin. Supported +values for @var{origin} are: @code{local} which is the default, +@code{remote} to indicate a remote origin or @code{browser} for an +operation requested by a web browser. + +@item --command-fd @var{n} +@opindex command-fd +This is a replacement for the deprecated shared-memory IPC mode. +If this option is enabled, user input on questions is not expected +from the TTY but from the given file descriptor. It should be used +together with @option{--status-fd}. See the file doc/DETAILS in the source +distribution for details on how to use it. + +@item --command-file @var{file} +@opindex command-file +Same as @option{--command-fd}, except the commands are read out of file +@var{file} + +@item --allow-non-selfsigned-uid +@itemx --no-allow-non-selfsigned-uid +@opindex allow-non-selfsigned-uid +Allow the import and use of keys with user IDs which are not +self-signed. This is not recommended, as a non self-signed user ID is +trivial to forge. @option{--no-allow-non-selfsigned-uid} disables. + +@item --allow-freeform-uid +@opindex allow-freeform-uid +Disable all checks on the form of the user ID while generating a new +one. This option should only be used in very special environments as +it does not ensure the de-facto standard format of user IDs. + +@item --ignore-time-conflict +@opindex ignore-time-conflict +GnuPG normally checks that the timestamps associated with keys and +signatures have plausible values. However, sometimes a signature +seems to be older than the key due to clock problems. This option +makes these checks just a warning. See also @option{--ignore-valid-from} for +timestamp issues on subkeys. + +@item --ignore-valid-from +@opindex ignore-valid-from +GnuPG normally does not select and use subkeys created in the future. +This option allows the use of such keys and thus exhibits the +pre-1.0.7 behaviour. You should not use this option unless there +is some clock problem. See also @option{--ignore-time-conflict} for timestamp +issues with signatures. + +@item --ignore-crc-error +@opindex ignore-crc-error +The ASCII armor used by OpenPGP is protected by a CRC checksum against +transmission errors. Occasionally the CRC gets mangled somewhere on +the transmission channel but the actual content (which is protected by +the OpenPGP protocol anyway) is still okay. This option allows GnuPG +to ignore CRC errors. + +@item --ignore-mdc-error +@opindex ignore-mdc-error +This option changes a MDC integrity protection failure into a warning. +It is required to decrypt old messages which did not use an MDC. It +may also be useful if a message is partially garbled, but it is +necessary to get as much data as possible out of that garbled message. +Be aware that a missing or failed MDC can be an indication of an +attack. Use with great caution; see also option @option{--rfc2440}. + +@item --allow-weak-digest-algos +@opindex allow-weak-digest-algos +Signatures made with known-weak digest algorithms are normally +rejected with an ``invalid digest algorithm'' message. This option +allows the verification of signatures made with such weak algorithms. +MD5 is the only digest algorithm considered weak by default. See also +@option{--weak-digest} to reject other digest algorithms. + +@item --weak-digest @var{name} +@opindex weak-digest +Treat the specified digest algorithm as weak. Signatures made over +weak digests algorithms are normally rejected. This option can be +supplied multiple times if multiple algorithms should be considered +weak. See also @option{--allow-weak-digest-algos} to disable +rejection of weak digests. MD5 is always considered weak, and does +not need to be listed explicitly. + +@item --allow-weak-key-signatures +@opindex allow-weak-key-signatures +To avoid a minor risk of collision attacks on third-party key +signatures made using SHA-1, those key signatures are considered +invalid. This options allows to override this restriction. + +@item --override-compliance-check +@opindex --override-compliance-check +The signature verification only allows the use of keys suitable in the +current compliance mode. If the compliance mode has been forced by a +global option, there might be no way to check certain signature. This +option allows to override this and prints an extra warning in such a +case. This option is ignored in --batch mode so that no accidental +unattended verification may happen. + +@item --no-default-keyring +@opindex no-default-keyring +Do not add the default keyring to the list of keyrings. Note that +GnuPG needs for almost all operations a keyring. Thus if you use this +option and do not provide alternate keyrings via @option{--keyring}, +then GnuPG will still use the default keyring. + +@item --no-keyring +@opindex no-keyring +Do not use any keyring at all. This overrides the default and all +options which specify keyrings. + +@item --skip-verify +@opindex skip-verify +Skip the signature verification step. This may be +used to make the decryption faster if the signature +verification is not needed. + +@item --with-key-data +@opindex with-key-data +Print key listings delimited by colons (like @option{--with-colons}) and +print the public key data. + +@item --list-signatures +@opindex list-signatures +@itemx --list-sigs +@opindex list-sigs +Same as @option{--list-keys}, but the signatures are listed too. This +command has the same effect as using @option{--list-keys} with +@option{--with-sig-list}. Note that in contrast to +@option{--check-signatures} the key signatures are not verified. This +command can be used to create a list of signing keys missing in the +local keyring; for example: + +@example + gpg --list-sigs --with-colons USERID | \ + awk -F: '$1=="sig" && $2=="?" @{if($13)@{print $13@}else@{print $5@}@}' +@end example + +@item --fast-list-mode +@opindex fast-list-mode +Changes the output of the list commands to work faster; this is achieved +by leaving some parts empty. Some applications don't need the user ID +and the trust information given in the listings. By using this options +they can get a faster listing. The exact behaviour of this option may +change in future versions. If you are missing some information, don't +use this option. + +@item --no-literal +@opindex no-literal +This is not for normal use. Use the source to see for what it might be useful. + +@item --set-filesize +@opindex set-filesize +This is not for normal use. Use the source to see for what it might be useful. + +@item --show-session-key +@opindex show-session-key +Display the session key used for one message. See +@option{--override-session-key} for the counterpart of this option. + +We think that Key Escrow is a Bad Thing; however the user should have +the freedom to decide whether to go to prison or to reveal the content +of one specific message without compromising all messages ever +encrypted for one secret key. + +You can also use this option if you receive an encrypted message which +is abusive or offensive, to prove to the administrators of the +messaging system that the ciphertext transmitted corresponds to an +inappropriate plaintext so they can take action against the offending +user. + +@item --override-session-key @var{string} +@itemx --override-session-key-fd @var{fd} +@opindex override-session-key +Don't use the public key but the session key @var{string} respective +the session key taken from the first line read from file descriptor +@var{fd}. The format of this string is the same as the one printed by +@option{--show-session-key}. This option is normally not used but +comes handy in case someone forces you to reveal the content of an +encrypted message; using this option you can do this without handing +out the secret key. Note that using @option{--override-session-key} +may reveal the session key to all local users via the global process +table. Often it is useful to combine this option with +@option{--no-keyring}. + +@item --ask-sig-expire +@itemx --no-ask-sig-expire +@opindex ask-sig-expire +When making a data signature, prompt for an expiration time. If this +option is not specified, the expiration time set via +@option{--default-sig-expire} is used. @option{--no-ask-sig-expire} +disables this option. + +@item --default-sig-expire +@opindex default-sig-expire +The default expiration time to use for signature expiration. Valid +values are "0" for no expiration, a number followed by the letter d +(for days), w (for weeks), m (for months), or y (for years) (for +example "2m" for two months, or "5y" for five years), or an absolute +date in the form YYYY-MM-DD. Defaults to "0". + +@item --ask-cert-expire +@itemx --no-ask-cert-expire +@opindex ask-cert-expire +When making a key signature, prompt for an expiration time. If this +option is not specified, the expiration time set via +@option{--default-cert-expire} is used. @option{--no-ask-cert-expire} +disables this option. + +@item --default-cert-expire +@opindex default-cert-expire +The default expiration time to use for key signature expiration. +Valid values are "0" for no expiration, a number followed by the +letter d (for days), w (for weeks), m (for months), or y (for years) +(for example "2m" for two months, or "5y" for five years), or an +absolute date in the form YYYY-MM-DD. Defaults to "0". + +@item --default-new-key-algo @var{string} +@opindex default-new-key-algo @var{string} +This option can be used to change the default algorithms for key +generation. The @var{string} is similar to the arguments required for +the command @option{--quick-add-key} but slightly different. For +example the current default of @code{"rsa2048/cert,sign+rsa2048/encr"} +(or @code{"rsa3072"}) can be changed to the value of what we currently +call future default, which is @code{"ed25519/cert,sign+cv25519/encr"}. +You need to consult the source code to learn the details. Note that +the advanced key generation commands can always be used to specify a +key algorithm directly. + +@item --force-sign-key +@opindex force-sign-key +This option modifies the behaviour of the commands +@option{--quick-sign-key}, @option{--quick-lsign-key}, and the "sign" +sub-commands of @option{--edit-key} by forcing the creation of a key +signature, even if one already exists. + +@item --forbid-gen-key +@opindex forbid-gen-key +This option is intended for use in the global config file to disallow +the use of generate key commands. Those commands will then fail with +the error code for Not Enabled. + +@item --allow-secret-key-import +@opindex allow-secret-key-import +This is an obsolete option and is not used anywhere. + +@item --allow-multiple-messages +@item --no-allow-multiple-messages +@opindex allow-multiple-messages +Allow processing of multiple OpenPGP messages contained in a single file +or stream. Some programs that call GPG are not prepared to deal with +multiple messages being processed together, so this option defaults to +no. Note that versions of GPG prior to 1.4.7 always allowed multiple +messages. Future versions of GnUPG will remove this option. + +Warning: Do not use this option unless you need it as a temporary +workaround! + + +@item --enable-special-filenames +@opindex enable-special-filenames +This option enables a mode in which filenames of the form +@file{-&n}, where n is a non-negative decimal number, +refer to the file descriptor n and not to a file with that name. + +@item --no-expensive-trust-checks +@opindex no-expensive-trust-checks +Experimental use only. + +@item --preserve-permissions +@opindex preserve-permissions +Don't change the permissions of a secret keyring back to user +read/write only. Use this option only if you really know what you are doing. + +@item --default-preference-list @var{string} +@opindex default-preference-list +Set the list of default preferences to @var{string}. This preference +list is used for new keys and becomes the default for "setpref" in the +edit menu. + +@item --default-keyserver-url @var{name} +@opindex default-keyserver-url +Set the default keyserver URL to @var{name}. This keyserver will be +used as the keyserver URL when writing a new self-signature on a key, +which includes key generation and changing preferences. + +@item --list-config +@opindex list-config +Display various internal configuration parameters of GnuPG. This option +is intended for external programs that call GnuPG to perform tasks, and +is thus not generally useful. See the file @file{doc/DETAILS} in the +source distribution for the details of which configuration items may be +listed. @option{--list-config} is only usable with +@option{--with-colons} set. + +@item --list-gcrypt-config +@opindex list-gcrypt-config +Display various internal configuration parameters of Libgcrypt. + +@item --gpgconf-list +@opindex gpgconf-list +This command is similar to @option{--list-config} but in general only +internally used by the @command{gpgconf} tool. + +@item --gpgconf-test +@opindex gpgconf-test +This is more or less dummy action. However it parses the configuration +file and returns with failure if the configuration file would prevent +@command{@gpgname} from startup. Thus it may be used to run a syntax check +on the configuration file. + +@end table + +@c ******************************* +@c ******* Deprecated ************ +@c ******************************* +@node Deprecated Options +@subsection Deprecated options + +@table @gnupgtabopt + +@item --show-photos +@itemx --no-show-photos +@opindex show-photos +Causes @option{--list-keys}, @option{--list-signatures}, +@option{--list-public-keys}, @option{--list-secret-keys}, and verifying +a signature to also display the photo ID attached to the key, if +any. See also @option{--photo-viewer}. These options are deprecated. Use +@option{--list-options [no-]show-photos} and/or @option{--verify-options +[no-]show-photos} instead. + +@item --show-keyring +@opindex show-keyring +Display the keyring name at the head of key listings to show which +keyring a given key resides on. This option is deprecated: use +@option{--list-options [no-]show-keyring} instead. + +@item --always-trust +@opindex always-trust +Identical to @option{--trust-model always}. This option is deprecated. + +@item --show-notation +@itemx --no-show-notation +@opindex show-notation +Show signature notations in the @option{--list-signatures} or @option{--check-signatures} listings +as well as when verifying a signature with a notation in it. These +options are deprecated. Use @option{--list-options [no-]show-notation} +and/or @option{--verify-options [no-]show-notation} instead. + +@item --show-policy-url +@itemx --no-show-policy-url +@opindex show-policy-url +Show policy URLs in the @option{--list-signatures} or @option{--check-signatures} +listings as well as when verifying a signature with a policy URL in +it. These options are deprecated. Use @option{--list-options +[no-]show-policy-url} and/or @option{--verify-options +[no-]show-policy-url} instead. + + +@end table + + +@c ******************************************* +@c *************** **************** +@c *************** FILES **************** +@c *************** **************** +@c ******************************************* +@mansect files +@node GPG Configuration +@section Configuration files + +There are a few configuration files to control certain aspects of +@command{@gpgname}'s operation. Unless noted, they are expected in the +current home directory (@pxref{option --homedir}). + +@table @file + + @item gpg.conf + @efindex gpg.conf + This is the standard configuration file read by @command{@gpgname} on + startup. It may contain any valid long option; the leading two dashes + may not be entered and the option may not be abbreviated. This default + name may be changed on the command line (@pxref{gpg-option --options}). + You should backup this file. + +@end table + +Note that on larger installations, it is useful to put predefined files +into the directory @file{@value{SYSCONFSKELDIR}} so that +newly created users start up with a working configuration. +For existing users a small +helper script is provided to create these files (@pxref{addgnupghome}). + +For internal purposes @command{@gpgname} creates and maintains a few other +files; They all live in the current home directory (@pxref{option +--homedir}). Only the @command{@gpgname} program may modify these files. + + +@table @file + @item ~/.gnupg + @efindex ~/.gnupg + This is the default home directory which is used if neither the + environment variable @code{GNUPGHOME} nor the option + @option{--homedir} is given. + + @item ~/.gnupg/pubring.gpg + @efindex pubring.gpg + The public keyring using a legacy format. You should backup this file. + + If this file is not available, @command{gpg} defaults to the new + keybox format and creates a file @file{pubring.kbx} unless that file + already exists in which case that file will also be used for OpenPGP + keys. + + Note that in the case that both files, @file{pubring.gpg} and + @file{pubring.kbx} exists but the latter has no OpenPGP keys, the + legacy file @file{pubring.gpg} will be used. Take care: GnuPG + versions before 2.1 will always use the file @file{pubring.gpg} + because they do not know about the new keybox format. In the case + that you have to use GnuPG 1.4 to decrypt archived data you should + keep this file. + + @item ~/.gnupg/pubring.gpg.lock + The lock file for the public keyring. + + @item ~/.gnupg/pubring.kbx + @efindex pubring.kbx + The public keyring using the new keybox format. This file is shared + with @command{gpgsm}. You should backup this file. See above for + the relation between this file and it predecessor. + + To convert an existing @file{pubring.gpg} file to the keybox format, you + first backup the ownertrust values, then rename @file{pubring.gpg} to + @file{publickeys.backup}, so it won’t be recognized by any GnuPG version, + run import, and finally restore the ownertrust values: + + @example + $ cd ~/.gnupg + $ gpg --export-ownertrust >otrust.lst + $ mv pubring.gpg publickeys.backup + $ gpg --import-options restore --import publickeys.backups + $ gpg --import-ownertrust otrust.lst + @end example + + @item ~/.gnupg/pubring.kbx.lock + The lock file for @file{pubring.kbx}. + + @item ~/.gnupg/secring.gpg + @efindex secring.gpg + The legacy secret keyring as used by GnuPG versions before 2.1. It is not + used by GnuPG 2.1 and later. You may want to keep it in case you + have to use GnuPG 1.4 to decrypt archived data. + + @item ~/.gnupg/secring.gpg.lock + The lock file for the legacy secret keyring. + + @item ~/.gnupg/.gpg-v21-migrated + @efindex .gpg-v21-migrated + File indicating that a migration to GnuPG 2.1 has been done. + + @item ~/.gnupg/trustdb.gpg + @efindex trustdb.gpg + The trust database. There is no need to backup this file; it is better + to backup the ownertrust values (@pxref{option --export-ownertrust}). + + @item ~/.gnupg/trustdb.gpg.lock + The lock file for the trust database. + + @item ~/.gnupg/random_seed + @efindex random_seed + A file used to preserve the state of the internal random pool. + + @item ~/.gnupg/openpgp-revocs.d/ + @efindex openpgp-revocs.d + This is the directory where gpg stores pre-generated revocation + certificates. The file name corresponds to the OpenPGP fingerprint of + the respective key. It is suggested to backup those certificates and + if the primary private key is not stored on the disk to move them to + an external storage device. Anyone who can access theses files is + able to revoke the corresponding key. You may want to print them out. + You should backup all files in this directory and take care to keep + this backup closed away. + +@end table + +Operation is further controlled by a few environment variables: + +@table @asis + + @item HOME + @efindex HOME + Used to locate the default home directory. + + @item GNUPGHOME + @efindex GNUPGHOME + If set directory used instead of "~/.gnupg". + + @item GPG_AGENT_INFO + This variable is obsolete; it was used by GnuPG versions before 2.1. + + @item PINENTRY_USER_DATA + @efindex PINENTRY_USER_DATA + This value is passed via gpg-agent to pinentry. It is useful to convey + extra information to a custom pinentry. + + @item COLUMNS + @itemx LINES + @efindex COLUMNS + @efindex LINES + Used to size some displays to the full size of the screen. + + @item LANGUAGE + @efindex LANGUAGE + Apart from its use by GNU, it is used in the W32 version to override the + language selection done through the Registry. If used and set to a + valid and available language name (@var{langid}), the file with the + translation is loaded from + @code{@var{gpgdir}/gnupg.nls/@var{langid}.mo}. Here @var{gpgdir} is the + directory out of which the gpg binary has been loaded. If it can't be + loaded the Registry is tried and as last resort the native Windows + locale system is used. + + @item GNUPG_BUILD_ROOT + @efindex GNUPG_BUILD_ROOT + This variable is only used by the regression test suite as a helper + under operating systems without proper support to figure out the + name of a process' text file. + + @item GNUPG_EXEC_DEBUG_FLAGS + @efindex GNUPG_EXEC_DEBUG_FLAGS + This variable allows to enable diagnostics for process management. + A numeric decimal value is expected. Bit 0 enables general + diagnostics, bit 1 enables certain warnings on Windows. + +@end table + +When calling the gpg-agent component @command{@gpgname} sends a set of +environment variables to gpg-agent. The names of these variables can +be listed using the command: + +@example + gpg-connect-agent 'getinfo std_env_names' /bye | awk '$1=="D" @{print $2@}' +@end example + + + +@c ******************************************* +@c *************** **************** +@c *************** EXAMPLES **************** +@c *************** **************** +@c ******************************************* +@mansect examples +@node GPG Examples +@section Examples + +@table @asis + +@item gpg -se -r @code{Bob} @code{file} +sign and encrypt for user Bob + +@item gpg --clear-sign @code{file} +make a cleartext signature + +@item gpg -sb @code{file} +make a detached signature + +@item gpg -u 0x12345678 -sb @code{file} +make a detached signature with the key 0x12345678 + +@item gpg --list-keys @code{user_ID} +show keys + +@item gpg --fingerprint @code{user_ID} +show fingerprint + +@item gpg --verify @code{pgpfile} +@itemx gpg --verify @code{sigfile} [@code{datafile}] +Verify the signature of the file but do not output the data unless +requested. The second form is used for detached signatures, where +@code{sigfile} is the detached signature (either ASCII armored or +binary) and @code{datafile} are the signed data; if this is not given, the name of the +file holding the signed data is constructed by cutting off the +extension (".asc" or ".sig") of @code{sigfile} or by asking the user +for the filename. If the option @option{--output} is also used the +signed data is written to the file specified by that option; use +@code{-} to write the signed data to stdout. +@end table + + +@c ******************************************* +@c *************** **************** +@c *************** USER ID **************** +@c *************** **************** +@c ******************************************* +@mansect how to specify a user id +@ifset isman +@include specify-user-id.texi +@end ifset + +@mansect filter expressions +@chapheading FILTER EXPRESSIONS + +The options @option{--import-filter} and @option{--export-filter} use +expressions with this syntax (square brackets indicate an optional +part and curly braces a repetition, white space between the elements +are allowed): + +@c man:.RS +@example + [lc] @{[@{flag@}] PROPNAME op VALUE [lc]@} +@end example +@c man:.RE + +The name of a property (@var{PROPNAME}) may only consist of letters, +digits and underscores. The description for the filter type +describes which properties are defined. If an undefined property is +used it evaluates to the empty string. Unless otherwise noted, the +@var{VALUE} must always be given and may not be the empty string. No +quoting is defined for the value, thus the value may not contain the +strings @code{&&} or @code{||}, which are used as logical connection +operators. The flag @code{--} can be used to remove this restriction. + +Numerical values are computed as long int; standard C notation +applies. @var{lc} is the logical connection operator; either +@code{&&} for a conjunction or @code{||} for a disjunction. A +conjunction is assumed at the begin of an expression. Conjunctions +have higher precedence than disjunctions. If @var{VALUE} starts with +one of the characters used in any @var{op} a space after the +@var{op} is required. + +@noindent +The supported operators (@var{op}) are: + +@table @asis + + @item =~ + Substring must match. + + @item !~ + Substring must not match. + + @item = + The full string must match. + + @item <> + The full string must not match. + + @item == + The numerical value must match. + + @item != + The numerical value must not match. + + @item <= + The numerical value of the field must be LE than the value. + + @item < + The numerical value of the field must be LT than the value. + + @item > + The numerical value of the field must be GT than the value. + + @item >= + The numerical value of the field must be GE than the value. + + @item -le + The string value of the field must be less or equal than the value. + + @item -lt + The string value of the field must be less than the value. + + @item -gt + The string value of the field must be greater than the value. + + @item -ge + The string value of the field must be greater or equal than the value. + + @item -n + True if value is not empty (no value allowed). + + @item -z + True if value is empty (no value allowed). + + @item -t + Alias for "PROPNAME != 0" (no value allowed). + + @item -f + Alias for "PROPNAME == 0" (no value allowed). + +@end table + +@noindent +Values for @var{flag} must be space separated. The supported flags +are: + +@table @asis + @item -- + @var{VALUE} spans to the end of the expression. + @item -c + The string match in this part is done case-sensitive. + @item -t + Leading and trailing spaces are not removed from @var{VALUE}. + The optional single space after @var{op} is here required. +@end table + +The filter options concatenate several specifications for a filter of +the same type. For example the four options in this example: + +@c man:.RS +@example + --import-filter keep-uid="uid =~ Alfa" + --import-filter keep-uid="&& uid !~ Test" + --import-filter keep-uid="|| uid =~ Alpha" + --import-filter keep-uid="uid !~ Test" +@end example +@c man:.RE + +@noindent +which is equivalent to + +@c man:.RS +@example + --import-filter \ + keep-uid="uid =~ Alfa" && uid !~ Test" || uid =~ Alpha" && "uid !~ Test" +@end example +@c man:.RE + +imports only the user ids of a key containing the strings "Alfa" +or "Alpha" but not the string "test". + +@mansect trust values +@ifset isman +@include trust-values.texi +@end ifset + +@mansect return value +@chapheading RETURN VALUE + +The program returns 0 if there are no severe errors, 1 if at least a +signature was bad, and other error codes for fatal errors. + +Note that signature verification requires exact knowledge of what has +been signed and by whom it has beensigned. Using only the return code +is thus not an appropriate way to verify a signature by a script. +Either make proper use or the status codes or use the @command{gpgv} +tool which has been designed to make signature verification easy for +scripts. + +@mansect warnings +@chapheading WARNINGS + +Use a good password for your user account and make sure that all +security issues are always fixed on your machine. Also employ +diligent physical protection to your machine. Consider to use a good +passphrase as a last resort protection to your secret key in the case +your machine gets stolen. It is important that your secret key is +never leaked. Using an easy to carry around token or smartcard with +the secret key is often a advisable. + +If you are going to verify detached signatures, make sure that the +program knows about it; either give both filenames on the command line +or use @samp{-} to specify STDIN. + +For scripted or other unattended use of @command{gpg} make sure to use +the machine-parseable interface and not the default interface which is +intended for direct use by humans. The machine-parseable interface +provides a stable and well documented API independent of the locale or +future changes of @command{gpg}. To enable this interface use the +options @option{--with-colons} and @option{--status-fd}. For certain +operations the option @option{--command-fd} may come handy too. See +this man page and the file @file{DETAILS} for the specification of the +interface. Note that the GnuPG ``info'' pages as well as the PDF +version of the GnuPG manual features a chapter on unattended use of +GnuPG. As an alternative the library @command{GPGME} can be used as a +high-level abstraction on top of that interface. + +@mansect interoperability +@chapheading INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS + +GnuPG tries to be a very flexible implementation of the OpenPGP +standard. In particular, GnuPG implements many of the optional parts +of the standard, such as the SHA-512 hash, and the ZLIB and BZIP2 +compression algorithms. It is important to be aware that not all +OpenPGP programs implement these optional algorithms and that by +forcing their use via the @option{--cipher-algo}, +@option{--digest-algo}, @option{--cert-digest-algo}, or +@option{--compress-algo} options in GnuPG, it is possible to create a +perfectly valid OpenPGP message, but one that cannot be read by the +intended recipient. + +There are dozens of variations of OpenPGP programs available, and each +supports a slightly different subset of these optional algorithms. +For example, until recently, no (unhacked) version of PGP supported +the BLOWFISH cipher algorithm. A message using BLOWFISH simply could +not be read by a PGP user. By default, GnuPG uses the standard +OpenPGP preferences system that will always do the right thing and +create messages that are usable by all recipients, regardless of which +OpenPGP program they use. Only override this safe default if you +really know what you are doing. + +If you absolutely must override the safe default, or if the preferences +on a given key are invalid for some reason, you are far better off using +the @option{--pgp6}, @option{--pgp7}, or @option{--pgp8} options. These +options are safe as they do not force any particular algorithms in +violation of OpenPGP, but rather reduce the available algorithms to a +"PGP-safe" list. + +@mansect bugs +@chapheading BUGS + +On older systems this program should be installed as setuid(root). This +is necessary to lock memory pages. Locking memory pages prevents the +operating system from writing memory pages (which may contain +passphrases or other sensitive material) to disk. If you get no +warning message about insecure memory your operating system supports +locking without being root. The program drops root privileges as soon +as locked memory is allocated. + +Note also that some systems (especially laptops) have the ability to +``suspend to disk'' (also known as ``safe sleep'' or ``hibernate''). +This writes all memory to disk before going into a low power or even +powered off mode. Unless measures are taken in the operating system +to protect the saved memory, passphrases or other sensitive material +may be recoverable from it later. + +Before you report a bug you should first search the mailing list +archives for similar problems and second check whether such a bug has +already been reported to our bug tracker at @url{https://bugs.gnupg.org}. + +@c ******************************************* +@c *************** ************** +@c *************** UNATTENDED ************** +@c *************** ************** +@c ******************************************* +@manpause +@node Unattended Usage of GPG +@section Unattended Usage + +@command{@gpgname} is often used as a backend engine by other software. To help +with this a machine interface has been defined to have an unambiguous +way to do this. The options @option{--status-fd} and @option{--batch} +are almost always required for this. + +@menu +* Programmatic use of GnuPG:: Programmatic use of GnuPG +* Ephemeral home directories:: Ephemeral home directories +* The quick key manipulation interface:: The quick key manipulation interface +* Unattended GPG key generation:: Unattended key generation +@end menu + + +@node Programmatic use of GnuPG +@subsection Programmatic use of GnuPG + +Please consider using GPGME instead of calling @command{@gpgname} +directly. GPGME offers a stable, backend-independent interface for +many cryptographic operations. It supports OpenPGP and S/MIME, and +also allows interaction with various GnuPG components. + +GPGME provides a C-API, and comes with bindings for C++, Qt, and +Python. Bindings for other languages are available. + +@node Ephemeral home directories +@subsection Ephemeral home directories + +Sometimes you want to contain effects of some operation, for example +you want to import a key to inspect it, but you do not want this key +to be added to your keyring. In earlier versions of GnuPG, it was +possible to specify alternate keyring files for both public and secret +keys. In modern GnuPG versions, however, we changed how secret keys +are stored in order to better protect secret key material, and it was +not possible to preserve this interface. + +The preferred way to do this is to use ephemeral home directories. +This technique works across all versions of GnuPG. + +Create a temporary directory, create (or copy) a configuration that +meets your needs, make @command{@gpgname} use this directory either +using the environment variable @var{GNUPGHOME}, or the option +@option{--homedir}. GPGME supports this too on a per-context basis, +by modifying the engine info of contexts. Now execute whatever +operation you like, import and export key material as necessary. Once +finished, you can delete the directory. All GnuPG backend services +that were started will detect this and shut down. + +@node The quick key manipulation interface +@subsection The quick key manipulation interface + +Recent versions of GnuPG have an interface to manipulate keys without +using the interactive command @option{--edit-key}. This interface was +added mainly for the benefit of GPGME (please consider using GPGME, +see the manual subsection ``Programmatic use of GnuPG''). This +interface is described in the subsection ``How to manage your keys''. + +@node Unattended GPG key generation +@subsection Unattended key generation + +The command @option{--generate-key} may be used along with the option +@option{--batch} for unattended key generation. This is the most +flexible way of generating keys, but it is also the most complex one. +Consider using the quick key manipulation interface described in the +previous subsection ``The quick key manipulation interface''. + +The parameters for the key are either read from stdin or given as a +file on the command line. The format of the parameter file is as +follows: + +@itemize @bullet + @item Text only, line length is limited to about 1000 characters. + @item UTF-8 encoding must be used to specify non-ASCII characters. + @item Empty lines are ignored. + @item Leading and trailing white space is ignored. + @item A hash sign as the first non white space character indicates + a comment line. + @item Control statements are indicated by a leading percent sign, the + arguments are separated by white space from the keyword. + @item Parameters are specified by a keyword, followed by a colon. Arguments + are separated by white space. + @item + The first parameter must be @samp{Key-Type}; control statements may be + placed anywhere. + @item + The order of the parameters does not matter except for @samp{Key-Type} + which must be the first parameter. The parameters are only used for + the generated keyblock (primary and subkeys); parameters from previous + sets are not used. Some syntactically checks may be performed. + @item + Key generation takes place when either the end of the parameter file + is reached, the next @samp{Key-Type} parameter is encountered or at the + control statement @samp{%commit} is encountered. +@end itemize + +@noindent +Control statements: + +@table @asis + +@item %echo @var{text} +Print @var{text} as diagnostic. + +@item %dry-run +Suppress actual key generation (useful for syntax checking). + +@item %commit +Perform the key generation. Note that an implicit commit is done at +the next @asis{Key-Type} parameter. + +@item %pubring @var{filename} +Do not write the key to the default or commandline given keyring but +to @var{filename}. This must be given before the first commit to take +place, duplicate specification of the same filename is ignored, the +last filename before a commit is used. The filename is used until a +new filename is used (at commit points) and all keys are written to +that file. If a new filename is given, this file is created (and +overwrites an existing one). + +See the previous subsection ``Ephemeral home directories'' for a more +robust way to contain side-effects. + +@item %secring @var{filename} +This option is a no-op for GnuPG 2.1 and later. + +See the previous subsection ``Ephemeral home directories''. + +@item %ask-passphrase +@itemx %no-ask-passphrase +This option is a no-op for GnuPG 2.1 and later. + +@item %no-protection +Using this option allows the creation of keys without any passphrase +protection. This option is mainly intended for regression tests. + +@item %transient-key +If given the keys are created using a faster and a somewhat less +secure random number generator. This option may be used for keys +which are only used for a short time and do not require full +cryptographic strength. It takes only effect if used together with +the control statement @samp{%no-protection}. + +@end table + +@noindent +General Parameters: + +@table @asis + +@item Key-Type: @var{algo} +Starts a new parameter block by giving the type of the primary +key. The algorithm must be capable of signing. This is a required +parameter. @var{algo} may either be an OpenPGP algorithm number or a +string with the algorithm name. The special value @samp{default} may +be used for @var{algo} to create the default key type; in this case a +@samp{Key-Usage} shall not be given and @samp{default} also be used +for @samp{Subkey-Type}. + +@item Key-Length: @var{nbits} +The requested length of the generated key in bits. The default is +returned by running the command @samp{@gpgname --gpgconf-list}. +For ECC keys this parameter is ignored. + +@item Key-Curve: @var{curve} +The requested elliptic curve of the generated key. This is a required +parameter for ECC keys. It is ignored for non-ECC keys. + +@item Key-Grip: @var{hexstring} +This is optional and used to generate a CSR or certificate for an +already existing key. Key-Length will be ignored when given. + +@item Key-Usage: @var{usage-list} +Space or comma delimited list of key usages. Allowed values are +@samp{encrypt}, @samp{sign}, and @samp{auth}. This is used to +generate the key flags. Please make sure that the algorithm is +capable of this usage. Note that OpenPGP requires that all primary +keys are capable of certification, so no matter what usage is given +here, the @samp{cert} flag will be on. If no @samp{Key-Usage} is +specified and the @samp{Key-Type} is not @samp{default}, all allowed +usages for that particular algorithm are used; if it is not given but +@samp{default} is used the usage will be @samp{sign}. + +@item Subkey-Type: @var{algo} +This generates a secondary key (subkey). Currently only one subkey +can be handled. See also @samp{Key-Type} above. + +@item Subkey-Length: @var{nbits} +Length of the secondary key (subkey) in bits. The default is returned +by running the command @samp{@gpgname --gpgconf-list}. + +@item Subkey-Curve: @var{curve} +Key curve for a subkey; similar to @samp{Key-Curve}. + +@item Subkey-Usage: @var{usage-list} +Key usage lists for a subkey; similar to @samp{Key-Usage}. + +@item Passphrase: @var{string} +If you want to specify a passphrase for the secret key, enter it here. +Default is to use the Pinentry dialog to ask for a passphrase. + +@item Name-Real: @var{name} +@itemx Name-Comment: @var{comment} +@itemx Name-Email: @var{email} +The three parts of a user name. Remember to use UTF-8 encoding here. +If you don't give any of them, no user ID is created. + +@item Expire-Date: @var{iso-date}|(@var{number}[d|w|m|y]) +Set the expiration date for the key (and the subkey). It may either +be entered in ISO date format (e.g. "20000815T145012") or as number of +days, weeks, month or years after the creation date. The special +notation "seconds=N" is also allowed to specify a number of seconds +since creation. Without a letter days are assumed. Note that there +is no check done on the overflow of the type used by OpenPGP for +timestamps. Thus you better make sure that the given value make +sense. Although OpenPGP works with time intervals, GnuPG uses an +absolute value internally and thus the last year we can represent is +2105. + +@item Creation-Date: @var{iso-date} +Set the creation date of the key as stored in the key information and +which is also part of the fingerprint calculation. Either a date like +"1986-04-26" or a full timestamp like "19860426T042640" may be used. +The time is considered to be UTC. The special notation "seconds=N" +may be used to directly specify a the number of seconds since Epoch +(Unix time). If it is not given the current time is used. + +@item Preferences: @var{string} +Set the cipher, hash, and compression preference values for this key. +This expects the same type of string as the sub-command @samp{setpref} +in the @option{--edit-key} menu. + +@item Revoker: @var{algo}:@var{fpr} [sensitive] +Add a designated revoker to the generated key. Algo is the public key +algorithm of the designated revoker (i.e. RSA=1, DSA=17, etc.) +@var{fpr} is the fingerprint of the designated revoker. The optional +@samp{sensitive} flag marks the designated revoker as sensitive +information. Only v4 keys may be designated revokers. + +@item Keyserver: @var{string} +This is an optional parameter that specifies the preferred keyserver +URL for the key. + +@item Handle: @var{string} +This is an optional parameter only used with the status lines +KEY_CREATED and KEY_NOT_CREATED. @var{string} may be up to 100 +characters and should not contain spaces. It is useful for batch key +generation to associate a key parameter block with a status line. + +@end table + +@noindent +Here is an example on how to create a key in an ephemeral home directory: +@smallexample +$ export GNUPGHOME="$(mktemp -d)" +$ cat >foo <<EOF + %echo Generating a basic OpenPGP key + Key-Type: DSA + Key-Length: 1024 + Subkey-Type: ELG-E + Subkey-Length: 1024 + Name-Real: Joe Tester + Name-Comment: with stupid passphrase + Name-Email: joe@@foo.bar + Expire-Date: 0 + Passphrase: abc + # Do a commit here, so that we can later print "done" :-) + %commit + %echo done +EOF +$ @gpgname --batch --generate-key foo + [...] +$ @gpgname --list-secret-keys +/tmp/tmp.0NQxB74PEf/pubring.kbx +------------------------------- +sec dsa1024 2016-12-16 [SCA] + 768E895903FC1C44045C8CB95EEBDB71E9E849D0 +uid [ultimate] Joe Tester (with stupid passphrase) <joe@@foo.bar> +ssb elg1024 2016-12-16 [E] +@end smallexample + +@noindent +If you want to create a key with the default algorithms you would use +these parameters: +@smallexample + %echo Generating a default key + Key-Type: default + Subkey-Type: default + Name-Real: Joe Tester + Name-Comment: with stupid passphrase + Name-Email: joe@@foo.bar + Expire-Date: 0 + Passphrase: abc + # Do a commit here, so that we can later print "done" :-) + %commit + %echo done +@end smallexample + + + + +@mansect see also +@ifset isman +@command{gpgv}(1), +@command{gpgsm}(1), +@command{gpg-agent}(1) +@end ifset +@include see-also-note.texi diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi new file mode 100644 index 0000000..ba91aed --- /dev/null +++ b/doc/gpgsm.texi @@ -0,0 +1,1696 @@ +@c Copyright (C) 2002 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file gnupg.texi. + +@include defs.inc + +@node Invoking GPGSM +@chapter Invoking GPGSM +@cindex GPGSM command options +@cindex command options +@cindex options, GPGSM command + +@manpage gpgsm.1 +@ifset manverb +.B gpgsm +\- CMS encryption and signing tool +@end ifset + +@mansect synopsis +@ifset manverb +.B gpgsm +.RB [ \-\-homedir +.IR dir ] +.RB [ \-\-options +.IR file ] +.RI [ options ] +.I command +.RI [ args ] +@end ifset + + +@mansect description +@command{gpgsm} is a tool similar to @command{gpg} to provide digital +encryption and signing services on X.509 certificates and the CMS +protocol. It is mainly used as a backend for S/MIME mail processing. +@command{gpgsm} includes a full featured certificate management and +complies with all rules defined for the German Sphinx project. + +@manpause +@xref{Option Index}, for an index to @command{GPGSM}'s commands and options. +@mancont + +@menu +* GPGSM Commands:: List of all commands. +* GPGSM Options:: List of all options. +* GPGSM Configuration:: Configuration files. +* GPGSM Examples:: Some usage examples. + +Developer information: +* Unattended Usage:: Using @command{gpgsm} from other programs. +* GPGSM Protocol:: The protocol the server mode uses. +@end menu + +@c ******************************************* +@c *************** **************** +@c *************** COMMANDS **************** +@c *************** **************** +@c ******************************************* +@mansect commands +@node GPGSM Commands +@section Commands + +Commands are not distinguished from options except for the fact that +only one command is allowed. + +@menu +* General GPGSM Commands:: Commands not specific to the functionality. +* Operational GPGSM Commands:: Commands to select the type of operation. +* Certificate Management:: How to manage certificates. +@end menu + + +@c ******************************************* +@c ********** GENERAL COMMANDS ************* +@c ******************************************* +@node General GPGSM Commands +@subsection Commands not specific to the function + +@table @gnupgtabopt +@item --version +@opindex version +Print the program version and licensing information. Note that you +cannot abbreviate this command. + +@item --help, -h +@opindex help +Print a usage message summarizing the most useful command-line options. +Note that you cannot abbreviate this command. + +@item --warranty +@opindex warranty +Print warranty information. Note that you cannot abbreviate this +command. + +@item --dump-options +@opindex dump-options +Print a list of all available options and commands. Note that you cannot +abbreviate this command. +@end table + + +@c ******************************************* +@c ******** OPERATIONAL COMMANDS *********** +@c ******************************************* +@node Operational GPGSM Commands +@subsection Commands to select the type of operation + +@table @gnupgtabopt +@item --encrypt +@opindex encrypt +Perform an encryption. The keys the data is encrypted to must be set +using the option @option{--recipient}. + +@item --decrypt +@opindex decrypt +Perform a decryption; the type of input is automatically determined. It +may either be in binary form or PEM encoded; automatic determination of +base-64 encoding is not done. + +@item --sign +@opindex sign +Create a digital signature. The key used is either the fist one found +in the keybox or those set with the @option{--local-user} option. + +@item --verify +@opindex verify +Check a signature file for validity. Depending on the arguments a +detached signature may also be checked. + +@item --server +@opindex server +Run in server mode and wait for commands on the @code{stdin}. + +@item --call-dirmngr @var{command} [@var{args}] +@opindex call-dirmngr +Behave as a Dirmngr client issuing the request @var{command} with the +optional list of @var{args}. The output of the Dirmngr is printed +stdout. Please note that file names given as arguments should have an +absolute file name (i.e. commencing with @code{/}) because they are +passed verbatim to the Dirmngr and the working directory of the +Dirmngr might not be the same as the one of this client. Currently it +is not possible to pass data via stdin to the Dirmngr. @var{command} +should not contain spaces. + +This is command is required for certain maintaining tasks of the dirmngr +where a dirmngr must be able to call back to @command{gpgsm}. See the Dirmngr +manual for details. + +@item --call-protect-tool @var{arguments} +@opindex call-protect-tool +Certain maintenance operations are done by an external program call +@command{gpg-protect-tool}; this is usually not installed in a directory +listed in the PATH variable. This command provides a simple wrapper to +access this tool. @var{arguments} are passed verbatim to this command; +use @samp{--help} to get a list of supported operations. + + +@end table + + +@c ******************************************* +@c ******* CERTIFICATE MANAGEMENT ********** +@c ******************************************* +@node Certificate Management +@subsection How to manage the certificates and keys + +@table @gnupgtabopt +@item --generate-key +@opindex generate-key +@itemx --gen-key +@opindex gen-key +This command allows the creation of a certificate signing request or a +self-signed certificate. It is commonly used along with the +@option{--output} option to save the created CSR or certificate into a +file. If used with the @option{--batch} a parameter file is used to +create the CSR or certificate and it is further possible to create +non-self-signed certificates. + +@item --list-keys +@itemx -k +@opindex list-keys +List all available certificates stored in the local key database. +Note that the displayed data might be reformatted for better human +readability and illegal characters are replaced by safe substitutes. + +@item --list-secret-keys +@itemx -K +@opindex list-secret-keys +List all available certificates for which a corresponding a secret key +is available. + +@item --list-external-keys @var{pattern} +@opindex list-keys +List certificates matching @var{pattern} using an external server. This +utilizes the @code{dirmngr} service. + +@item --list-chain +@opindex list-chain +Same as @option{--list-keys} but also prints all keys making up the chain. + + +@item --dump-cert +@itemx --dump-keys +@opindex dump-cert +@opindex dump-keys +List all available certificates stored in the local key database using a +format useful mainly for debugging. + +@item --dump-chain +@opindex dump-chain +Same as @option{--dump-keys} but also prints all keys making up the chain. + +@item --dump-secret-keys +@opindex dump-secret-keys +List all available certificates for which a corresponding a secret key +is available using a format useful mainly for debugging. + +@item --dump-external-keys @var{pattern} +@opindex dump-external-keys +List certificates matching @var{pattern} using an external server. +This utilizes the @code{dirmngr} service. It uses a format useful +mainly for debugging. + +@item --keydb-clear-some-cert-flags +@opindex keydb-clear-some-cert-flags +This is a debugging aid to reset certain flags in the key database +which are used to cache certain certificate stati. It is especially +useful if a bad CRL or a weird running OCSP responder did accidentally +revoke certificate. There is no security issue with this command +because @command{gpgsm} always make sure that the validity of a certificate is +checked right before it is used. + +@item --delete-keys @var{pattern} +@opindex delete-keys +Delete the keys matching @var{pattern}. Note that there is no command +to delete the secret part of the key directly. In case you need to do +this, you should run the command @code{gpgsm --dump-secret-keys KEYID} +before you delete the key, copy the string of hex-digits in the +``keygrip'' line and delete the file consisting of these hex-digits +and the suffix @code{.key} from the @file{private-keys-v1.d} directory +below our GnuPG home directory (usually @file{~/.gnupg}). + +@item --export [@var{pattern}] +@opindex export +Export all certificates stored in the Keybox or those specified by the +optional @var{pattern}. Those pattern consist of a list of user ids +(@pxref{how-to-specify-a-user-id}). When used along with the +@option{--armor} option a few informational lines are prepended before +each block. There is one limitation: As there is no commonly agreed +upon way to pack more than one certificate into an ASN.1 structure, +the binary export (i.e. without using @option{armor}) works only for +the export of one certificate. Thus it is required to specify a +@var{pattern} which yields exactly one certificate. Ephemeral +certificate are only exported if all @var{pattern} are given as +fingerprints or keygrips. + +@item --export-secret-key-p12 @var{key-id} +@opindex export-secret-key-p12 +Export the private key and the certificate identified by @var{key-id} +using the PKCS#12 format. When used with the @code{--armor} option a few +informational lines are prepended to the output. Note, that the PKCS#12 +format is not very secure and proper transport security should be used +to convey the exported key. (@xref{option --p12-charset}.) + +@item --export-secret-key-p8 @var{key-id} +@itemx --export-secret-key-raw @var{key-id} +@opindex export-secret-key-p8 +@opindex export-secret-key-raw +Export the private key of the certificate identified by @var{key-id} +with any encryption stripped. The @code{...-raw} command exports in +PKCS#1 format; the @code{...-p8} command exports in PKCS#8 format. +When used with the @code{--armor} option a few informational lines are +prepended to the output. These commands are useful to prepare a key +for use on a TLS server. + +@item --import [@var{files}] +@opindex import +Import the certificates from the PEM or binary encoded files as well as +from signed-only messages. This command may also be used to import a +secret key from a PKCS#12 file. + +@item --learn-card +@opindex learn-card +Read information about the private keys from the smartcard and import +the certificates from there. This command utilizes the @command{gpg-agent} +and in turn the @command{scdaemon}. + +@item --change-passphrase @var{user_id} +@opindex change-passphrase +@itemx --passwd @var{user_id} +@opindex passwd +Change the passphrase of the private key belonging to the certificate +specified as @var{user_id}. Note, that changing the passphrase/PIN of a +smartcard is not yet supported. + +@end table + + +@c ******************************************* +@c *************** **************** +@c *************** OPTIONS **************** +@c *************** **************** +@c ******************************************* +@mansect options +@node GPGSM Options +@section Option Summary + +@command{GPGSM} features a bunch of options to control the exact behaviour +and to change the default configuration. + +@menu +* Configuration Options:: How to change the configuration. +* Certificate Options:: Certificate related options. +* Input and Output:: Input and Output. +* CMS Options:: How to change how the CMS is created. +* Esoteric Options:: Doing things one usually do not want to do. +@end menu + + +@c ******************************************* +@c ******** CONFIGURATION OPTIONS ********** +@c ******************************************* +@node Configuration Options +@subsection How to change the configuration + +These options are used to change the configuration and are usually found +in the option file. + +@table @gnupgtabopt + +@anchor{gpgsm-option --options} +@item --options @var{file} +@opindex options +Reads configuration from @var{file} instead of from the default +per-user configuration file. The default configuration file is named +@file{gpgsm.conf} and expected in the @file{.gnupg} directory directly +below the home directory of the user. + +@include opt-homedir.texi + + +@item -v +@item --verbose +@opindex v +@opindex verbose +Outputs additional information while running. +You can increase the verbosity by giving several +verbose commands to @command{gpgsm}, such as @samp{-vv}. + +@item --keyserver @var{string} +@opindex keyserver +This is a deprecated option. It was used to add an LDAP server to use +for X.509 certificate and CRL lookup. The alias @option{--ldapserver} +existed from version 2.2.28 to 2.2.33 but is now entirely ignored. + +LDAP servers must be given in the configuration for @command{dirmngr}. + + +@item --policy-file @var{filename} +@opindex policy-file +Change the default name of the policy file to @var{filename}. + +@item --agent-program @var{file} +@opindex agent-program +Specify an agent program to be used for secret key operations. The +default value is determined by running the command @command{gpgconf}. +Note that the pipe symbol (@code{|}) is used for a regression test +suite hack and may thus not be used in the file name. + +@item --dirmngr-program @var{file} +@opindex dirmngr-program +Specify a dirmngr program to be used for @acronym{CRL} checks. The +default value is @file{@value{BINDIR}/dirmngr}. + +@item --prefer-system-dirmngr +@opindex prefer-system-dirmngr +This option is obsolete and ignored. + +@item --disable-dirmngr +Entirely disable the use of the Dirmngr. + +@item --no-autostart +@opindex no-autostart +Do not start the gpg-agent or the dirmngr if it has not yet been +started and its service is required. This option is mostly useful on +machines where the connection to gpg-agent has been redirected to +another machines. If dirmngr is required on the remote machine, it +may be started manually using @command{gpgconf --launch dirmngr}. + +@item --no-secmem-warning +@opindex no-secmem-warning +Do not print a warning when the so called "secure memory" cannot be used. + +@item --log-file @var{file} +@opindex log-file +When running in server mode, append all logging output to @var{file}. +Use @file{socket://} to log to socket. + +@end table + + +@c ******************************************* +@c ******** CERTIFICATE OPTIONS ************ +@c ******************************************* +@node Certificate Options +@subsection Certificate related options + +@table @gnupgtabopt + +@item --enable-policy-checks +@itemx --disable-policy-checks +@opindex enable-policy-checks +@opindex disable-policy-checks +By default policy checks are enabled. These options may be used to +change it. + +@item --enable-crl-checks +@itemx --disable-crl-checks +@opindex enable-crl-checks +@opindex disable-crl-checks +By default the @acronym{CRL} checks are enabled and the DirMngr is +used to check for revoked certificates. The disable option is most +useful with an off-line network connection to suppress this check and +also to avoid that new certificates introduce a web bug by including a +certificate specific CRL DP. The disable option also disables an +issuer certificate lookup via the authorityInfoAccess property of the +certificate; the @option{--enable-issuer-key-retrieve} can be used +to make use of that property anyway. + +@item --enable-trusted-cert-crl-check +@itemx --disable-trusted-cert-crl-check +@opindex enable-trusted-cert-crl-check +@opindex disable-trusted-cert-crl-check +By default the @acronym{CRL} for trusted root certificates are checked +like for any other certificates. This allows a CA to revoke its own +certificates voluntary without the need of putting all ever issued +certificates into a CRL. The disable option may be used to switch this +extra check off. Due to the caching done by the Dirmngr, there will not be +any noticeable performance gain. Note, that this also disables possible +OCSP checks for trusted root certificates. A more specific way of +disabling this check is by adding the ``relax'' keyword to the root CA +line of the @file{trustlist.txt} + + +@item --force-crl-refresh +@opindex force-crl-refresh +Tell the dirmngr to reload the CRL for each request. For better +performance, the dirmngr will actually optimize this by suppressing +the loading for short time intervals (e.g. 30 minutes). This option +is useful to make sure that a fresh CRL is available for certificates +hold in the keybox. The suggested way of doing this is by using it +along with the option @option{--with-validation} for a key listing +command. This option should not be used in a configuration file. + +@item --enable-issuer-based-crl-check +@opindex enable-issuer-based-crl-check +Run a CRL check even for certificates which do not have any CRL +distribution point. This requires that a suitable LDAP server has +been configured in Dirmngr and that the CRL can be found using the +issuer. This option reverts to what GnuPG did up to version 2.2.20. +This option is in general not useful. + +@item --enable-ocsp +@itemx --disable-ocsp +@opindex enable-ocsp +@opindex disable-ocsp +By default @acronym{OCSP} checks are disabled. The enable option may +be used to enable OCSP checks via Dirmngr. If @acronym{CRL} checks +are also enabled, CRLs will be used as a fallback if for some reason an +OCSP request will not succeed. Note, that you have to allow OCSP +requests in Dirmngr's configuration too (option +@option{--allow-ocsp}) and configure Dirmngr properly. If you do not do +so you will get the error code @samp{Not supported}. + +@item --auto-issuer-key-retrieve +@opindex auto-issuer-key-retrieve +If a required certificate is missing while validating the chain of +certificates, try to load that certificate from an external location. +This usually means that Dirmngr is employed to search for the +certificate. Note that this option makes a "web bug" like behavior +possible. LDAP server operators can see which keys you request, so by +sending you a message signed by a brand new key (which you naturally +will not have on your local keybox), the operator can tell both your IP +address and the time when you verified the signature. + + +@anchor{gpgsm-option --validation-model} +@item --validation-model @var{name} +@opindex validation-model +This option changes the default validation model. The only possible +values are "shell" (which is the default), "chain" which forces the +use of the chain model and "steed" for a new simplified model. The +chain model is also used if an option in the @file{trustlist.txt} or +an attribute of the certificate requests it. However the standard +model (shell) is in that case always tried first. + +@item --ignore-cert-extension @var{oid} +@opindex ignore-cert-extension +Add @var{oid} to the list of ignored certificate extensions. The +@var{oid} is expected to be in dotted decimal form, like +@code{2.5.29.3}. This option may be used more than once. Critical +flagged certificate extensions matching one of the OIDs in the list +are treated as if they are actually handled and thus the certificate +will not be rejected due to an unknown critical extension. Use this +option with care because extensions are usually flagged as critical +for a reason. + +@end table + +@c ******************************************* +@c *********** INPUT AND OUTPUT ************ +@c ******************************************* +@node Input and Output +@subsection Input and Output + +@table @gnupgtabopt +@item --armor +@itemx -a +@opindex armor +Create PEM encoded output. Default is binary output. + +@item --base64 +@opindex base64 +Create Base-64 encoded output; i.e. PEM without the header lines. + +@item --assume-armor +@opindex assume-armor +Assume the input data is PEM encoded. Default is to autodetect the +encoding but this is may fail. + +@item --assume-base64 +@opindex assume-base64 +Assume the input data is plain base-64 encoded. + +@item --assume-binary +@opindex assume-binary +Assume the input data is binary encoded. + +@anchor{option --p12-charset} +@item --p12-charset @var{name} +@opindex p12-charset +@command{gpgsm} uses the UTF-8 encoding when encoding passphrases for +PKCS#12 files. This option may be used to force the passphrase to be +encoded in the specified encoding @var{name}. This is useful if the +application used to import the key uses a different encoding and thus +will not be able to import a file generated by @command{gpgsm}. Commonly +used values for @var{name} are @code{Latin1} and @code{CP850}. Note +that @command{gpgsm} itself automagically imports any file with a +passphrase encoded to the most commonly used encodings. + + +@item --default-key @var{user_id} +@opindex default-key +Use @var{user_id} as the standard key for signing. This key is used if +no other key has been defined as a signing key. Note, that the first +@option{--local-users} option also sets this key if it has not yet been +set; however @option{--default-key} always overrides this. + + +@item --local-user @var{user_id} +@item -u @var{user_id} +@opindex local-user +Set the user(s) to be used for signing. The default is the first +secret key found in the database. + + +@item --recipient @var{name} +@itemx -r +@opindex recipient +Encrypt to the user id @var{name}. There are several ways a user id +may be given (@pxref{how-to-specify-a-user-id}). + + +@item --output @var{file} +@itemx -o @var{file} +@opindex output +Write output to @var{file}. The default is to write it to stdout. + + +@anchor{gpgsm-option --with-key-data} +@item --with-key-data +@opindex with-key-data +Displays extra information with the @code{--list-keys} commands. Especially +a line tagged @code{grp} is printed which tells you the keygrip of a +key. This string is for example used as the file name of the +secret key. Implies @code{--with-colons}. + +@anchor{gpgsm-option --with-validation} +@item --with-validation +@opindex with-validation +When doing a key listing, do a full validation check for each key and +print the result. This is usually a slow operation because it +requires a CRL lookup and other operations. + +When used along with @option{--import}, a validation of the certificate to +import is done and only imported if it succeeds the test. Note that +this does not affect an already available certificate in the DB. +This option is therefore useful to simply verify a certificate. + + +@item --with-md5-fingerprint +For standard key listings, also print the MD5 fingerprint of the +certificate. + +@item --with-keygrip +Include the keygrip in standard key listings. Note that the keygrip is +always listed in @option{--with-colons} mode. + +@item --with-secret +@opindex with-secret +Include info about the presence of a secret key in public key listings +done with @code{--with-colons}. + +@end table + +@c ******************************************* +@c ************* CMS OPTIONS *************** +@c ******************************************* +@node CMS Options +@subsection How to change how the CMS is created + +@table @gnupgtabopt +@item --include-certs @var{n} +@opindex include-certs +Using @var{n} of -2 includes all certificate except for the root cert, +-1 includes all certs, 0 does not include any certs, 1 includes only the +signers cert and all other positive values include up to @var{n} +certificates starting with the signer cert. The default is -2. + +@item --cipher-algo @var{oid} +@opindex cipher-algo +Use the cipher algorithm with the ASN.1 object identifier @var{oid} for +encryption. For convenience the strings @code{3DES}, @code{AES} and +@code{AES256} may be used instead of their OIDs. The default is +@code{AES} (2.16.840.1.101.3.4.1.2). + +@item --digest-algo @code{name} +Use @code{name} as the message digest algorithm. Usually this +algorithm is deduced from the respective signing certificate. This +option forces the use of the given algorithm and may lead to severe +interoperability problems. + +@end table + + + +@c ******************************************* +@c ******** ESOTERIC OPTIONS *************** +@c ******************************************* +@node Esoteric Options +@subsection Doing things one usually do not want to do + + +@table @gnupgtabopt + +@item --extra-digest-algo @var{name} +@opindex extra-digest-algo +Sometimes signatures are broken in that they announce a different digest +algorithm than actually used. @command{gpgsm} uses a one-pass data +processing model and thus needs to rely on the announced digest +algorithms to properly hash the data. As a workaround this option may +be used to tell @command{gpgsm} to also hash the data using the algorithm +@var{name}; this slows processing down a little bit but allows verification of +such broken signatures. If @command{gpgsm} prints an error like +``digest algo 8 has not been enabled'' you may want to try this option, +with @samp{SHA256} for @var{name}. + +@item --compliance @var{string} +@opindex compliance +Set the compliance mode. Valid values are shown when using "help" for +@var{string}. + +@item --min-rsa-length @var{n} +@opindex min-rsa-length +This option adjusts the compliance mode "de-vs" for stricter key size +requirements. For example, a value of 3000 turns rsa2048 and dsa2048 +keys into non-VS-NfD compliant keys. + +@item --require-compliance +@opindex require-compliance +To check that data has been encrypted according to the rules of the +current compliance mode, a gpgsm user needs to evaluate the status +lines. This is allows frontends to handle compliance check in a more +flexible way. However, for scripted use the required evaluation of +the status-line requires quite some effort; this option can be used +instead to make sure that the gpgsm process exits with a failure if +the compliance rules are not fulfilled. Note that this option has +currently an effect only in "de-vs" mode. + +@item --ignore-cert-with-oid @var{oid} +@opindex ignore-cert-with-oid +Add @var{oid} to the list of OIDs to be checked while reading +certificates from smartcards. The @var{oid} is expected to be in +dotted decimal form, like @code{2.5.29.3}. This option may be used +more than once. As of now certificates with an extended key usage +matching one of those OIDs are ignored during a @option{--learn-card} +operation and not imported. This option can help to keep the local +key database clear of unneeded certificates stored on smartcards. + +@item --faked-system-time @var{epoch} +@opindex faked-system-time +This option is only useful for testing; it sets the system time back or +forth to @var{epoch} which is the number of seconds elapsed since the year +1970. Alternatively @var{epoch} may be given as a full ISO time string +(e.g. "20070924T154812"). + +@item --with-ephemeral-keys +@opindex with-ephemeral-keys +Include ephemeral flagged keys in the output of key listings. Note +that they are included anyway if the key specification for a listing +is given as fingerprint or keygrip. + +@item --compatibility-flags @var{flags} +@opindex compatibility-flags +Set compatibility flags to work around problems due to non-compliant +certificates or data. The @var{flags} are given as a comma separated +list of flag names and are OR-ed together. The special flag "none" +clears the list and allows to start over with an empty list. To get a +list of available flags the sole word "help" can be used. + +@item --debug-level @var{level} +@opindex debug-level +Select the debug level for investigating problems. @var{level} may be +a numeric value or by a keyword: + +@table @code +@item none +No debugging at all. A value of less than 1 may be used instead of +the keyword. +@item basic +Some basic debug messages. A value between 1 and 2 may be used +instead of the keyword. +@item advanced +More verbose debug messages. A value between 3 and 5 may be used +instead of the keyword. +@item expert +Even more detailed messages. A value between 6 and 8 may be used +instead of the keyword. +@item guru +All of the debug messages you can get. A value greater than 8 may be +used instead of the keyword. The creation of hash tracing files is +only enabled if the keyword is used. +@end table + +How these messages are mapped to the actual debugging flags is not +specified and may change with newer releases of this program. They are +however carefully selected to best aid in debugging. + +@item --debug @var{flags} +@opindex debug +This option is only useful for debugging and the behaviour may change +at any time without notice; using @code{--debug-levels} is the +preferred method to select the debug verbosity. FLAGS are bit encoded +and may be given in usual C-Syntax. The currently defined bits are: + +@table @code +@item 0 (1) +X.509 or OpenPGP protocol related data +@item 1 (2) +values of big number integers +@item 2 (4) +low level crypto operations +@item 5 (32) +memory allocation +@item 6 (64) +caching +@item 7 (128) +show memory statistics +@item 9 (512) +write hashed data to files named @code{dbgmd-000*} +@item 10 (1024) +trace Assuan protocol +@end table + +Note, that all flags set using this option may get overridden by +@code{--debug-level}. + +@item --debug-all +@opindex debug-all +Same as @code{--debug=0xffffffff} + +@item --debug-allow-core-dump +@opindex debug-allow-core-dump +Usually @command{gpgsm} tries to avoid dumping core by well written code and by +disabling core dumps for security reasons. However, bugs are pretty +durable beasts and to squash them it is sometimes useful to have a core +dump. This option enables core dumps unless the Bad Thing happened +before the option parsing. + +@item --debug-no-chain-validation +@opindex debug-no-chain-validation +This is actually not a debugging option but only useful as such. It +lets @command{gpgsm} bypass all certificate chain validation checks. + +@item --debug-ignore-expiration +@opindex debug-ignore-expiration +This is actually not a debugging option but only useful as such. It +lets @command{gpgsm} ignore all notAfter dates, this is used by the regression +tests. + +@item --passphrase-fd @code{n} +@opindex passphrase-fd +Read the passphrase from file descriptor @code{n}. Only the first line +will be read from file descriptor @code{n}. If you use 0 for @code{n}, +the passphrase will be read from STDIN. This can only be used if only +one passphrase is supplied. + +Note that this passphrase is only used if the option @option{--batch} +has also been given. + +@item --pinentry-mode @code{mode} +@opindex pinentry-mode +Set the pinentry mode to @code{mode}. Allowed values for @code{mode} +are: +@table @asis + @item default + Use the default of the agent, which is @code{ask}. + @item ask + Force the use of the Pinentry. + @item cancel + Emulate use of Pinentry's cancel button. + @item error + Return a Pinentry error (``No Pinentry''). + @item loopback + Redirect Pinentry queries to the caller. Note that in contrast to + Pinentry the user is not prompted again if he enters a bad password. +@end table + +@item --request-origin @var{origin} +@opindex request-origin +Tell gpgsm to assume that the operation ultimately originated at +@var{origin}. Depending on the origin certain restrictions are applied +and the Pinentry may include an extra note on the origin. Supported +values for @var{origin} are: @code{local} which is the default, +@code{remote} to indicate a remote origin or @code{browser} for an +operation requested by a web browser. + +@item --no-common-certs-import +@opindex no-common-certs-import +Suppress the import of common certificates on keybox creation. + +@end table + +All the long options may also be given in the configuration file after +stripping off the two leading dashes. + +@c ******************************************* +@c *************** **************** +@c *************** USER ID **************** +@c *************** **************** +@c ******************************************* +@mansect how to specify a user id +@ifset isman +@include specify-user-id.texi +@end ifset + +@c ******************************************* +@c *************** **************** +@c *************** FILES **************** +@c *************** **************** +@c ******************************************* +@mansect files +@node GPGSM Configuration +@section Configuration files + +There are a few configuration files to control certain aspects of +@command{gpgsm}'s operation. Unless noted, they are expected in the +current home directory (@pxref{option --homedir}). + +@table @file + +@item gpgsm.conf +@efindex gpgsm.conf +This is the standard configuration file read by @command{gpgsm} on +startup. It may contain any valid long option; the leading two dashes +may not be entered and the option may not be abbreviated. This default +name may be changed on the command line (@pxref{gpgsm-option --options}). +You should backup this file. + + +@item policies.txt +@efindex policies.txt +This is a list of allowed CA policies. This file should list the +object identifiers of the policies line by line. Empty lines and +lines starting with a hash mark are ignored. Policies missing in this +file and not marked as critical in the certificate will print only a +warning; certificates with policies marked as critical and not listed +in this file will fail the signature verification. You should backup +this file. + +For example, to allow only the policy 2.289.9.9, the file should look +like this: + +@c man:.RS +@example +# Allowed policies +2.289.9.9 +@end example +@c man:.RE + +@item qualified.txt +@efindex qualified.txt +This is the list of root certificates used for qualified certificates. +They are defined as certificates capable of creating legally binding +signatures in the same way as handwritten signatures are. Comments +start with a hash mark and empty lines are ignored. Lines do have a +length limit but this is not a serious limitation as the format of the +entries is fixed and checked by @command{gpgsm}: A non-comment line starts with +optional whitespace, followed by exactly 40 hex characters, white space +and a lowercased 2 letter country code. Additional data delimited with +by a white space is current ignored but might late be used for other +purposes. + +Note that even if a certificate is listed in this file, this does not +mean that the certificate is trusted; in general the certificates listed +in this file need to be listed also in @file{trustlist.txt}. + +This is a global file an installed in the data directory +(e.g. @file{@value{DATADIR}/qualified.txt}). GnuPG installs a suitable +file with root certificates as used in Germany. As new Root-CA +certificates may be issued over time, these entries may need to be +updated; new distributions of this software should come with an updated +list but it is still the responsibility of the Administrator to check +that this list is correct. + +Every time @command{gpgsm} uses a certificate for signing or verification +this file will be consulted to check whether the certificate under +question has ultimately been issued by one of these CAs. If this is the +case the user will be informed that the verified signature represents a +legally binding (``qualified'') signature. When creating a signature +using such a certificate an extra prompt will be issued to let the user +confirm that such a legally binding signature shall really be created. + +Because this software has not yet been approved for use with such +certificates, appropriate notices will be shown to indicate this fact. + +@item help.txt +@efindex help.txt +This is plain text file with a few help entries used with +@command{pinentry} as well as a large list of help items for +@command{gpg} and @command{gpgsm}. The standard file has English help +texts; to install localized versions use filenames like @file{help.LL.txt} +with LL denoting the locale. GnuPG comes with a set of predefined help +files in the data directory (e.g. @file{@value{DATADIR}/gnupg/help.de.txt}) +and allows overriding of any help item by help files stored in the +system configuration directory (e.g. @file{@value{SYSCONFDIR}/help.de.txt}). +For a reference of the help file's syntax, please see the installed +@file{help.txt} file. + + +@item com-certs.pem +@efindex com-certs.pem +This file is a collection of common certificates used to populated a +newly created @file{pubring.kbx}. An administrator may replace this +file with a custom one. The format is a concatenation of PEM encoded +X.509 certificates. This global file is installed in the data directory +(e.g. @file{@value{DATADIR}/com-certs.pem}). + +@end table + +@c man:.RE +Note that on larger installations, it is useful to put predefined files +into the directory @file{/etc/skel/.gnupg/} so that newly created users +start up with a working configuration. For existing users a small +helper script is provided to create these files (@pxref{addgnupghome}). + +For internal purposes @command{gpgsm} creates and maintains a few other files; +they all live in the current home directory (@pxref{option +--homedir}). Only @command{gpgsm} may modify these files. + + +@table @file +@item pubring.kbx +@efindex pubring.kbx +This a database file storing the certificates as well as meta +information. For debugging purposes the tool @command{kbxutil} may be +used to show the internal structure of this file. You should backup +this file. + +@item random_seed +@efindex random_seed +This content of this file is used to maintain the internal state of the +random number generator across invocations. The same file is used by +other programs of this software too. + +@item S.gpg-agent +@efindex S.gpg-agent +If this file exists +@command{gpgsm} will first try to connect to this socket for +accessing @command{gpg-agent} before starting a new @command{gpg-agent} +instance. Under Windows this socket (which in reality be a plain file +describing a regular TCP listening port) is the standard way of +connecting the @command{gpg-agent}. + +@end table + + +@c ******************************************* +@c *************** **************** +@c *************** EXAMPLES **************** +@c *************** **************** +@c ******************************************* +@mansect examples +@node GPGSM Examples +@section Examples + +@example +$ gpgsm -er goo@@bar.net <plaintext >ciphertext +@end example + + +@c ******************************************* +@c *************** ************** +@c *************** UNATTENDED ************** +@c *************** ************** +@c ******************************************* +@manpause +@node Unattended Usage +@section Unattended Usage + +@command{gpgsm} is often used as a backend engine by other software. To help +with this a machine interface has been defined to have an unambiguous +way to do this. This is most likely used with the @code{--server} command +but may also be used in the standard operation mode by using the +@code{--status-fd} option. + +@menu +* Automated signature checking:: Automated signature checking. +* CSR and certificate creation:: CSR and certificate creation. +@end menu + +@node Automated signature checking +@subsection Automated signature checking + +It is very important to understand the semantics used with signature +verification. Checking a signature is not as simple as it may sound and +so the operation is a bit complicated. In most cases it is required +to look at several status lines. Here is a table of all cases a signed +message may have: + +@table @asis +@item The signature is valid +This does mean that the signature has been successfully verified, the +certificates are all sane. However there are two subcases with +important information: One of the certificates may have expired or a +signature of a message itself as expired. It is a sound practise to +consider such a signature still as valid but additional information +should be displayed. Depending on the subcase @command{gpgsm} will issue +these status codes: + @table @asis + @item signature valid and nothing did expire + @code{GOODSIG}, @code{VALIDSIG}, @code{TRUST_FULLY} + @item signature valid but at least one certificate has expired + @code{EXPKEYSIG}, @code{VALIDSIG}, @code{TRUST_FULLY} + @item signature valid but expired + @code{EXPSIG}, @code{VALIDSIG}, @code{TRUST_FULLY} + Note, that this case is currently not implemented. + @end table + +@item The signature is invalid +This means that the signature verification failed (this is an indication +of a transfer error, a program error or tampering with the message). +@command{gpgsm} issues one of these status codes sequences: + @table @code + @item @code{BADSIG} + @item @code{GOODSIG}, @code{VALIDSIG} @code{TRUST_NEVER} + @end table + +@item Error verifying a signature +For some reason the signature could not be verified, i.e. it cannot be +decided whether the signature is valid or invalid. A common reason for +this is a missing certificate. + +@end table + +@node CSR and certificate creation +@subsection CSR and certificate creation + +The command @option{--generate-key} may be used along with the option +@option{--batch} to either create a certificate signing request (CSR) +or an X.509 certificate. This is controlled by a parameter file; the +format of this file is as follows: + +@itemize @bullet +@item Text only, line length is limited to about 1000 characters. +@item UTF-8 encoding must be used to specify non-ASCII characters. +@item Empty lines are ignored. +@item Leading and trailing while space is ignored. +@item A hash sign as the first non white space character indicates +a comment line. +@item Control statements are indicated by a leading percent sign, the +arguments are separated by white space from the keyword. +@item Parameters are specified by a keyword, followed by a colon. Arguments +are separated by white space. +@item The first parameter must be @samp{Key-Type}, control statements +may be placed anywhere. +@item +The order of the parameters does not matter except for @samp{Key-Type} +which must be the first parameter. The parameters are only used for +the generated CSR/certificate; parameters from previous sets are not +used. Some syntactically checks may be performed. +@item +Key generation takes place when either the end of the parameter file +is reached, the next @samp{Key-Type} parameter is encountered or at the +control statement @samp{%commit} is encountered. +@end itemize + +@noindent +Control statements: + +@table @asis + +@item %echo @var{text} +Print @var{text} as diagnostic. + +@item %dry-run +Suppress actual key generation (useful for syntax checking). + +@item %commit +Perform the key generation. Note that an implicit commit is done at +the next @asis{Key-Type} parameter. + +@c %certfile <filename> +@c [Not yet implemented!] +@c Do not write the certificate to the keyDB but to <filename>. +@c This must be given before the first +@c commit to take place, duplicate specification of the same filename +@c is ignored, the last filename before a commit is used. +@c The filename is used until a new filename is used (at commit points) +@c and all keys are written to that file. If a new filename is given, +@c this file is created (and overwrites an existing one). +@c Both control statements must be given. +@end table + +@noindent +General Parameters: + +@table @asis + +@item Key-Type: @var{algo} +Starts a new parameter block by giving the type of the primary +key. The algorithm must be capable of signing. This is a required +parameter. The only supported value for @var{algo} is @samp{rsa}. + +@item Key-Length: @var{nbits} +The requested length of a generated key in bits. Defaults to 3072. + +@item Key-Grip: @var{hexstring} +This is optional and used to generate a CSR or certificate for an +already existing key. Key-Length will be ignored when given. + +@item Key-Usage: @var{usage-list} +Space or comma delimited list of key usage, allowed values are +@samp{encrypt}, @samp{sign} and @samp{cert}. This is used to generate +the keyUsage extension. Please make sure that the algorithm is +capable of this usage. Default is to allow encrypt and sign. + +@item Name-DN: @var{subject-name} +This is the Distinguished Name (DN) of the subject in RFC-2253 format. + +@item Name-Email: @var{string} +This is an email address for the altSubjectName. This parameter is +optional but may occur several times to add several email addresses to +a certificate. + +@item Name-DNS: @var{string} +The is an DNS name for the altSubjectName. This parameter is optional +but may occur several times to add several DNS names to a certificate. + +@item Name-URI: @var{string} +This is an URI for the altSubjectName. This parameter is optional but +may occur several times to add several URIs to a certificate. +@end table + +@noindent +Additional parameters used to create a certificate (in contrast to a +certificate signing request): + +@table @asis + +@item Serial: @var{sn} +If this parameter is given an X.509 certificate will be generated. +@var{sn} is expected to be a hex string representing an unsigned +integer of arbitrary length. The special value @samp{random} can be +used to create a 64 bit random serial number. + +@item Issuer-DN: @var{issuer-name} +This is the DN name of the issuer in RFC-2253 format. If it is not set +it will default to the subject DN and a special GnuPG extension will +be included in the certificate to mark it as a standalone certificate. + +@item Creation-Date: @var{iso-date} +@itemx Not-Before: @var{iso-date} +Set the notBefore date of the certificate. Either a date like +@samp{1986-04-26} or @samp{1986-04-26 12:00} or a standard ISO +timestamp like @samp{19860426T042640} may be used. The time is +considered to be UTC. If it is not given the current date is used. + +@item Expire-Date: @var{iso-date} +@itemx Not-After: @var{iso-date} +Set the notAfter date of the certificate. Either a date like +@samp{2063-04-05} or @samp{2063-04-05 17:00} or a standard ISO +timestamp like @samp{20630405T170000} may be used. The time is +considered to be UTC. If it is not given a default value in the not +too far future is used. + +@item Signing-Key: @var{keygrip} +This gives the keygrip of the key used to sign the certificate. If it +is not given a self-signed certificate will be created. For +compatibility with future versions, it is suggested to prefix the +keygrip with a @samp{&}. + +@item Hash-Algo: @var{hash-algo} +Use @var{hash-algo} for this CSR or certificate. The supported hash +algorithms are: @samp{sha1}, @samp{sha256}, @samp{sha384} and +@samp{sha512}; they may also be specified with uppercase letters. The +default is @samp{sha256}. + +@end table + +@c ******************************************* +@c *************** ***************** +@c *************** ASSSUAN ***************** +@c *************** ***************** +@c ******************************************* +@node GPGSM Protocol +@section The Protocol the Server Mode Uses + +Description of the protocol used to access @command{GPGSM}. +@command{GPGSM} does implement the Assuan protocol and in addition +provides a regular command line interface which exhibits a full client +to this protocol (but uses internal linking). To start +@command{gpgsm} as a server the command line the option +@code{--server} must be used. Additional options are provided to +select the communication method (i.e. the name of the socket). + +We assume that the connection has already been established; see the +Assuan manual for details. + +@menu +* GPGSM ENCRYPT:: Encrypting a message. +* GPGSM DECRYPT:: Decrypting a message. +* GPGSM SIGN:: Signing a message. +* GPGSM VERIFY:: Verifying a message. +* GPGSM GENKEY:: Generating a key. +* GPGSM LISTKEYS:: List available keys. +* GPGSM EXPORT:: Export certificates. +* GPGSM IMPORT:: Import certificates. +* GPGSM DELETE:: Delete certificates. +* GPGSM GETAUDITLOG:: Retrieve an audit log. +* GPGSM GETINFO:: Information about the process +* GPGSM OPTION:: Session options. +@end menu + + +@node GPGSM ENCRYPT +@subsection Encrypting a Message + +Before encryption can be done the recipient must be set using the +command: + +@example + RECIPIENT @var{userID} +@end example + +Set the recipient for the encryption. @var{userID} should be the +internal representation of the key; the server may accept any other way +of specification. If this is a valid and trusted recipient the server +does respond with OK, otherwise the return is an ERR with the reason why +the recipient cannot be used, the encryption will then not be done for +this recipient. If the policy is not to encrypt at all if not all +recipients are valid, the client has to take care of this. All +@code{RECIPIENT} commands are cumulative until a @code{RESET} or an +successful @code{ENCRYPT} command. + +@example + INPUT FD[=@var{n}] [--armor|--base64|--binary] +@end example + +Set the file descriptor for the message to be encrypted to @var{n}. +Obviously the pipe must be open at that point, the server establishes +its own end. If the server returns an error the client should consider +this session failed. If @var{n} is not given, this commands uses the +last file descriptor passed to the application. +@xref{fun-assuan_sendfd, ,the assuan_sendfd function,assuan,the Libassuan +manual}, on how to do descriptor passing. + +The @code{--armor} option may be used to advise the server that the +input data is in @acronym{PEM} format, @code{--base64} advises that a +raw base-64 encoding is used, @code{--binary} advises of raw binary +input (@acronym{BER}). If none of these options is used, the server +tries to figure out the used encoding, but this may not always be +correct. + +@example + OUTPUT FD[=@var{n}] [--armor|--base64] +@end example + +Set the file descriptor to be used for the output (i.e. the encrypted +message). Obviously the pipe must be open at that point, the server +establishes its own end. If the server returns an error the client +should consider this session failed. + +The option @option{--armor} encodes the output in @acronym{PEM} format, the +@option{--base64} option applies just a base-64 encoding. No option +creates binary output (@acronym{BER}). + +The actual encryption is done using the command + +@example + ENCRYPT +@end example + +It takes the plaintext from the @code{INPUT} command, writes to the +ciphertext to the file descriptor set with the @code{OUTPUT} command, +take the recipients from all the recipients set so far. If this command +fails the clients should try to delete all output currently done or +otherwise mark it as invalid. @command{GPGSM} does ensure that there +will not be any +security problem with leftover data on the output in this case. + +This command should in general not fail, as all necessary checks have +been done while setting the recipients. The input and output pipes are +closed. + + +@node GPGSM DECRYPT +@subsection Decrypting a message + +Input and output FDs are set the same way as in encryption, but +@code{INPUT} refers to the ciphertext and @code{OUTPUT} to the plaintext. There +is no need to set recipients. @command{GPGSM} automatically strips any +@acronym{S/MIME} headers from the input, so it is valid to pass an +entire MIME part to the INPUT pipe. + +The decryption is done by using the command + +@example + DECRYPT +@end example + +It performs the decrypt operation after doing some check on the internal +state (e.g. that all needed data has been set). Because it utilizes +the GPG-Agent for the session key decryption, there is no need to ask +the client for a protecting passphrase - GpgAgent takes care of this by +requesting this from the user. + + +@node GPGSM SIGN +@subsection Signing a Message + +Signing is usually done with these commands: + +@example + INPUT FD[=@var{n}] [--armor|--base64|--binary] +@end example + +This tells @command{GPGSM} to read the data to sign from file descriptor @var{n}. + +@example + OUTPUT FD[=@var{m}] [--armor|--base64] +@end example + +Write the output to file descriptor @var{m}. If a detached signature is +requested, only the signature is written. + +@example + SIGN [--detached] +@end example + +Sign the data set with the @code{INPUT} command and write it to the sink set by +@code{OUTPUT}. With @code{--detached}, a detached signature is created +(surprise). + +The key used for signing is the default one or the one specified in +the configuration file. To get finer control over the keys, it is +possible to use the command + +@example + SIGNER @var{userID} +@end example + +to set the signer's key. @var{userID} should be the +internal representation of the key; the server may accept any other way +of specification. If this is a valid and trusted recipient the server +does respond with OK, otherwise the return is an ERR with the reason why +the key cannot be used, the signature will then not be created using +this key. If the policy is not to sign at all if not all +keys are valid, the client has to take care of this. All +@code{SIGNER} commands are cumulative until a @code{RESET} is done. +Note that a @code{SIGN} does not reset this list of signers which is in +contrast to the @code{RECIPIENT} command. + + +@node GPGSM VERIFY +@subsection Verifying a Message + +To verify a message the command: + +@example + VERIFY +@end example + +is used. It does a verify operation on the message send to the input FD. +The result is written out using status lines. If an output FD was +given, the signed text will be written to that. If the signature is a +detached one, the server will inquire about the signed material and the +client must provide it. + +@node GPGSM GENKEY +@subsection Generating a Key + +This is used to generate a new keypair, store the secret part in the +@acronym{PSE} and the public key in the key database. We will probably +add optional commands to allow the client to select whether a hardware +token is used to store the key. Configuration options to +@command{GPGSM} can be used to restrict the use of this command. + +@example + GENKEY +@end example + +@command{GPGSM} checks whether this command is allowed and then does an +INQUIRY to get the key parameters, the client should then send the +key parameters in the native format: + +@example + S: INQUIRE KEY_PARAM native + C: D foo:fgfgfg + C: D bar + C: END +@end example + +Please note that the server may send Status info lines while reading the +data lines from the client. After this the key generation takes place +and the server eventually does send an ERR or OK response. Status lines +may be issued as a progress indicator. + + +@node GPGSM LISTKEYS +@subsection List available keys +@anchor{gpgsm-cmd listkeys} + +To list the keys in the internal database or using an external key +provider, the command: + +@example + LISTKEYS @var{pattern} +@end example + +is used. To allow multiple patterns (which are ORed during the search) +quoting is required: Spaces are to be translated into "+" or into "%20"; +in turn this requires that the usual escape quoting rules are done. + +@example + LISTSECRETKEYS @var{pattern} +@end example + +Lists only the keys where a secret key is available. + +The list commands are affected by the option + +@example + OPTION list-mode=@var{mode} +@end example + +where mode may be: +@table @code +@item 0 +Use default (which is usually the same as 1). +@item 1 +List only the internal keys. +@item 2 +List only the external keys. +@item 3 +List internal and external keys. +@end table + +Note that options are valid for the entire session. + + +@node GPGSM EXPORT +@subsection Export certificates + +To export certificate from the internal key database the command: + +@example + EXPORT [--data [--armor] [--base64]] [--] @var{pattern} +@end example + +is used. To allow multiple patterns (which are ORed) quoting is +required: Spaces are to be translated into "+" or into "%20"; in turn +this requires that the usual escape quoting rules are done. + +If the @option{--data} option has not been given, the format of the +output depends on what was set with the @code{OUTPUT} command. When using +@acronym{PEM} encoding a few informational lines are prepended. + +If the @option{--data} has been given, a target set via @code{OUTPUT} is +ignored and the data is returned inline using standard +@code{D}-lines. This avoids the need for an extra file descriptor. In +this case the options @option{--armor} and @option{--base64} may be used +in the same way as with the @code{OUTPUT} command. + + +@node GPGSM IMPORT +@subsection Import certificates + +To import certificates into the internal key database, the command + +@example + IMPORT [--re-import] +@end example + +is used. The data is expected on the file descriptor set with the +@code{INPUT} command. Certain checks are performed on the +certificate. Note that the code will also handle PKCS#12 files and +import private keys; a helper program is used for that. + +With the option @option{--re-import} the input data is expected to a be +a linefeed separated list of fingerprints. The command will re-import +the corresponding certificates; that is they are made permanent by +removing their ephemeral flag. + + +@node GPGSM DELETE +@subsection Delete certificates + +To delete a certificate the command + +@example + DELKEYS @var{pattern} +@end example + +is used. To allow multiple patterns (which are ORed) quoting is +required: Spaces are to be translated into "+" or into "%20"; in turn +this requires that the usual escape quoting rules are done. + +The certificates must be specified unambiguously otherwise an error is +returned. + +@node GPGSM GETAUDITLOG +@subsection Retrieve an audit log +@anchor{gpgsm-cmd getauditlog} + +This command is used to retrieve an audit log. + +@example +GETAUDITLOG [--data] [--html] +@end example + +If @option{--data} is used, the audit log is send using D-lines +instead of being sent to the file descriptor given by an @code{OUTPUT} +command. If @option{--html} is used, the output is formatted as an +XHTML block. This is designed to be incorporated into a HTML +document. + + +@node GPGSM GETINFO +@subsection Return information about the process + +This is a multipurpose function to return a variety of information. + +@example +GETINFO @var{what} +@end example + +The value of @var{what} specifies the kind of information returned: +@table @code +@item version +Return the version of the program. +@item pid +Return the process id of the process. +@item agent-check +Return OK if the agent is running. +@item cmd_has_option @var{cmd} @var{opt} +Return OK if the command @var{cmd} implements the option @var{opt}. +The leading two dashes usually used with @var{opt} shall not be given. +@item offline +Return OK if the connection is in offline mode. This may be either +due to a @code{OPTION offline=1} or due to @command{gpgsm} being +started with option @option{--disable-dirmngr}. +@end table + +@node GPGSM OPTION +@subsection Session options + +The standard Assuan option handler supports these options. + +@example +OPTION @var{name}[=@var{value}] +@end example + +These @var{name}s are recognized: + +@table @code + +@item putenv +Change the session's environment to be passed via gpg-agent to +Pinentry. @var{value} is a string of the form +@code{<KEY>[=[<STRING>]]}. If only @code{<KEY>} is given the +environment variable @code{<KEY>} is removed from the session +environment, if @code{<KEY>=} is given that environment variable is +set to the empty string, and if @code{<STRING>} is given it is set to +that string. + +@item display +@efindex DISPLAY +Set the session environment variable @code{DISPLAY} is set to @var{value}. +@item ttyname +@efindex GPG_TTY +Set the session environment variable @code{GPG_TTY} is set to @var{value}. +@item ttytype +@efindex TERM +Set the session environment variable @code{TERM} is set to @var{value}. +@item lc-ctype +@efindex LC_CTYPE +Set the session environment variable @code{LC_CTYPE} is set to @var{value}. +@item lc-messages +@efindex LC_MESSAGES +Set the session environment variable @code{LC_MESSAGES} is set to @var{value}. +@item xauthority +@efindex XAUTHORITY +Set the session environment variable @code{XAUTHORITY} is set to @var{value}. +@item pinentry-user-data +@efindex PINENTRY_USER_DATA +Set the session environment variable @code{PINENTRY_USER_DATA} is set +to @var{value}. + +@item include-certs +This option overrides the command line option +@option{--include-certs}. A @var{value} of -2 includes all +certificates except for the root certificate, -1 includes all +certificates, 0 does not include any certificates, 1 includes only the +signers certificate and all other positive values include up to +@var{value} certificates starting with the signer cert. + +@item list-mode +@xref{gpgsm-cmd listkeys}. + +@item list-to-output +If @var{value} is true the output of the list commands +(@pxref{gpgsm-cmd listkeys}) is written to the file descriptor set +with the last @code{OUTPUT} command. If @var{value} is false the output is +written via data lines; this is the default. + +@item with-validation +If @var{value} is true for each listed certificate the validation +status is printed. This may result in the download of a CRL or the +user being asked about the trustworthiness of a root certificate. The +default is given by a command line option (@pxref{gpgsm-option +--with-validation}). + + +@item with-secret +If @var{value} is true certificates with a corresponding private key +are marked by the list commands. + +@item validation-model +This option overrides the command line option +@option{validation-model} for the session. +(@xref{gpgsm-option --validation-model}.) + +@item with-key-data +This option globally enables the command line option +@option{--with-key-data}. (@xref{gpgsm-option --with-key-data}.) + +@item enable-audit-log +If @var{value} is true data to write an audit log is gathered. +(@xref{gpgsm-cmd getauditlog}.) + +@item allow-pinentry-notify +If this option is used notifications about the launch of a Pinentry +are passed back to the client. + +@item with-ephemeral-keys +If @var{value} is true ephemeral certificates are included in the +output of the list commands. + +@item no-encrypt-to +If this option is used all keys set by the command line option +@option{--encrypt-to} are ignored. + +@item offline +If @var{value} is true or @var{value} is not given all network access +is disabled for this session. This is the same as the command line +option @option{--disable-dirmngr}. + +@end table + +@mansect see also +@ifset isman +@command{gpg2}(1), +@command{gpg-agent}(1) +@end ifset +@include see-also-note.texi diff --git a/doc/gpgv.texi b/doc/gpgv.texi new file mode 100644 index 0000000..2dd9576 --- /dev/null +++ b/doc/gpgv.texi @@ -0,0 +1,193 @@ +@c Copyright (C) 2004 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file GnuPG.texi. + +@c +@c This is included by tools.texi. +@c + +@include defs.inc + +@c Begin standard stuff +@ifclear gpgtwohack +@manpage gpgv.1 +@node gpgv +@section Verify OpenPGP signatures +@ifset manverb +.B gpgv +\- Verify OpenPGP signatures +@end ifset + +@mansect synopsis +@ifset manverb +.B gpgv +.RI [ options ] +.I signed_files +@end ifset +@end ifclear +@c End standard stuff + +@c Begin gpg2 hack stuff +@ifset gpgtwohack +@manpage gpgv2.1 +@node gpgv +@section Verify OpenPGP signatures +@ifset manverb +.B gpgv2 +\- Verify OpenPGP signatures +@end ifset + +@mansect synopsis +@ifset manverb +.B gpgv2 +.RI [ options ] +.I signed_files +@end ifset +@end ifset +@c End gpg2 hack stuff + +@mansect description +@code{@gpgvname} is an OpenPGP signature verification tool. + +This program is actually a stripped-down version of @code{gpg} which is +only able to check signatures. It is somewhat smaller than the fully-blown +@code{gpg} and uses a different (and simpler) way to check that +the public keys used to make the signature are valid. There are +no configuration files and only a few options are implemented. + +@code{@gpgvname} assumes that all keys in the keyring are trustworthy. +That does also mean that it does not check for expired or revoked +keys. + +If no @code{--keyring} option is given, @code{gpgv} looks for a +``default'' keyring named @file{trustedkeys.kbx} (preferred) or +@file{trustedkeys.gpg} in the home directory of GnuPG, either the +default home directory or the one set by the @code{--homedir} option +or the @code{GNUPGHOME} environment variable. If any @code{--keyring} +option is used, @code{gpgv} will not look for the default keyring. The +@code{--keyring} option may be used multiple times and all specified +keyrings will be used together. + +@noindent +@mansect options +@code{@gpgvname} recognizes these options: + +@table @gnupgtabopt + +@item --verbose +@itemx -v +@opindex verbose +Gives more information during processing. If used +twice, the input data is listed in detail. + +@item --quiet +@itemx -q +@opindex quiet +Try to be as quiet as possible. + +@item --keyring @var{file} +@opindex keyring +Add @var{file} to the list of keyrings. +If @var{file} begins with a tilde and a slash, these +are replaced by the HOME directory. If the filename +does not contain a slash, it is assumed to be in the +home-directory ("~/.gnupg" if --homedir is not used). + +@item --output @var{file} +@itemx -o @var{file} +@opindex output +Write output to @var{file}; to write to stdout use @code{-}. This +option can be used to get the signed text from a cleartext or binary +signature; it also works for detached signatures, but in that case +this option is in general not useful. Note that an existing file will +be overwritten. + + +@item --status-fd @var{n} +@opindex status-fd +Write special status strings to the file descriptor @var{n}. See the +file DETAILS in the documentation for a listing of them. + +@item --logger-fd @code{n} +@opindex logger-fd +Write log output to file descriptor @code{n} and not to stderr. + +@item --log-file @code{file} +@opindex log-file +Same as @option{--logger-fd}, except the logger data is written to +file @code{file}. Use @file{socket://} to log to socket. + +@item --ignore-time-conflict +@opindex ignore-time-conflict +GnuPG normally checks that the timestamps associated with keys and +signatures have plausible values. However, sometimes a signature seems to +be older than the key due to clock problems. This option turns these +checks into warnings. + +@include opt-homedir.texi + +@item --weak-digest @code{name} +@opindex weak-digest +Treat the specified digest algorithm as weak. Signatures made over +weak digests algorithms are normally rejected. This option can be +supplied multiple times if multiple algorithms should be considered +weak. MD5 is always considered weak, and does not need to be listed +explicitly. + +@item --enable-special-filenames +@opindex enable-special-filenames +This option enables a mode in which filenames of the form +@file{-&n}, where n is a non-negative decimal number, +refer to the file descriptor n and not to a file with that name. + +@end table + +@mansect return value + +The program returns 0 if everything is fine, 1 if at least +one signature was bad, and other error codes for fatal errors. + +@mansect examples +@subsection Examples + +@table @asis + +@item @gpgvname @code{pgpfile} +@itemx @gpgvname @code{sigfile} [@code{datafile}] +Verify the signature of the file. The second form is used for detached +signatures, where @code{sigfile} is the detached signature (either +ASCII-armored or binary) and @code{datafile} contains the signed data; +if @code{datafile} is "-" the signed data is expected on +@code{stdin}; if @code{datafile} is not given the name of the file +holding the signed data is constructed by cutting off the extension +(".asc", ".sig" or ".sign") from @code{sigfile}. + +@end table + +@mansect environment +@subsection Environment + +@table @asis + +@item HOME +Used to locate the default home directory. + +@item GNUPGHOME +If set directory used instead of "~/.gnupg". + +@end table + +@mansect files +@subsection FILES + +@table @asis + +@item ~/.gnupg/trustedkeys.gpg +The default keyring with the allowed keys. + +@end table + +@mansect see also +@command{gpg}(1) +@include see-also-note.texi + diff --git a/doc/gpl.texi b/doc/gpl.texi new file mode 100644 index 0000000..931a93d --- /dev/null +++ b/doc/gpl.texi @@ -0,0 +1,732 @@ +@node Copying + +@unnumbered GNU General Public License +@center Version 3, 29 June 2007 + +@c This file is intended to be included in another file. + +@display +Copyright @copyright{} 2007 Free Software Foundation, Inc. @url{https://fsf.org/} + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. +@end display + +@unnumberedsec Preamble + +The GNU General Public License is a free, copyleft license for +software and other kinds of works. + +The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom +to share and change all versions of a program--to make sure it remains +free software for all its users. We, the Free Software Foundation, +use the GNU General Public License for most of our software; it +applies also to any other work released this way by its authors. You +can apply it to your programs, too. + +When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + +To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you +have certain responsibilities if you distribute copies of the +software, or if you modify it: responsibilities to respect the freedom +of others. + +For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, +receive or can get the source code. And you must show them these +terms so they know their rights. + +Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + +For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + +Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the +manufacturer can do so. This is fundamentally incompatible with the +aim of protecting users' freedom to change the software. The +systematic pattern of such abuse occurs in the area of products for +individuals to use, which is precisely where it is most unacceptable. +Therefore, we have designed this version of the GPL to prohibit the +practice for those products. If such problems arise substantially in +other domains, we stand ready to extend this provision to those +domains in future versions of the GPL, as needed to protect the +freedom of users. + +Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish +to avoid the special danger that patents applied to a free program +could make it effectively proprietary. To prevent this, the GPL +assures that patents cannot be used to render the program non-free. + +The precise terms and conditions for copying, distribution and +modification follow. + +@iftex +@unnumberedsec TERMS AND CONDITIONS +@end iftex +@ifinfo +@center TERMS AND CONDITIONS +@end ifinfo + +@enumerate 0 +@item Definitions. + +``This License'' refers to version 3 of the GNU General Public License. + +``Copyright'' also means copyright-like laws that apply to other kinds +of works, such as semiconductor masks. + +``The Program'' refers to any copyrightable work licensed under this +License. Each licensee is addressed as ``you''. ``Licensees'' and +``recipients'' may be individuals or organizations. + +To ``modify'' a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of +an exact copy. The resulting work is called a ``modified version'' of +the earlier work or a work ``based on'' the earlier work. + +A ``covered work'' means either the unmodified Program or a work based +on the Program. + +To ``propagate'' a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + +To ``convey'' a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user +through a computer network, with no transfer of a copy, is not +conveying. + +An interactive user interface displays ``Appropriate Legal Notices'' to +the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + +@item Source Code. + +The ``source code'' for a work means the preferred form of the work for +making modifications to it. ``Object code'' means any non-source form +of a work. + +A ``Standard Interface'' means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + +The ``System Libraries'' of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +``Major Component'', in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + +The ``Corresponding Source'' for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + +The Corresponding Source need not include anything that users can +regenerate automatically from other parts of the Corresponding Source. + +The Corresponding Source for a work in source code form is that same +work. + +@item Basic Permissions. + +All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + +You may make, run and propagate covered works that you do not convey, +without conditions so long as your license otherwise remains in force. +You may convey covered works to others for the sole purpose of having +them make modifications exclusively for you, or provide you with +facilities for running those works, provided that you comply with the +terms of this License in conveying all material for which you do not +control copyright. Those thus making or running the covered works for +you must do so exclusively on your behalf, under your direction and +control, on terms that prohibit them from making any copies of your +copyrighted material outside their relationship with you. + +Conveying under any other circumstances is permitted solely under the +conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + +@item Protecting Users' Legal Rights From Anti-Circumvention Law. + +No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + +When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such +circumvention is effected by exercising rights under this License with +respect to the covered work, and you disclaim any intention to limit +operation or modification of the work as a means of enforcing, against +the work's users, your or third parties' legal rights to forbid +circumvention of technological measures. + +@item Conveying Verbatim Copies. + +You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + +You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + +@item Conveying Modified Source Versions. + +You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these +conditions: + +@enumerate a +@item +The work must carry prominent notices stating that you modified it, +and giving a relevant date. + +@item +The work must carry prominent notices stating that it is released +under this License and any conditions added under section 7. This +requirement modifies the requirement in section 4 to ``keep intact all +notices''. + +@item +You must license the entire work, as a whole, under this License to +anyone who comes into possession of a copy. This License will +therefore apply, along with any applicable section 7 additional terms, +to the whole of the work, and all its parts, regardless of how they +are packaged. This License gives no permission to license the work in +any other way, but it does not invalidate such permission if you have +separately received it. + +@item +If the work has interactive user interfaces, each must display +Appropriate Legal Notices; however, if the Program has interactive +interfaces that do not display Appropriate Legal Notices, your work +need not make them do so. +@end enumerate + +A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +``aggregate'' if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + +@item Conveying Non-Source Forms. + +You may convey a covered work in object code form under the terms of +sections 4 and 5, provided that you also convey the machine-readable +Corresponding Source under the terms of this License, in one of these +ways: + +@enumerate a +@item +Convey the object code in, or embodied in, a physical product +(including a physical distribution medium), accompanied by the +Corresponding Source fixed on a durable physical medium customarily +used for software interchange. + +@item +Convey the object code in, or embodied in, a physical product +(including a physical distribution medium), accompanied by a written +offer, valid for at least three years and valid for as long as you +offer spare parts or customer support for that product model, to give +anyone who possesses the object code either (1) a copy of the +Corresponding Source for all the software in the product that is +covered by this License, on a durable physical medium customarily used +for software interchange, for a price no more than your reasonable +cost of physically performing this conveying of source, or (2) access +to copy the Corresponding Source from a network server at no charge. + +@item +Convey individual copies of the object code with a copy of the written +offer to provide the Corresponding Source. This alternative is +allowed only occasionally and noncommercially, and only if you +received the object code with such an offer, in accord with subsection +6b. + +@item +Convey the object code by offering access from a designated place +(gratis or for a charge), and offer equivalent access to the +Corresponding Source in the same way through the same place at no +further charge. You need not require recipients to copy the +Corresponding Source along with the object code. If the place to copy +the object code is a network server, the Corresponding Source may be +on a different server (operated by you or a third party) that supports +equivalent copying facilities, provided you maintain clear directions +next to the object code saying where to find the Corresponding Source. +Regardless of what server hosts the Corresponding Source, you remain +obligated to ensure that it is available for as long as needed to +satisfy these requirements. + +@item +Convey the object code using peer-to-peer transmission, provided you +inform other peers where the object code and Corresponding Source of +the work are being offered to the general public at no charge under +subsection 6d. + +@end enumerate + +A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + +A ``User Product'' is either (1) a ``consumer product'', which means any +tangible personal property which is normally used for personal, +family, or household purposes, or (2) anything designed or sold for +incorporation into a dwelling. In determining whether a product is a +consumer product, doubtful cases shall be resolved in favor of +coverage. For a particular product received by a particular user, +``normally used'' refers to a typical or common use of that class of +product, regardless of the status of the particular user or of the way +in which the particular user actually uses, or expects or is expected +to use, the product. A product is a consumer product regardless of +whether the product has substantial commercial, industrial or +non-consumer uses, unless such uses represent the only significant +mode of use of the product. + +``Installation Information'' for a User Product means any methods, +procedures, authorization keys, or other information required to +install and execute modified versions of a covered work in that User +Product from a modified version of its Corresponding Source. The +information must suffice to ensure that the continued functioning of +the modified object code is in no case prevented or interfered with +solely because modification has been made. + +If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + +The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or +updates for a work that has been modified or installed by the +recipient, or for the User Product in which it has been modified or +installed. Access to a network may be denied when the modification +itself materially and adversely affects the operation of the network +or violates the rules and protocols for communication across the +network. + +Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + +@item Additional Terms. + +``Additional permissions'' are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + +When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + +Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders +of that material) supplement the terms of this License with terms: + +@enumerate a +@item +Disclaiming warranty or limiting liability differently from the terms +of sections 15 and 16 of this License; or + +@item +Requiring preservation of specified reasonable legal notices or author +attributions in that material or in the Appropriate Legal Notices +displayed by works containing it; or + +@item +Prohibiting misrepresentation of the origin of that material, or +requiring that modified versions of such material be marked in +reasonable ways as different from the original version; or + +@item +Limiting the use for publicity purposes of names of licensors or +authors of the material; or + +@item +Declining to grant rights under trademark law for use of some trade +names, trademarks, or service marks; or + +@item +Requiring indemnification of licensors and authors of that material by +anyone who conveys the material (or modified versions of it) with +contractual assumptions of liability to the recipient, for any +liability that these contractual assumptions directly impose on those +licensors and authors. +@end enumerate + +All other non-permissive additional terms are considered ``further +restrictions'' within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + +If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + +Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; the +above requirements apply either way. + +@item Termination. + +You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + +However, if you cease all violation of this License, then your license +from a particular copyright holder is reinstated (a) provisionally, +unless and until the copyright holder explicitly and finally +terminates your license, and (b) permanently, if the copyright holder +fails to notify you of the violation by some reasonable means prior to +60 days after the cessation. + +Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + +Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + +@item Acceptance Not Required for Having Copies. + +You are not required to accept this License in order to receive or run +a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + +@item Automatic Licensing of Downstream Recipients. + +Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + +An ``entity transaction'' is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + +You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + +@item Patents. + +A ``contributor'' is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's ``contributor version''. + +A contributor's ``essential patent claims'' are all patent claims owned +or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, ``control'' includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + +Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + +In the following three paragraphs, a ``patent license'' is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To ``grant'' such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + +If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. ``Knowingly relying'' means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + +If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + +A patent license is ``discriminatory'' if it does not include within the +scope of its coverage, prohibits the exercise of, or is conditioned on +the non-exercise of one or more of the rights that are specifically +granted under this License. You may not convey a covered work if you +are a party to an arrangement with a third party that is in the +business of distributing software, under which you make payment to the +third party based on the extent of your activity of conveying the +work, and under which the third party grants, to any of the parties +who would receive the covered work from you, a discriminatory patent +license (a) in connection with copies of the covered work conveyed by +you (or copies made from those copies), or (b) primarily for and in +connection with specific products or compilations that contain the +covered work, unless you entered into that arrangement, or that patent +license was granted, prior to 28 March 2007. + +Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + +@item No Surrender of Others' Freedom. + +If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey +a covered work so as to satisfy simultaneously your obligations under +this License and any other pertinent obligations, then as a +consequence you may not convey it at all. For example, if you agree +to terms that obligate you to collect a royalty for further conveying +from those to whom you convey the Program, the only way you could +satisfy both those terms and this License would be to refrain entirely +from conveying the Program. + +@item Use with the GNU Affero General Public License. + +Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + +@item Revised Versions of this License. + +The Free Software Foundation may publish revised and/or new versions +of the GNU General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies that a certain numbered version of the GNU General Public +License ``or any later version'' applies to it, you have the option of +following the terms and conditions either of that numbered version or +of any later version published by the Free Software Foundation. If +the Program does not specify a version number of the GNU General +Public License, you may choose any version ever published by the Free +Software Foundation. + +If the Program specifies that a proxy can decide which future versions +of the GNU General Public License can be used, that proxy's public +statement of acceptance of a version permanently authorizes you to +choose that version for the Program. + +Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + +@item Disclaimer of Warranty. + +THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM ``AS IS'' WITHOUT +WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND +PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE +DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR +CORRECTION. + +@item Limitation of Liability. + +IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR +CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES +ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT +NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR +LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM +TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER +PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + +@item Interpretation of Sections 15 and 16. + +If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + +@end enumerate + +@iftex +@heading END OF TERMS AND CONDITIONS +@end iftex +@ifinfo +@center END OF TERMS AND CONDITIONS +@end ifinfo + +@unnumberedsec How to Apply These Terms to Your New Programs + +If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these +terms. + +To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the ``copyright'' line and a pointer to where the full notice is +found. + +@example +@var{one line to give the program's name and a brief idea of what it does.} +Copyright (C) @var{year} @var{name of author} + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, either version 3 of the License, or (at +your option) any later version. + +This program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see @url{https://www.gnu.org/licenses/}. +@end example + +@noindent +Also add information on how to contact you by electronic and paper mail. + +@noindent +If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + +@smallexample +@var{program} Copyright (C) @var{year} @var{name of author} +This program comes with ABSOLUTELY NO WARRANTY; for details +type @samp{show w}. This is free software, and you are +welcome to redistribute it under certain conditions; +type @samp{show c} for details. +@end smallexample + +The hypothetical commands @samp{show w} and @samp{show c} should show +the appropriate parts of the General Public License. Of course, your +program's commands might be different; for a GUI interface, you would +use an ``about box''. + +You should also get your employer (if you work as a programmer) or school, +if any, to sign a ``copyright disclaimer'' for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +@url{https://www.gnu.org/licenses/}. + +The GNU General Public License does not permit incorporating your +program into proprietary programs. If your program is a subroutine +library, you may consider it more useful to permit linking proprietary +applications with the library. If this is what you want to do, use +the GNU Lesser General Public License instead of this License. But +first, please read @url{https://www.gnu.org/philosophy/why-not-lgpl.html}. diff --git a/doc/help.be.txt b/doc/help.be.txt new file mode 100644 index 0000000..0ac3be7 --- /dev/null +++ b/doc/help.be.txt @@ -0,0 +1,286 @@ +# help..txt - GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.#gpg.edit_ownertrust.value +# fixme: Please translate and remove the hash mark from the key line. +It's up to you to assign a value here; this value will never be exported +to any 3rd party. We need it to implement the web-of-trust; it has nothing +to do with the (implicitly created) web-of-certificates. +. + +.#gpg.edit_ownertrust.set_ultimate.okay +# fixme: Please translate and remove the hash mark from the key line. +To build the Web-of-Trust, GnuPG needs to know which keys are +ultimately trusted - those are usually the keys for which you have +access to the secret key. Answer "yes" to set this key to +ultimately trusted + +. + +.#gpg.untrusted_key.override +# fixme: Please translate and remove the hash mark from the key line. +If you want to use this untrusted key anyway, answer "yes". +. + +.#gpg.pklist.user_id.enter +# fixme: Please translate and remove the hash mark from the key line. +Enter the user ID of the addressee to whom you want to send the message. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.#gpg.keygen.algo.rsa_se +# fixme: Please translate and remove the hash mark from the key line. +In general it is not a good idea to use the same key for signing and +encryption. This algorithm should only be used in certain domains. +Please consult your security expert first. +. + +.#gpg.keygen.size +# fixme: Please translate and remove the hash mark from the key line. +Enter the size of the key +. + +.#gpg.keygen.size.huge.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.size.large.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.valid +# fixme: Please translate and remove the hash mark from the key line. +Enter the required value as shown in the prompt. +It is possible to enter a ISO date (YYYY-MM-DD) but you won't +get a good error response - instead the system tries to interpret +the given value as an interval. +. + +.#gpg.keygen.valid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.name +# fixme: Please translate and remove the hash mark from the key line. +Enter the name of the key holder +. + +.#gpg.keygen.email +# fixme: Please translate and remove the hash mark from the key line. +please enter an optional but highly suggested email address +. + +.#gpg.keygen.comment +# fixme: Please translate and remove the hash mark from the key line. +Please enter an optional comment +. + +.#gpg.keygen.userid.cmd +# fixme: Please translate and remove the hash mark from the key line. +N to change the name. +C to change the comment. +E to change the email address. +O to continue with key generation. +Q to to quit the key generation. +. + +.#gpg.keygen.sub.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" (or just "y") if it is okay to generate the sub key. +. + +.#gpg.sign_uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.sign_uid.class +# fixme: Please translate and remove the hash mark from the key line. +When you sign a user ID on a key, you should first verify that the key +belongs to the person named in the user ID. It is useful for others to +know how carefully you verified this. + +"0" means you make no particular claim as to how carefully you verified the + key. + +"1" means you believe the key is owned by the person who claims to own it + but you could not, or did not verify the key at all. This is useful for + a "persona" verification, where you sign the key of a pseudonymous user. + +"2" means you did casual verification of the key. For example, this could + mean that you verified the key fingerprint and checked the user ID on the + key against a photo ID. + +"3" means you did extensive verification of the key. For example, this could + mean that you verified the key fingerprint with the owner of the key in + person, and that you checked, by means of a hard to forge document with a + photo ID (such as a passport) that the name of the key owner matches the + name in the user ID on the key, and finally that you verified (by exchange + of email) that the email address on the key belongs to the key owner. + +Note that the examples given above for levels 2 and 3 are *only* examples. +In the end, it is up to you to decide just what "casual" and "extensive" +mean to you when you sign other keys. + +If you don't know what the right answer is, answer "0". +. + +.#gpg.change_passwd.empty.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.save.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.cancel.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.#gpg.keyedit.remove.uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you really want to delete this user ID. +All certificates are then also lost! +. + +.#gpg.keyedit.remove.subkey.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to delete the subkey +. + +.#gpg.keyedit.delsig.valid +# fixme: Please translate and remove the hash mark from the key line. +This is a valid signature on the key; you normally don't want +to delete this signature because it may be important to establish a +trust connection to the key or another key certified by this key. +. + +.#gpg.keyedit.delsig.unknown +# fixme: Please translate and remove the hash mark from the key line. +This signature can't be checked because you don't have the +corresponding key. You should postpone its deletion until you +know which key was used because this signing key might establish +a trust connection through another already certified key. +. + +.#gpg.keyedit.delsig.invalid +# fixme: Please translate and remove the hash mark from the key line. +The signature is not valid. It does make sense to remove it from +your keyring. +. + +.#gpg.keyedit.delsig.selfsig +# fixme: Please translate and remove the hash mark from the key line. +This is a signature which binds the user ID to the key. It is +usually not a good idea to remove such a signature. Actually +GnuPG might not be able to use this key anymore. So do this +only if this self-signature is for some reason not valid and +a second one is available. +. + +.#gpg.keyedit.updpref.okay +# fixme: Please translate and remove the hash mark from the key line. +Change the preferences of all user IDs (or just of the selected ones) +to the current list of preferences. The timestamp of all affected +self-signatures will be advanced by one second. + +. + +.#gpg.passphrase.enter +# fixme: Please translate and remove the hash mark from the key line. +Please enter the passphrase; this is a secret sentence + +. + +.#gpg.passphrase.repeat +# fixme: Please translate and remove the hash mark from the key line. +Please repeat the last passphrase, so you are sure what you typed in. +. + +.#gpg.detached_signature.filename +# fixme: Please translate and remove the hash mark from the key line. +Give the name of the file to which the signature applies +. + +.#gpg.openfile.overwrite.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to overwrite the file +. + +.#gpg.openfile.askoutname +# fixme: Please translate and remove the hash mark from the key line. +Please enter a new filename. If you just hit RETURN the default +file (which is shown in brackets) will be used. +. + +.#gpg.ask_revocation_reason.code +# fixme: Please translate and remove the hash mark from the key line. +You should specify a reason for the certification. Depending on the +context you have the ability to choose from this list: + "Key has been compromised" + Use this if you have a reason to believe that unauthorized persons + got access to your secret key. + "Key is superseded" + Use this if you have replaced this key with a newer one. + "Key is no longer used" + Use this if you have retired this key. + "User ID is no longer valid" + Use this to state that the user ID should not longer be used; + this is normally used to mark an email address invalid. + +. + +.#gpg.ask_revocation_reason.text +# fixme: Please translate and remove the hash mark from the key line. +If you like, you can enter a text describing why you issue this +revocation certificate. Please keep this text concise. +An empty line ends the text. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.ca.txt b/doc/help.ca.txt new file mode 100644 index 0000000..0ac3be7 --- /dev/null +++ b/doc/help.ca.txt @@ -0,0 +1,286 @@ +# help..txt - GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.#gpg.edit_ownertrust.value +# fixme: Please translate and remove the hash mark from the key line. +It's up to you to assign a value here; this value will never be exported +to any 3rd party. We need it to implement the web-of-trust; it has nothing +to do with the (implicitly created) web-of-certificates. +. + +.#gpg.edit_ownertrust.set_ultimate.okay +# fixme: Please translate and remove the hash mark from the key line. +To build the Web-of-Trust, GnuPG needs to know which keys are +ultimately trusted - those are usually the keys for which you have +access to the secret key. Answer "yes" to set this key to +ultimately trusted + +. + +.#gpg.untrusted_key.override +# fixme: Please translate and remove the hash mark from the key line. +If you want to use this untrusted key anyway, answer "yes". +. + +.#gpg.pklist.user_id.enter +# fixme: Please translate and remove the hash mark from the key line. +Enter the user ID of the addressee to whom you want to send the message. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.#gpg.keygen.algo.rsa_se +# fixme: Please translate and remove the hash mark from the key line. +In general it is not a good idea to use the same key for signing and +encryption. This algorithm should only be used in certain domains. +Please consult your security expert first. +. + +.#gpg.keygen.size +# fixme: Please translate and remove the hash mark from the key line. +Enter the size of the key +. + +.#gpg.keygen.size.huge.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.size.large.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.valid +# fixme: Please translate and remove the hash mark from the key line. +Enter the required value as shown in the prompt. +It is possible to enter a ISO date (YYYY-MM-DD) but you won't +get a good error response - instead the system tries to interpret +the given value as an interval. +. + +.#gpg.keygen.valid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.name +# fixme: Please translate and remove the hash mark from the key line. +Enter the name of the key holder +. + +.#gpg.keygen.email +# fixme: Please translate and remove the hash mark from the key line. +please enter an optional but highly suggested email address +. + +.#gpg.keygen.comment +# fixme: Please translate and remove the hash mark from the key line. +Please enter an optional comment +. + +.#gpg.keygen.userid.cmd +# fixme: Please translate and remove the hash mark from the key line. +N to change the name. +C to change the comment. +E to change the email address. +O to continue with key generation. +Q to to quit the key generation. +. + +.#gpg.keygen.sub.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" (or just "y") if it is okay to generate the sub key. +. + +.#gpg.sign_uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.sign_uid.class +# fixme: Please translate and remove the hash mark from the key line. +When you sign a user ID on a key, you should first verify that the key +belongs to the person named in the user ID. It is useful for others to +know how carefully you verified this. + +"0" means you make no particular claim as to how carefully you verified the + key. + +"1" means you believe the key is owned by the person who claims to own it + but you could not, or did not verify the key at all. This is useful for + a "persona" verification, where you sign the key of a pseudonymous user. + +"2" means you did casual verification of the key. For example, this could + mean that you verified the key fingerprint and checked the user ID on the + key against a photo ID. + +"3" means you did extensive verification of the key. For example, this could + mean that you verified the key fingerprint with the owner of the key in + person, and that you checked, by means of a hard to forge document with a + photo ID (such as a passport) that the name of the key owner matches the + name in the user ID on the key, and finally that you verified (by exchange + of email) that the email address on the key belongs to the key owner. + +Note that the examples given above for levels 2 and 3 are *only* examples. +In the end, it is up to you to decide just what "casual" and "extensive" +mean to you when you sign other keys. + +If you don't know what the right answer is, answer "0". +. + +.#gpg.change_passwd.empty.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.save.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.cancel.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.#gpg.keyedit.remove.uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you really want to delete this user ID. +All certificates are then also lost! +. + +.#gpg.keyedit.remove.subkey.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to delete the subkey +. + +.#gpg.keyedit.delsig.valid +# fixme: Please translate and remove the hash mark from the key line. +This is a valid signature on the key; you normally don't want +to delete this signature because it may be important to establish a +trust connection to the key or another key certified by this key. +. + +.#gpg.keyedit.delsig.unknown +# fixme: Please translate and remove the hash mark from the key line. +This signature can't be checked because you don't have the +corresponding key. You should postpone its deletion until you +know which key was used because this signing key might establish +a trust connection through another already certified key. +. + +.#gpg.keyedit.delsig.invalid +# fixme: Please translate and remove the hash mark from the key line. +The signature is not valid. It does make sense to remove it from +your keyring. +. + +.#gpg.keyedit.delsig.selfsig +# fixme: Please translate and remove the hash mark from the key line. +This is a signature which binds the user ID to the key. It is +usually not a good idea to remove such a signature. Actually +GnuPG might not be able to use this key anymore. So do this +only if this self-signature is for some reason not valid and +a second one is available. +. + +.#gpg.keyedit.updpref.okay +# fixme: Please translate and remove the hash mark from the key line. +Change the preferences of all user IDs (or just of the selected ones) +to the current list of preferences. The timestamp of all affected +self-signatures will be advanced by one second. + +. + +.#gpg.passphrase.enter +# fixme: Please translate and remove the hash mark from the key line. +Please enter the passphrase; this is a secret sentence + +. + +.#gpg.passphrase.repeat +# fixme: Please translate and remove the hash mark from the key line. +Please repeat the last passphrase, so you are sure what you typed in. +. + +.#gpg.detached_signature.filename +# fixme: Please translate and remove the hash mark from the key line. +Give the name of the file to which the signature applies +. + +.#gpg.openfile.overwrite.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to overwrite the file +. + +.#gpg.openfile.askoutname +# fixme: Please translate and remove the hash mark from the key line. +Please enter a new filename. If you just hit RETURN the default +file (which is shown in brackets) will be used. +. + +.#gpg.ask_revocation_reason.code +# fixme: Please translate and remove the hash mark from the key line. +You should specify a reason for the certification. Depending on the +context you have the ability to choose from this list: + "Key has been compromised" + Use this if you have a reason to believe that unauthorized persons + got access to your secret key. + "Key is superseded" + Use this if you have replaced this key with a newer one. + "Key is no longer used" + Use this if you have retired this key. + "User ID is no longer valid" + Use this to state that the user ID should not longer be used; + this is normally used to mark an email address invalid. + +. + +.#gpg.ask_revocation_reason.text +# fixme: Please translate and remove the hash mark from the key line. +If you like, you can enter a text describing why you issue this +revocation certificate. Please keep this text concise. +An empty line ends the text. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.cs.txt b/doc/help.cs.txt new file mode 100644 index 0000000..0ac3be7 --- /dev/null +++ b/doc/help.cs.txt @@ -0,0 +1,286 @@ +# help..txt - GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.#gpg.edit_ownertrust.value +# fixme: Please translate and remove the hash mark from the key line. +It's up to you to assign a value here; this value will never be exported +to any 3rd party. We need it to implement the web-of-trust; it has nothing +to do with the (implicitly created) web-of-certificates. +. + +.#gpg.edit_ownertrust.set_ultimate.okay +# fixme: Please translate and remove the hash mark from the key line. +To build the Web-of-Trust, GnuPG needs to know which keys are +ultimately trusted - those are usually the keys for which you have +access to the secret key. Answer "yes" to set this key to +ultimately trusted + +. + +.#gpg.untrusted_key.override +# fixme: Please translate and remove the hash mark from the key line. +If you want to use this untrusted key anyway, answer "yes". +. + +.#gpg.pklist.user_id.enter +# fixme: Please translate and remove the hash mark from the key line. +Enter the user ID of the addressee to whom you want to send the message. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.#gpg.keygen.algo.rsa_se +# fixme: Please translate and remove the hash mark from the key line. +In general it is not a good idea to use the same key for signing and +encryption. This algorithm should only be used in certain domains. +Please consult your security expert first. +. + +.#gpg.keygen.size +# fixme: Please translate and remove the hash mark from the key line. +Enter the size of the key +. + +.#gpg.keygen.size.huge.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.size.large.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.valid +# fixme: Please translate and remove the hash mark from the key line. +Enter the required value as shown in the prompt. +It is possible to enter a ISO date (YYYY-MM-DD) but you won't +get a good error response - instead the system tries to interpret +the given value as an interval. +. + +.#gpg.keygen.valid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.name +# fixme: Please translate and remove the hash mark from the key line. +Enter the name of the key holder +. + +.#gpg.keygen.email +# fixme: Please translate and remove the hash mark from the key line. +please enter an optional but highly suggested email address +. + +.#gpg.keygen.comment +# fixme: Please translate and remove the hash mark from the key line. +Please enter an optional comment +. + +.#gpg.keygen.userid.cmd +# fixme: Please translate and remove the hash mark from the key line. +N to change the name. +C to change the comment. +E to change the email address. +O to continue with key generation. +Q to to quit the key generation. +. + +.#gpg.keygen.sub.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" (or just "y") if it is okay to generate the sub key. +. + +.#gpg.sign_uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.sign_uid.class +# fixme: Please translate and remove the hash mark from the key line. +When you sign a user ID on a key, you should first verify that the key +belongs to the person named in the user ID. It is useful for others to +know how carefully you verified this. + +"0" means you make no particular claim as to how carefully you verified the + key. + +"1" means you believe the key is owned by the person who claims to own it + but you could not, or did not verify the key at all. This is useful for + a "persona" verification, where you sign the key of a pseudonymous user. + +"2" means you did casual verification of the key. For example, this could + mean that you verified the key fingerprint and checked the user ID on the + key against a photo ID. + +"3" means you did extensive verification of the key. For example, this could + mean that you verified the key fingerprint with the owner of the key in + person, and that you checked, by means of a hard to forge document with a + photo ID (such as a passport) that the name of the key owner matches the + name in the user ID on the key, and finally that you verified (by exchange + of email) that the email address on the key belongs to the key owner. + +Note that the examples given above for levels 2 and 3 are *only* examples. +In the end, it is up to you to decide just what "casual" and "extensive" +mean to you when you sign other keys. + +If you don't know what the right answer is, answer "0". +. + +.#gpg.change_passwd.empty.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.save.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.cancel.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.#gpg.keyedit.remove.uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you really want to delete this user ID. +All certificates are then also lost! +. + +.#gpg.keyedit.remove.subkey.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to delete the subkey +. + +.#gpg.keyedit.delsig.valid +# fixme: Please translate and remove the hash mark from the key line. +This is a valid signature on the key; you normally don't want +to delete this signature because it may be important to establish a +trust connection to the key or another key certified by this key. +. + +.#gpg.keyedit.delsig.unknown +# fixme: Please translate and remove the hash mark from the key line. +This signature can't be checked because you don't have the +corresponding key. You should postpone its deletion until you +know which key was used because this signing key might establish +a trust connection through another already certified key. +. + +.#gpg.keyedit.delsig.invalid +# fixme: Please translate and remove the hash mark from the key line. +The signature is not valid. It does make sense to remove it from +your keyring. +. + +.#gpg.keyedit.delsig.selfsig +# fixme: Please translate and remove the hash mark from the key line. +This is a signature which binds the user ID to the key. It is +usually not a good idea to remove such a signature. Actually +GnuPG might not be able to use this key anymore. So do this +only if this self-signature is for some reason not valid and +a second one is available. +. + +.#gpg.keyedit.updpref.okay +# fixme: Please translate and remove the hash mark from the key line. +Change the preferences of all user IDs (or just of the selected ones) +to the current list of preferences. The timestamp of all affected +self-signatures will be advanced by one second. + +. + +.#gpg.passphrase.enter +# fixme: Please translate and remove the hash mark from the key line. +Please enter the passphrase; this is a secret sentence + +. + +.#gpg.passphrase.repeat +# fixme: Please translate and remove the hash mark from the key line. +Please repeat the last passphrase, so you are sure what you typed in. +. + +.#gpg.detached_signature.filename +# fixme: Please translate and remove the hash mark from the key line. +Give the name of the file to which the signature applies +. + +.#gpg.openfile.overwrite.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to overwrite the file +. + +.#gpg.openfile.askoutname +# fixme: Please translate and remove the hash mark from the key line. +Please enter a new filename. If you just hit RETURN the default +file (which is shown in brackets) will be used. +. + +.#gpg.ask_revocation_reason.code +# fixme: Please translate and remove the hash mark from the key line. +You should specify a reason for the certification. Depending on the +context you have the ability to choose from this list: + "Key has been compromised" + Use this if you have a reason to believe that unauthorized persons + got access to your secret key. + "Key is superseded" + Use this if you have replaced this key with a newer one. + "Key is no longer used" + Use this if you have retired this key. + "User ID is no longer valid" + Use this to state that the user ID should not longer be used; + this is normally used to mark an email address invalid. + +. + +.#gpg.ask_revocation_reason.text +# fixme: Please translate and remove the hash mark from the key line. +If you like, you can enter a text describing why you issue this +revocation certificate. Please keep this text concise. +An empty line ends the text. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.da.txt b/doc/help.da.txt new file mode 100644 index 0000000..0ac3be7 --- /dev/null +++ b/doc/help.da.txt @@ -0,0 +1,286 @@ +# help..txt - GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.#gpg.edit_ownertrust.value +# fixme: Please translate and remove the hash mark from the key line. +It's up to you to assign a value here; this value will never be exported +to any 3rd party. We need it to implement the web-of-trust; it has nothing +to do with the (implicitly created) web-of-certificates. +. + +.#gpg.edit_ownertrust.set_ultimate.okay +# fixme: Please translate and remove the hash mark from the key line. +To build the Web-of-Trust, GnuPG needs to know which keys are +ultimately trusted - those are usually the keys for which you have +access to the secret key. Answer "yes" to set this key to +ultimately trusted + +. + +.#gpg.untrusted_key.override +# fixme: Please translate and remove the hash mark from the key line. +If you want to use this untrusted key anyway, answer "yes". +. + +.#gpg.pklist.user_id.enter +# fixme: Please translate and remove the hash mark from the key line. +Enter the user ID of the addressee to whom you want to send the message. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.#gpg.keygen.algo.rsa_se +# fixme: Please translate and remove the hash mark from the key line. +In general it is not a good idea to use the same key for signing and +encryption. This algorithm should only be used in certain domains. +Please consult your security expert first. +. + +.#gpg.keygen.size +# fixme: Please translate and remove the hash mark from the key line. +Enter the size of the key +. + +.#gpg.keygen.size.huge.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.size.large.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.valid +# fixme: Please translate and remove the hash mark from the key line. +Enter the required value as shown in the prompt. +It is possible to enter a ISO date (YYYY-MM-DD) but you won't +get a good error response - instead the system tries to interpret +the given value as an interval. +. + +.#gpg.keygen.valid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.name +# fixme: Please translate and remove the hash mark from the key line. +Enter the name of the key holder +. + +.#gpg.keygen.email +# fixme: Please translate and remove the hash mark from the key line. +please enter an optional but highly suggested email address +. + +.#gpg.keygen.comment +# fixme: Please translate and remove the hash mark from the key line. +Please enter an optional comment +. + +.#gpg.keygen.userid.cmd +# fixme: Please translate and remove the hash mark from the key line. +N to change the name. +C to change the comment. +E to change the email address. +O to continue with key generation. +Q to to quit the key generation. +. + +.#gpg.keygen.sub.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" (or just "y") if it is okay to generate the sub key. +. + +.#gpg.sign_uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.sign_uid.class +# fixme: Please translate and remove the hash mark from the key line. +When you sign a user ID on a key, you should first verify that the key +belongs to the person named in the user ID. It is useful for others to +know how carefully you verified this. + +"0" means you make no particular claim as to how carefully you verified the + key. + +"1" means you believe the key is owned by the person who claims to own it + but you could not, or did not verify the key at all. This is useful for + a "persona" verification, where you sign the key of a pseudonymous user. + +"2" means you did casual verification of the key. For example, this could + mean that you verified the key fingerprint and checked the user ID on the + key against a photo ID. + +"3" means you did extensive verification of the key. For example, this could + mean that you verified the key fingerprint with the owner of the key in + person, and that you checked, by means of a hard to forge document with a + photo ID (such as a passport) that the name of the key owner matches the + name in the user ID on the key, and finally that you verified (by exchange + of email) that the email address on the key belongs to the key owner. + +Note that the examples given above for levels 2 and 3 are *only* examples. +In the end, it is up to you to decide just what "casual" and "extensive" +mean to you when you sign other keys. + +If you don't know what the right answer is, answer "0". +. + +.#gpg.change_passwd.empty.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.save.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.cancel.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.#gpg.keyedit.remove.uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you really want to delete this user ID. +All certificates are then also lost! +. + +.#gpg.keyedit.remove.subkey.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to delete the subkey +. + +.#gpg.keyedit.delsig.valid +# fixme: Please translate and remove the hash mark from the key line. +This is a valid signature on the key; you normally don't want +to delete this signature because it may be important to establish a +trust connection to the key or another key certified by this key. +. + +.#gpg.keyedit.delsig.unknown +# fixme: Please translate and remove the hash mark from the key line. +This signature can't be checked because you don't have the +corresponding key. You should postpone its deletion until you +know which key was used because this signing key might establish +a trust connection through another already certified key. +. + +.#gpg.keyedit.delsig.invalid +# fixme: Please translate and remove the hash mark from the key line. +The signature is not valid. It does make sense to remove it from +your keyring. +. + +.#gpg.keyedit.delsig.selfsig +# fixme: Please translate and remove the hash mark from the key line. +This is a signature which binds the user ID to the key. It is +usually not a good idea to remove such a signature. Actually +GnuPG might not be able to use this key anymore. So do this +only if this self-signature is for some reason not valid and +a second one is available. +. + +.#gpg.keyedit.updpref.okay +# fixme: Please translate and remove the hash mark from the key line. +Change the preferences of all user IDs (or just of the selected ones) +to the current list of preferences. The timestamp of all affected +self-signatures will be advanced by one second. + +. + +.#gpg.passphrase.enter +# fixme: Please translate and remove the hash mark from the key line. +Please enter the passphrase; this is a secret sentence + +. + +.#gpg.passphrase.repeat +# fixme: Please translate and remove the hash mark from the key line. +Please repeat the last passphrase, so you are sure what you typed in. +. + +.#gpg.detached_signature.filename +# fixme: Please translate and remove the hash mark from the key line. +Give the name of the file to which the signature applies +. + +.#gpg.openfile.overwrite.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to overwrite the file +. + +.#gpg.openfile.askoutname +# fixme: Please translate and remove the hash mark from the key line. +Please enter a new filename. If you just hit RETURN the default +file (which is shown in brackets) will be used. +. + +.#gpg.ask_revocation_reason.code +# fixme: Please translate and remove the hash mark from the key line. +You should specify a reason for the certification. Depending on the +context you have the ability to choose from this list: + "Key has been compromised" + Use this if you have a reason to believe that unauthorized persons + got access to your secret key. + "Key is superseded" + Use this if you have replaced this key with a newer one. + "Key is no longer used" + Use this if you have retired this key. + "User ID is no longer valid" + Use this to state that the user ID should not longer be used; + this is normally used to mark an email address invalid. + +. + +.#gpg.ask_revocation_reason.text +# fixme: Please translate and remove the hash mark from the key line. +If you like, you can enter a text describing why you issue this +revocation certificate. Please keep this text concise. +An empty line ends the text. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.de.txt b/doc/help.de.txt new file mode 100644 index 0000000..ce0ce14 --- /dev/null +++ b/doc/help.de.txt @@ -0,0 +1,279 @@ +# help.de.txt - German GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +# Die Datei help.txt beschreibt das verwendete Format. +# Diese Datei muß UTF-8 kodiert sein. + + +.#pinentry.qualitybar.tooltip +# Dies ist lediglich eine kommentiertes Beispiel. Es ist am sinnvolssten +# einen individuellen Text in /etc/gnupg/help.de.txt zu erstellen. +Die Qualität der Passphrase, die Sie oben eingegeben haben. Bitte +fragen sie Ihren Systembeauftragten nach den Kriterien für die Messung +der Qualität. +. + + + + +.gpg.edit_ownertrust.value +Sie müssen selbst entscheiden, welchen Wert Sie hier eintragen; dieser Wert +wird niemals an eine dritte Seite weitergegeben. Wir brauchen diesen Wert, +um das "Netz des Vertrauens" aufzubauen. Dieses hat nichts mit dem +(implizit erzeugten) "Netz der Zertifikate" zu tun. +. + +.gpg.edit_ownertrust.set_ultimate.okay +Um das Web-of-Trust aufzubauen muß GnuPG wissen, welchen Schlüsseln +ultimativ vertraut wird. Das sind üblicherweise die Schlüssel +auf deren geheimen Schlüssel Sie Zugruff haben. +Antworten Sie mit "yes" um diesen Schlüssel ultimativ zu vertrauen + +. + +.gpg.untrusted_key.override +Wenn Sie diesen nicht vertrauenswürdigen Schlüssel trotzdem benutzen wollen, +so antworten Sie mit "ja". +. + +.gpg.pklist.user_id.enter +Geben Sie die User-ID dessen ein, dem Sie die Botschaft senden wollen. +. + +.gpg.keygen.algo +Wählen Sie das zu verwendene Verfahren. + +DSA (alias DSS) ist der "Digital Signature Algorithm" und kann nur für +Unterschriften genutzt werden. + +Elgamal ist ein Verfahren nur für Verschlüsselung. + +RSA kann sowohl für Unterschriften als auch für Verschlüsselung genutzt +werden. + +Der erste Schlüssel (Hauptschlüssel) muß immer ein Schlüssel sein, mit dem +unterschrieben werden kann. +. + +.gpg.keygen.algo.rsa_se +Normalerweise ist es nicht gut, denselben Schlüssel zum unterschreiben +und verschlüsseln zu nutzen. Dieses Verfahren sollte in speziellen +Anwendungsgebiten benutzt werden. Bitte lassen Sie sich zuerst von +einem Sicherheistexperten beraten. +. + +.gpg.keygen.size +Wählen Sie die gewünschte Schlüssellänge +. + +.gpg.keygen.size.huge.okay +Geben Sie "ja" oder "nein" ein +. + +.gpg.keygen.size.large.okay +Geben Sie "ja" oder "nein" ein +. + +.gpg.keygen.valid +Geben Sie den benötigten Wert so an, wie er im Prompt erscheint. +Es ist zwar möglich ein "ISO"-Datum (JJJJ-MM-DD) einzugeben, aber man +erhält dann ggfs. keine brauchbaren Fehlermeldungen - stattdessen versucht +der Rechner den Wert als Intervall (von-bis) zu deuten. +. + +.gpg.keygen.valid.okay +Geben Sie "ja" oder "nein" ein +. + +.gpg.keygen.name +Geben Sie den Namen des Schlüsselinhabers ein. +Beispiel: Heinrich Heine. +. + +.gpg.keygen.email +Geben Sie eine Email-Adresse ein. Dies ist zwar nicht unbedingt notwendig, +aber sehr empfehlenswert. +Beispiel: heinrichh@duesseldorf.de +. + +.gpg.keygen.comment +Geben Sie - bei Bedarf - einen Kommentar ein. +. + +.gpg.keygen.userid.cmd +N um den Namen zu ändern. +K um den Kommentar zu ändern. +E um die Email-Adresse zu ändern. +F um mit der Schlüsselerzeugung fortzusetzen. +B um die Schlüsselerzeugung abbrechen. +. + +.gpg.keygen.sub.okay +Geben Sie "ja" (oder nur "j") ein, um den Unterschlüssel zu erzeugen. +. + +.gpg.sign_uid.okay +Geben Sie "ja" oder "nein" ein +. + +.gpg.sign_uid.class +Wenn Sie die User-ID eines Schlüssels beglaubigen wollen, sollten Sie zunächst +sicherstellen, daß der Schlüssel demjenigen gehört, der in der User-ID genannt +ist. Für Dritte ist es hilfreich zu wissen, wie gut diese Zuordnung überprüft +wurde. + +"0" zeigt, daß Sie keine bestimmte Aussage über die Sorgfalt der + Schlüsselzuordnung machen. + +"1" Sie glauben, daß der Schlüssel der benannten Person gehört, + aber Sie konnten oder nahmen die Ãœberpüfung überhaupt nicht vor. + Dies ist hilfreich für eine "persona"-Ãœberprüfung, wobei man den + Schlüssel eines Pseudonym-Trägers beglaubigt + +"2" Sie nahmen eine flüchtige Ãœberprüfung vor. Das heißt Sie haben z.B. + den Schlüsselfingerabdruck kontrolliert und die User-ID des Schlüssels + anhand des Fotos geprüft. + +"3" Sie haben eine ausführlich Kontrolle des Schlüssels vorgenommen. + Das kann z.B. die Kontrolle des Schlüsselfingerabdrucks mit dem + Schlüsselinhaber persönlich vorgenommen haben; daß Sie die User-ID des + Schlüssel anhand einer schwer zu fälschenden Urkunde mit Foto (wie z.B. + einem Paß) abgeglichen haben und schließlich per Email-Verkehr die + Email-Adresse als zum Schlüsselbesitzer gehörig erkannt haben. + +Beachten Sie, daß diese Beispiele für die Antworten 2 und 3 *nur* Beispiele +sind. Schlußendlich ist es Ihre Sache, was Sie unter "flüchtig" oder + "ausführlich" verstehen, wenn Sie Schlüssel Dritter beglaubigen. + +Wenn Sie nicht wissen, wie Sie antworten sollen, wählen Sie "0". +. + +.gpg.change_passwd.empty.okay +Geben Sie "ja" oder "nein" ein +. + +.gpg.keyedit.save.okay +Geben Sie "ja" oder "nein" ein +. + +.gpg.keyedit.cancel.okay +Geben Sie "ja" oder "nein" ein +. + +.gpg.keyedit.sign_all.okay +Geben Sie "ja" (oder nur "j") ein, um alle User-IDs zu beglaubigen +. + +.gpg.keyedit.remove.uid.okay +Geben Sie "ja" (oder nur "j") ein, um diese User-ID zu LÖSCHEN. +Alle Zertifikate werden dann auch weg sein! +. + +.gpg.keyedit.remove.subkey.okay +Geben Sie "ja" (oder nur "j") ein, um diesen Unterschlüssel zu löschen +. + +.gpg.keyedit.delsig.valid +Dies ist eine gültige Beglaubigung für den Schlüssel. Es ist normalerweise +unnötig sie zu löschen. Sie ist möglicherweise sogar notwendig, um einen +Trust-Weg zu diesem oder einem durch diesen Schlüssel beglaubigten Schlüssel +herzustellen. +. + +.gpg.keyedit.delsig.unknown +Diese Beglaubigung kann nicht geprüft werden, da Sie den passenden Schlüssel +nicht besitzen. Sie sollten die Löschung der Beglaubigung verschieben, bis +sie wissen, welcher Schlüssel verwendet wurde. Denn vielleicht würde genau +diese Beglaubigung den "Trust"-Weg komplettieren. +. + +.gpg.keyedit.delsig.invalid +Diese Beglaubigung ist ungültig. Es ist sinnvoll sie aus Ihrem +Schlüsselbund zu entfernen. +. + +.gpg.keyedit.delsig.selfsig +Diese Beglaubigung bindet die User-ID an den Schlüssel. Normalerweise ist +es nicht gut, solche Beglaubigungen zu entfernen. Um ehrlich zu sein: +Es könnte dann sein, daß GnuPG diesen Schlüssel gar nicht mehr benutzen kann. +Sie sollten diese Eigenbeglaubigung also nur dann entfernen, wenn sie aus +irgendeinem Grund nicht gültig ist und eine zweite Beglaubigung verfügbar ist. +. + +.gpg.keyedit.updpref.okay +Ändern der Voreinstellung aller User-IDs (oder nur der ausgewählten) +auf die aktuelle Liste der Voreinstellung. Die Zeitangaben aller betroffenen +Eigenbeglaubigungen werden um eine Sekunde vorgestellt. + +. + +.gpg.passphrase.enter +Bitte geben Sie die Passphrase ein. Dies ist ein geheimer Satz + +. + +.gpg.passphrase.repeat +Um sicher zu gehen, daß Sie sich bei der Eingabe der Passphrase nicht +vertippt haben, geben Sie diese bitte nochmal ein. Nur wenn beide Eingaben +übereinstimmen, wird die Passphrase akzeptiert. +. + +.gpg.detached_signature.filename +Geben Sie den Namen der Datei an, zu dem die abgetrennte Unterschrift gehört +. + +.gpg.openfile.overwrite.okay +Geben Sie "ja" ein, wenn Sie die Datei überschreiben möchten +. + +.gpg.openfile.askoutname +Geben Sie bitte einen neuen Dateinamen ein. Falls Sie nur die +Eingabetaste betätigen, wird der (in Klammern angezeigte) Standarddateiname +verwendet. +. + +.gpg.ask_revocation_reason.code +Sie sollten einen Grund für die Zertifizierung angeben. Je nach +Zusammenhang können Sie aus dieser Liste auswählen: + "Schlüssel wurde kompromitiert" + Falls Sie Grund zu der Annahme haben, daß nicht berechtigte Personen + Zugriff zu Ihrem geheimen Schlüssel hatten + "Schlüssel ist überholt" + Falls Sie diesen Schlüssel durch einem neuen ersetzt haben. + "Schlüssel wird nicht mehr benutzt" + Falls Sie diesen Schlüssel zurückgezogen haben. + "User-ID ist nicht mehr gültig" + Um bekanntzugeben, daß die User-ID nicht mehr benutzt werden soll. + So weist man normalerweise auf eine ungültige Emailadresse hin. + +. + +.gpg.ask_revocation_reason.text +Wenn Sie möchten, können Sie hier einen Text eingeben, der darlegt, warum +Sie diesen Widerruf herausgeben. Der Text sollte möglichst knapp sein. +Eine Leerzeile beendet die Eingabe. + +. + + + +# Local variables: +# mode: default-generic +# coding: utf-8 +# End: diff --git a/doc/help.el.txt b/doc/help.el.txt new file mode 100644 index 0000000..0ac3be7 --- /dev/null +++ b/doc/help.el.txt @@ -0,0 +1,286 @@ +# help..txt - GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.#gpg.edit_ownertrust.value +# fixme: Please translate and remove the hash mark from the key line. +It's up to you to assign a value here; this value will never be exported +to any 3rd party. We need it to implement the web-of-trust; it has nothing +to do with the (implicitly created) web-of-certificates. +. + +.#gpg.edit_ownertrust.set_ultimate.okay +# fixme: Please translate and remove the hash mark from the key line. +To build the Web-of-Trust, GnuPG needs to know which keys are +ultimately trusted - those are usually the keys for which you have +access to the secret key. Answer "yes" to set this key to +ultimately trusted + +. + +.#gpg.untrusted_key.override +# fixme: Please translate and remove the hash mark from the key line. +If you want to use this untrusted key anyway, answer "yes". +. + +.#gpg.pklist.user_id.enter +# fixme: Please translate and remove the hash mark from the key line. +Enter the user ID of the addressee to whom you want to send the message. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.#gpg.keygen.algo.rsa_se +# fixme: Please translate and remove the hash mark from the key line. +In general it is not a good idea to use the same key for signing and +encryption. This algorithm should only be used in certain domains. +Please consult your security expert first. +. + +.#gpg.keygen.size +# fixme: Please translate and remove the hash mark from the key line. +Enter the size of the key +. + +.#gpg.keygen.size.huge.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.size.large.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.valid +# fixme: Please translate and remove the hash mark from the key line. +Enter the required value as shown in the prompt. +It is possible to enter a ISO date (YYYY-MM-DD) but you won't +get a good error response - instead the system tries to interpret +the given value as an interval. +. + +.#gpg.keygen.valid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.name +# fixme: Please translate and remove the hash mark from the key line. +Enter the name of the key holder +. + +.#gpg.keygen.email +# fixme: Please translate and remove the hash mark from the key line. +please enter an optional but highly suggested email address +. + +.#gpg.keygen.comment +# fixme: Please translate and remove the hash mark from the key line. +Please enter an optional comment +. + +.#gpg.keygen.userid.cmd +# fixme: Please translate and remove the hash mark from the key line. +N to change the name. +C to change the comment. +E to change the email address. +O to continue with key generation. +Q to to quit the key generation. +. + +.#gpg.keygen.sub.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" (or just "y") if it is okay to generate the sub key. +. + +.#gpg.sign_uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.sign_uid.class +# fixme: Please translate and remove the hash mark from the key line. +When you sign a user ID on a key, you should first verify that the key +belongs to the person named in the user ID. It is useful for others to +know how carefully you verified this. + +"0" means you make no particular claim as to how carefully you verified the + key. + +"1" means you believe the key is owned by the person who claims to own it + but you could not, or did not verify the key at all. This is useful for + a "persona" verification, where you sign the key of a pseudonymous user. + +"2" means you did casual verification of the key. For example, this could + mean that you verified the key fingerprint and checked the user ID on the + key against a photo ID. + +"3" means you did extensive verification of the key. For example, this could + mean that you verified the key fingerprint with the owner of the key in + person, and that you checked, by means of a hard to forge document with a + photo ID (such as a passport) that the name of the key owner matches the + name in the user ID on the key, and finally that you verified (by exchange + of email) that the email address on the key belongs to the key owner. + +Note that the examples given above for levels 2 and 3 are *only* examples. +In the end, it is up to you to decide just what "casual" and "extensive" +mean to you when you sign other keys. + +If you don't know what the right answer is, answer "0". +. + +.#gpg.change_passwd.empty.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.save.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.cancel.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.#gpg.keyedit.remove.uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you really want to delete this user ID. +All certificates are then also lost! +. + +.#gpg.keyedit.remove.subkey.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to delete the subkey +. + +.#gpg.keyedit.delsig.valid +# fixme: Please translate and remove the hash mark from the key line. +This is a valid signature on the key; you normally don't want +to delete this signature because it may be important to establish a +trust connection to the key or another key certified by this key. +. + +.#gpg.keyedit.delsig.unknown +# fixme: Please translate and remove the hash mark from the key line. +This signature can't be checked because you don't have the +corresponding key. You should postpone its deletion until you +know which key was used because this signing key might establish +a trust connection through another already certified key. +. + +.#gpg.keyedit.delsig.invalid +# fixme: Please translate and remove the hash mark from the key line. +The signature is not valid. It does make sense to remove it from +your keyring. +. + +.#gpg.keyedit.delsig.selfsig +# fixme: Please translate and remove the hash mark from the key line. +This is a signature which binds the user ID to the key. It is +usually not a good idea to remove such a signature. Actually +GnuPG might not be able to use this key anymore. So do this +only if this self-signature is for some reason not valid and +a second one is available. +. + +.#gpg.keyedit.updpref.okay +# fixme: Please translate and remove the hash mark from the key line. +Change the preferences of all user IDs (or just of the selected ones) +to the current list of preferences. The timestamp of all affected +self-signatures will be advanced by one second. + +. + +.#gpg.passphrase.enter +# fixme: Please translate and remove the hash mark from the key line. +Please enter the passphrase; this is a secret sentence + +. + +.#gpg.passphrase.repeat +# fixme: Please translate and remove the hash mark from the key line. +Please repeat the last passphrase, so you are sure what you typed in. +. + +.#gpg.detached_signature.filename +# fixme: Please translate and remove the hash mark from the key line. +Give the name of the file to which the signature applies +. + +.#gpg.openfile.overwrite.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to overwrite the file +. + +.#gpg.openfile.askoutname +# fixme: Please translate and remove the hash mark from the key line. +Please enter a new filename. If you just hit RETURN the default +file (which is shown in brackets) will be used. +. + +.#gpg.ask_revocation_reason.code +# fixme: Please translate and remove the hash mark from the key line. +You should specify a reason for the certification. Depending on the +context you have the ability to choose from this list: + "Key has been compromised" + Use this if you have a reason to believe that unauthorized persons + got access to your secret key. + "Key is superseded" + Use this if you have replaced this key with a newer one. + "Key is no longer used" + Use this if you have retired this key. + "User ID is no longer valid" + Use this to state that the user ID should not longer be used; + this is normally used to mark an email address invalid. + +. + +.#gpg.ask_revocation_reason.text +# fixme: Please translate and remove the hash mark from the key line. +If you like, you can enter a text describing why you issue this +revocation certificate. Please keep this text concise. +An empty line ends the text. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.eo.txt b/doc/help.eo.txt new file mode 100644 index 0000000..0ac3be7 --- /dev/null +++ b/doc/help.eo.txt @@ -0,0 +1,286 @@ +# help..txt - GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.#gpg.edit_ownertrust.value +# fixme: Please translate and remove the hash mark from the key line. +It's up to you to assign a value here; this value will never be exported +to any 3rd party. We need it to implement the web-of-trust; it has nothing +to do with the (implicitly created) web-of-certificates. +. + +.#gpg.edit_ownertrust.set_ultimate.okay +# fixme: Please translate and remove the hash mark from the key line. +To build the Web-of-Trust, GnuPG needs to know which keys are +ultimately trusted - those are usually the keys for which you have +access to the secret key. Answer "yes" to set this key to +ultimately trusted + +. + +.#gpg.untrusted_key.override +# fixme: Please translate and remove the hash mark from the key line. +If you want to use this untrusted key anyway, answer "yes". +. + +.#gpg.pklist.user_id.enter +# fixme: Please translate and remove the hash mark from the key line. +Enter the user ID of the addressee to whom you want to send the message. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.#gpg.keygen.algo.rsa_se +# fixme: Please translate and remove the hash mark from the key line. +In general it is not a good idea to use the same key for signing and +encryption. This algorithm should only be used in certain domains. +Please consult your security expert first. +. + +.#gpg.keygen.size +# fixme: Please translate and remove the hash mark from the key line. +Enter the size of the key +. + +.#gpg.keygen.size.huge.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.size.large.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.valid +# fixme: Please translate and remove the hash mark from the key line. +Enter the required value as shown in the prompt. +It is possible to enter a ISO date (YYYY-MM-DD) but you won't +get a good error response - instead the system tries to interpret +the given value as an interval. +. + +.#gpg.keygen.valid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.name +# fixme: Please translate and remove the hash mark from the key line. +Enter the name of the key holder +. + +.#gpg.keygen.email +# fixme: Please translate and remove the hash mark from the key line. +please enter an optional but highly suggested email address +. + +.#gpg.keygen.comment +# fixme: Please translate and remove the hash mark from the key line. +Please enter an optional comment +. + +.#gpg.keygen.userid.cmd +# fixme: Please translate and remove the hash mark from the key line. +N to change the name. +C to change the comment. +E to change the email address. +O to continue with key generation. +Q to to quit the key generation. +. + +.#gpg.keygen.sub.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" (or just "y") if it is okay to generate the sub key. +. + +.#gpg.sign_uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.sign_uid.class +# fixme: Please translate and remove the hash mark from the key line. +When you sign a user ID on a key, you should first verify that the key +belongs to the person named in the user ID. It is useful for others to +know how carefully you verified this. + +"0" means you make no particular claim as to how carefully you verified the + key. + +"1" means you believe the key is owned by the person who claims to own it + but you could not, or did not verify the key at all. This is useful for + a "persona" verification, where you sign the key of a pseudonymous user. + +"2" means you did casual verification of the key. For example, this could + mean that you verified the key fingerprint and checked the user ID on the + key against a photo ID. + +"3" means you did extensive verification of the key. For example, this could + mean that you verified the key fingerprint with the owner of the key in + person, and that you checked, by means of a hard to forge document with a + photo ID (such as a passport) that the name of the key owner matches the + name in the user ID on the key, and finally that you verified (by exchange + of email) that the email address on the key belongs to the key owner. + +Note that the examples given above for levels 2 and 3 are *only* examples. +In the end, it is up to you to decide just what "casual" and "extensive" +mean to you when you sign other keys. + +If you don't know what the right answer is, answer "0". +. + +.#gpg.change_passwd.empty.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.save.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.cancel.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.#gpg.keyedit.remove.uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you really want to delete this user ID. +All certificates are then also lost! +. + +.#gpg.keyedit.remove.subkey.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to delete the subkey +. + +.#gpg.keyedit.delsig.valid +# fixme: Please translate and remove the hash mark from the key line. +This is a valid signature on the key; you normally don't want +to delete this signature because it may be important to establish a +trust connection to the key or another key certified by this key. +. + +.#gpg.keyedit.delsig.unknown +# fixme: Please translate and remove the hash mark from the key line. +This signature can't be checked because you don't have the +corresponding key. You should postpone its deletion until you +know which key was used because this signing key might establish +a trust connection through another already certified key. +. + +.#gpg.keyedit.delsig.invalid +# fixme: Please translate and remove the hash mark from the key line. +The signature is not valid. It does make sense to remove it from +your keyring. +. + +.#gpg.keyedit.delsig.selfsig +# fixme: Please translate and remove the hash mark from the key line. +This is a signature which binds the user ID to the key. It is +usually not a good idea to remove such a signature. Actually +GnuPG might not be able to use this key anymore. So do this +only if this self-signature is for some reason not valid and +a second one is available. +. + +.#gpg.keyedit.updpref.okay +# fixme: Please translate and remove the hash mark from the key line. +Change the preferences of all user IDs (or just of the selected ones) +to the current list of preferences. The timestamp of all affected +self-signatures will be advanced by one second. + +. + +.#gpg.passphrase.enter +# fixme: Please translate and remove the hash mark from the key line. +Please enter the passphrase; this is a secret sentence + +. + +.#gpg.passphrase.repeat +# fixme: Please translate and remove the hash mark from the key line. +Please repeat the last passphrase, so you are sure what you typed in. +. + +.#gpg.detached_signature.filename +# fixme: Please translate and remove the hash mark from the key line. +Give the name of the file to which the signature applies +. + +.#gpg.openfile.overwrite.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to overwrite the file +. + +.#gpg.openfile.askoutname +# fixme: Please translate and remove the hash mark from the key line. +Please enter a new filename. If you just hit RETURN the default +file (which is shown in brackets) will be used. +. + +.#gpg.ask_revocation_reason.code +# fixme: Please translate and remove the hash mark from the key line. +You should specify a reason for the certification. Depending on the +context you have the ability to choose from this list: + "Key has been compromised" + Use this if you have a reason to believe that unauthorized persons + got access to your secret key. + "Key is superseded" + Use this if you have replaced this key with a newer one. + "Key is no longer used" + Use this if you have retired this key. + "User ID is no longer valid" + Use this to state that the user ID should not longer be used; + this is normally used to mark an email address invalid. + +. + +.#gpg.ask_revocation_reason.text +# fixme: Please translate and remove the hash mark from the key line. +If you like, you can enter a text describing why you issue this +revocation certificate. Please keep this text concise. +An empty line ends the text. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.es.txt b/doc/help.es.txt new file mode 100644 index 0000000..d59f214 --- /dev/null +++ b/doc/help.es.txt @@ -0,0 +1,251 @@ +# help.es.txt - es GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +Está en su mano asignar un valor aquÃ. Dicho valor nunca será exportado a +terceros. Es necesario para implementar la red de confianza, no tiene nada +que ver con la red de certificados (implÃcitamente creada). +. + +.gpg.edit_ownertrust.set_ultimate.okay +Para construir la Red-de-Confianza, GnuPG necesita saber qué claves +tienen confianza absoluta - normalmente son las claves para las que usted +puede acceder a la clave secreta. Conteste "sÃ" para hacer que esta +clave se considere como de total confianza + +. + +.gpg.untrusted_key.override +Si quiere usar esta clave no fiable de todos modos, conteste "sÃ". +. + +.gpg.pklist.user_id.enter +Introduzca el ID de usuario al que quiere enviar el mensaje. +. + +.gpg.keygen.algo +Seleccione el algoritmo que usar. + +DSA (alias DSS) es el Algoritmo de Firma Digital y sólo se usa para firmas. + +Elgamal es un algoritmo sólo para cifrar. + +RSA sirve tanto para firmar como para cifrar. + +La primera clave (clave primaria) debe ser siempre de tipo capaz de firmar. +. + +.gpg.keygen.algo.rsa_se +En general no es una buena idea usar la misma clave para firmar y +cifrar. Este algoritmo debéria usarse solo en ciertos contextos. +Por favor consulte primero a un experto en seguridad. +. + +.gpg.keygen.size +Introduzca la longitud de la clave +. + +.gpg.keygen.size.huge.okay +Responda "sÃ" o "no" +. + +.gpg.keygen.size.large.okay +Responda "sÃ" o "no" +. + +.gpg.keygen.valid +Introduzca el valor requerido conforme se muestra. +Es posible introducir una fecha ISO (AAAA-MM-DD), pero no se obtendrá una +buena respuesta a los errores; el sistema intentará interpretar el valor +introducido como un intervalo. +. + +.gpg.keygen.valid.okay +Responda "sÃ" o "no" +. + +.gpg.keygen.name +Introduzca el nombre del dueño de la clave +. + +.gpg.keygen.email +Introduzca una dirección de correo electrónico (opcional pero muy +recomendable) +. + +.gpg.keygen.comment +Introduzca un comentario opcional +. + +.gpg.keygen.userid.cmd +N para cambiar el nombre. +C para cambiar el comentario. +E para cambiar la dirección. +O para continuar con la generación de clave. +S para interrumpir la generación de clave. +. + +.gpg.keygen.sub.okay +Responda "sÃ" (o sólo "s") para generar la subclave. +. + +.gpg.sign_uid.okay +Responda "sÃ" o "no" +. + +.gpg.sign_uid.class +Cuando firme un ID de usuario en una clave, deberÃa verificar que la clave +pertenece a la persona que se nombra en el ID de usuario. Es útil para +otros saber cómo de cuidadosamente lo ha verificado. + +"0" significa que no hace ninguna declaración concreta sobre como ha + comprobado la validez de la clave. + +"1" significa que cree que la clave pertenece a la persona que declara + poseerla pero no pudo o no verificó la clave en absoluto. Esto es útil + para una verificación en persona cuando firmas la clave de un usuario + pseudoanónimo. + +"2" significa que hizo una comprobación informal de la clave. Por ejemplo + podrÃa querer decir que comprobó la huella dactilar de la clave y + comprobó el ID de usuario en la clave con un ID fotográfico. + +"3" significa que hizo una comprobación exhaustiva de la clave. Por + ejemplo verificando la huella dactilar de la clave con el propietario + de la clave, y que comprobó, mediante un documento difÃcil de falsificar + con ID fotográfico (como un pasaporte) que el nombre del poseedor de la + clave coincide con el ID de usuario en la clave y finalmente que verificó + (intercambiando email) que la dirección de email de la clave pertenece + al poseedor de la clave. + +Observe que los ejemplos dados en los niveles 2 y 3 son *solo* ejemplos. +En definitiva, usted decide lo que significa "informal" y "exhaustivo" +para usted cuando firma las claves de otros. + +Si no sabe qué contestar, conteste "0". +. + +.gpg.change_passwd.empty.okay +Responda "sÃ" o "no" +. + +.gpg.keyedit.save.okay +Responda "sÃ" o "no" +. + +.gpg.keyedit.cancel.okay +Responda "sÃ" o "no" +. + +.gpg.keyedit.sign_all.okay +Responda "sÃ" si quiere firmar TODOS los IDs de usuario +. + +.gpg.keyedit.remove.uid.okay +Responda "sÃ" si realmente quiere borrar este ID de usuario. +¡También se perderán todos los certificados! +. + +.gpg.keyedit.remove.subkey.okay +Responda "sÃ" si quiere borrar esta subclave +. + +.gpg.keyedit.delsig.valid +Esta es una firma válida de esta clave. Normalmente no será deseable +borrar esta firma ya que puede ser importante para establecer una conexión +de confianza con la clave o con otra clave certificada por ésta. +. + +.gpg.keyedit.delsig.unknown +Esta firma no puede ser comprobada porque no tiene Vd. la clave +correspondiente. DeberÃa posponer su borrado hasta conocer qué clave +se usó, ya que dicha clave podrÃa establecer una conexión de confianza +a través de otra clave certificada. +. + +.gpg.keyedit.delsig.invalid +Esta firma no es válida. Tiene sentido borrarla de su anillo. +. + +.gpg.keyedit.delsig.selfsig +Esta es una firma que une el ID de usuario a la clave. No suele ser una +buena idea borrar dichas firmas. De hecho, GnuPG podrÃa no ser capaz de +volver a usar esta clave. Asà que bórrela tan sólo si esta autofirma no +es válida por alguna razón y hay otra disponible. +. + +.gpg.keyedit.updpref.okay +Cambiar las preferencias de todos los IDs de usuario (o sólo los +seleccionados) a la lista actual de preferencias. El sello de tiempo +de todas las autofirmas afectadas se avanzará en un segundo. + +. + +.gpg.passphrase.enter +Por favor introduzca la contraseña: una frase secreta + +. + +.gpg.passphrase.repeat +Repita la última frase contraseña para asegurarse de lo que tecleó. +. + +.gpg.detached_signature.filename +Introduzca el nombre del fichero al que corresponde la firma +. + +.gpg.openfile.overwrite.okay +Responda "sÃ" para sobreescribir el fichero +. + +.gpg.openfile.askoutname +Introduzca un nuevo nombre de fichero. Si pulsa INTRO se usará el fichero +por omisión (mostrado entre corchetes). +. + +.gpg.ask_revocation_reason.code +DeberÃa especificar un motivo para la certificación. Dependiendo del +contexto puede elegir una opción de esta lista: + "La clave ha sido comprometida" + Use esto si tiene razones para pensar que personas no autorizadas + tuvieron acceso a su clave secreta. + "La clave ha sido sustituida" + Use esto si ha reemplazado la clave por otra más nueva. + "La clave ya no está en uso" + Use esto si ha dejado de usar esta clave. + "La identificación de usuario ya no es válida" + Use esto para señalar que la identificación de usuario no deberÃa + seguir siendo usada; esto se utiliza normalmente para marcar una + dirección de correo-e como inválida. + +. + +.gpg.ask_revocation_reason.text +Si lo desea puede introducir un texto explicando por qué emite +este certificado de revocación. Por favor, que el texto sea breve. +Una lÃnea vacÃa pone fin al texto. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.et.txt b/doc/help.et.txt new file mode 100644 index 0000000..0ac3be7 --- /dev/null +++ b/doc/help.et.txt @@ -0,0 +1,286 @@ +# help..txt - GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.#gpg.edit_ownertrust.value +# fixme: Please translate and remove the hash mark from the key line. +It's up to you to assign a value here; this value will never be exported +to any 3rd party. We need it to implement the web-of-trust; it has nothing +to do with the (implicitly created) web-of-certificates. +. + +.#gpg.edit_ownertrust.set_ultimate.okay +# fixme: Please translate and remove the hash mark from the key line. +To build the Web-of-Trust, GnuPG needs to know which keys are +ultimately trusted - those are usually the keys for which you have +access to the secret key. Answer "yes" to set this key to +ultimately trusted + +. + +.#gpg.untrusted_key.override +# fixme: Please translate and remove the hash mark from the key line. +If you want to use this untrusted key anyway, answer "yes". +. + +.#gpg.pklist.user_id.enter +# fixme: Please translate and remove the hash mark from the key line. +Enter the user ID of the addressee to whom you want to send the message. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.#gpg.keygen.algo.rsa_se +# fixme: Please translate and remove the hash mark from the key line. +In general it is not a good idea to use the same key for signing and +encryption. This algorithm should only be used in certain domains. +Please consult your security expert first. +. + +.#gpg.keygen.size +# fixme: Please translate and remove the hash mark from the key line. +Enter the size of the key +. + +.#gpg.keygen.size.huge.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.size.large.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.valid +# fixme: Please translate and remove the hash mark from the key line. +Enter the required value as shown in the prompt. +It is possible to enter a ISO date (YYYY-MM-DD) but you won't +get a good error response - instead the system tries to interpret +the given value as an interval. +. + +.#gpg.keygen.valid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.name +# fixme: Please translate and remove the hash mark from the key line. +Enter the name of the key holder +. + +.#gpg.keygen.email +# fixme: Please translate and remove the hash mark from the key line. +please enter an optional but highly suggested email address +. + +.#gpg.keygen.comment +# fixme: Please translate and remove the hash mark from the key line. +Please enter an optional comment +. + +.#gpg.keygen.userid.cmd +# fixme: Please translate and remove the hash mark from the key line. +N to change the name. +C to change the comment. +E to change the email address. +O to continue with key generation. +Q to to quit the key generation. +. + +.#gpg.keygen.sub.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" (or just "y") if it is okay to generate the sub key. +. + +.#gpg.sign_uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.sign_uid.class +# fixme: Please translate and remove the hash mark from the key line. +When you sign a user ID on a key, you should first verify that the key +belongs to the person named in the user ID. It is useful for others to +know how carefully you verified this. + +"0" means you make no particular claim as to how carefully you verified the + key. + +"1" means you believe the key is owned by the person who claims to own it + but you could not, or did not verify the key at all. This is useful for + a "persona" verification, where you sign the key of a pseudonymous user. + +"2" means you did casual verification of the key. For example, this could + mean that you verified the key fingerprint and checked the user ID on the + key against a photo ID. + +"3" means you did extensive verification of the key. For example, this could + mean that you verified the key fingerprint with the owner of the key in + person, and that you checked, by means of a hard to forge document with a + photo ID (such as a passport) that the name of the key owner matches the + name in the user ID on the key, and finally that you verified (by exchange + of email) that the email address on the key belongs to the key owner. + +Note that the examples given above for levels 2 and 3 are *only* examples. +In the end, it is up to you to decide just what "casual" and "extensive" +mean to you when you sign other keys. + +If you don't know what the right answer is, answer "0". +. + +.#gpg.change_passwd.empty.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.save.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.cancel.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.#gpg.keyedit.remove.uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you really want to delete this user ID. +All certificates are then also lost! +. + +.#gpg.keyedit.remove.subkey.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to delete the subkey +. + +.#gpg.keyedit.delsig.valid +# fixme: Please translate and remove the hash mark from the key line. +This is a valid signature on the key; you normally don't want +to delete this signature because it may be important to establish a +trust connection to the key or another key certified by this key. +. + +.#gpg.keyedit.delsig.unknown +# fixme: Please translate and remove the hash mark from the key line. +This signature can't be checked because you don't have the +corresponding key. You should postpone its deletion until you +know which key was used because this signing key might establish +a trust connection through another already certified key. +. + +.#gpg.keyedit.delsig.invalid +# fixme: Please translate and remove the hash mark from the key line. +The signature is not valid. It does make sense to remove it from +your keyring. +. + +.#gpg.keyedit.delsig.selfsig +# fixme: Please translate and remove the hash mark from the key line. +This is a signature which binds the user ID to the key. It is +usually not a good idea to remove such a signature. Actually +GnuPG might not be able to use this key anymore. So do this +only if this self-signature is for some reason not valid and +a second one is available. +. + +.#gpg.keyedit.updpref.okay +# fixme: Please translate and remove the hash mark from the key line. +Change the preferences of all user IDs (or just of the selected ones) +to the current list of preferences. The timestamp of all affected +self-signatures will be advanced by one second. + +. + +.#gpg.passphrase.enter +# fixme: Please translate and remove the hash mark from the key line. +Please enter the passphrase; this is a secret sentence + +. + +.#gpg.passphrase.repeat +# fixme: Please translate and remove the hash mark from the key line. +Please repeat the last passphrase, so you are sure what you typed in. +. + +.#gpg.detached_signature.filename +# fixme: Please translate and remove the hash mark from the key line. +Give the name of the file to which the signature applies +. + +.#gpg.openfile.overwrite.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to overwrite the file +. + +.#gpg.openfile.askoutname +# fixme: Please translate and remove the hash mark from the key line. +Please enter a new filename. If you just hit RETURN the default +file (which is shown in brackets) will be used. +. + +.#gpg.ask_revocation_reason.code +# fixme: Please translate and remove the hash mark from the key line. +You should specify a reason for the certification. Depending on the +context you have the ability to choose from this list: + "Key has been compromised" + Use this if you have a reason to believe that unauthorized persons + got access to your secret key. + "Key is superseded" + Use this if you have replaced this key with a newer one. + "Key is no longer used" + Use this if you have retired this key. + "User ID is no longer valid" + Use this to state that the user ID should not longer be used; + this is normally used to mark an email address invalid. + +. + +.#gpg.ask_revocation_reason.text +# fixme: Please translate and remove the hash mark from the key line. +If you like, you can enter a text describing why you issue this +revocation certificate. Please keep this text concise. +An empty line ends the text. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.fi.txt b/doc/help.fi.txt new file mode 100644 index 0000000..4286cc0 --- /dev/null +++ b/doc/help.fi.txt @@ -0,0 +1,256 @@ +# help.fi.txt - fi GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +Tämän arvon määrittäminen on sinun tehtäväsi, tätä arvoa ei koskaan +kerrota kolmansille osapuolille. Tarvitsemme sitä toteuttamaan +luottamusverkko eikä sillä ei ole mitään tekemistä (epäsuorasti luotujen) +varmenneverkkojen kanssa. +. + +.gpg.edit_ownertrust.set_ultimate.okay +Rakentaakseen luottamusverkon, GnuPG:n täytyy tietää mihin avaimiin +luotetaan ehdottomasti - nämä ovat tavallisesti ne avaimet, joiden salainen +pari on sinulla. Vastaa "kyllä" luottaaksesi tähän avaimeen ehdoitta + +. + +.gpg.untrusted_key.override +Vastaa "kyllä" jos haluat kaikesta huolimatta käyttää tätä epäluotettavaa +avainta. +. + +.gpg.pklist.user_id.enter +Syötä vastaanottajan, jolle haluat lähettää viestin, käyttäjätunnus. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.gpg.keygen.algo.rsa_se +Yleensä ei ole järkevää käyttää samaa avainta allekirjoitukseen +ja salaamiseen. Tätä algorimiä tulisi käyttää vain määrätyissä ympäristöissä. +Ole hyvä ja kysy tietoturva-asiantuntijaltasi ensin +. + +.gpg.keygen.size +Syötä avaimen koko +. + +.gpg.keygen.size.huge.okay +Vastaa "kyllä" tai " ei" +. + +.gpg.keygen.size.large.okay +Vastaa "kyllä" tai " ei" +. + +.gpg.keygen.valid +Syötä pyydetty arvo kuten näkyy kehotteessa. +On mahdollista syöttää ISO-muotoinen päivä (VVVV-KK-PP), +mutta sen seurauksena et saa kunnollista virheilmoitusta +vaan järjestelmä yrittää tulkita arvon aikajaksona. +. + +.gpg.keygen.valid.okay +Vastaa "kyllä" tai " ei" +. + +.gpg.keygen.name +Anna avaimen haltijan nimi +. + +.gpg.keygen.email +anna vapaaehtoinen, mutta erittäin suositeltava sähköpostiosoite +. + +.gpg.keygen.comment +Kirjoita vapaaehtoinen huomautus +. + +.gpg.keygen.userid.cmd +N muuta nimeä +C muuta kommenttia +E muuta sähköpostiosoitetta +O jatka avaimen luomista +L lopeta +. + +.gpg.keygen.sub.okay +Vastaa "kyllä" (tai vain "k") jos haluat luoda aliavaimen. +. + +.gpg.sign_uid.okay +Vastaa "kyllä" tai " ei" +. + +.gpg.sign_uid.class +Allekirjoittaessasi avaimen käyttäjätunnuksen sinun tulisi varmista, että +avain todella kuuluu henkilölle, joka mainitaan käyttäjätunnuksessa. Muiden +on hyvä tietää kuinka huolellisesti olet varmistanut tämän. + +"0" tarkoittaa, että et väitä mitään siitä, kuinka huolellisesti olet + varmistanut avaimen. + +"1" tarkoittaa, että uskot avaimen kuuluvan henkilölle, joka väittää + hallitsevan sitä, mutta et voinut varmistaa tai et varmistanut avainta + lainkaan. Tämä on hyödyllinen "persoonan" varmistamiseen, jossa + allekirjoitat pseudonyymin käyttäjän avaimen. + +"2" tarkoittaa arkista varmistusta. Esimerkiksi olet varmistanut + avaimen sormenjäljen ja tarkistanut käyttäjätunnuksen ja + valokuvatunnisteen täsmäävän. + +"3" tarkoittaa syvällistä henkilöllisyyden varmistamista. Esimerkiksi + tämä voi tarkoittaa avaimen sormenjäljen tarkistamista avaimen haltijan + kanssa henkilökohtaisesti, ja että tarkistit nimen avaimessa täsmäävän + vaikeasti väärennettävän kuvallisen henkilöllisyystodistuksen (kuten + passi) kanssa, ja lopuksi varmistit (sähköpostin vaihtamisella), että + sähköpostiosoite kuuluu avaimen haltijalle. + +Huomaa, että yllä annetut esimerkit tasoille 2 ja 3 ovat todellakin *vain* +esimerkkejä. Lopullisesti se on sinun päätöksesi mitä "arkinen" ja +"syvällinen" tarkoittaa allekirjoittaessasi muita avaimia. + +Jos et tiedä mikä olisi sopiva vastaus, vastaa "0". +. + +.gpg.change_passwd.empty.okay +Vastaa "kyllä" tai " ei" +. + +.gpg.keyedit.save.okay +Vastaa "kyllä" tai " ei" +. + +.gpg.keyedit.cancel.okay +Vastaa "kyllä" tai " ei" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.gpg.keyedit.remove.uid.okay +Vastaa "kyllä", jos haluat poistaa tämän käyttäjätunnuksen. +Menetät samalla kaikki siihen liittyvät varmenteet! +. + +.gpg.keyedit.remove.subkey.okay +Vastaa "kyllä", jos aliavaimen voi poistaa +. + +.gpg.keyedit.delsig.valid +Tämä on voimassa oleva allekirjoitus tälle avaimelle, tavallisesti ei +kannata poistaa tätä allekirjoitusta koska se saattaa olla tarpeen +luottamussuhteen luomiseksi avaimeen tai johonkin toiseen tämän avaimen +varmentamaan avaimeen. +. + +.gpg.keyedit.delsig.unknown +Allekirjoitusta ei voida tarkistaa koska sinulla ei ole +siihen liittyvää avainta. Lykkää sen poistamista kunnes + tiedät mitä avainta on käytetty, koska allekirjoitus +avain saattaa luoda luottamusketjun toisen, jo ennalta +varmennetun avaimen kautta. +. + +.gpg.keyedit.delsig.invalid +Allekirjoitus ei ole pätevä. Järkevintä olisi poistaa se +avainrenkaastasi. +. + +.gpg.keyedit.delsig.selfsig +Tämä allekirjoitus takaa avaimen haltijan henkilöllisyyden. +Tällaisen allekirjoituksen poistaminen on tavallisesti huono +ajatus. GnuPG ei kenties voi käyttää avainta enää. Poista +allekirjoitus vain, jos se ei ole jostain syystä pätevä, ja +avaimella on jo toinen allekirjoitus. +. + +.gpg.keyedit.updpref.okay +Muuta valinnat kaikille käyttäjätunnuksille (tai vain valituille) +nykyiseen luetteloon valinnoista. Kaikkien muutettujen +oma-allekirjoitusten aikaleima siirretään yhdellä sekunnilla eteenpäin. + +. + +.gpg.passphrase.enter +Ole hyvä ja syötä salasana, tämän on salainen lause + +. + +.gpg.passphrase.repeat +Toista edellinen salasanasi varmistuaksesi siitä, mitä kirjoitit. +. + +.gpg.detached_signature.filename +Anna allekirjoitetun tiedoston nimi +. + +.gpg.openfile.overwrite.okay +Vastaa "kyllä", jos tiedoston voi ylikirjoittaa +. + +.gpg.openfile.askoutname +Syötä uusi tiedostonimi. Jos painat vain RETURN, käytetään +oletustiedostoa (joka näkyy sulkeissa). +. + +.gpg.ask_revocation_reason.code +Sinun tulisi määrittää syy varmenteelle. Riippuen asiayhteydestä +voit valita tästä listasta: + "Avain on paljastunut" + Käytä tätä, jos sinulla on syytä uskoa, että luvattomat henkilöt + ovat saaneet salaisen avaimesi käsiinsä. + "Avain on korvattu" + Käytä tätä, jos olet korvannut tämän uudemmalla avaimella. + "Avain ei ole enää käytössä" + Käytä tätä, jost ole lopettanut tämän avaimen käytön. + "Käyttäjätunnus ei ole enää voimassa" + Käytä tätä ilmoittamaan, että käyttäjätunnusta ei pitäisi käyttää; + tätä normaalisti käytetään merkitsemään sähköpostiosoite vanhenneeksi. + +. + +.gpg.ask_revocation_reason.text +Halutessasi voit kirjoittaa tähän kuvauksen miksi julkaiset tämän +mitätöintivarmenteen. Kirjoita lyhyesti. +Tyhjä rivi päättää tekstin. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.fr.txt b/doc/help.fr.txt new file mode 100644 index 0000000..4e4e7da --- /dev/null +++ b/doc/help.fr.txt @@ -0,0 +1,256 @@ +# help.fr.txt - fr GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +C'est à vous d'assigner une valeur ici; cette valeur ne sera jamais +envoyée à une tierce personne. Nous en avons besoin pour créer le réseau +de confiance (web-of-trust); cela n'a rien à voir avec le réseau des +certificats (créé implicitement) +. + +.gpg.edit_ownertrust.set_ultimate.okay +Pour mettre en place le Réseau de confiance (Web of Trust), GnuPG a +besoin de savoir en quelles clés votre confiance est ultime - ce sont +en général les clés dont vous avez accès à la clé secrète. Répondez +"oui" pour indiquer que votre confiance en cette clé est ultime + +. + +.gpg.untrusted_key.override +Si vous voulez utiliser cette clé peu sûre quand-même, répondez «oui». +. + +.gpg.pklist.user_id.enter +Entrez le nom d'utilisateur de la personne à qui vous voulez envoyer +le message. +. + +.gpg.keygen.algo +Sélectionnez l'algorithme à utiliser. + +DSA (connu également sous le nom de DSS) est un algorithme de signature +digitale et ne peut être utilisé que pour des signatures. + +Elgamal est un algorithme pour le chiffrement seul. + +RSA peut être utilisé pour les signatures et le chiffrement. + +La première clé (clé principale) doit toujours être une clé capable +de signer. +. + +.gpg.keygen.algo.rsa_se +En général ce n'est pas une bonne idée d'utiliser la même clé pour +signer et pour chiffrer. Cet algorithme ne doit être utilisé que +pour certains domaines. +Consultez votre expert en sécurité d'abord. +. + +.gpg.keygen.size +Entrez la taille de la clé +. + +.gpg.keygen.size.huge.okay +Répondez «oui» ou «non» +. + +.gpg.keygen.size.large.okay +Répondez «oui» ou «non» +. + +.gpg.keygen.valid +Entrez la valeur demandée comme indiqué dans la ligne de commande. +On peut entrer une date ISO (AAAA-MM-JJ) mais le résultat d'erreur sera +mauvais - le système essaierait d'interpréter la valeur donnée comme un +intervalle. +. + +.gpg.keygen.valid.okay +Répondez «oui» ou «non» +. + +.gpg.keygen.name +Entrez le nom du propriétaire de la clé +. + +.gpg.keygen.email +entrez une adresse e-mail optionnelle mais hautement recommandée +. + +.gpg.keygen.comment +Entrez un commentaire optionnel +. + +.gpg.keygen.userid.cmd +N pour changer le nom. +C pour changer le commentaire. +E pour changer l'adresse e-mail. +O pour continuer à générer la clé. +Q pour arrêter de générer de clé. +. + +.gpg.keygen.sub.okay +Répondez «oui» (ou simplement «o») pour générer la sous-clé +. + +.gpg.sign_uid.okay +Répondez «oui» ou «non» +. + +.gpg.sign_uid.class +Quand vous signez un nom d'utilisateur d'une clé, vous devriez d'abord +vérifier que la clé appartient à la personne nommée. Il est utile que +les autres personnes sachent avec quel soin vous l'avez vérifié. + +"0" signifie que vous n'avez pas d'opinon. + +"1" signifie que vous croyez que la clé appartient à la personne qui +dit la posséder mais vous n'avez pas pu vérifier du tout la clé. +C'est utile lorsque vous signez la clé d'un pseudonyme. + +"2" signifie que vous avez un peu vérifié la clé. Par exemple, cela +pourrait être un vérification de l'empreinte et du nom de +l'utilisateur avec la photo. + +"3" signifie que vous avez complètement vérifié la clé. Par exemple, +cela pourrait être une vérification de l'empreinte, du nom de +l'utilisateur avec un document difficile à contrefaire (comme un +passeport) et de son adresse e-mail (vérifié par un échange de +courrier électronique). + +Notez bien que les exemples donnés ci-dessus pour les niveaux 2 et +3 ne sont *que* des exemples. +C'est à vous de décider quelle valeur mettre quand vous signez +les clés des autres personnes. + +Si vous ne savez pas quelle réponse est la bonne, répondez "0". +. + +.gpg.change_passwd.empty.okay +Répondez «oui» ou «non» +. + +.gpg.keyedit.save.okay +Répondez «oui» ou «non» +. + +.gpg.keyedit.cancel.okay +Répondez «oui» ou «non» +. + +.gpg.keyedit.sign_all.okay +Répondez «oui» si vous voulez signer TOUS les noms d'utilisateurs +. + +.gpg.keyedit.remove.uid.okay +Répondez «oui» si vous voulez vraiment supprimer ce nom +d'utilisateur. Tous les certificats seront alors perdus en même temps ! +. + +.gpg.keyedit.remove.subkey.okay +Répondez «oui» s'il faut vraiment supprimer la sous-clé +. + +.gpg.keyedit.delsig.valid +C'est une signature valide dans la clé; vous n'avez pas normalement +intérêt à supprimer cette signature car elle peut être importante pour +établir une connection de confiance vers la clé ou une autre clé certifiée +par celle-là . +. + +.gpg.keyedit.delsig.unknown +Cette signature ne peut pas être vérifiée parce que vous n'avez pas la +clé correspondante. Vous devriez remettre sa supression jusqu'à ce que +vous soyez sûr de quelle clé a été utilisée car cette clé de signature +peut établir une connection de confiance vers une autre clé déjà certifiée. +. + +.gpg.keyedit.delsig.invalid +Cette signature n'est pas valide. Vous devriez la supprimer de votre +porte-clés. +. + +.gpg.keyedit.delsig.selfsig +Cette signature relie le nom d'utilisateur à la clé. Habituellement +enlever une telle signature n'est pas une bonne idée. En fait GnuPG peut +ne plus être capable d'utiliser cette clé. Donc faites ceci uniquement si +cette auto-signature est invalide pour une certaine raison et si une autre +est disponible. +. + +.gpg.keyedit.updpref.okay +Changer les préférences de tous les noms d'utilisateurs (ou juste +ceux qui sont sélectionnés) vers la liste actuelle. La date de toutes +les auto-signatures affectées seront avancées d'une seconde. + +. + +.gpg.passphrase.enter +Entrez le mot de passe ; c'est une phrase secrète + +. + +.gpg.passphrase.repeat +Répétez la dernière phrase de passe pour être sûr de ce que vous +avez tapé. +. + +.gpg.detached_signature.filename +Donnez le nom du fichier auquel la signature se rapporte +. + +.gpg.openfile.overwrite.okay +Répondez «oui» s'il faut vraiment réécrire le fichier +. + +.gpg.openfile.askoutname +Entrez le nouveau nom de fichier. Si vous tapez simplement ENTRÉE le +fichier par défaut (indiqué entre crochets) sera utilisé. +. + +.gpg.ask_revocation_reason.code +Vous devriez donner une raison pour la certification. Selon le contexte +vous pouvez choisir dans cette liste: + «La clé a été compromise» + Utilisez cette option si vous avez une raison de croire que des + personnes ont pu accéder à votre clé secrète sans autorisation. + «La clé a été remplacée» + Utilisez cette option si vous avez remplacé la clé par une nouvelle. + «La clé n'est plus utilisée» + Utilisez cette option si cette clé n'a plus d'utilité. + «Le nom d'utilisateur n'est plus valide» + Utilisez cette option si le nom d'utilisateur ne doit plus être + utilisé. Cela sert généralement à indiquer qu'une adresse e-mail + est invalide. + +. + +.gpg.ask_revocation_reason.text +Si vous le désirez, vous pouvez entrer un texte qui explique pourquoi vous +avez émis ce certificat de révocation. Essayez de garder ce texte concis. +Une ligne vide délimite la fin du texte. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.gl.txt b/doc/help.gl.txt new file mode 100644 index 0000000..0ac3be7 --- /dev/null +++ b/doc/help.gl.txt @@ -0,0 +1,286 @@ +# help..txt - GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.#gpg.edit_ownertrust.value +# fixme: Please translate and remove the hash mark from the key line. +It's up to you to assign a value here; this value will never be exported +to any 3rd party. We need it to implement the web-of-trust; it has nothing +to do with the (implicitly created) web-of-certificates. +. + +.#gpg.edit_ownertrust.set_ultimate.okay +# fixme: Please translate and remove the hash mark from the key line. +To build the Web-of-Trust, GnuPG needs to know which keys are +ultimately trusted - those are usually the keys for which you have +access to the secret key. Answer "yes" to set this key to +ultimately trusted + +. + +.#gpg.untrusted_key.override +# fixme: Please translate and remove the hash mark from the key line. +If you want to use this untrusted key anyway, answer "yes". +. + +.#gpg.pklist.user_id.enter +# fixme: Please translate and remove the hash mark from the key line. +Enter the user ID of the addressee to whom you want to send the message. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.#gpg.keygen.algo.rsa_se +# fixme: Please translate and remove the hash mark from the key line. +In general it is not a good idea to use the same key for signing and +encryption. This algorithm should only be used in certain domains. +Please consult your security expert first. +. + +.#gpg.keygen.size +# fixme: Please translate and remove the hash mark from the key line. +Enter the size of the key +. + +.#gpg.keygen.size.huge.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.size.large.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.valid +# fixme: Please translate and remove the hash mark from the key line. +Enter the required value as shown in the prompt. +It is possible to enter a ISO date (YYYY-MM-DD) but you won't +get a good error response - instead the system tries to interpret +the given value as an interval. +. + +.#gpg.keygen.valid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.name +# fixme: Please translate and remove the hash mark from the key line. +Enter the name of the key holder +. + +.#gpg.keygen.email +# fixme: Please translate and remove the hash mark from the key line. +please enter an optional but highly suggested email address +. + +.#gpg.keygen.comment +# fixme: Please translate and remove the hash mark from the key line. +Please enter an optional comment +. + +.#gpg.keygen.userid.cmd +# fixme: Please translate and remove the hash mark from the key line. +N to change the name. +C to change the comment. +E to change the email address. +O to continue with key generation. +Q to to quit the key generation. +. + +.#gpg.keygen.sub.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" (or just "y") if it is okay to generate the sub key. +. + +.#gpg.sign_uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.sign_uid.class +# fixme: Please translate and remove the hash mark from the key line. +When you sign a user ID on a key, you should first verify that the key +belongs to the person named in the user ID. It is useful for others to +know how carefully you verified this. + +"0" means you make no particular claim as to how carefully you verified the + key. + +"1" means you believe the key is owned by the person who claims to own it + but you could not, or did not verify the key at all. This is useful for + a "persona" verification, where you sign the key of a pseudonymous user. + +"2" means you did casual verification of the key. For example, this could + mean that you verified the key fingerprint and checked the user ID on the + key against a photo ID. + +"3" means you did extensive verification of the key. For example, this could + mean that you verified the key fingerprint with the owner of the key in + person, and that you checked, by means of a hard to forge document with a + photo ID (such as a passport) that the name of the key owner matches the + name in the user ID on the key, and finally that you verified (by exchange + of email) that the email address on the key belongs to the key owner. + +Note that the examples given above for levels 2 and 3 are *only* examples. +In the end, it is up to you to decide just what "casual" and "extensive" +mean to you when you sign other keys. + +If you don't know what the right answer is, answer "0". +. + +.#gpg.change_passwd.empty.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.save.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.cancel.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.#gpg.keyedit.remove.uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you really want to delete this user ID. +All certificates are then also lost! +. + +.#gpg.keyedit.remove.subkey.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to delete the subkey +. + +.#gpg.keyedit.delsig.valid +# fixme: Please translate and remove the hash mark from the key line. +This is a valid signature on the key; you normally don't want +to delete this signature because it may be important to establish a +trust connection to the key or another key certified by this key. +. + +.#gpg.keyedit.delsig.unknown +# fixme: Please translate and remove the hash mark from the key line. +This signature can't be checked because you don't have the +corresponding key. You should postpone its deletion until you +know which key was used because this signing key might establish +a trust connection through another already certified key. +. + +.#gpg.keyedit.delsig.invalid +# fixme: Please translate and remove the hash mark from the key line. +The signature is not valid. It does make sense to remove it from +your keyring. +. + +.#gpg.keyedit.delsig.selfsig +# fixme: Please translate and remove the hash mark from the key line. +This is a signature which binds the user ID to the key. It is +usually not a good idea to remove such a signature. Actually +GnuPG might not be able to use this key anymore. So do this +only if this self-signature is for some reason not valid and +a second one is available. +. + +.#gpg.keyedit.updpref.okay +# fixme: Please translate and remove the hash mark from the key line. +Change the preferences of all user IDs (or just of the selected ones) +to the current list of preferences. The timestamp of all affected +self-signatures will be advanced by one second. + +. + +.#gpg.passphrase.enter +# fixme: Please translate and remove the hash mark from the key line. +Please enter the passphrase; this is a secret sentence + +. + +.#gpg.passphrase.repeat +# fixme: Please translate and remove the hash mark from the key line. +Please repeat the last passphrase, so you are sure what you typed in. +. + +.#gpg.detached_signature.filename +# fixme: Please translate and remove the hash mark from the key line. +Give the name of the file to which the signature applies +. + +.#gpg.openfile.overwrite.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to overwrite the file +. + +.#gpg.openfile.askoutname +# fixme: Please translate and remove the hash mark from the key line. +Please enter a new filename. If you just hit RETURN the default +file (which is shown in brackets) will be used. +. + +.#gpg.ask_revocation_reason.code +# fixme: Please translate and remove the hash mark from the key line. +You should specify a reason for the certification. Depending on the +context you have the ability to choose from this list: + "Key has been compromised" + Use this if you have a reason to believe that unauthorized persons + got access to your secret key. + "Key is superseded" + Use this if you have replaced this key with a newer one. + "Key is no longer used" + Use this if you have retired this key. + "User ID is no longer valid" + Use this to state that the user ID should not longer be used; + this is normally used to mark an email address invalid. + +. + +.#gpg.ask_revocation_reason.text +# fixme: Please translate and remove the hash mark from the key line. +If you like, you can enter a text describing why you issue this +revocation certificate. Please keep this text concise. +An empty line ends the text. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.hu.txt b/doc/help.hu.txt new file mode 100644 index 0000000..81b3991 --- /dev/null +++ b/doc/help.hu.txt @@ -0,0 +1,257 @@ +# help.hu.txt - hu GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +Az Ön döntésén múlik, hogy milyen értéket ad meg itt. Ezt az értéket soha +nem exportáljuk mások részére. Ez a bizalmak hálózatához (web-of-trust) +szükséges, semmi köze az igazolások hálózatához (web-of-certificates). +. + +.gpg.edit_ownertrust.set_ultimate.okay +Hogy a bizalmak hálózatát felépÃtsük, a GnuPG-nek tudnia kell, hogy +mely kulcsok alapvetÅ‘en megbÃzhatóak - általában ezek azok a kulcsok, +melyek titkos kulcsához hozzáfér. Válaszoljon "igen"-nel, ha kulcsot +alapvetÅ‘en megbÃzhatónak jelöli! + +. + +.gpg.untrusted_key.override +Ha mégis használni akarja ezt a kulcsot, melyben nem bÃzunk, +válaszoljon "igen"-nel! +. + +.gpg.pklist.user_id.enter +Adja meg a cÃmzett felhasználói azonosÃtóját! +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.gpg.keygen.algo.rsa_se +Ãltalában nem jó ötlet ugyanazt a kulcsot használni aláÃráshoz és +titkosÃtáshoz. Ezt az algoritmust csak bizonyos területeken ajánlatos +használni. Kérem, elÅ‘ször konzultáljon a biztonsági szakértÅ‘jével! +. + +.gpg.keygen.size +Adja meg a kulcs méretét! +. + +.gpg.keygen.size.huge.okay +Kérem, adjon "igen" vagy "nem" választ! +. + +.gpg.keygen.size.large.okay +Kérem, adjon "igen" vagy "nem" választ! +. + +.gpg.keygen.valid +Adja meg a szükséges értéket, ahogy a prompt mutatja! +Lehetséges ISO dátumot is beÃrni (ÉÉÉÉ-HH-NN), de nem fog rendes +hibaüzenetet kapni, hanem a rendszer megpróbálja az értéket +intervallumként értelmezni. +. + +.gpg.keygen.valid.okay +Kérem, adjon "igen" vagy "nem" választ! +. + +.gpg.keygen.name +Adja meg a kulcs tulajdonosának a nevét! +. + +.gpg.keygen.email +Kérem, adjon meg egy opcionális, de nagyon ajánlott e-mail cÃmet! +. + +.gpg.keygen.comment +Kérem, adjon meg egy opcionális megjegyzést! +. + +.gpg.keygen.userid.cmd +N név változtatása +M megjegyzés változtatása +E e-mail változtatása +R kulcsgenerálás folytatása +Q kilépés a kulcsgenerálásból +. + +.gpg.keygen.sub.okay +Válaszoljon "igen"-nel (vagy csak "i"-vel), ha kezdhetjük az alkulcs +létrehozását! +. + +.gpg.sign_uid.okay +Kérem, adjon "igen" vagy "nem" választ! +. + +.gpg.sign_uid.class +MielÅ‘tt aláÃr egy felhasználói azonosÃtót egy kulcson, ellenÅ‘riznie kell, +hogy a kulcs a felhasználói azonosÃtóban megnevezett személyhez tartozik. +Mások számára hasznos lehet, ha tudják, hogy milyen gondosan ellenÅ‘rizte +Ön ezt. + +"0" azt jelenti, hogy nem tesz az ellenÅ‘rzés gondosságára vonatkozó + kijelentést. + +"1" azt jelenti, hogy Ön hiszi, hogy a kulcs annak a személynek a + tulajdona, aki azt állÃtja, hogy az övé, de Ön nem tudta ezt + ellenÅ‘rizni, vagy egyszerűen nem ellenÅ‘rizte ezt. Ez hasznos egy + "persona" tÃpusú ellenÅ‘rzéshez, mikor Ön egy pszeudonim felhasználó + kulcsát Ãrja alá. + +"2" azt jelenti, hogy Ön a kulcsot hétköznapi alapossággal ellenÅ‘rizte. + Például ez azt jelentheti, hogy ellenÅ‘rizte a kulcs ujjlenyomatát, és + összevetette a kulcson szereplÅ‘ felhasználóazonosÃtót egy fényképes + igazolvánnyal. + +"3" azt jelenti, hogy alaposan ellenÅ‘rizte a kulcsot. Például ez azt + jelentheti, hogy a kulcs ujjlenyomatát a tulajdonossal személyesen + találkozva ellenÅ‘rizte, egy nehezen hamisÃtható, fényképes igazolvánnyal + (mint az útlevél) meggyÅ‘zÅ‘dött arról, hogy a személy neve egyezik a + kulcson levÅ‘vel, és végül (e-mail váltással) ellenÅ‘rizte, hogy a kulcson + szereplÅ‘ e-mail cÃm a kulcs tulajdonosához tartozik. + +A 2-es és 3-as szintekhez adott példák *csak* példák. VégsÅ‘ soron Ön dönti +el, hogy mit jelentenek Önnek a "hétköznapi" és "alapos" kifejezések, +amikor mások kulcsát aláÃrja. + +Ha nem tudja, hogy mit válaszoljon, Ãrjon "0"-t! +. + +.gpg.change_passwd.empty.okay +Kérem, adjon "igen" vagy "nem" választ! +. + +.gpg.keyedit.save.okay +Kérem, adjon "igen" vagy "nem" választ! +. + +.gpg.keyedit.cancel.okay +Kérem, adjon "igen" vagy "nem" választ! +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.gpg.keyedit.remove.uid.okay +Válaszoljon "igen"-nel, ha valóban törölni akarja ezt a felhasználóazonosÃtót! +Minden igazolás törlÅ‘dik vele együtt! +. + +.gpg.keyedit.remove.subkey.okay +Válaszoljon "igen"-nel, ha az alkulcs törölhetÅ‘. +. + +.gpg.keyedit.delsig.valid +Ez egy érvényes aláÃrás a kulcson. Normál esetben nincs értelme +törölni, mert fontos lehet ahhoz, hogy érvényesÃtse ezt a kulcsot, +vagy egy másikat, melyet ezzel a kulccsal igazolnak. +. + +.gpg.keyedit.delsig.unknown +Ezt az aláÃrást nem tudom ellenÅ‘rizni, mert nincs meg a hozzá tartozó +kulcs. Ajánlatos lenne elhalasztani a törlést addig, amÃg meg nem tudja, +hogy melyik kulcsot használták, mert ez az aláÃró kulcs bizalmi +kapcsolatot hozhat létre egy már hitelesÃtett kulcson keresztül. +. + +.gpg.keyedit.delsig.invalid +Ez az aláÃrás nem érvényes. Értelmetlen eltávolÃtani a kulcskarikáról. +. + +.gpg.keyedit.delsig.selfsig +Ez egy olyan aláÃrás, amely összeköti a felhasználóazonosÃtót +a kulccsal. Ãltalában nem jó ötlet egy ilyen aláÃrást eltávolÃtani. +Az is lehetséges, hogy a GnuPG többé nem tudja használni ezt +a kulcsot. Csak akkor tegye ezt, ha valami okból ez az önaláÃrás nem +érvényes, és rendelkezésre áll egy másik! +. + +.gpg.keyedit.updpref.okay +Lecseréli az összes felhasználóazonosÃtóhoz (vagy csak a kijelöltekhez) +tartozó preferenciákat az aktuális preferenciákra. Minden érintett +önaláÃrás idÅ‘pontját egy másodperccel növeli. + +. + +.gpg.passphrase.enter +Kérem, adja meg a jelszót! Ezt egy titkos mondat. + +. + +.gpg.passphrase.repeat +Kérem, ismételje meg az elÅ‘zÅ‘ jelszót ellenÅ‘rzésképpen! +. + +.gpg.detached_signature.filename +Adja meg az állomány nevét, melyhez az aláÃrás tartozik! +. + +.gpg.openfile.overwrite.okay +Válaszoljon "igen"-nel, ha felülÃrható az állomány! +. + +.gpg.openfile.askoutname +Kérem, adjon meg egy új fájlnevet! Ha RETURN-t/ENTER-t nyom, akkor +a szögletes zárójelben levÅ‘ alapértelmezett nevet használom. +. + +.gpg.ask_revocation_reason.code +Ajánlatos megadni a visszavonás okát. A helyzettÅ‘l függÅ‘en válasszon +a következÅ‘ listából: + "A kulcs kompromittálódott." + Használja ezt akkor, ha oka van azt hinni, hogy titkos kulcsa + illetéktelen kezekbe került! + "A kulcsot lecserélték." + Használja ezt akkor, ha a kulcsot lecserélte egy újabbra! + "A kulcs már nem használatos." + Használja ezt akkor, ha már nem használja a kulcsot! + "A felhasználóazonosÃtó már nem érvényes." + Használja ezt akkor, ha azt állÃtja, hogy a felhasználóazonosÃtó + már nem használatos! Ãltalában érvénytelen e-mail cÃmet jelent. + +. + +.gpg.ask_revocation_reason.text +Ha akarja, megadhat egy szöveget, melyben megindokolja, hogy miért +adta ki ezt a visszavonó igazolást. Kérem, fogalmazzon tömören! +Egy üres sor jelzi a szöveg végét. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.id.txt b/doc/help.id.txt new file mode 100644 index 0000000..c07492f --- /dev/null +++ b/doc/help.id.txt @@ -0,0 +1,251 @@ +# help.id.txt - id GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +Terserah anda untuk memberi nilai baru di sini; nilai ini tidak akan diekspor +ke pihak ketiga. Kami perlu untuk mengimplementasikan web-of-trust; tidak ada +kaitan dengan (membuat secara implisit) web-of-certificates. +. + +.gpg.edit_ownertrust.set_ultimate.okay +Untuk membuat Web-of-Trust, GnuPG perlu tahu kunci mana yang +sangat dipercaya - mereka biasanya adalah kunci yang anda punya +akses ke kunci rahasia. Jawab "yes" untuk menset kunci ini ke +sangat dipercaya + +. + +.gpg.untrusted_key.override +Jika anda ingin menggunakan kunci tidak terpercaya ini, jawab "ya". +. + +.gpg.pklist.user_id.enter +Masukkan ID user penerima pesan. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.gpg.keygen.algo.rsa_se +Secara umum bukan ide baik untuk menggunakan kunci yang sama untuk menandai dan +mengenkripsi. Algoritma ini seharusnya digunakan dalam domain tertentu. +Silakan berkonsultasi dulu dengan ahli keamanan anda. +. + +.gpg.keygen.size +Masukkan ukuran kunci +. + +.gpg.keygen.size.huge.okay +Jawab "ya" atau "tidak" +. + +.gpg.keygen.size.large.okay +Jawab "ya" atau "tidak" +. + +.gpg.keygen.valid +Masukkan nilai yang diperlukan seperti pada prompt. +Dapat digunakan format (YYYY-MM-DD) untuk mengisi tanggal ISO tetapi anda +tidak akan mendapat respon kesalahan yang baik - sebaiknya sistem akan +berusaha menginterprestasi nilai yang diberikan sebagai sebuah interval. +. + +.gpg.keygen.valid.okay +Jawab "ya" atau "tidak" +. + +.gpg.keygen.name +Masukkan nama pemegang kunci +. + +.gpg.keygen.email +silakan masukkan alamat email (pilihan namun sangat dianjurkan) +. + +.gpg.keygen.comment +Silakan masukkan komentar tambahan +. + +.gpg.keygen.userid.cmd +N untuk merubah nama. +K untuk merubah komentar. +E untuk merubah alamat email. +O untuk melanjutkan dengan pembuatan kunci. +K untuk menghentikan pembuatan kunci. +. + +.gpg.keygen.sub.okay +Jawab "ya" (atau "y") jika telah siap membuat subkey. +. + +.gpg.sign_uid.okay +Jawab "ya" atau "tidak" +. + +.gpg.sign_uid.class +Ketika anda menandai user ID pada kunci, anda perlu memverifikasi bahwa kunci +milik orang yang disebut dalam user ID. Ini penting bagi orang lain untuk tahu +seberapa cermat anda memverifikasi ini. + +"0" berarti anda tidak melakukan klaim tentang betapa cermat anda memverifikasi kunci. + +"1" berarti anda percaya bahwa kunci dimiliki oleh orang yang mengklaim memilikinya + namun anda tidak dapat, atau tidak memverifikasi kunci sama sekali. Hal ini bergunabagi + verifikasi "persona", yaitu anda menandai kunci user pseudonymous + +"2" berarti anda melakukan verifikasi kasual atas kunci. Sebagai contoh, halini dapat + berarti bahwa anda memverifikasi fingerprint kunci dan memeriksa user ID pada kunci + dengan photo ID. + +"3" berarti anda melakukan verifikasi ekstensif atas kunci. Sebagai contoh, hal ini + dapat berarti anda memverifikasi fingerprint kunci dengan pemilik kunci + secara personal, dan anda memeriksa, dengan menggunakan dokumen yang sulit dipalsukan yang memiliki + photo ID (seperti paspor) bahwa nama pemilik kunci cocok dengan + nama user ID kunci, dan bahwa anda telah memverifikasi (dengan pertukaran + email) bahwa alamat email pada kunci milik pemilik kunci. + +Contoh-contoh pada level 2 dan 3 hanyalah contoh. +Pada akhirnya, terserah anda untuk memutuskan apa arti "kasual" dan "ekstensif" +bagi anda ketika menandai kunci lain. + +Jika anda tidak tahu jawaban yang tepat, jawab "0". +. + +.gpg.change_passwd.empty.okay +Jawab "ya" atau "tidak" +. + +.gpg.keyedit.save.okay +Jawab "ya" atau "tidak" +. + +.gpg.keyedit.cancel.okay +Jawab "ya" atau "tidak" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.gpg.keyedit.remove.uid.okay +Jawab "ya" jika anda benar-benar ingin menghapus ID user ini. +Seluruh sertifikat juga akan hilang! +. + +.gpg.keyedit.remove.subkey.okay +Jawab "ya" jika ingin menghapus subkey +. + +.gpg.keyedit.delsig.valid +Ini adalah signature valid untuk kunci; anda normalnya tdk ingin menghapus +signature ini karena mungkin penting membangun koneksi trust ke kunci atau +ke kunci tersertifikasi lain dengan kunci ini. +. + +.gpg.keyedit.delsig.unknown +Signature ini tidak dapat diperiksa karena anda tidak memiliki kunci +korespondennya. Anda perlu menunda penghapusannya hingga anda tahu +kunci yang digunakan karena kunci penanda ini mungkin membangun suatu +koneksi trust melalui kunci yang telah tersertifikasi lain. +. + +.gpg.keyedit.delsig.invalid +Signature tidak valid. Adalah hal yang masuk akal untuk menghapusnya dari +keyring anda +. + +.gpg.keyedit.delsig.selfsig +Ini adalah signature yang menghubungkan ID pemakai ke kunci. Biasanya +bukan ide yang baik untuk menghapus signature semacam itu. Umumnya +GnuPG tidak akan dapat menggunakan kunci ini lagi. Sehingga lakukan hal +ini bila self-signature untuk beberapa alasan tidak valid dan +tersedia yang kedua. +. + +.gpg.keyedit.updpref.okay +Rubah preferensi seluruh user ID (atau hanya yang terpilih) +ke daftar preferensi saat ini. Timestamp seluruh self-signature +yang terpengaruh akan bertambah satu detik. + +. + +.gpg.passphrase.enter +Silakan masukkan passphrase; ini kalimat rahasia + +. + +.gpg.passphrase.repeat +Silakan ulangi passphrase terakhir, sehingga anda yakin yang anda ketikkan. +. + +.gpg.detached_signature.filename +Beri nama file tempat berlakunya signature +. + +.gpg.openfile.overwrite.okay +Jawab "ya" jika tidak apa-apa menimpa file +. + +.gpg.openfile.askoutname +Silakan masukan nama file baru. Jika anda hanya menekan RETURN nama +file baku (yang diapit tanda kurung) akan dipakai. +. + +.gpg.ask_revocation_reason.code +Anda harus menspesifikasikan alasan pembatalan. Semua ini tergantung +konteks, anda dapat memilih dari daftar berikut: + "Key has been compromised" + Gunakan ini jika anda punya alasan untuk percaya bahwa orang yang tidak berhak + memiliki akses ke kunci pribadi anda. + "Key is superseded" + Gunakan ini bila anda mengganti kunci anda dengan yang baru. + "Key is no longer used" + Gunakan ini bila anda telah mempensiunkan kunci ini. + "User ID is no longer valid" + Gunakan ini untuk menyatakan user ID tidak boleh digunakan lagi; + normalnya digunakan untuk menandai bahwa alamat email tidak valid lagi. + +. + +.gpg.ask_revocation_reason.text +Jika anda suka, anda dapat memasukkan teks menjelaskan mengapa anda +mengeluarkan sertifikat pembatalan ini. Buatlah ringkas. +Baris kosong mengakhiri teks. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.it.txt b/doc/help.it.txt new file mode 100644 index 0000000..675f8c0 --- /dev/null +++ b/doc/help.it.txt @@ -0,0 +1,251 @@ +# help.it.txt - Italian GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +E compito tuo assegnare un valore; questo valore non sarà mai esportato a +terzi. Ci serve per implementare il web-of-trust; non ha nulla a che fare +con il web-of-certificates (creato implicitamente). +. + +.gpg.edit_ownertrust.set_ultimate.okay +Per costruire il Web-Of-Trust, GnuPG ha bisogno di sapere quali chiavi sono +definitivamente affidabili - di solito quelle per cui hai accesso alla chiave +segreta. +Rispondi "sì" per impostare questa chiave come definitivamente affidabile + +. + +.gpg.untrusted_key.override +Se vuoi usare comunque questa chiave non fidata, rispondi "si". +. + +.gpg.pklist.user_id.enter +Inserisci l'user ID del destinatario a cui vuoi mandare il messaggio. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.gpg.keygen.algo.rsa_se +In generale non è una buona idea usare la stessa chiave per le firme e la +cifratura. Questo algoritmo dovrebbe solo essere usato in determinati campi. +Per favore consulta prima il tuo esperto di sicurezza. +. + +.gpg.keygen.size +Inserisci le dimensioni della chiave +. + +.gpg.keygen.size.huge.okay +Rispondi "si" o "no" +. + +.gpg.keygen.size.large.okay +Rispondi "si" o "no" +. + +.gpg.keygen.valid +Inserisci il valore richiesto come indicato dal prompt. +È possibile inserire una data in formato ISO (YYYY-MM-DD) ma non avrai un +messaggio di errore corretto: il sistema cerca di interpretare il valore +dato come un intervallo. +. + +.gpg.keygen.valid.okay +Rispondi "si" o "no" +. + +.gpg.keygen.name +Inserisci il nome del proprietario della chiave +. + +.gpg.keygen.email +Inserisci un indirizzo di email opzionale (ma fortemente suggerito) +. + +.gpg.keygen.comment +Inserisci un commento opzionale +. + +.gpg.keygen.userid.cmd +N per cambiare il nome. +C per cambiare il commento. +E per cambiare l'indirizzo di email. +O per continuare con la generazione della chiave. +Q per abbandonare il processo di generazione della chiave. +. + +.gpg.keygen.sub.okay +Rispondi "si" (o "y") se va bene generare la subchiave. +. + +.gpg.sign_uid.okay +Rispondi "si" o "no" +. + +.gpg.sign_uid.class +Quando firmi l'user ID di una chiave dovresti prima verificare che questa +appartiene alla persona indicata nell'user ID. È utile agli altri sapere +con quanta attenzione lo hai verificato. + +"0" significa che non fai particolari affermazioni sull'attenzione con cui + hai ferificato la chiave. + +"1" significa che credi che la chiave sia posseduta dalla persona che dice di + possederla, ma non hai o non hai potuto verificare per niente la chiave. + +"2" significa che hai fatto una verifica superficiale della chiave. Per esempio + potrebbe significare che hai verificato l'impronta digitale e confrontato + l'user ID della chiave con un documento di identità con fotografia. + +"3" significa che hai fatto una verifica approfondita della chiave. Per esempio + potrebbe significare che hai verificato di persona l'impronta digitale con + il possessore della chiave e hai controllato, per esempio per mezzo di + un documento di identità con fotografia difficile da falsificare (come + un passaporto), che il nome del proprietario della chiave corrisponde a + quello nell'user ID della chiave, e per finire che hai verificato + (scambiando dei messaggi) che l'indirizzo di email sulla chiave appartiene + al proprietario. + +Nota che gli esempi indicati per i livelli 2 e 3 sono *solo* esempi. Alla fine +sta a te decidere cosa significano "superficiale" e "approfondita" quando +firmi chiavi di altri. + +Se non sai cosa rispondere, rispondi "0". +. + +.gpg.change_passwd.empty.okay +Rispondi "si" o "no" +. + +.gpg.keyedit.save.okay +Rispondi "si" o "no" +. + +.gpg.keyedit.cancel.okay +Rispondi "si" o "no" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.gpg.keyedit.remove.uid.okay +Rispondi "si" se vuoi davvero cancellare questo user ID. +Tutti i certificati saranno persi! +. + +.gpg.keyedit.remove.subkey.okay +Rispondi "si" se va bene cancellare la subchiave +. + +.gpg.keyedit.delsig.valid +Questa è una firma valida per la chiave. Normalmente non vorresti cancellare +questa firma perchè può essere importante per stabilire una connessione di +fiducia alla chiave o a un'altra chiave certificata da questa chiave. +. + +.gpg.keyedit.delsig.unknown +Questa firma non può essere verificata perchè non hai la chiave corrispondente. +Dovresti rimandare la sua cancellazione finchè non saprai quale chiave è stata +usata perchè questa chiave potrebbe stabilire una connessione di fiducia +attraverso una chiave già certificata. +. + +.gpg.keyedit.delsig.invalid +La firma non è valida. Ha senso rimuoverla dal tuo portachiavi. +. + +.gpg.keyedit.delsig.selfsig +Questa è una firma che collega l'user id alla chiave. Solitamente non è una +buona idea rimuovere questo tipo di firma. In realtà GnuPG potrebbe non essere +più in grado di usare questa chiave. Quindi fallo solo se questa autofirma non +è valida per qualche ragione e ne è disponibile un'altra. +. + +.gpg.keyedit.updpref.okay +Cambia le preferenze di tutti gli user ID (o solo di quelli selezionati) con +la lista di preferenze corrente. L'orario di tutte le autofirme coinvolte +sarà aumentato di un secondo. + +. + +.gpg.passphrase.enter +Inserisci la passphrase, cioè una frase segreta + +. + +.gpg.passphrase.repeat +Ripeti l'ultima passphrase per essere sicuro di cosa hai scritto. +. + +.gpg.detached_signature.filename +Inserisci il nome del file a cui si riferisce la firma. +. + +.gpg.openfile.overwrite.okay +Rispondi "si" se va bene sovrascrivere il file. +. + +.gpg.openfile.askoutname +Inserisci il nuovo nome del file. Se premi INVIO sarà usato il nome +predefinito (quello indicato tra parentesi). +. + +.gpg.ask_revocation_reason.code +Dovresti specificare un motivo per questa certificazione. A seconda del +contesto hai la possibilità di scegliere tra questa lista: + "Key has been compromised" + Usa questo se hai un motivo per credere che una persona non autorizzata + abbia avuto accesso alla tua chiave segreta. + "Key is superseded" + Usa questo se hai sostituito questa chiave con una più recente. + "Key is no longer used" + Usa questo se hai mandato in pensione questa chiave. + "User ID is no longer valid" + Usa questo per affermare che l'user ID non dovrebbe più essere usato; + solitamente è usato per indicare un indirizzo di email non valido. + +. + +.gpg.ask_revocation_reason.text +Se vuoi, puoi digitare un testo che descrive perché hai emesso +questo certificato di revoca. Per favore sii conciso. +Una riga vuota termina il testo. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.ja.txt b/doc/help.ja.txt new file mode 100644 index 0000000..c503de6 --- /dev/null +++ b/doc/help.ja.txt @@ -0,0 +1,335 @@ +# help.ja.txt - Japanese GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + +.#pinentry.qualitybar.tooltip +# [ ã“ã®ã‚¨ãƒ³ãƒˆãƒªã¯æœ‰åŠ¹ã«ã™ã‚‹ã«ã¯ã€ä¸Šè¨˜ã®ã‚ー㮠# を削除ã—ã¦ãã ã•ã„。] +# ã“ã‚Œã¯ä¾‹ã§ã™ã€‚ +ã“ã®ãƒãƒ¼ã¯ã€å…¥åŠ›ã•ã‚ŒãŸãƒ‘スフレーズã®å“質を示ã—ã¦ã„ã¾ã™ã€‚ + +ãƒãƒ¼ãŒèµ¤ã„色ã¨ãªã£ã¦ã„ã‚‹å ´åˆã€GnuPGã¯ãƒ‘スフレーズãŒå¼±ã™ãŽã‚‹ã¨åˆ¤æ–ã—ã€å— +ã‘付ã‘ã¾ã›ã‚“。管ç†è€…ã«ãƒ‘スフレーズã®åˆ¶é™ã®è¨å®šã«ã¤ã„ã¦è©³ç´°ã‚’å•ã„åˆã‚ã› +ã¦ãã ã•ã„。 +. + +.gnupg.agent-problem +# There was a problem accessing or starting the agent. +動作ä¸ã®Gpg-Agentã¸ã®æŽ¥ç¶šãŒã§ããªã‹ã£ãŸã‹ã€é€šä¿¡ã®å•é¡ŒãŒç™ºç”Ÿã—ã¾ã—ãŸã€‚ + +システムã¯ã€Gpg-Agentã¨å‘¼ã°ã‚Œã‚‹ãƒãƒƒã‚¯ã‚°ãƒ©ã‚¦ãƒ³ãƒ‰ãƒ»ãƒ—ãƒã‚»ã‚¹ã‚’利用ã—ã€ç§˜å¯† +éµã¨ãƒ‘スフレーズã®å•ã„åˆã‚ã›ã‚’処ç†ã—ã¾ã™ã€‚ã“ã®ã‚¨ãƒ¼ã‚¸ã‚§ãƒ³ãƒˆã¯é€šå¸¸ã€ãƒ¦ãƒ¼ +ザãŒãƒã‚°ã‚¤ãƒ³ã™ã‚‹ã¨ãã«é–‹å§‹ã•ã‚Œã€ãƒã‚°ã‚¤ãƒ³ã—ã¦ã„ã‚‹é–“ã€å‹•ã„ã¦ã„ã¾ã™ã€‚ã‚‚ã—〠+エージェントãŒåˆ©ç”¨å¯èƒ½ã§ãªã„å ´åˆã€ã‚·ã‚¹ãƒ†ãƒ ã¯ã€ãã®å ´ã§ã‚¨ãƒ¼ã‚¸ã‚§ãƒ³ãƒˆã®èµ· +動を試ã—ã¾ã™ãŒã€ã“ã®å ´åˆã€æ©Ÿèƒ½ãŒã‚„や制é™ã•ã‚Œã€è‹¥å¹²ã®å•é¡ŒãŒã‚ã‚‹å ´åˆãŒã‚ +ã‚Šã¾ã™ã€‚ + +ã‚‚ã—ã‹ã—ãŸã‚‰ã€ç®¡ç†è€…ã«å•ã„åˆã‚ã›ã¦ã€ã“ã®å•é¡Œã‚’ã©ã®ã‚ˆã†ã«è§£æ±ºã—ãŸã‚‰è‰¯ã„ +ã‹èžã„ãŸæ–¹ãŒè‰¯ã„ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“。ã¨ã‚Šã‚ãˆãšã®æ–¹ç–ã¨ã—ã¦ã¯ã€ä¸€åº¦ãƒã‚°ã‚¢ã‚¦ +トã—ã¦ã‚‚ã†ä¸€åº¦ãƒã‚°ã‚¤ãƒ³ã—ã€æ”¹å–„ãŒè¦‹ã‚‰ã‚Œã‚‹ã‹è©¦ã—ã¦ã¿ã‚‹ã“ã¨ãŒã‚ã‚Šã¾ã™ã€‚ã‚‚ +ã—ã€ã“ã‚ŒãŒã†ã¾ãã„ãよã†ã§ã‚ã‚Œã°ç®¡ç†è€…ã«å ±å‘Šã—ã¦ãã ã•ã„。ãã‚Œã¯ãŠãら +ãã€ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã®ãƒã‚°ã§ã‚ã‚‹ã“ã¨ã‚’示ã—ã¦ã„ã¾ã™ã®ã§ã€‚ +. + + +.gnupg.dirmngr-problem +# There was a problen accessing the dirmngr. +動作ä¸ã®Dirmngrã¸ã®æŽ¥ç¶šãŒã§ããªã‹ã£ãŸã‹ã€é€šä¿¡ã®å•é¡ŒãŒç™ºç”Ÿã—ã¾ã—ãŸã€‚ + +証明書失効リスト(CRL)を検索ã—ã€OCSPã®æ‡¸è³žã¨LDAPサーãƒã‚’通ã˜ã¦éµã‚’検索㙠+ã‚‹ãŸã‚ã€ã‚·ã‚¹ãƒ†ãƒ ã¯ã€Dirmngrã¨å‘¼ã°ã‚Œã‚‹å¤–部サービス・プãƒã‚°ãƒ©ãƒ を利用ã—ã¾ +ã™ã€‚Dirmngrã¯é€šå¸¸ã€ã‚·ã‚¹ãƒ†ãƒ サービス(daemon)ã¨ã—ã¦å®ŸåŠ¹ã•ã‚Œã¾ã™ã€ä¸€èˆ¬ãƒ¦ãƒ¼ +ザã¯æ°—ã«ã™ã‚‹å¿…è¦ã¯ã‚ã‚Šã¾ã›ã‚“。å•é¡ŒãŒã‚ã‚‹å ´åˆã€ã‚·ã‚¹ãƒ†ãƒ ã¯ã€è¦æ±‚ã«å¿œã˜ã¦ã€ +Dirmngrã‚’èµ·å‹•ã™ã‚‹ã“ã¨ãŒã‚ã‚Šã¾ã™ãŒã€ã“ã‚Œã¯å¯¾å¿œç–ã§ã‚ã‚Šã€æ€§èƒ½ã«åˆ¶é™ãŒç”Ÿã˜ +ã¾ã™ã€‚ + +ã“ã®å•é¡ŒãŒã‚ã‚‹å ´åˆã€ã‚·ã‚¹ãƒ†ãƒ 管ç†è€…ã«é€£çµ¡ã—ã€ã©ã®ã‚ˆã†ã«é€²ã‚ãŸã‚‰è‰¯ã„ã‹å• +ã„åˆã‚ã›ã¦ãã ã•ã„。ã¨ã‚Šã‚ãˆãšã®è§£æ±ºç–ã¨ã—ã¦ã¯ã€gpgsmã®è¨å®šã§CRLã®æ¤œè¨¼ +ã‚’åœæ¢ã•ã›ã‚‹ã“ã¨ãŒè€ƒãˆã‚‰ã‚Œã¾ã™ã€‚ +. + + +.gpg.edit_ownertrust.value +ã“ã“ã§ã®å€¤ã®æŒ‡å®šã¯ã€ã‚ãªãŸã«ä»»ã•ã‚Œã¦ã„ã¾ã™ã€‚ã“ã®å€¤ã¯ã€ç¬¬ä¸‰è€…ã«é–‹ç¤ºã•ã‚Œ +ã‚‹ã“ã¨ã¯æ±ºã—ã¦ã‚ã‚Šã¾ã›ã‚“。ウェブ・オブ・トラストを実装ã™ã‚‹ãŸã‚ã«ã“ã®å€¤ +ãŒå¿…è¦ã¨ãªã‚Šã¾ã™ãŒã€(暗黙的ã«ä½œã‚‰ã‚Œã‚‹)証明書ã®ç¶²ã«ã¯ä½•ã‚‚関係ã—ã¾ã›ã‚“。 +. + +.gpg.edit_ownertrust.set_ultimate.okay +ウェブ・オブ・トラストを構築ã™ã‚‹ãŸã‚ã«GnuPGã¯ã€ã©ã®éµãŒç©¶æ¥µçš„ã«ä¿¡é ¼ã§ã +ã‚‹ã‹ã‚’知る必è¦ãŒã‚ã‚Šã¾ã™ã€‚ãã®éµã¯é€šå¸¸ã¯ã€ã‚ãªãŸãŒç§˜å¯†éµã¸ã‚¢ã‚¯ã‚»ã‚¹ã§ã +ã‚‹ã‚‚ã®ã§ã™ã€‚ã“ã®éµãŒç©¶æ¥µçš„ã«ä¿¡é ¼ã§ãã‚‹å ´åˆã€"yes" ã¨ç”ãˆã¦ãã ã•ã„。 +. + + +.gpg.untrusted_key.override +ã“ã®ä¿¡é ¼ã•ã‚Œã¦ãªã„éµã‚’ã©ã¡ã‚‰ã«ã›ã‚ˆä½¿ã„ãŸã„å ´åˆã€"yes" ã¨ç”ãˆã¦ãã ã•ã„。 +. + +.gpg.pklist.user_id.enter +ã“ã®ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã‚’é€ã‚ŠãŸã„宛先ã®ãƒ¦ãƒ¼ã‚¶IDを入力ã—ã¦ãã ã•ã„。 +. + +.gpg.keygen.algo +使用ã™ã‚‹ã‚¢ãƒ«ã‚´ãƒªã‚ºãƒ ã‚’é¸æŠžã—ã¦ãã ã•ã„。 + +DSA (別å DSS)ã¯é›»åç½²åアルゴリズムã§ã‚ã‚Šã€ç½²åã«ã®ã¿ä½¿ãˆã¾ã™ã€‚ + +Elgamal ã¯æš—å·åŒ–ã®ã¿ã®ã‚¢ãƒ«ã‚´ãƒªã‚ºãƒ ã§ã™ã€‚ + +RSA ã¯ç½²åã¨æš—å·åŒ–ã®ã©ã¡ã‚‰ã«ã‚‚使ãˆã¾ã™ã€‚ + +主éµã¯å¸¸ã«ã€ç½²åãŒå¯èƒ½ã®éµã§ã‚ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚ +. + + +.gpg.keygen.algo.rsa_se +一般的ã«ã€ç½²åã¨æš—å·åŒ–ã«åŒä¸€ã®éµã‚’用ã„ã‚‹ã“ã¨ã¯è‰¯ã„ã“ã¨ã§ã¯ã‚ã‚Šã¾ã›ã‚“。 +ã“ã®ã‚¢ãƒ«ã‚´ãƒªã‚ºãƒ ã¯ã‚る特定ã®é ˜åŸŸã ã‘ã«ä½¿ã†ã¹ãã§ã™ã€‚ã¾ãšã€ã‚»ã‚ュリティ +ã®å°‚門家ã«ç›¸è«‡ã—ã¦ãã ã•ã„。 +. + + +.gpg.keygen.size +éµã®é•·ã•ã‚’入力ã—ã¦ãã ã•ã„。 + +æ案ã•ã‚ŒãŸãƒ‡ãƒ•ã‚©ãƒ«ãƒˆãŒé€šå¸¸è‰¯ã„é¸æŠžã§ã™ã€‚ + +大ããªéµé•·ã‚’使ã„ãŸã„å ´åˆã€ãŸã¨ãˆã°4096ビットãªã©ã€æœ¬å½“ã«æ„味ãŒã‚ã‚‹ã‹å† +検討ã—ã¦ãã ã•ã„。ã“ã¡ã‚‰ã®ã‚¦ã‚§ãƒ–ページを見るã®ã‚‚良ã„ã¨æ€ã„ã¾ã™: +http://www.xkcd.com/538/ +. + +.gpg.keygen.size.huge.okay +"yes" ã‹ "no" ã§ç”ãˆã¦ãã ã•ã„。 +. + + +.gpg.keygen.size.large.okay +"yes" ã‹ "no" ã§ç”ãˆã¦ãã ã•ã„。 +. + + +.gpg.keygen.valid +プãƒãƒ³ãƒ—トã§ç¤ºã•ã‚ŒãŸå¿…è¦ãªå€¤ã‚’入力ã—ã¦ãã ã•ã„。ISOå½¢å¼ã®æ—¥ä»˜ +(YYYY-MM-DD)ã®å…¥åŠ›ãŒå¯èƒ½ã§ã™ãŒã€è‰¯ã„エラー対応ãŒå¾—られãªã„ã‹ã‚‚ã—ã‚Œã¾ã› +ん。システムãŒä¸Žãˆã‚‰ã‚ŒãŸå€¤ã‚’期間ã¨è§£é‡ˆã™ã‚‹ã“ã¨ãŒã‚ã‚Šã¾ã™ã€‚. +. + +.gpg.keygen.valid.okay +"yes" ã‹ "no" ã§ç”ãˆã¦ãã ã•ã„。 +. + + +.gpg.keygen.name +éµã®æŒã¡ä¸»ã®åå‰ã‚’入力ã—ã¦ãã ã•ã„。 +æ–‡å— "<" 㨠">" ã¯è¨±ã•ã‚Œã¦ã„ã¾ã›ã‚“。 +例: Heinrich Heine +. + + +.gpg.keygen.email +オプションã§ã™ãŒæŽ¨å¥¨ã•ã‚Œã‚‹é›»åメールアドレスを入力ã—ã¦ãã ã•ã„。 +例: heinrichh@duesseldorf.de +. + +.gpg.keygen.comment +オプションã®ã‚³ãƒ¡ãƒ³ãƒˆã‚’入力ã—ã¦ãã ã•ã„。 +æ–‡å— "(" 㨠")" ã¯è¨±ã•ã‚Œã¦ã„ã¾ã›ã‚“。 +一般的ã«ã‚³ãƒ¡ãƒ³ãƒˆã¯å¿…è¦ã§ã¯ã‚ã‚Šã¾ã›ã‚“。 +. + + +.gpg.keygen.userid.cmd +# (Keep a leading empty line) + +N åå‰ã®å¤‰æ›´ã€‚ +C コメントã®å¤‰æ›´ã€‚ +E é›»åメールアドレスã®å¤‰æ›´ã€‚ +O éµç”Ÿæˆã«é€²ã‚€ã€‚ +Q éµç”Ÿæˆã‚’æ¢ã‚る。 +. + +.gpg.keygen.sub.okay +副éµã‚’生æˆã—ã¦ã‚ˆã‘ã‚Œã°ã€"yes" (ã‚ã‚‹ã„ã¯å˜ã« "y") ã¨ç”ãˆã¦ãã ã•ã„。 +. + +.gpg.sign_uid.okay +"yes" ã‹ "no" ã§ç”ãˆã¦ãã ã•ã„。 +. + +.gpg.sign_uid.class +ã‚ã‚‹éµã®ãƒ¦ãƒ¼ã‚¶IDã«ç½²åã™ã‚‹ã¨ãã€ã‚ãªãŸã¯ã€ã¾ãšã€ãã®éµãŒãã®ãƒ¦ãƒ¼ã‚¶IDã® +人ã«å±žã™ã‚‹ã‹ã©ã†ã‹ã‚’確èªã—ãªã‘ã‚Œã°ãªã‚Šã¾ã›ã‚“。ã‚ãªãŸãŒã©ã‚Œãらã„ã“れを +æ…Žé‡ã«ç¢ºèªã—ãŸã‹ã«ã¤ã„ã¦ã€ã»ã‹ã®äººãŒçŸ¥ã‚‹ã“ã¨ã¯æœ‰ç”¨ã§ã™ã€‚ + +"0" ã¯ã€ã©ã‚Œãらã„æ…Žé‡ã«ç¢ºèªã—ãŸã‹ã«ã¤ã„ã¦ç‰¹ã«ãªã«ã‚‚主張ã—ãªã„ã“ã¨ã‚’æ„味ã—ã¾ã™ã€‚ + +"1" ã¯ã€ã‚ãªãŸã¯ã€ä¸»å¼µã™ã‚‹ãã®äººãŒæ‰€æœ‰ã™ã‚‹éµã§ã‚ã‚‹ã¨è€ƒãˆã‚‹ãŒã€ãã®éµã«ã¤ã„ã¦ã€ + 確èªã§ããªã‹ã£ãŸã€ã‚ã‚‹ã„ã¯ã—ãªã‹ã£ãŸã“ã¨ã‚’æ„味ã—ã¾ã™ã€‚ã“ã‚Œã¯ã€ãƒšãƒ³ãƒãƒ¼ãƒ ã® + ユーザã®éµã«ç½²åã™ã‚‹ã‚ˆã†ãª "persona" 確èªã«æœ‰ç”¨ã§ã™ã€‚ + +"2" ã¯ã€ãã®éµã«å¯¾ã—ã€é€šå¸¸ã®æ¤œè¨¼ã‚’è¡Œã£ãŸã“ã¨ã‚’æ„味ã—ã¾ã™ã€‚ãŸã¨ãˆã°ã€éµ + ã®ãƒ•ã‚£ãƒ³ã‚¬ãƒ¼ãƒ—リントを確èªã—ã€å†™çœŸä»˜ãIDã§ãƒ¦ãƒ¼ã‚¶IDを確èªã—ãŸã“ã¨ã‚’ + æ„味ã—ã¾ã™ã€‚ + +"3" ã¯ã€ãã®éµã«å¯¾ã—ã€åºƒç¯„ãªæ¤œè¨¼ã‚’è¡Œã£ãŸã“ã¨ã‚’æ„味ã—ã¾ã™ã€‚ãŸã¨ãˆã°ã€éµ + ã®ãƒ•ã‚£ãƒ³ã‚¬ãƒ¼ãƒ—リントを対é¢ã§ç¢ºèªã—ã€ãƒ‘スãƒãƒ¼ãƒˆãªã©å½é€ ã™ã‚‹ã“ã¨ãŒé›£ + ã—ã„写真付ãIDã§ãƒ¦ãƒ¼ã‚¶IDを確èªã—ã€æ‰€æœ‰è€…ã®åå‰ãŒéµã®ãƒ¦ãƒ¼ã‚¶IDã«é©åˆ + ã—ã€ãƒ¡ãƒ¼ãƒ«ã®äº¤æ›ã§ã€ãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒæ‰€æœ‰è€…ã«å±žã™ã‚‹ã“ã¨ã‚’確èªã—ãŸã“ + ã¨ã‚’æ„味ã—ã¾ã™ã€‚ + +上記ã®ãƒ¬ãƒ™ãƒ«2ã¨ãƒ¬ãƒ™ãƒ«3ã§ç¤ºã—ãŸä¾‹ã¯ã€å˜ã«ä¾‹ã§ã‚ã‚‹ã“ã¨ã«æ³¨æ„ã—ã¦ãã ã•ã„。 +çµå±€ã¯ã€ã»ã‹ã®éµã«ç½²åã™ã‚‹ã¨ãã€ãªã«ãŒã‚ãªãŸã«ã¨ã£ã¦ã€Œé€šå¸¸ã€ã§ã€ãªã«ãŒ +「広範ã€ã‹ã‚’を決ã‚ã‚‹ã®ã¯ã€ã‚ãªãŸè‡ªèº«ã«ä»»ã•ã‚Œã¦ã„ã¾ã™ã€‚ + +æ£ã—ã„ç”ãˆãŒãªã«ã‹ã‚ã‹ã‚‰ãªã„ã¨ã㯠"0" ã¨ç”ãˆã¦ãã ã•ã„。 +. + +.gpg.change_passwd.empty.okay +"yes" ã‹ "no" ã§ç”ãˆã¦ãã ã•ã„。 +. + + +.gpg.keyedit.save.okay +"yes" ã‹ "no" ã§ç”ãˆã¦ãã ã•ã„。 +. + + +.gpg.keyedit.cancel.okay +"yes" ã‹ "no" ã§ç”ãˆã¦ãã ã•ã„。 +. + +.gpg.keyedit.sign_all.okay +ã™ã¹ã¦ã®ãƒ¦ãƒ¼ã‚¶IDã«å¯¾ã—ã¦ç½²åã—ãŸã„å ´åˆã€"yes"ã¨ç”ãˆã¦ãã ã•ã„。 +. + +.gpg.keyedit.remove.uid.okay +ã“ã®ãƒ¦ãƒ¼ã‚¶IDを本当ã«å‰Šé™¤ã—ãŸã„å ´åˆã€"yes"ã¨ç”ãˆã¦ãã ã•ã„。 +ãã†ã™ã‚‹ã¨å…¨éƒ¨ã®è¨¼æ˜Žæ›¸ãŒå¤±ã‚ã‚Œã¾ã™! +. + +.gpg.keyedit.remove.subkey.okay +副éµã‚’削除ã—ã¦ã‚ˆã„å ´åˆã€"yes"ã¨ç”ãˆã¦ãã ã•ã„。 +. + + +.gpg.keyedit.delsig.valid +ã“ã‚Œã¯ã€ã“ã®éµã®æœ‰åŠ¹ãªç½²åã§ã™ã€‚通常ã€ã“ã®ç½²åを削除ã™ã‚‹ã“ã¨ã¯æœ›ã¾ãªã„ +ã§ã—ょã†ã€‚ã“ã®éµ(ã¾ãŸã¯ã€ã“ã®éµã§è¨¼æ˜Žã•ã‚ŒãŸåˆ¥ã®éµ)ã¸ã®ä¿¡é ¼ã®ã‚³ãƒã‚¯ã‚·ãƒ§ +ンãŒæˆç«‹ã™ã‚‹ã“ã¨ãŒé‡è¦ã¨ãªã‚‹å ´åˆãŒã‚ã‚‹ã‹ã‚‰ã§ã™ã€‚ +. + +.gpg.keyedit.delsig.unknown +ã“ã®ç½²åã¯æ¤œè¨¼ã§ãã¾ã›ã‚“ã§ã—ãŸã€‚対応ã™ã‚‹éµã‚’æŒã£ã¦ã„ãªã„ã‹ã‚‰ã§ã™ã€‚ã©ã® +éµãŒä½¿ã‚ã‚ŒãŸã‹ã‚ã‹ã‚‹ã¾ã§ã“ã®å‰Šé™¤ã‚’延期ã™ã¹ãã§ã™ã€‚ã“ã®ç½²åã®éµã¯ã€åˆ¥ã® +ã™ã§ã«è¨¼æ˜Žã•ã‚ŒãŸéµã‚’通ã˜ã¦ä¿¡é ¼ã®ã‚³ãƒã‚¯ã‚·ãƒ§ãƒ³ã‚’æˆç«‹ã™ã‚‹ã“ã¨ãŒã‚ã‚‹ã‹ã‚‰ã§ +ã™ã€‚ +. + +.gpg.keyedit.delsig.invalid +ã“ã®ç½²åã¯æœ‰åŠ¹ã§ã¯ã‚ã‚Šã¾ã›ã‚“。éµãƒªãƒ³ã‚°ã‹ã‚‰å‰Šé™¤ã™ã‚‹ã“ã¨ã«æ„味ãŒã‚ã‚Šã¾ã™ã€‚ +. + +.gpg.keyedit.delsig.selfsig +ã“ã‚Œã¯ã“ã®ãƒ¦ãƒ¼ã‚¶IDã¨ã“ã®éµã¨ã‚’çµã¶ç½²åã§ã™ã€‚通常ã€ã“ã®ã‚ˆã†ãªç½²åを削除 +ã™ã‚‹ã“ã¨ã¯è‰¯ã„ã“ã¨ã§ã¯ã‚ã‚Šã¾ã›ã‚“。実際ã€GnuPGã¯ã“ã®éµã‚’使ã†ã“ã¨ãŒã§ã㪠+ããªã£ã¦ã—ã¾ã†ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“。ã§ã™ã‹ã‚‰ã€ã“ã®è‡ªå·±ç½²åãŒãªã‚“らã‹ã®ç†ç”±ã« +よã£ã¦ç„¡åŠ¹ã§ã‚ã‚Šã€ç¬¬äºŒã®ã‚‚ã®ãŒåˆ©ç”¨å¯èƒ½ã§ã‚ã‚‹å ´åˆã«ã ã‘ã€å®Ÿè¡Œã—ã¦ãã ã• +ã„。 +. + +.gpg.keyedit.updpref.okay +ã™ã¹ã¦ã®ãƒ¦ãƒ¼ã‚¶ID(ã‚‚ã—ãã¯å˜ã«é¸æŠžã•ã‚ŒãŸä¸€ã¤)ã®å„ªå…ˆæŒ‡å®šã‚’ç¾è¡Œã®å„ªå…ˆæŒ‡å®š +ã«å¤‰æ›´ã—ã¾ã™ã€‚ã™ã¹ã¦ã®é–¢ä¿‚ã™ã‚‹è‡ªå·±ç½²åã®ã‚¿ã‚¤ãƒ スタンプã¯ã€ä¸€ç§’進んã ã‚‚ +ã®ã¨ãªã‚Šã¾ã™ã€‚ +. + +.gpg.passphrase.enter +# (keep a leading empty line) + +パスフレーズを入力ã—ã¦ãã ã•ã„。秘密ã®æ–‡ã§ã™ã€‚ +. + + +.gpg.passphrase.repeat +ã‚‚ã†ä¸€åº¦ãƒ‘スフレーズを入力ã—ã€é–“é•ã„ãªã入力ã•ã‚ŒãŸã“ã¨ã‚’確èªã—ã¦ãã ã•ã„。 +. + +.gpg.detached_signature.filename +ç½²åãŒé©ç”¨ã•ã‚Œã‚‹ãƒ•ã‚¡ã‚¤ãƒ«ã®åå‰ã‚’与ãˆã¦ãã ã•ã„。 +. + +.gpg.openfile.overwrite.okay +# openfile.c (overwrite_filep) +ファイルを上書ãã—ã¦ã‚ˆã‘ã‚Œã°ã€"yes"ã¨ç”ãˆã¦ãã ã•ã„。 +. + +.gpg.openfile.askoutname +# openfile.c (ask_outfile_name) +æ–°ã—ã„ファイルåを入力ã—ã¦ãã ã•ã„。å˜ã«Enterを打ã¤ã¨ã€ã‚«ãƒƒã‚³ã§ç¤ºã•ã‚ŒãŸ +デフォルトã®ãƒ•ã‚¡ã‚¤ãƒ«ãŒä½¿ã‚ã‚Œã¾ã™ã€‚ +. + +.gpg.ask_revocation_reason.code +# revoke.c (ask_revocation_reason) +証明書ã®ç†ç”±ã‚’指定ã—ã¾ã™ã€‚下記ã®ãƒªã‚¹ãƒˆã‹ã‚‰é¸æŠžã—ã¦ãã ã•ã„: + "éµãŒå±ã†ããªã£ãŸ" + 承èªã—ã¦ã„ãªã„人ãŒã‚ãªãŸã®ç§˜å¯†éµã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã‚’å¾—ãŸã¨è€ƒãˆã‚‹ç†ç”±ãŒ + ã‚ã‚‹å ´åˆã«ã€ã“れを指定ã—ã¾ã™ã€‚ + "éµã‚’å–り替ãˆãŸ" + æ–°ã—ã„éµã§ã“ã®éµã‚’ç½®ãæ›ãˆãŸå ´åˆã«ã€ã“れを指定ã—ã¾ã™ã€‚ + "éµã¯ã‚‚ã†ä½¿ã‚ã‚Œãªã„" + ã“ã®éµã‚’使ã‚ãªããªã£ãŸå ´åˆã«ã€ã“れを指定ã—ã¾ã™ã€‚ + "ユーザIDãŒç„¡åŠ¹ã¨ãªã£ãŸ" + ユーザIDã‚’ã‚‚ã¯ã‚„使ã†ã¹ãã§ãªã„å ´åˆã«ã€ã“れを指定ã—ã¾ã™ã€‚通常ã€ã“ + ã‚Œã¯ã€é›»åメールアドレスãŒç„¡åŠ¹ã¨ãªã£ãŸå ´åˆã§ã™ã€‚ +. + + +.gpg.ask_revocation_reason.text +# revoke.c (ask_revocation_reason) +å¿…è¦ã§ã‚ã‚Œã°ã€ã“ã®å¤±åŠ¹è¨¼æ˜Žæ›¸ã‚’発行ã™ã‚‹ç†ç”±ã‚’記述ã™ã‚‹æ–‡ç« を入力ã™ã‚‹ +ã“ã¨ãŒã§ãã¾ã™ã€‚ã“ã®æ–‡ç« ã¯ç°¡æ½”ã«ã—ã¦ãã ã•ã„。空行ã¯æ–‡ç« ã®çµ‚ã‚ã‚Šã‚’ +æ„味ã—ã¾ã™ã€‚ +. + + +.gpgsm.root-cert-not-trusted +# This text gets displayed by the audit log if +# a root certificates was not trusted. +ルート証明書(ä¿¡é ¼ã®æ‹ り所)ãŒä¿¡é ¼ã§ãã‚‹ã¨ã•ã‚Œã¦ã„ã¾ã›ã‚“。è¨å®šã«ã‚‚より㾠+ã™ãŒã€ãã®ãƒ«ãƒ¼ãƒˆè¨¼æ˜Žæ›¸ã‚’ä¿¡é ¼ã§ãã‚‹ã‚‚ã®ã¨æŒ‡å®šã™ã‚‹ã‚ˆã†ã«æ—¢ã«å•ã‚ã‚ŒãŸã‹ã‚‚ +ã—ã‚Œã¾ã›ã‚“ã—ã€æ‰‹å‹•ã§GnuPGãŒãã®è¨¼æ˜Žæ›¸ã‚’ä¿¡é ¼ã§ãã‚‹ã¨æ‰±ã†ã‚ˆã†ã«è¨å®šã™ã‚‹å¿… +è¦ãŒã‚ã‚Šã¾ã™ã€‚ä¿¡é ¼ã§ãる証明書ã¯ã€GnuPGã®ãƒ›ãƒ¼ãƒ ディレクトリã®ãƒ•ã‚¡ã‚¤ãƒ« +trustlist.txt ã«è¨å®šã—ã¾ã™ã€‚ç–‘å•ã®ã‚ã‚‹å ´åˆã€ã‚·ã‚¹ãƒ†ãƒ 管ç†è€…ã«ã“ã®è¨¼æ˜Žæ›¸ +ã‚’ä¿¡é ¼ã—ã¦ã‚ˆã„ã‚‚ã®ã‹ã©ã†ã‹å•ã„åˆã‚ã›ã¦ãã ã•ã„。 +. + + +.gpgsm.crl-problem +# This tex is displayed by the audit log for problems with +# the CRL or OCSP checking. +è¨å®šã«ã‚ˆã‚Šã¾ã™ãŒã€CRLã®å–å¾—ã‹ã€OCSP検証ã®éš›ã«å•é¡ŒãŒèµ·ãã¾ã—ãŸã€‚ã“ã‚ŒãŒå‹• +ã‹ãªã„å ´åˆã€å®Ÿã«æ§˜ã€…ãªç†ç”±ãŒã‚ã‚Šãˆã¾ã™ã€‚解決ç–ã¯ã€ãƒžãƒ‹ãƒ¥ã‚¢ãƒ«ã‚’見ã¦ãã +ã•ã„。 +. + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.nb.txt b/doc/help.nb.txt new file mode 100644 index 0000000..0ac3be7 --- /dev/null +++ b/doc/help.nb.txt @@ -0,0 +1,286 @@ +# help..txt - GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.#gpg.edit_ownertrust.value +# fixme: Please translate and remove the hash mark from the key line. +It's up to you to assign a value here; this value will never be exported +to any 3rd party. We need it to implement the web-of-trust; it has nothing +to do with the (implicitly created) web-of-certificates. +. + +.#gpg.edit_ownertrust.set_ultimate.okay +# fixme: Please translate and remove the hash mark from the key line. +To build the Web-of-Trust, GnuPG needs to know which keys are +ultimately trusted - those are usually the keys for which you have +access to the secret key. Answer "yes" to set this key to +ultimately trusted + +. + +.#gpg.untrusted_key.override +# fixme: Please translate and remove the hash mark from the key line. +If you want to use this untrusted key anyway, answer "yes". +. + +.#gpg.pklist.user_id.enter +# fixme: Please translate and remove the hash mark from the key line. +Enter the user ID of the addressee to whom you want to send the message. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.#gpg.keygen.algo.rsa_se +# fixme: Please translate and remove the hash mark from the key line. +In general it is not a good idea to use the same key for signing and +encryption. This algorithm should only be used in certain domains. +Please consult your security expert first. +. + +.#gpg.keygen.size +# fixme: Please translate and remove the hash mark from the key line. +Enter the size of the key +. + +.#gpg.keygen.size.huge.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.size.large.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.valid +# fixme: Please translate and remove the hash mark from the key line. +Enter the required value as shown in the prompt. +It is possible to enter a ISO date (YYYY-MM-DD) but you won't +get a good error response - instead the system tries to interpret +the given value as an interval. +. + +.#gpg.keygen.valid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.name +# fixme: Please translate and remove the hash mark from the key line. +Enter the name of the key holder +. + +.#gpg.keygen.email +# fixme: Please translate and remove the hash mark from the key line. +please enter an optional but highly suggested email address +. + +.#gpg.keygen.comment +# fixme: Please translate and remove the hash mark from the key line. +Please enter an optional comment +. + +.#gpg.keygen.userid.cmd +# fixme: Please translate and remove the hash mark from the key line. +N to change the name. +C to change the comment. +E to change the email address. +O to continue with key generation. +Q to to quit the key generation. +. + +.#gpg.keygen.sub.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" (or just "y") if it is okay to generate the sub key. +. + +.#gpg.sign_uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.sign_uid.class +# fixme: Please translate and remove the hash mark from the key line. +When you sign a user ID on a key, you should first verify that the key +belongs to the person named in the user ID. It is useful for others to +know how carefully you verified this. + +"0" means you make no particular claim as to how carefully you verified the + key. + +"1" means you believe the key is owned by the person who claims to own it + but you could not, or did not verify the key at all. This is useful for + a "persona" verification, where you sign the key of a pseudonymous user. + +"2" means you did casual verification of the key. For example, this could + mean that you verified the key fingerprint and checked the user ID on the + key against a photo ID. + +"3" means you did extensive verification of the key. For example, this could + mean that you verified the key fingerprint with the owner of the key in + person, and that you checked, by means of a hard to forge document with a + photo ID (such as a passport) that the name of the key owner matches the + name in the user ID on the key, and finally that you verified (by exchange + of email) that the email address on the key belongs to the key owner. + +Note that the examples given above for levels 2 and 3 are *only* examples. +In the end, it is up to you to decide just what "casual" and "extensive" +mean to you when you sign other keys. + +If you don't know what the right answer is, answer "0". +. + +.#gpg.change_passwd.empty.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.save.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.cancel.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.#gpg.keyedit.remove.uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you really want to delete this user ID. +All certificates are then also lost! +. + +.#gpg.keyedit.remove.subkey.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to delete the subkey +. + +.#gpg.keyedit.delsig.valid +# fixme: Please translate and remove the hash mark from the key line. +This is a valid signature on the key; you normally don't want +to delete this signature because it may be important to establish a +trust connection to the key or another key certified by this key. +. + +.#gpg.keyedit.delsig.unknown +# fixme: Please translate and remove the hash mark from the key line. +This signature can't be checked because you don't have the +corresponding key. You should postpone its deletion until you +know which key was used because this signing key might establish +a trust connection through another already certified key. +. + +.#gpg.keyedit.delsig.invalid +# fixme: Please translate and remove the hash mark from the key line. +The signature is not valid. It does make sense to remove it from +your keyring. +. + +.#gpg.keyedit.delsig.selfsig +# fixme: Please translate and remove the hash mark from the key line. +This is a signature which binds the user ID to the key. It is +usually not a good idea to remove such a signature. Actually +GnuPG might not be able to use this key anymore. So do this +only if this self-signature is for some reason not valid and +a second one is available. +. + +.#gpg.keyedit.updpref.okay +# fixme: Please translate and remove the hash mark from the key line. +Change the preferences of all user IDs (or just of the selected ones) +to the current list of preferences. The timestamp of all affected +self-signatures will be advanced by one second. + +. + +.#gpg.passphrase.enter +# fixme: Please translate and remove the hash mark from the key line. +Please enter the passphrase; this is a secret sentence + +. + +.#gpg.passphrase.repeat +# fixme: Please translate and remove the hash mark from the key line. +Please repeat the last passphrase, so you are sure what you typed in. +. + +.#gpg.detached_signature.filename +# fixme: Please translate and remove the hash mark from the key line. +Give the name of the file to which the signature applies +. + +.#gpg.openfile.overwrite.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to overwrite the file +. + +.#gpg.openfile.askoutname +# fixme: Please translate and remove the hash mark from the key line. +Please enter a new filename. If you just hit RETURN the default +file (which is shown in brackets) will be used. +. + +.#gpg.ask_revocation_reason.code +# fixme: Please translate and remove the hash mark from the key line. +You should specify a reason for the certification. Depending on the +context you have the ability to choose from this list: + "Key has been compromised" + Use this if you have a reason to believe that unauthorized persons + got access to your secret key. + "Key is superseded" + Use this if you have replaced this key with a newer one. + "Key is no longer used" + Use this if you have retired this key. + "User ID is no longer valid" + Use this to state that the user ID should not longer be used; + this is normally used to mark an email address invalid. + +. + +.#gpg.ask_revocation_reason.text +# fixme: Please translate and remove the hash mark from the key line. +If you like, you can enter a text describing why you issue this +revocation certificate. Please keep this text concise. +An empty line ends the text. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.pl.txt b/doc/help.pl.txt new file mode 100644 index 0000000..c5444b6 --- /dev/null +++ b/doc/help.pl.txt @@ -0,0 +1,250 @@ +# help.pl.txt - pl GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +Te wartoÅ›ci użytkownik przydziela wg swojego uznania; nie bÄ™dÄ… nigdy +eksportowane poza ten system. Potrzebne sÄ… one do zbudowania sieci +zaufania, i nie ma to nic wspólnego z tworzonÄ… automatycznie sieciÄ… +certyfikatów. +. + +.gpg.edit_ownertrust.set_ultimate.okay +Aby zbudować Sieć Zaufania, GnuPG potrzebuje znać klucze do których +masz absolutne zaufanie. Zwykle sÄ… to klucze do których masz klucze +tajne. Odpowiedz ,,tak'', jeÅ›li chcesz okreÅ›lić ten klucz jako klucz +do którego masz absolutne zaufanie. + +. + +.gpg.untrusted_key.override +JeÅ›li mimo wszystko chcesz użyć tego klucza, klucza, co do którego nie ma +żadnej pewnoÅ›ci do kogo należy, odpowiedz ,,tak''. +. + +.gpg.pklist.user_id.enter +Podaj adresatów tej wiadomoÅ›ci. +. + +.gpg.keygen.algo +ProszÄ™ wybrać algorytm. + +DSA (znany także jako DSS) to algorytm podpisu cyfrowego (Digital Signature +Algorithm) i może być używany tylko do podpisów. + +Elgamal to algorytm tylko do szyfrowania. + +RSA może być używany do podpisów lub szyfrowania. + +Pierwszy (główny) klucz zawsze musi być kluczem nadajÄ…cym siÄ™ do podpisywania. +. + +.gpg.keygen.algo.rsa_se +Używanie tego samego klucza do podpisywania i szyfrowania nie jest dobrym +pomysÅ‚em. Można tak postÄ™pować tylko w niektórych zastosowaniach. ProszÄ™ siÄ™ +najpierw skonsultować z ekspertem od bezpieczeÅ„stwa. +. + +.gpg.keygen.size +Wprowadź rozmiar klucza +. + +.gpg.keygen.size.huge.okay +Odpowiedz "tak" lub "nie". +. + +.gpg.keygen.size.large.okay +Odpowiedz "tak" lub "nie". +. + +.gpg.keygen.valid +Wprowadź żądanÄ… wartość (jak w znaku zachÄ™ty). +Można tu podać datÄ™ w formacie ISO (RRRR-MM-DD) ale nie da to +wÅ‚aÅ›ciwej obsÅ‚ugi bÅ‚Ä™dów - system próbuje interpretować podanÄ… wartość +jako okres. +. + +.gpg.keygen.valid.okay +Odpowiedz "tak" lub "nie". +. + +.gpg.keygen.name +Nazwa wÅ‚aÅ›ciciela klucza. +. + +.gpg.keygen.email +proszÄ™ wprowadzić opcjonalny ale wysoce doradzany adres e-mail +. + +.gpg.keygen.comment +ProszÄ™ wprowadzić opcjonalny komentarz +. + +.gpg.keygen.userid.cmd +N aby zmienić nazwÄ™ (nazwisko). +C aby zmienić komentarz.< +E aby zmienić adres e-mail. +O aby kontynuować tworzenie klucza. +Q aby zrezygnować z tworzenia klucza. +. + +.gpg.keygen.sub.okay +JeÅ›li ma zostać wygenerowany podklucz, należy odpowiedzieć "tak". +. + +.gpg.sign_uid.okay +Odpowiedz "tak" lub "nie". +. + +.gpg.sign_uid.class +Przy podpisywaniu identyfikatora użytkownika na kluczu należy sprawdzić, +czy tożsamość użytkownika odpowiada temu, co jest wpisane w identyfikatorze. +Innym użytkownikom przyda siÄ™ informacja, jak dogÅ‚Ä™bnie zostaÅ‚o to przez +Ciebie sprawdzone. + +"0" oznacza, że nie podajesz żadnych informacji na temat tego jak dogÅ‚Ä™bnie + tożsamość użytkownika zostaÅ‚a przez Ciebie potwierdzona. + +"1" oznacza, że masz przekonanie, że tożsamość użytkownika odpowiada + identyfikatorowi klucza, ale nie byÅ‚o możliwoÅ›ci sprawdzenia tego. + Taka sytuacja wystÄ™puje też kiedy podpisujesz identyfikator bÄ™dÄ…cy + pseudonimem. + +"2" oznacza, że tożsamość użytkownika zostaÅ‚a przez Ciebie potwierdzona + pobieżnie - sprawdziliÅ›cie odcisk klucza, sprawdziÅ‚aÅ›/eÅ› tożsamość + na okazanym dokumencie ze zdjÄ™ciem. + +"3" to dogÅ‚Ä™bna weryfikacja tożsamoÅ›ci. Na przykÅ‚ad sprawdzenie odcisku + klucza, sprawdzenie tożsamoÅ›ci z okazanego oficjalnego dokumentu ze + zdjÄ™ciem (np paszportu) i weryfikacja poprawnoÅ›ci adresu poczty + elektronicznej przez wymianÄ™ poczty z tym adresem. + +Zauważ, że podane powyżej przykÅ‚ady dla poziomów "2" i "3" to *tylko* +przykÅ‚ady. Do Ciebie należy decyzja co oznacza "pobieżny" i "dogÅ‚Ä™bny" w +kontekÅ›cie poÅ›wiadczania i podpisywania kluczy. + +JeÅ›li nie wiesz co odpowiedzieć, podaj "0". +. + +.gpg.change_passwd.empty.okay +Odpowiedz "tak" lub "nie". +. + +.gpg.keyedit.save.okay +Odpowiedz "tak" lub "nie". +. + +.gpg.keyedit.cancel.okay +Odpowiedz "tak" lub "nie". +. + +.gpg.keyedit.sign_all.okay +Odpowiedz "tak", aby podpisać WSZYSTKIE identyfikatory użytkownika. +. + +.gpg.keyedit.remove.uid.okay +Aby skasować ten identyfikator użytkownika (co wiąże siÄ™ ze utratÄ… +wszystkich jego poÅ›wiadczeÅ„!) należy odpowiedzieć ,,tak''. +. + +.gpg.keyedit.remove.subkey.okay +Aby skasować podklucz należy odpowiedzieć "tak". +. + +.gpg.keyedit.delsig.valid +To jest poprawny podpis na tym kluczu; normalnie nie należy go usuwać +ponieważ może być ważny dla zestawienia poÅ‚Ä…czenia zaufania do klucza +którym go zÅ‚ożono lub do innego klucza nim poÅ›wiadczonego. +. + +.gpg.keyedit.delsig.unknown +Ten podpis nie może zostać potwierdzony ponieważ nie ma +odpowiadajÄ…cego mu klucza publicznego. Należy odÅ‚ożyć usuniÄ™cie tego +podpisu do czasu, kiedy okaże siÄ™ który klucz zostaÅ‚ użyty, ponieważ +w momencie uzyskania tego klucza może pojawić siÄ™ Å›cieżka zaufania +pomiÄ™dzy tym a innym, już poÅ›wiadczonym kluczem. +. + +.gpg.keyedit.delsig.invalid +Ten podpis jest niepoprawny. Można usunąć go ze zbioru kluczy. +. + +.gpg.keyedit.delsig.selfsig +To jest podpis wiążący identyfikator użytkownika z kluczem. Nie należy +go usuwać - GnuPG może nie móc posÅ‚ugiwać siÄ™ dalej kluczem bez +takiego podpisu. Bezpiecznie można go usunąć tylko jeÅ›li ten podpis +klucza nim samym z jakichÅ› przyczyn nie jest poprawny, i klucz jest +drugi raz podpisany w ten sam sposób. +. + +.gpg.keyedit.updpref.okay +Przestawienie wszystkich (lub tylko wybranych) identyfikatorów na aktualne +ustawienia. Data na odpowiednich podpisach zostane przesuniÄ™ta do przodu o +jednÄ… sekundÄ™. + +. + +.gpg.passphrase.enter +Podaj dÅ‚ugie, skomplikowane hasÅ‚o, np. caÅ‚e zdanie. + +. + +.gpg.passphrase.repeat +ProszÄ™ powtórzyć hasÅ‚o, aby upewnić siÄ™ że nie byÅ‚o pomyÅ‚ki. +. + +.gpg.detached_signature.filename +Podaj nazwÄ™ pliku którego dotyczy ten podpis +. + +.gpg.openfile.overwrite.okay +JeÅ›li można nadpisać ten plik, należy odpowiedzieć ,,tak'' +. + +.gpg.openfile.askoutname +Nazwa pliku. NaciÅ›niÄ™cie ENTER potwierdzi nazwÄ™ domyÅ›lnÄ… (w nawiasach). +. + +.gpg.ask_revocation_reason.code +Nalezy podać powód unieważnienia klucza. W zależnoÅ›ci od kontekstu można +go wybrać z listy: + "Klucz zostaÅ‚ skompromitowany" + Masz powody uważać że twój klucz tajny dostaÅ‚ siÄ™ w niepowoÅ‚ane rÄ™ce. + "Klucz zostaÅ‚ zastÄ…piony" + Klucz zostaÅ‚ zastÄ…piony nowym. + "Klucz nie jest już używany" + Klucz zostaÅ‚ wycofany z użycia. + "Identyfikator użytkownika przestaÅ‚ być poprawny" + Identyfikator użytkownika (najczęściej adres e-mail przestaÅ‚ być + poprawny. + +. + +.gpg.ask_revocation_reason.text +JeÅ›li chcesz, możesz podać opis powodu wystawienia certyfikatu +unieważnienia. Opis powinien byc zwiÄ™zÅ‚y. +Pusta linia koÅ„czy wprowadzanie tekstu. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.pt.txt b/doc/help.pt.txt new file mode 100644 index 0000000..da9a181 --- /dev/null +++ b/doc/help.pt.txt @@ -0,0 +1,253 @@ +# help.pt.txt - pt GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +Você decide que valor usar aqui; este valor nunca será exportado para +terceiros. Precisamos dele implementar a rede de confiança, que não tem +nada a ver com a rede de certificados (implicitamente criada). +. + +.gpg.edit_ownertrust.set_ultimate.okay +Para construir a Teia-de-Confiança ('Web-of-Trust'), o GnuPG precisa de +saber quais são as chaves em que deposita confiança absoluta - normalmente +estas são as chaves a que tem acesso à chave privada. Responda "sim" para +que esta chave seja de confiança absoluta. + +. + +.gpg.untrusted_key.override +Se você quiser usar esta chave, não de confiança, assim mesmo, responda "sim". +. + +.gpg.pklist.user_id.enter +Digite o ID de utilizador do destinatário para quem quer enviar a +mensagem. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.gpg.keygen.algo.rsa_se +Em geral não é uma boa ideia utilizar a mesma chave para assinar e para +cifrar. Este algoritmo só deve ser utilizado em alguns domÃnios. +Por favor consulte primeiro o seu perito em segurança. +. + +.gpg.keygen.size +Insira o tamanho da chave +. + +.gpg.keygen.size.huge.okay +Responda "sim" ou "não" +. + +.gpg.keygen.size.large.okay +Responda "sim" ou "não" +. + +.gpg.keygen.valid +Digite o valor necessário conforme pedido. +É possÃvel digitar uma data ISO (AAAA-MM-DD) mas você não terá uma boa +reacção a erros - o sistema tentará interpretar o valor dado como um intervalo. +. + +.gpg.keygen.valid.okay +Responda "sim" ou "não" +. + +.gpg.keygen.name +Digite o nome do possuidor da chave +. + +.gpg.keygen.email +por favor digite um endereço de email (opcional mas recomendado) +. + +.gpg.keygen.comment +Por favor digite um comentário (opcional) +. + +.gpg.keygen.userid.cmd +N para mudar o nome. +C para mudar o comentário. +E para mudar o endereço de email +O para continuar a geração da chave. +S para interromper a geração da chave. +. + +.gpg.keygen.sub.okay +Responda "sim" (ou apenas "s") se quiser gerar a subchave. +. + +.gpg.sign_uid.okay +Responda "sim" ou "não" +. + +.gpg.sign_uid.class +Quando assina uma chave de identificação de um utilizador, deve primeiro +verificar que a chave pertence realmente à pessoa em questão. É útil para +terceiros saberem com que cuidado é que efectuou esta verificação. + +"0" significa que não deseja declarar a forma com verificou a chave + +"1" significa que acredita que a chave pertence à pessoa em questão, mas + não conseguiu ou não tentou verificar. Este grau é útil para quando + assina a chave de uma utilizador pseudo-anónimo. + +"2" significa que efectuou uma verificação normal da chave. Por exemplo, + isto pode significar que verificou a impressão digital da chave e + verificou o identificador de utilizador da chave contra uma identificação + fotográfica. + +"3" significa que efectuou uma verificação exaustiva da chave. Por exemplo, + isto pode significar que efectuou a verificação pessoalmente, e que + utilizou um documento, com fotografia, difÃcil de falsificar + (como por exemplo um passaporte) que o nome do dono da chave é o + mesmo do que o identificador da chave, e que, finalmente, verificou + (através de troca de e-mail) que o endereço de email da chave pertence + ao done da chave. + +Atenção: os exemplos dados para os nÃveis 2 e 3 são *apenas* exemplos. +Compete-lhe a si decidir o que considera, ao assinar chaves, uma verificação +"normal" e uma verificação "exaustiva". + +Se não sabe qual é a resposta correcta, responda "0". +. + +.gpg.change_passwd.empty.okay +Responda "sim" ou "não" +. + +.gpg.keyedit.save.okay +Responda "sim" ou "não" +. + +.gpg.keyedit.cancel.okay +Responda "sim" ou "não" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.gpg.keyedit.remove.uid.okay +Responda "sim" se quiser realmente remover este ID de utilizador. +Todos os certificados também serão perdidos! +. + +.gpg.keyedit.remove.subkey.okay +Responda "sim" se quiser remover a subchave +. + +.gpg.keyedit.delsig.valid +Esta é uma assinatura válida na chave; normalmente não é desejável +remover esta assinatura porque ela pode ser importante para estabelecer +uma conexão de confiança à chave ou a outra chave certificada por esta. +. + +.gpg.keyedit.delsig.unknown +Esta assinatura não pode ser verificada porque você não tem a chave +correspondente. Você deve adiar sua remoção até saber que chave foi usada +porque a chave desta assinatura pode estabelecer uma conexão de confiança +através de outra chave já certificada. +. + +.gpg.keyedit.delsig.invalid +A assinatura não é válida. Faz sentido removê-la do seu porta-chaves. +. + +.gpg.keyedit.delsig.selfsig +Esta é uma assinatura que liga o ID de utilizador à chave. Geralmente +não é uma boa idéia remover tal assinatura. É possÃvel que o GnuPG +não consiga mais usar esta chave. Faça isto apenas se por alguma +razão esta auto-assinatura não for válida e há uma segunda disponÃvel. +. + +.gpg.keyedit.updpref.okay +Muda as preferências de todos os identificadores de utilizadores +(ou apenas dos seleccionados) para a lista actual de preferências. +O 'timestamp' de todas as auto-assinaturas afectuadas será avançado +em um segundo. + +. + +.gpg.passphrase.enter +Por favor digite a frase secreta + +. + +.gpg.passphrase.repeat +Por favor repita a frase secreta, para ter certeza do que digitou. +. + +.gpg.detached_signature.filename +Dê o nome para o ficheiro ao qual a assinatura se aplica +. + +.gpg.openfile.overwrite.okay +Responda "sim" se quiser escrever por cima do ficheiro +. + +.gpg.openfile.askoutname +Por favor digite um novo nome de ficheiro. Se você apenas carregar em RETURN +o ficheiro por omissão (que é mostrado entre parênteses) será utilizado. +. + +.gpg.ask_revocation_reason.code +Deve especificar uma razão para a emissão do certificado. Dependendo no +contexto, pode escolher as seguintes opções desta lista: + "A chave foi comprometida" + Utilize esta opção se tem razões para acreditar que indivÃduos não + autorizados obtiveram acesso à sua chave secreta. + "A chave foi substituida" + Utilize esta opção se substituiu esta chave com uma mais recente. + "A chave já não é utilizada" + Utilize esta opção se já não utiliza a chave. + "O identificador do utilizador já não é válido" + Utilize esta opção para comunicar que o identificador do utilizador + não deve ser mais utilizado; normalmente utilizada para indicar + que um endereço de email é inválido. + +. + +.gpg.ask_revocation_reason.text +Se desejar, pode inserir uma texto descrevendo a razão pela qual criou +este certificado de revogação. Por favor mantenha este texto conciso. +Uma linha vazia termina o texto. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.pt_BR.txt b/doc/help.pt_BR.txt new file mode 100644 index 0000000..e88265c --- /dev/null +++ b/doc/help.pt_BR.txt @@ -0,0 +1,253 @@ +# help.pt_BR.txt - Brazilian GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +Você decide que valor usar aqui; este valor nunca será exportado para +terceiros. Precisamos dele implementar a rede de confiança, que não tem +nada a ver com a rede de certificados (implicitamente criada). +. + +.gpg.edit_ownertrust.set_ultimate.okay +Para construir a Teia-de-Confiança ('Web-of-Trust'), o GnuPG precisa de +saber quais são as chaves em que deposita confiança absoluta - normalmente +estas são as chaves a que tem acesso à chave privada. Responda "sim" para +que esta chave seja de confiança absoluta. + +. + +.gpg.untrusted_key.override +Se você quiser usar esta chave não confiável assim mesmo, responda "sim". +. + +.gpg.pklist.user_id.enter +Digite o ID de usuário do destinatário para o qual você quer enviar a +mensagem. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.gpg.keygen.algo.rsa_se +Em geral não é uma boa ideia utilizar a mesma chave para assinar e para +cifrar. Este algoritmo só deve ser utilizado em alguns domÃnios. +Por favor consulte primeiro o seu perito em segurança. +. + +.gpg.keygen.size +Digite o tamanho da chave +. + +.gpg.keygen.size.huge.okay +Responda "sim" ou "não" +. + +.gpg.keygen.size.large.okay +Responda "sim" ou "não" +. + +.gpg.keygen.valid +Digite o valor necessário conforme pedido. +É possÃvel digitar uma data ISO (AAAA-MM-DD) mas você não terá uma boa +reação a erros - o sistema tentará interpretar o valor dado como um intervalo. +. + +.gpg.keygen.valid.okay +Responda "sim" ou "não" +. + +.gpg.keygen.name +Digite o nome do possuidor da chave +. + +.gpg.keygen.email +por favor digite um endereço de email (opcional mas recomendado) +. + +.gpg.keygen.comment +Por favor digite um comentário (opcional) +. + +.gpg.keygen.userid.cmd +N para mudar o nome. +C para mudar o comentário. +E para mudar o endereço de correio eletrônico. +O para continuar a geração da chave. +S para interromper a geração da chave. +. + +.gpg.keygen.sub.okay +Responda "sim" (ou apenas "s") se quiser gerar a subchave. +. + +.gpg.sign_uid.okay +Responda "sim" ou "não" +. + +.gpg.sign_uid.class +Quando assina uma chave de identificação de um utilizador, deve primeiro +verificar que a chave pertence realmente à pessoa em questão. É útil para +terceiros saberem com que cuidado é que efectuou esta verificação. + +"0" significa que não deseja declarar a forma com verificou a chave + +"1" significa que acredita que a chave pertence à pessoa em questão, mas + não conseguiu ou não tentou verificar. Este grau é útil para quando + assina a chave de uma utilizador pseudo-anónimo. + +"2" significa que efectuou uma verificação normal da chave. Por exemplo, + isto pode significar que verificou a impressão digital da chave e + verificou o identificador de utilizador da chave contra uma identificação + fotográfica. + +"3" significa que efectuou uma verificação exaustiva da chave. Por exemplo, + isto pode significar que efectuou a verificação pessoalmente, e que + utilizou um documento, com fotografia, difÃcil de falsificar + (como por exemplo um passaporte) que o nome do dono da chave é o + mesmo do que o identificador da chave, e que, finalmente, verificou + (através de troca de e-mail) que o endereço de email da chave pertence + ao done da chave. + +Atenção: os exemplos dados para os nÃveis 2 e 3 são *apenas* exemplos. +Compete-lhe a si decidir o que considera, ao assinar chaves, uma verificação +"normal" e uma verificação "exaustiva". + +Se não sabe qual é a resposta correcta, responda "0". +. + +.gpg.change_passwd.empty.okay +Responda "sim" ou "não" +. + +.gpg.keyedit.save.okay +Responda "sim" ou "não" +. + +.gpg.keyedit.cancel.okay +Responda "sim" ou "não" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.gpg.keyedit.remove.uid.okay +Responda "sim" se quiser realmente remover este ID de usuário. +Todos os certificados também serão perdidos! +. + +.gpg.keyedit.remove.subkey.okay +Responda "sim" se quiser remover a subchave +. + +.gpg.keyedit.delsig.valid +Esta é uma assinatura válida na chave; normalmente não é desejável +remover esta assinatura porque ela pode ser importante para estabelecer +uma conexão de confiança à chave ou a outra chave certificada por esta. +. + +.gpg.keyedit.delsig.unknown +Esta assinatura não pode ser verificada porque você não tem a chave +correspondente. Você deve adiar sua remoção até saber que chave foi usada +porque a chave desta assinatura pode estabelecer uma conexão de confiança +através de outra chave já certificada. +. + +.gpg.keyedit.delsig.invalid +A assinatura não é válida. Faz sentido removê-la de seu chaveiro. +. + +.gpg.keyedit.delsig.selfsig +Esta é uma assinatura que liga o ID de usuário à chave. Geralmente +não é uma boa idéia remover tal assinatura. É possÃvel que o GnuPG +não consiga mais usar esta chave. Faça isto apenas se por alguma +razão esta auto-assinatura não for válida e há uma segunda disponÃvel. +. + +.gpg.keyedit.updpref.okay +Muda as preferências de todos os identificadores de utilizadores +(ou apenas dos seleccionados) para a lista actual de preferências. +O 'timestamp' de todas as auto-assinaturas afectuadas será avançado +em um segundo. + +. + +.gpg.passphrase.enter +Por favor digite a frase secreta + +. + +.gpg.passphrase.repeat +Por favor repita a última frase secreta, para ter certeza do que você digitou. +. + +.gpg.detached_signature.filename +Dê o nome para o arquivo ao qual a assinatura se aplica +. + +.gpg.openfile.overwrite.okay +Responda "sim" se quiser sobrescrever o arquivo +. + +.gpg.openfile.askoutname +Por favor digite um novo nome de arquivo. Se você apenas apertar RETURN o +arquivo padrão (que é mostrado em colchetes) será usado. +. + +.gpg.ask_revocation_reason.code +Deve especificar uma razão para a emissão do certificado. Dependendo no +contexto, pode escolher as seguintes opções desta lista: + "A chave foi comprometida" + Utilize esta opção se tem razões para acreditar que indivÃduos não + autorizados obtiveram acesso à sua chave secreta. + "A chave foi substituida" + Utilize esta opção se substituiu esta chave com uma mais recente. + "A chave já não é utilizada" + Utilize esta opção se já não utiliza a chave. + "O identificador do utilizador já não é válido" + Utilize esta opção para comunicar que o identificador do utilizador + não deve ser mais utilizado; normalmente utilizada para indicar + que um endereço de email é inválido. + +. + +.gpg.ask_revocation_reason.text +Se desejar, pode inserir uma texto descrevendo a razão pela qual criou +este certificado de revogação. Por favor mantenha este texto conciso. +Uma linha vazia termina o texto. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.ro.txt b/doc/help.ro.txt new file mode 100644 index 0000000..b26dd53 --- /dev/null +++ b/doc/help.ro.txt @@ -0,0 +1,251 @@ +# help.ro.txt - ro GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +Este sarcina d-voastră să atribuiÅ£i o valoare aici; această valoare +nu va fi niciodată exportată pentru o terţă parte. Trebuie să +implementăm reÅ£eaua-de-încredere; aceasta nu are nimic în comun cu +certificatele-de-reÅ£ea (create implicit). +. + +.gpg.edit_ownertrust.set_ultimate.okay +Pentru a construi ReÅ£eaua-de-ÃŽncredere, GnuPG trebuie să ÅŸtie care chei +au nivel de încredere suprem - acestea de obicei sunt cheile pentru care +aveÅ£i acces la cheia secretă. RăspundeÅ£i "da" pentru a seta +această cheie cu nivel de încredere suprem + +. + +.gpg.untrusted_key.override +Dacă doriÅ£i oricum să folosiÅ£i această cheie fără încredere, răspundeÅ£i "da". +. + +.gpg.pklist.user_id.enter +IntroduceÅ£i ID-ul utilizator al destinatarului mesajului. +. + +.gpg.keygen.algo +SelectaÅ£i algoritmul de folosit. + +DSA (aka DSS) este Digital Signature Algorithm ÅŸi poate fi folosit numai +pentru semnături. + +Elgamal este un algoritm numai pentru cifrare. + +RSA poate fi folosit pentru semnături sau cifrare. + +Prima cheie (primară) trebuie să fie întotdeauna o cheie cu care se poate semna. +. + +.gpg.keygen.algo.rsa_se +ÃŽn general nu este o idee bună să folosiÅ£i aceeaÅŸi cheie ÅŸi pentru +semnare ÅŸi pentru cifrare. Acest algoritm ar trebui folosit numai +în anumite domenii. Vă rugăm consultaÅ£i mai întâi un expert în domeniu. +. + +.gpg.keygen.size +IntroduceÅ£i lungimea cheii +. + +.gpg.keygen.size.huge.okay +RăspundeÅ£i "da" sau "nu" +. + +.gpg.keygen.size.large.okay +RăspundeÅ£i "da" sau "nu" +. + +.gpg.keygen.valid +IntroduceÅ£i valoarea cerută precum a arătat la prompt. +Este posibil să introduceÅ£i o dată ISO (AAAA-LL-ZZ) dar nu veÅ£i +obÅ£ine un răspuns de eroare bun - în loc sistemul încearcă să +interpreteze valoare dată ca un interval. +. + +.gpg.keygen.valid.okay +RăspundeÅ£i "da" sau "nu" +. + +.gpg.keygen.name +IntroduceÅ£i numele deÅ£inătorului cheii +. + +.gpg.keygen.email +vă rugăm introduceÅ£i o adresă de email (opÅ£ională dar recomandată) +. + +.gpg.keygen.comment +Vă rugăm introduceÅ£i un comentriu opÅ£ional +. + +.gpg.keygen.userid.cmd +N pentru a schimba numele. +C pentru a schimba comentariul. +E pentru a schimba adresa de email. +O pentru a continua cu generarea cheii. +T pentru a termina generarea cheii. +. + +.gpg.keygen.sub.okay +RăspundeÅ£i "da" (sau numai "d") dacă sunteÅ£i OK să generaÅ£i subcheia. +. + +.gpg.sign_uid.okay +RăspundeÅ£i "da" sau "nu" +. + +.gpg.sign_uid.class +Când semnaÅ£i un ID utilizator pe o cheie ar trebui să verificaÅ£i mai întâi +că cheia aparÅ£ine persoanei numite în ID-ul utilizator. Este util ÅŸi altora +să ÅŸtie cât de atent aÅ£i verificat acest lucru. + +"0" înseamnă că nu pretindeÅ£i nimic despre cât de atent aÅ£i verificat cheia +"1" înseamnă că credeÅ£i că cheia este a persoanei ce pretinde că este + proprietarul ei, dar n-aÅ£i putut, sau nu aÅ£i verificat deloc cheia. + Aceasta este utilă pentru verificare "persona", unde semnaÅ£i cheia + unui utilizator pseudonim. + +"2" înseamnă că aÅ£i făcut o verificare supericială a cheii. De exemplu, + aceasta ar putea însemna că aÅ£i verificat amprenta cheii ÅŸi aÅ£i verificat + ID-ul utilizator de pe cheie cu un ID cu poză. + +"3" înseamnă că aÅ£i făcut o verificare extensivă a cheii. De exemplu, + aceasta ar putea însemna că aÅ£i verificat amprenta cheii cu proprietarul + cheii în persoană, că aÅ£i verificat folosind un document dificil de + falsificat cu poză (cum ar fi un paÅŸaport) că numele proprietarului cheii + este acelaÅŸi cu numele ID-ului utilizator al cheii ÅŸi că aÅ£i verificat + (schimbând emailuri) că adresa de email de pe cheie aparÅ£ine proprietarului +cheii. + +De notat că exemplele date pentru nivelele 2 ÅŸi 3 ceva mai sus sunt *numai* +exemple. La urma urmei, d-voastră decideÅ£i ce înseamnă "superficial" ÅŸi +"extensiv" pentru d-voastră când semnaÅ£i alte chei. + +Dacă nu ÅŸtiÅ£i care este răspunsul, răspundeÅ£i "0". +. + +.gpg.change_passwd.empty.okay +RăspundeÅ£i "da" sau "nu" +. + +.gpg.keyedit.save.okay +RăspundeÅ£i "da" sau "nu" +. + +.gpg.keyedit.cancel.okay +RăspundeÅ£i "da" sau "nu" +. + +.gpg.keyedit.sign_all.okay +RăspundeÅ£i "da" dacă doriÅ£i să semnaÅ£i TOATE ID-urile utilizator +. + +.gpg.keyedit.remove.uid.okay +RăspundeÅ£i "da" dacă într-adevăr doriÅ£i să ÅŸtergeÅ£i acest ID utilizator. +Toate certificatele sunt de asemenea pierdute! +. + +.gpg.keyedit.remove.subkey.okay +RăspundeÅ£i "da" dacă este OK să ÅŸtergeÅ£i subcheia +. + +.gpg.keyedit.delsig.valid +Aceasta este o semnătură validă pe cheie; în mod normal n-ar trebui +să ÅŸtergeÅ£i această semnătură pentru că aceasta ar putea fi importantăla stabilirea conexiunii de încredere la cheie sau altă cheie certificată +de această cheie. +. + +.gpg.keyedit.delsig.unknown +Această semnătură nu poate fi verificată pentru că nu aveÅ£i cheia +corespunzătoare. Ar trebui să amânaÅ£i ÅŸtergerea sa până ÅŸtiÅ£i care +cheie a fost folosită pentru că această cheie de semnare ar putea +constitui o conexiune de încredere spre o altă cheie deja certificată. +. + +.gpg.keyedit.delsig.invalid +Semnătura nu este validă. Aceasta ar trebui ÅŸtearsă de pe inelul +d-voastră de chei. +. + +.gpg.keyedit.delsig.selfsig +Aceasta este o semnătură care leagă ID-ul utilizator de cheie. +De obicei nu este o idee bună să ÅŸtergeÅ£i o asemenea semnătură. +De fapt, GnuPG ar putea să nu mai poată folosi această cheie. +AÅŸa că faceÅ£i acest lucru numai dacă această auto-semnătură este +dintr-o oarecare cauză invalidă ÅŸi o a doua este disponibilă. +. + +.gpg.keyedit.updpref.okay +SchimbaÅ£i toate preferinÅ£ele ale tuturor ID-urilor utilizator (sau doar +cele selectate) conform cu lista curentă de preferinÅ£e. Timestamp-urile +tuturor auto-semnăturilor afectate vor fi avansate cu o secundă. + +. + +.gpg.passphrase.enter +Vă rugăm introduceÅ£i fraza-parolă; aceasta este o propoziÅ£ie secretă + +. + +.gpg.passphrase.repeat +Vă rugăm repetaÅ£i ultima frază-parolă, pentru a fi sigur(ă) ce aÅ£i tastat. +. + +.gpg.detached_signature.filename +DaÅ£i numele fiÅŸierului la care se aplică semnătura +. + +.gpg.openfile.overwrite.okay +RăspundeÅ£i "da" dacă este OK să suprascrieÅ£i fiÅŸierul +. + +.gpg.openfile.askoutname +Vă rugăm introduceÅ£i un nou nume-fiÅŸier. Dacă doar apăsaÅ£i RETURN, +va fi folosit fiÅŸierul implicit (arătat în paranteze). +. + +.gpg.ask_revocation_reason.code +Ar trebui să specificaÅ£i un motiv pentru certificare. ÃŽn funcÅ£ie de +context aveÅ£i posibilitatea să alegeÅ£i din această listă: + "Cheia a fost compromisă" + FolosiÅ£i această opÅ£iune dacă aveÅ£i un motiv să credeÅ£i că persoane + neautorizate au avut acces la cheia d-voastră secretă. + "Cheia este înlocuită" + FolosiÅ£i această opÅ£iune dacă înlocuiÅ£i cheia cu una nouă. + "Cheia nu mai este folosită" + FolosiÅ£i această opÅ£iune dacă pensionaÅ£i cheia. + "ID-ul utilizator nu mai este valid" + FolosiÅ£i această opÅ£iune dacă ID-ul utilizator nu mai trebuie folosit; + de obicei folosită pentru a marca o adresă de email ca invalidă. + +. + +.gpg.ask_revocation_reason.text +Dacă doriÅ£i, puteÅ£i introduce un text descriind de ce publicaÅ£i acest +certificat de revocare. Vă rugăm fiÅ£i concis. +O linie goală termină textul. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.ru.txt b/doc/help.ru.txt new file mode 100644 index 0000000..b78e1ff --- /dev/null +++ b/doc/help.ru.txt @@ -0,0 +1,369 @@ +# help.ru.txt - Russian GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# Copyright (C) 2016 Ineiev <ineiev@gnu.org> (translation) +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + +# The translated revision was taken from HEAD b8bb16c6c08d3c2947f1ff67 +# which is the same as the revision from STABLE-BRANCH-2-0 776bee6d370 + +.#pinentry.qualitybar.tooltip +# [remove the hash mark from the key to enable this text] +# This entry is just an example on how to customize the tooltip shown +# when hovering over the quality bar of the pinentry. We don't +# install this text so that the hardcoded translation takes +# precedence. An administrator should write up a short help to tell +# the users about the configured passphrase constraints and save that +# to /etc/gnupg/help.txt. The help text should not be longer than +# about 800 characters. +Ðтот индикатор показывает качеÑтво введенной выше фразы-паролÑ. + +Пока индикатор краÑный, GnuPG Ñчитает фразу-пароль неприемлемо Ñлабой. +Уточните у Ñвоего админиÑтратора принÑтые Ñ‚Ñ€ÐµÐ±Ð¾Ð²Ð°Ð½Ð¸Ñ Ðº фразе-паролю. +. + + +.gnupg.agent-problem +# There was a problem accessing or starting the agent. +К запущенному Gpg-Agent было невозможно подключитьÑÑ, либо возникла +проблема ÑÐ¾ÐµÐ´Ð¸Ð½ÐµÐ½Ð¸Ñ Ñ Ð½Ð¸Ð¼. + +СиÑтема иÑпользует фоновый процеÑÑ Ð¿Ð¾Ð´ названием Gpg-Agent +Ð´Ð»Ñ Ð¾Ð±Ñ€Ð°Ð±Ð¾Ñ‚ÐºÐ¸ Ñекретных ключей и запроÑа фраз-паролей. Обычно процеÑÑ +запуÑкаетÑÑ Ð¿Ñ€Ð¸ входе Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ð² ÑиÑтему и работает, пока +пользователь не выйдет. ЕÑли процеÑÑ Ð½ÐµÐ´Ð¾Ñтупен, ÑиÑтема пытаетÑÑ +запуÑтить его на ходу, но функции Ñтой верÑий неÑколько ограничены, +Ñто может привеÑти к небольшим проблемам. + +ВероÑтно, Ð´Ð»Ñ Ñ€ÐµÑˆÐµÐ½Ð¸Ñ Ð¿Ñ€Ð¾Ð±Ð»ÐµÐ¼Ñ‹ нужно обратитьÑÑ Ðº админиÑтратору. +Ð’ качеÑтве временной меры можно выйти и Ñнова войти в ÑиÑтему; +может быть, Ñто поможет. Ð’ любом Ñлучае Ñообщите об Ñтом +админиÑтратору, потому что Ñто указывает на недочет в программе. +. + + +.gnupg.dirmngr-problem +# There was a problen accessing the dirmngr. +К запущенному Dirmngr было невозможно подключитьÑÑ, либо возникла +проблема ÑÐ¾ÐµÐ´Ð¸Ð½ÐµÐ½Ð¸Ñ Ñ Ð½Ð¸Ð¼. + +Ð”Ð»Ñ Ð¿Ñ€Ð¾Ñмотра ÑпиÑков отзыва Ñертификатов во Ð²Ñ€ÐµÐ¼Ñ Ð¿Ñ€Ð¾Ð²ÐµÑ€ÐºÐ¸ +Ñертификатов и Ð´Ð»Ñ Ð¿Ð¾Ð¸Ñка ключей на локальных Ñерверах ÑиÑтема +пользуетÑÑ Ð²Ð½ÐµÑˆÐ½ÐµÐ¹ Ñлужебной программой Dirmngr. Обычно она работает +как ÑиÑÑ‚ÐµÐ¼Ð½Ð°Ñ Ñлужба (демон) и не нуждаетÑÑ Ð² каких-либо дейÑтвиÑÑ… +Ñо Ñтороны пользователÑ. Ð’ Ñлучае проблем ÑиÑтема может запуÑкать +новую копию Dirmngr по каждому запроÑу; Ñто запаÑной вариант +Ñ ÑƒÑ…ÑƒÐ´ÑˆÐµÐ½Ð½Ñ‹Ð¼Ð¸ характериÑтиками. + +ЕÑли Ð’Ñ‹ ÑтолкнулиÑÑŒ Ñ Ñтой проблемой, обратитеÑÑŒ к ÑиÑтемному +админиÑтратору. Ð’ качеÑтве временного Ñ€ÐµÑˆÐµÐ½Ð¸Ñ Ð¼Ð¾Ð¶Ð½Ð¾ попробовать +отключить проверку ÑпиÑков отзыва Ñертификатов в наÑтройках gpgsm. +. + + +.gpg.edit_ownertrust.value +# The help identies prefixed with "gpg." used to be hard coded in gpg +# but may now be overridden by help texts from this file. +ЕÑли хотите, поÑтавьте здеÑÑŒ значение; оно никогда не будет выводитьÑÑ +Ð´Ð»Ñ Ñ‚Ñ€ÐµÑ‚ÑŒÐ¸Ñ… Ñторон. Ðам оно нужно Ð´Ð»Ñ Ñ€ÐµÐ°Ð»Ð¸Ð·Ð°Ñ†Ð¸Ð¸ Ñети довериÑ; оно +никак не ÑвÑзано Ñ (неÑвно Ñоздаваемой) Ñетью Ñертификатов. +. + +.gpg.edit_ownertrust.set_ultimate.okay +Ð”Ð»Ñ Ð¿Ð¾ÑÑ‚Ñ€Ð¾ÐµÐ½Ð¸Ñ Ð¡ÐµÑ‚Ð¸ Ð´Ð¾Ð²ÐµÑ€Ð¸Ñ GnuPG нужно знать, каким ключам доверÑÑ‚ÑŒ +полноÑтью - обычно Ñто ключи, Ñекретные чаÑти которых у Ð’Ð°Ñ ÐµÑÑ‚ÑŒ. +Ответ "да" уÑтановит полное доверие Ñтому ключу. + + +.gpg.untrusted_key.override +ЕÑли Ð’Ñ‹ хотите вÑе равно пользоватьÑÑ Ñтим недоверенным ключом, +ответьте "да". +. + +.gpg.pklist.user_id.enter +Введите ID Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ - Ð¿Ð¾Ð»ÑƒÑ‡Ð°Ñ‚ÐµÐ»Ñ Ð’Ð°ÑˆÐµÐ³Ð¾ ÑообщениÑ. +. + +.gpg.keygen.algo +Выберите алгоритм. + +DSA (он же DSS) можно применÑÑ‚ÑŒ только Ð´Ð»Ñ Ð¿Ð¾Ð´Ð¿Ð¸Ñей. + +Elgamal - алгоритм только Ð´Ð»Ñ ÑˆÐ¸Ñ„Ñ€Ð¾Ð²Ð°Ð½Ð¸Ñ. + +RSA можно применÑÑ‚ÑŒ Ð´Ð»Ñ ÑˆÐ¸Ñ„Ñ€Ð¾Ð²Ð°Ð½Ð¸Ñ Ð¸Ð»Ð¸ подпиÑей. + +Первый (первичный) ключ вÑегда должен быть пригоден Ð´Ð»Ñ Ð¿Ð¾Ð´Ð¿Ð¸Ñей. +. + + +.gpg.keygen.algo.rsa_se +Ð’ целом неразумно пользоватьÑÑ Ð¾Ð´Ð½Ð¸Ð¼ и тем же ключом и Ð´Ð»Ñ Ð¿Ð¾Ð´Ð¿Ð¸Ñи, +и Ð´Ð»Ñ ÑˆÐ¸Ñ„Ñ€Ð¾Ð²Ð°Ð½Ð¸Ñ. Ðто может быть полезно только в определенных +ÑлучаÑÑ…. ПроконÑультируйтеÑÑŒ Ñо Ñвоим ÑкÑпертом по безопаÑноÑти. +. + + +.gpg.keygen.flags +ПоменÑÑ‚ÑŒ функции ключа. + +Переключать можно только функции, доÑтупные Ð´Ð»Ñ Ð²Ñ‹Ð±Ñ€Ð°Ð½Ð½Ð¾Ð³Ð¾ +алгоритма. + +Ð”Ð»Ñ Ð±Ñ‹Ñтрой уÑтановки Ñразу вÑех возможноÑтей введите Ñначала '=', +а за ним ÑпиÑок букв, задающих набор функций: '1' - подпиÑÑŒ, '2' - +шифрование, '3' - аутентификациÑ. Ðеправильные буквы и функции +не учитываютÑÑ. Сразу поÑле быÑтрого ввода Ñто подменю закрываетÑÑ. +. + + +.gpg.keygen.size +Введите размер ключа. + +Предлагаемое значение обычно хорошо подходит. + +ЕÑли Вам нужен ключ большого размера, например, 4096 бит, подумайте, +дейÑтвительно ли Ñто Ð´Ð»Ñ Ð’Ð°Ñ Ð¸Ð¼ÐµÐµÑ‚ ÑмыÑл. См. ÐºÐ¾Ð¼Ð¸ÐºÑ Ð½Ð° Ñтранице +http://www.xkcd.com/538/ . +. + +.gpg.keygen.size.huge.okay +Отвечайте "да" или "нет". +. + + +.gpg.keygen.size.large.okay +Отвечайте "да" или "нет". +. + + +.gpg.keygen.valid +Введите нужное значение, как показано в приглашении. +Можно ввеÑти дату ИСО (ГГГГ-ММ-ДД), но ÑÐ¾Ð¾Ð±Ñ‰ÐµÐ½Ð¸Ñ Ð¾Ð± ошибках будут +неудобочитаемыми: ÑиÑтема пытаетÑÑ Ð¸Ð½Ñ‚ÐµÑ€Ð¿Ñ€ÐµÑ‚Ð¸Ñ€Ð¾Ð²Ð°Ñ‚ÑŒ данное значение +как интервал. +. + +.gpg.keygen.valid.okay +Отвечайте "да" или "нет". +. + + +.gpg.keygen.name +Введите Ð¸Ð¼Ñ Ð²Ð»Ð°Ð´ÐµÐ»ÑŒÑ†Ð° ключа. +Символы "<" и ">" недопуÑтимы. +Пример: ВаÑÑ ÐŸÑƒÑˆÐºÐ¸Ð½ +. + + +.gpg.keygen.email +Введите, пожалуйÑта, Ð°Ð´Ñ€ÐµÑ Ñлектронной почты (необÑзательно, +но очень рекомендуетÑÑ). +Пример: vp@test.ru +. + +.gpg.keygen.comment +Введите, пожалуйÑта, необÑзательное примечание. +Символы "(" и ")" недопуÑтимы. +Ð’ общем и целом оно не нужно. +. + + +.gpg.keygen.userid.cmd +# (Keep a leading empty line) + +N Ñменить имÑ. +C Ñменить примечание. +E Ñменить адреÑ. +O продолжить Ñоздание ключа. +Q прекратить Ñоздание ключа. +. + +.gpg.keygen.sub.okay +Введите "да" (или "y"), чтобы разрешить Ñоздание ключа. +. + +.gpg.sign_uid.okay +Отвечайте "да" или "нет". +. + +.gpg.sign_uid.class +Когда Ð’Ñ‹ подпиÑываете идентификатор Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ð² ключе, нужно Ñначала +удоÑтоверитьÑÑ, что ключ принадлежит указанному в идентификаторе лицу. +Другим полезно знать, наÑколько тщательно Ð’Ñ‹ Ñто проверили. + +"0" значит, что Ð’Ñ‹ не указываете, наÑколько тщательно вы проверÑли ключ. + +"1" значит, что Ð’Ñ‹ Ñчитаете, что ключ принадлежит заÑвленному лицу, но Ð’Ñ‹ + не могли проверить или не проверÑли ключ. Ðто полезно Ð´Ð»Ñ Ð¿Ñ€Ð¾Ð²ÐµÑ€ÐºÐ¸ + "инкогнито", когда вы подпиÑываете ключ Ñ Ð¿Ñевдонимом. + +"2" значит, что Ð’Ñ‹ провели чаÑтичную проверку ключа. Ðапример, проверили + отпечаток ключа и идентификатор Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ð¸Ð· ключа + по фотоидентификатору. + +"3" значит, что Ð’Ñ‹ провели тщательную проверку ключа. Ðапример, + Ð’Ñ‹ проверили отпечаток ключа, а также проверили по удоÑтоверению + личноÑти (такому как паÑпорт), что Ð¸Ð¼Ñ Ð²Ð»Ð°Ð´ÐµÐ»ÑŒÑ†Ð° ключа Ñовпадает + Ñ Ð¸Ð¼ÐµÐ½ÐµÐ¼ человека, запиÑанным в идентификаторе Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ ÐºÐ»ÑŽÑ‡Ð°; + наконец, Ð’Ñ‹ удоÑтоверилиÑÑŒ (обменÑвшиÑÑŒ Ñлектронной почтой), что + Ð°Ð´Ñ€ÐµÑ Ñлектронной почты принадлежит владельцу ключа. + +Имейте в виду, что примеры, данные Ð´Ð»Ñ ÑƒÑ€Ð¾Ð²Ð½ÐµÐ¹ 2 и 3 - Ñто *только* +примеры. Ð’ конечном Ñчете Ð’Ñ‹ Ñами решаете, что значит "чаÑтичнаÑ" +и "тщательнаÑ" проверка, когда Ð’Ñ‹ подпиÑываете другие ключи. + +ЕÑли затруднÑетеÑÑŒ Ñ Ð¾Ñ‚Ð²ÐµÑ‚Ð¾Ð¼, поÑтавьте "0". +. + +.gpg.change_passwd.empty.okay +Отвечайте "да" или "нет". +. + + +.gpg.keyedit.save.okay +Отвечайте "да" или "нет". +. + + +.gpg.keyedit.cancel.okay +Отвечайте "да" или "нет". +. + +.gpg.keyedit.sign_all.okay +Ответьте "да", еÑли хотите подпиÑать ВСЕ идентификаторы пользователÑ. +. + +.gpg.keyedit.remove.uid.okay +Ответьте "да", еÑли дейÑтвительно хотите удалить Ñтот идентификатор +пользователÑ. +Ð’Ñе Ñертификаты будут также удалены! +. + +.gpg.keyedit.remove.subkey.okay +Ответьте "да", еÑли подключ можно удалить. +. + + +.gpg.keyedit.delsig.valid +Ðто Ð²ÐµÑ€Ð½Ð°Ñ Ð¿Ð¾Ð´Ð¿Ð¸ÑÑŒ ключа; как правило, ее не нужно удалÑÑ‚ÑŒ, +поÑкольку может быть важно уÑтановить отношение Ð´Ð¾Ð²ÐµÑ€Ð¸Ñ Ð¼ÐµÐ¶Ð´Ñƒ +Ñтим ключом и другими ключами. +. + +.gpg.keyedit.delsig.unknown +Ðту подпиÑÑŒ Ð½ÐµÐ»ÑŒÐ·Ñ Ð¿Ñ€Ð¾Ð²ÐµÑ€Ð¸Ñ‚ÑŒ, поÑкольку отÑутÑтвует ÑоответÑтвующий +ключ. Удаление ее нужно отложить до тех пор, пока не Ñтанет +извеÑтно, какой из ключей был иÑпользован, так как подпиÑÑŒ +Ñтого ключа могло бы уÑтановить отношение Ð´Ð¾Ð²ÐµÑ€Ð¸Ñ Ñ‡ÐµÑ€ÐµÐ· +другой, уже Ñертифицированный ключ. +. + +.gpg.keyedit.delsig.invalid +ПодпиÑÑŒ недейÑтвительна. Имеет ÑмыÑл удалить ее из Вашей таблицы +ключей. +. + +.gpg.keyedit.delsig.selfsig +Ðта подпиÑÑŒ ÑвÑзывает идентификатор Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ñ ÐºÐ»ÑŽÑ‡Ð¾Ð¼. Обычно +удалÑÑ‚ÑŒ такие подпиÑи не Ñледует. Ðто может Ñделать ключ непригодным +Ð´Ð»Ñ Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ð½Ð¸Ñ Ñ GnuPG. Так что делайте Ñто только еÑли Ñта +ÑамоподпиÑÑŒ по какой-то причине недейÑтвительна и еÑÑ‚ÑŒ другаÑ. +. + +.gpg.keyedit.updpref.okay +Изменить Ð¿Ñ€ÐµÐ´Ð¿Ð¾Ñ‡Ñ‚ÐµÐ½Ð¸Ñ Ð´Ð»Ñ Ð²Ñех идентификаторов Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ (или +только Ð´Ð»Ñ Ð²Ñ‹Ð±Ñ€Ð°Ð½Ð½Ñ‹Ñ…) на текущий ÑпиÑок предпочтений. Дата вÑех +ÑамоподпиÑей, которых Ñто каÑаетÑÑ, будет Ñдвинута вперед +на одну Ñекунду. +. + + +.gpg.passphrase.enter +# (keep a leading empty line) + +Введите, пожалуйÑта, фразу-пароль (Ñекретное предложение). +. + + +.gpg.passphrase.repeat +Повторите введенную фразу-пароль, чтобы проверить, что Ð’Ñ‹ не ошиблиÑÑŒ. +. + +.gpg.detached_signature.filename +Задайте Ð¸Ð¼Ñ Ñ„Ð°Ð¹Ð»Ð°, который подпиÑываетÑÑ. +. + +.gpg.openfile.overwrite.okay +# openfile.c (overwrite_filep) +Ответьте "да", еÑли файл можно перезапиÑать. +. + +.gpg.openfile.askoutname +# openfile.c (ask_outfile_name) +Введите новое Ð¸Ð¼Ñ Ñ„Ð°Ð¹Ð»Ð°. ЕÑли проÑто нажать "Enter", будет +иÑпользован файл по умолчанию (указан в Ñкобках). +. + +.gpg.ask_revocation_reason.code +# revoke.c (ask_revocation_reason) +Ðужно указать причину отзыва. Можно выбрать из ÑпиÑка: + "Ключ был раÑкрыт" + ЕÑÑ‚ÑŒ оÑÐ½Ð¾Ð²Ð°Ð½Ð¸Ñ Ð¿Ð¾Ð»Ð°Ð³Ð°Ñ‚ÑŒ, что какие-то лица получили + неÑанкционированный доÑтуп к Ñекретному ключу. + "Ключ заменен другим" + Ð’Ñ‹ заменили ключ на новый. + "Ключ больше не иÑпользуетÑÑ" + Ð’Ñ‹ дали ключу отÑтавку. + "ID Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ð±Ð¾Ð»ÑŒÑˆÐµ не дейÑтвителен" + ID Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ð±Ð¾Ð»ÑŒÑˆÐµ не должен употреблÑÑ‚ÑŒÑÑ; обычно Ñто значит, + что Ð°Ð´Ñ€ÐµÑ Ñлектронной почты недейÑтвителен. +. + +.gpg.ask_revocation_reason.text +# revoke.c (ask_revocation_reason) +ЕÑли хотите, можете ввеÑти текÑÑ‚, поÑÑнÑющий причину, по которой +выпущен Ñтот Ñертификат отзыва. ВыражайтеÑÑŒ, пожалуйÑта, ÑÑно. +ТекÑÑ‚ заканчиваетÑÑ Ð¿ÑƒÑтой Ñтрокой. +. + + + + +.gpgsm.root-cert-not-trusted +# This text gets displayed by the audit log if +# a root certificates was not trusted. +Ðет Ð´Ð¾Ð²ÐµÑ€Ð¸Ñ Ðº корневому Ñертификату. Ð’ завиÑимоÑти от наÑтроек +Вам могли предложить пометить Ñтот корневой Ñертификат как доверенный +или вручную указать GnuPG, что Ñтому Ñертификату нужно доверÑÑ‚ÑŒ. +Доверенные Ñертификаты задаютÑÑ Ð² файле trustlist.txt в домашнем +каталоге GnuPG. ЕÑли ÑомневаетеÑÑŒ, ÑпроÑите Ñвоего ÑиÑтемного +админиÑтратора, Ñледует ли Вам доверÑÑ‚ÑŒ Ñтому Ñертификату. + + +.gpgsm.crl-problem +# This tex is displayed by the audit log for problems with +# the CRL or OCSP checking. +Ð’ завиÑимоÑти от наÑтроек возникла проблема в получении ÑпиÑка +отозванных Ñертификатов или в выполнении проверки по протоколу +OCSP. Ðто могло ÑлучитьÑÑ Ð¿Ð¾ очень многим причинам. ОбратитеÑÑŒ +к документации за возможными решениÑми. + + +# Local variables: +# mode: default-generic +# coding: utf-8 +# End: diff --git a/doc/help.sk.txt b/doc/help.sk.txt new file mode 100644 index 0000000..9e50c76 --- /dev/null +++ b/doc/help.sk.txt @@ -0,0 +1,254 @@ +# help.sk.txt - sk GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +Je na Vás, aby ste sem priradili hodnotu; táto hodnota nebude nikdy +exportovaná tretej strane. Potrebujeme ju k implementácii "pavuÄiny +dôvery"; nemá to niÄ spoloÄné s (implicitne vytvorenou) "pavuÄinou +certifikátov". +. + +.gpg.edit_ownertrust.set_ultimate.okay +Aby bolo možné vybudovaÅ¥ pavuÄinu dôvery, musà GnuPG vedieÅ¥, ktorým kľúÄom +dôverujete absolútne - obyÄajne sú to tie kľúÄe, pre ktoré máte prÃstup +k tajným kľúÄom. Odpovedzte "ano", aby ste nastavili tieto kľúÄe +ako absolútne dôveryhodné + +. + +.gpg.untrusted_key.override +Pokiaľ aj tak chcete použiÅ¥ tento nedôveryhodný kľúÄ, odpovedzte "ano". +. + +.gpg.pklist.user_id.enter +Vložte identifikátor adresáta, ktorému chcete poslaÅ¥ správu. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.gpg.keygen.algo.rsa_se +VÅ¡ebecne nemožno odporúÄaÅ¥ použÃvaÅ¥ rovnaký kÄ¾ÃºÄ na Å¡ifrovanie a podeisovanie +Tento algoritmus je vhodné použiÅ¥ len za urÄitých podmienok. +Kontaktujte prosÃm najprv bezpeÄnostného Å¡pecialistu. +. + +.gpg.keygen.size +Vložte dĺžku kľúÄa +. + +.gpg.keygen.size.huge.okay +Odpovedzte "ano" alebo "nie" +. + +.gpg.keygen.size.large.okay +Odpovedzte "ano" alebo "nie" +. + +.gpg.keygen.valid +Vložte požadovanú hodnotu tak, ako je uvedené v prÃkazovom riadku. +Je možné vložiÅ¥ dátum vo formáte ISO (RRRR-MM-DD), ale nedostanete +správnu chybovú hlášku - miesto toho systém skúsi interpretovaÅ¥ +zadanú hodnotu ako interval. +. + +.gpg.keygen.valid.okay +Odpovedzte "ano" alebo "nie" +. + +.gpg.keygen.name +Vložte meno držiteľa kľúÄa +. + +.gpg.keygen.email +prosÃm, vložte e-mailovú adresu (nepovinné, ale veľmi odporúÄané) +. + +.gpg.keygen.comment +ProsÃm, vložte nepovinný komentár +. + +.gpg.keygen.userid.cmd +N pre zmenu názvu. +C pre zmenu komentára. +E pre zmenu e-mailovej adresy. +O pre pokraÄovanie generovania kľúÄa. +Q pre ukonÄenie generovania kľúÄa. +. + +.gpg.keygen.sub.okay +Ak chcete generovaÅ¥ podkľúÄ, odpovedzte "ano" (alebo len "a"). +. + +.gpg.sign_uid.okay +Odpovedzte "ano" alebo "nie" +. + +.gpg.sign_uid.class +Skôr ako podpÃÅ¡ete id užÃvateľa, mali by ste najprv overiÅ¥, Äi kÄ¾ÃºÄ +patrà osobe, ktorej meno je uvedené v identifikátore užÃvateľa. +Je veľmi užitoÄné, keÄ ostatnà vedia, ako dôsledne ste previedli +takéto overenie. + +"0" znamená, že neuvádzate, ako dôsledne ste pravosÅ¥ kľúÄa overili + +"1" znamená, že verÃte tomu, že kÄ¾ÃºÄ patrà osobe, ktorá je uvedená, + v užÃvateľskom ID, ale nemohli ste alebo jste nepreverili túto skutoÄnosÅ¥. + To je užitoÄné pre "osobnú" verifikáciu, keÄ podpisujete kľúÄe, ktoré + použÃvajú pseudonym užÃvateľa. + +"2" znamená, že ste ÄiastoÄne overili pravosÅ¥ kľúÄa. Napr. ste overili + fingerprint kľúÄa a skontrolovali identifikátor užÃvateľa + uvedený na kľúÄi s fotografickým id. + +"3" Znamená, že ste vykonali veľmi dôkladné overenie pravosti kľúÄa. + To môže naprÃklad znamenaÅ¥, že ste overili fingerprint kľúÄa + jeho vlastnÃka osobne a Äalej ste pomocou tažko falÅ¡ovateľného + dokumentu s fotografiou (naprÃklad pasu) overili, že meno majiteľa + kľúÄa sa zhoduje s menom uvedeným v užÃvateľskom ID a Äalej ste + overili (výmenou elektronických dopisov), že elektronická adresa uvedená + v ID užÃvateľa patrà majiteľovi kľúÄa. + +ProsÃm nezabúdajte, že prÃklady uvedené pre úroveň 2 a 3 sú *len* +prÃklady. +Je len na VaÅ¡om rozhodnutÃ, Äo "ÄiastoÄné" a "dôkladné" overenie znamená +keÄ budete podpisovaÅ¥ kľúÄe iným užÃvateľom. + +Pokiaľ neviete, aká je správna odpoveÄ, odpovedzte "0". +. + +.gpg.change_passwd.empty.okay +Odpovedzte "ano" alebo "nie" +. + +.gpg.keyedit.save.okay +Odpovedzte "ano" alebo "nie" +. + +.gpg.keyedit.cancel.okay +Odpovedzte "ano" alebo "nie" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.gpg.keyedit.remove.uid.okay +Pokiaľ skutoÄne chcete zmazaÅ¥ tento identifikátor užÃvateľa, odpovedzte "ano". +VÅ¡etky certifikáty budú tiež stratené! +. + +.gpg.keyedit.remove.subkey.okay +Odpovedzte "ano", pokiaľ chcete zmazaÅ¥ podkÄ¾ÃºÄ +. + +.gpg.keyedit.delsig.valid +Toto je platný podpis kľúÄa; normálne nechcete tento podpis zmazaÅ¥, +pretože môže byÅ¥ dôležitý pri vytváranà dôvery kľúÄa alebo iného kľúÄa +ceritifikovaného týmto kľúÄom. +. + +.gpg.keyedit.delsig.unknown +Tento podpis nemôže byÅ¥ overený, pretože nemáte zodpovedajúci verejný kľúÄ. +Jeho zmazanie by ste mali odložiÅ¥ do Äasu, keÄ budete vedieÅ¥, ktorý kÄ¾ÃºÄ +bol použitý, pretože tento podpisovacà kÄ¾ÃºÄ môže vytvoriÅ¥ dôveru +prostrednÃctvom iného už certifikovaného kľúÄa. +. + +.gpg.keyedit.delsig.invalid +Podpis je neplatný. Je rozumné ho odstrániÅ¥ z Vášho súboru kľúÄov. +. + +.gpg.keyedit.delsig.selfsig +Toto je podpis, ktorý viaže identifikátor užÃvateľa ku kľúÄu. ZvyÄajne +nie je dobré takýto podpis odstrániÅ¥. GnuPG nemôže tento kÄ¾ÃºÄ naÄalej +použÃvaÅ¥. Urobte to len v prÃpade, keÄ je tento podpis kľúÄa +nÃm samým z nejakého dôvodu neplatný a keÄ je k dispozÃcii iný kľúÄ. +. + +.gpg.keyedit.updpref.okay +ZmeniÅ¥ predvoľby pre vÅ¡etky užÃvateľské ID (alebo len pre oznaÄené) +na aktuálny zoznam predvolieb. ÄŒasové razÃtka vÅ¡etkých dotknutých podpisov +kľúÄov nimi samotnými budú posunuté o jednu sekundu dopredu. + +. + +.gpg.passphrase.enter +ProsÃm, vložte heslo; toto je tajná veta + +. + +.gpg.passphrase.repeat +ProsÃm, zopakujte posledné heslo, aby ste si boli istý, Äo ste napÃsali. +. + +.gpg.detached_signature.filename +Zadajte názov súboru, ku ktorému sa podpis vzÅ¥ahuje +. + +.gpg.openfile.overwrite.okay +Ak si prajete prepÃsanie súboru, odpovedzte "ano" +. + +.gpg.openfile.askoutname +ProsÃm, vložte nový názov súboru. Ak len stlaÄÃte RETURN, bude +použitý implicitný súbor (ktorý je zobrazený v zátvorkách). +. + +.gpg.ask_revocation_reason.code +Mali by ste Å¡pecifikovaÅ¥ dôvod certifikácie. V závislosti na kontexte +máte možnosÅ¥ si vybraÅ¥ zo zoznamu: + "kÄ¾ÃºÄ bol kompromitovaný" + Toto použite, pokiaľ si myslÃte, že k Vášmu tajnému kľúÄu zÃskali + prÃstup neoprávnené osoby. + "kÄ¾ÃºÄ je nahradený" + Toto použite, pokiaľ ste tento kÄ¾ÃºÄ nahradili novÅ¡Ãm kľúÄom. + "kÄ¾ÃºÄ sa už nepoužÃva" + Toto použite, pokiaľ tento kÄ¾ÃºÄ už nepoužÃvate. + "Identifikátor užÃvateľa už nie je platný" + Toto použite, pokiaľ by sa identifikátor užÃvateľa už nemal použÃvaÅ¥; + normálne sa použÃva na oznaÄenie neplatnej e-mailové adresy. + +. + +.gpg.ask_revocation_reason.text +Ak chcete, môžete vložiÅ¥ text popisujúcà pôvod vzniku tohto revokaÄného +ceritifikátu. ProsÃm, struÄne. +Text konÄà prázdnym riadkom. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.sv.txt b/doc/help.sv.txt new file mode 100644 index 0000000..0ac3be7 --- /dev/null +++ b/doc/help.sv.txt @@ -0,0 +1,286 @@ +# help..txt - GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.#gpg.edit_ownertrust.value +# fixme: Please translate and remove the hash mark from the key line. +It's up to you to assign a value here; this value will never be exported +to any 3rd party. We need it to implement the web-of-trust; it has nothing +to do with the (implicitly created) web-of-certificates. +. + +.#gpg.edit_ownertrust.set_ultimate.okay +# fixme: Please translate and remove the hash mark from the key line. +To build the Web-of-Trust, GnuPG needs to know which keys are +ultimately trusted - those are usually the keys for which you have +access to the secret key. Answer "yes" to set this key to +ultimately trusted + +. + +.#gpg.untrusted_key.override +# fixme: Please translate and remove the hash mark from the key line. +If you want to use this untrusted key anyway, answer "yes". +. + +.#gpg.pklist.user_id.enter +# fixme: Please translate and remove the hash mark from the key line. +Enter the user ID of the addressee to whom you want to send the message. +. + +.#gpg.keygen.algo +# fixme: Please translate and remove the hash mark from the key line. +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + +.#gpg.keygen.algo.rsa_se +# fixme: Please translate and remove the hash mark from the key line. +In general it is not a good idea to use the same key for signing and +encryption. This algorithm should only be used in certain domains. +Please consult your security expert first. +. + +.#gpg.keygen.size +# fixme: Please translate and remove the hash mark from the key line. +Enter the size of the key +. + +.#gpg.keygen.size.huge.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.size.large.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.valid +# fixme: Please translate and remove the hash mark from the key line. +Enter the required value as shown in the prompt. +It is possible to enter a ISO date (YYYY-MM-DD) but you won't +get a good error response - instead the system tries to interpret +the given value as an interval. +. + +.#gpg.keygen.valid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keygen.name +# fixme: Please translate and remove the hash mark from the key line. +Enter the name of the key holder +. + +.#gpg.keygen.email +# fixme: Please translate and remove the hash mark from the key line. +please enter an optional but highly suggested email address +. + +.#gpg.keygen.comment +# fixme: Please translate and remove the hash mark from the key line. +Please enter an optional comment +. + +.#gpg.keygen.userid.cmd +# fixme: Please translate and remove the hash mark from the key line. +N to change the name. +C to change the comment. +E to change the email address. +O to continue with key generation. +Q to to quit the key generation. +. + +.#gpg.keygen.sub.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" (or just "y") if it is okay to generate the sub key. +. + +.#gpg.sign_uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.sign_uid.class +# fixme: Please translate and remove the hash mark from the key line. +When you sign a user ID on a key, you should first verify that the key +belongs to the person named in the user ID. It is useful for others to +know how carefully you verified this. + +"0" means you make no particular claim as to how carefully you verified the + key. + +"1" means you believe the key is owned by the person who claims to own it + but you could not, or did not verify the key at all. This is useful for + a "persona" verification, where you sign the key of a pseudonymous user. + +"2" means you did casual verification of the key. For example, this could + mean that you verified the key fingerprint and checked the user ID on the + key against a photo ID. + +"3" means you did extensive verification of the key. For example, this could + mean that you verified the key fingerprint with the owner of the key in + person, and that you checked, by means of a hard to forge document with a + photo ID (such as a passport) that the name of the key owner matches the + name in the user ID on the key, and finally that you verified (by exchange + of email) that the email address on the key belongs to the key owner. + +Note that the examples given above for levels 2 and 3 are *only* examples. +In the end, it is up to you to decide just what "casual" and "extensive" +mean to you when you sign other keys. + +If you don't know what the right answer is, answer "0". +. + +.#gpg.change_passwd.empty.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.save.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.cancel.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" or "no" +. + +.#gpg.keyedit.sign_all.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you want to sign ALL the user IDs +. + +.#gpg.keyedit.remove.uid.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if you really want to delete this user ID. +All certificates are then also lost! +. + +.#gpg.keyedit.remove.subkey.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to delete the subkey +. + +.#gpg.keyedit.delsig.valid +# fixme: Please translate and remove the hash mark from the key line. +This is a valid signature on the key; you normally don't want +to delete this signature because it may be important to establish a +trust connection to the key or another key certified by this key. +. + +.#gpg.keyedit.delsig.unknown +# fixme: Please translate and remove the hash mark from the key line. +This signature can't be checked because you don't have the +corresponding key. You should postpone its deletion until you +know which key was used because this signing key might establish +a trust connection through another already certified key. +. + +.#gpg.keyedit.delsig.invalid +# fixme: Please translate and remove the hash mark from the key line. +The signature is not valid. It does make sense to remove it from +your keyring. +. + +.#gpg.keyedit.delsig.selfsig +# fixme: Please translate and remove the hash mark from the key line. +This is a signature which binds the user ID to the key. It is +usually not a good idea to remove such a signature. Actually +GnuPG might not be able to use this key anymore. So do this +only if this self-signature is for some reason not valid and +a second one is available. +. + +.#gpg.keyedit.updpref.okay +# fixme: Please translate and remove the hash mark from the key line. +Change the preferences of all user IDs (or just of the selected ones) +to the current list of preferences. The timestamp of all affected +self-signatures will be advanced by one second. + +. + +.#gpg.passphrase.enter +# fixme: Please translate and remove the hash mark from the key line. +Please enter the passphrase; this is a secret sentence + +. + +.#gpg.passphrase.repeat +# fixme: Please translate and remove the hash mark from the key line. +Please repeat the last passphrase, so you are sure what you typed in. +. + +.#gpg.detached_signature.filename +# fixme: Please translate and remove the hash mark from the key line. +Give the name of the file to which the signature applies +. + +.#gpg.openfile.overwrite.okay +# fixme: Please translate and remove the hash mark from the key line. +Answer "yes" if it is okay to overwrite the file +. + +.#gpg.openfile.askoutname +# fixme: Please translate and remove the hash mark from the key line. +Please enter a new filename. If you just hit RETURN the default +file (which is shown in brackets) will be used. +. + +.#gpg.ask_revocation_reason.code +# fixme: Please translate and remove the hash mark from the key line. +You should specify a reason for the certification. Depending on the +context you have the ability to choose from this list: + "Key has been compromised" + Use this if you have a reason to believe that unauthorized persons + got access to your secret key. + "Key is superseded" + Use this if you have replaced this key with a newer one. + "Key is no longer used" + Use this if you have retired this key. + "User ID is no longer valid" + Use this to state that the user ID should not longer be used; + this is normally used to mark an email address invalid. + +. + +.#gpg.ask_revocation_reason.text +# fixme: Please translate and remove the hash mark from the key line. +If you like, you can enter a text describing why you issue this +revocation certificate. Please keep this text concise. +An empty line ends the text. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.tr.txt b/doc/help.tr.txt new file mode 100644 index 0000000..086f191 --- /dev/null +++ b/doc/help.tr.txt @@ -0,0 +1,242 @@ +# help.tr.txt - tr GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +Bir deÄŸeri buraya iÅŸaretlemek size kalmış; bu deÄŸer herhangi bir 3. ÅŸahsa +gönderilmeyecek. Bir güvence ağı saÄŸlamak için bizim buna ihtiyacımız var; +bunun (açıkça belirtilmeden oluÅŸturulmuÅŸ) sertifikalar ağıyla +hiçbir alakası yok. +. + +.gpg.edit_ownertrust.set_ultimate.okay +Web-of-Trust oluÅŸturulabilmesi için GnuPG'ye hangi anahtarların son derece +güvenli (bunlar gizli anahtarlarına eriÅŸiminiz olan anahtarlardır) olduÄŸunun +bildirilmesi gerekir. "evet" yanıtı bu anahtarın son derece güvenli +olduÄŸunun belirtilmesi için yeterlidir. + +. + +.gpg.untrusted_key.override +Bu güvencesiz anahtarı yine de kullanmak istiyorsanız cevap olarak + "evet" yazın. +. + +.gpg.pklist.user_id.enter +Bu iletiyi göndereceÄŸiniz adresin kullanıcı kimliÄŸini giriniz. +. + +.gpg.keygen.algo +Kullanılacak algoritmayı seçiniz. + +DSA (nam-ı diÄŸer DSS) Sayısal Ä°mza Algortimasıdır ve +sadece imzalar için kullanılabilir. + +Elgamal sadece ÅŸifreleme amacıyla kullanılabilen bir algoritmadır. + +RSA hem imzalamak hem de ÅŸifrelemek amacıyla kullanılabilir. + +Ä°lk (asıl) anahtar daima imzalama yeteneÄŸine sahip bir anahtar olmalıdır. +. + +.gpg.keygen.algo.rsa_se +Genelde imzalama ve ÅŸifreleme için aynı anahtarı kullanmak iyi bir fikir +deÄŸildir. Bu algoritma sadece belli alanlarda kullanılabilir. +Lütfen güvenlik uzmanınıza danışın. +. + +.gpg.keygen.size +Anahtar uzunluÄŸunu giriniz +. + +.gpg.keygen.size.huge.okay +Cevap "evet" ya da "hayır" +. + +.gpg.keygen.size.large.okay +Cevap "evet" ya da "hayır" +. + +.gpg.keygen.valid +Ä°stenen deÄŸeri girin. ISO tarihi (YYYY-AA-GG) girmeniz mümkündür fakat +iyi bir hata cevabı alamazsınız -- onun yerine sistem verilen deÄŸeri +bir zaman aralığı olarak çözümlemeyi dener. +. + +.gpg.keygen.valid.okay +Cevap "evet" ya da "hayır" +. + +.gpg.keygen.name +Anahtar tutucunun ismini giriniz +. + +.gpg.keygen.email +lütfen bir E-posta adresi girin (isteÄŸe baÄŸlı ancak kuvvetle tavsiye edilir) +. + +.gpg.keygen.comment +Lütfen önbilgi girin (isteÄŸe baÄŸlı) +. + +.gpg.keygen.userid.cmd +S iSim deÄŸiÅŸtirmek için. +B önBilgiyi deÄŸiÅŸtirmek için. +P e-Posta adresini deÄŸiÅŸtirmek için. +D anahtar üretimine Devam etmek için. +K anahtar üretiminden çıKmak için. +. + +.gpg.keygen.sub.okay +Yardımcı anahtarı üretmek istiyorsanız "evet" ya da "e" girin. +. + +.gpg.sign_uid.okay +Cevap "evet" ya da "hayır" +. + +.gpg.sign_uid.class +Bir anahtarı bir kullanıcı kimlikle imzalamadan önce kullanıcı kimliÄŸin +içindeki ismin, anahtarın sahibine ait olup olmadığını kontrol etmelisiniz. + +"0" bu kontrolu yapmadığınız ve yapmayı da bilmediÄŸiniz anlamındadır. +"1" anahtar size sahibi tarafından gönderildi ama siz bu anahtarı baÅŸka + kaynaklardan doÄŸrulamadınız anlamındadır. Bu kiÅŸisel doÄŸrulama için + yeterlidir. En azında yarı anonim bir anahtar imzalaması yapmış + olursunuz. +"2" ayrıntılı bir inceleme yapıldığı anlamındadır. ÖrneÄŸin parmakizi ve + bir anahtarın foto kimliÄŸiyle kullanıcı kimliÄŸini karşılaÅŸtırmak + gibi denetimleri yapmışsınızdır. +"3" inceden inceye bir doÄŸrulama anlatır. ÖrneÄŸin, ÅŸahıstaki anahtarın + sahibi ile anahtar parmak izini karşılaÅŸtırmışsınızdır ve anahtardaki + kullanıcı kimlikte belirtilen isme ait bir basılı kimlik belgesindeki + bir fotoÄŸrafla ÅŸahsı karşılaÅŸtırmışsınızdır ve son olarak anahtar + sahibinin e-posta adresini kendisinin kullanmakta olduÄŸunu da + denetlemiÅŸsinizdir. +Burada 2 ve 3 için verilen örnekler *sadece* örnektir. +Eninde sonunda bir anahtarı imzalarken "ayrıntılı" ve "inceden inceye" kontroller arasındaki ayrıma siz karar vereceksiniz. +Bu kararı verebilecek durumda deÄŸilseniz "0" cevabını verin. +. + +.gpg.change_passwd.empty.okay +Cevap "evet" ya da "hayır" +. + +.gpg.keyedit.save.okay +Cevap "evet" ya da "hayır" +. + +.gpg.keyedit.cancel.okay +Cevap "evet" ya da "hayır" +. + +.gpg.keyedit.sign_all.okay +Kullanıcı kimliklerinin TÃœMünü imzalamak istiyorsanız "evet" ya da "yes" yazın +. + +.gpg.keyedit.remove.uid.okay +Bu kullanıcı kimliÄŸini gerçekten silmek istiyorsanız "evet" girin. +Böylece bütün sertifikaları kaybedeceksiniz! +. + +.gpg.keyedit.remove.subkey.okay +Bu yardımcı anahtarı silme izni vermek istiyorsanız "evet" girin +. + +.gpg.keyedit.delsig.valid +Bu, anahtar üzerinde geçerli bir imzadır; anahtara ya da bu anahtarla +sertifikalanmış bir diÄŸer anahtara bir güvence baÄŸlantısı saÄŸlamakta +önemli olabileceÄŸinden normalde bu imzayı silmek istemezsiniz. +. + +.gpg.keyedit.delsig.unknown +Bu imza, anahtarına sahip olmadığınızdan, kontrol edilemez. Bu imzanın +silinmesini hangi anahtarın kullanıldığını bilene kadar +ertelemelisiniz çünkü bu imzalama anahtarı baÅŸka bir sertifikalı +anahtar vasıtası ile bir güvence baÄŸlantısı saÄŸlayabilir. +. + +.gpg.keyedit.delsig.invalid +Ä°mza geçersiz. Anahtarlıktan kaldırmak uygun olacak. +. + +.gpg.keyedit.delsig.selfsig +Bu imza kullanıcı kimliÄŸini anahtara baÄŸlar. Öz-imzayı silmek hiç iyi +bir fikir deÄŸil. GnuPG bu anahtarı bir daha hiç kullanamayabilir. +Bunu sadece, eÄŸer bu öz-imza bazı durumlarda geçerli deÄŸilse ya da +kullanılabilir bir ikincisi var ise yapın. +. + +.gpg.keyedit.updpref.okay +Tüm kullanıcı kimlik tercihlerini (ya da seçilen birini) mevcut tercihler +listesine çevirir. Tüm etkilenen öz-imzaların zaman damgaları bir sonraki +tarafından öne alınacaktır. + +. + +.gpg.passphrase.enter +Lütfen bir anahtar parolası giriniz; yazdıklarınız görünmeyecek + +. + +.gpg.passphrase.repeat +Lütfen son parolayı tekrarlayarak ne yazdığınızdan emin olun. +. + +.gpg.detached_signature.filename +Ä°mzanın uygulanacağı dosyanın ismini verin +. + +.gpg.openfile.overwrite.okay +Dosyanın üzerine yazılacaksa lütfen "evet" yazın +. + +.gpg.openfile.askoutname +Lütfen yeni dosya ismini girin. Dosya ismini yazmadan RETURN tuÅŸlarsanız +parantez içinde gösterilen öntanımlı dosya kullanılacak. +. + +.gpg.ask_revocation_reason.code +Sertifikalama için bir sebep belirtmelisiniz. İçeriÄŸine baÄŸlı olarak +bu listeden seçebilirsiniz: + "Anahtar tehlikede" + Yetkisiz kiÅŸilerin gizli anahtarınıza eriÅŸebildiÄŸine inanıyorsanız + bunu seçin. + "Anahtar geçici" + Mevcut anahtarı daha yeni bir anahtar ile deÄŸiÅŸtirmiÅŸseniz bunu seçin. + "Anahtar artık kullanılmayacak" + Anahtarı emekliye ayıracaksanız bunu seçin. + "Kullanıcı kimliÄŸi artık geçersiz" + Kullanıcı kimliÄŸi artık kullanılamayacak durumdaysa bunu + seçin; genelde Eposta adresi geçersiz olduÄŸunda kullanılır. + +. + +.gpg.ask_revocation_reason.text +Ä°sterseniz, neden bu yürürlükten kaldırma sertifikasını +verdiÄŸinizi açıklayan bir metin girebilirsiniz. +Lütfen bu metin kısa olsun. Bir boÅŸ satır metni bitirir. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.txt b/doc/help.txt new file mode 100644 index 0000000..a172176 --- /dev/null +++ b/doc/help.txt @@ -0,0 +1,407 @@ +# help.txt - English GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +# Note that this help file needs to be UTF-8 encoded. When looking +# for a help item, GnuPG scans the help files in the following order +# (assuming a GNU or Unix system): +# +# /etc/gnupg/help.LL_TT.txt +# /etc/gnupg/help.LL.txt +# /etc/gnupg/help.txt +# /usr/share/gnupg/help.LL_TT.txt +# /usr/share/gnupg/help.LL.txt +# /usr/share/gnupg/help.txt +# +# Here LL_TT denotes the full name of the current locale with the +# territory (.e.g. "de_DE"), LL denotes just the locale name +# (e.g. "de"). The first matching item is returned. To put a dot or +# a hash mark at the beginning of a help text line, it needs to be +# prefixed with ". ". A single dot may be used to terminated ahelp +# entry. + +.#pinentry.qualitybar.tooltip +# [remove the hash mark from the key to enable this text] +# This entry is just an example on how to customize the tooltip shown +# when hovering over the quality bar of the pinentry. We don't +# install this text so that the hardcoded translation takes +# precedence. An administrator should write up a short help to tell +# the users about the configured passphrase constraints and save that +# to /etc/gnupg/help.txt. The help text should not be longer than +# about 800 characters. +This bar indicates the quality of the passphrase entered above. + +As long as the bar is shown in red, GnuPG considers the passphrase too +weak to accept. Please ask your administrator for details about the +configured passphrase constraints. +. + + +.gnupg.agent-problem +# There was a problem accessing or starting the agent. +It was either not possible to connect to a running Gpg-Agent or a +communication problem with a running agent occurred. + +The system uses a background process, called Gpg-Agent, for processing +private keys and to ask for passphrases. The agent is usually started +when the user logs in and runs as long the user is logged in. In case +that no agent is available, the system tries to start one on the fly +but that version of the agent is somewhat limited in functionality and +thus may lead to little problems. + +You probably need to ask your administrator on how to solve the +problem. As a workaround you might try to log out and in to your +session and see whether this helps. If this helps please tell the +administrator anyway because this indicates a bug in the software. +. + + +.gnupg.dirmngr-problem +# There was a problen accessing the dirmngr. +It was either not possible to connect to a running Dirmngr or a +communication problem with a running Dirmngr occurred. + +To lookup certificate revocation lists (CRLs), performing OCSP +validation and to lookup keys through LDAP servers, the system uses an +external service program named Dirmngr. The Dirmngr is usually running +as a system service (daemon) and does not need any attention by the +user. In case of problems the system might start its own copy of the +Dirmngr on a per request base; this is a workaround and yields limited +performance. + +If you encounter this problem, you should ask your system +administrator how to proceed. As an interim solution you may try to +disable CRL checking in gpgsm's configuration. +. + + +.gpg.edit_ownertrust.value +# The help identies prefixed with "gpg." used to be hard coded in gpg +# but may now be overridden by help texts from this file. +It's up to you to assign a value here; this value will never be exported +to any 3rd party. We need it to implement the web-of-trust; it has nothing +to do with the (implicitly created) web-of-certificates. +. + +.gpg.edit_ownertrust.set_ultimate.okay +To build the Web-of-Trust, GnuPG needs to know which keys are +ultimately trusted - those are usually the keys for which you have +access to the secret key. Answer "yes" to set this key to +ultimately trusted. + + +.gpg.untrusted_key.override +If you want to use this untrusted key anyway, answer "yes". +. + +.gpg.pklist.user_id.enter +Enter the user ID of the addressee to whom you want to send the message. +. + +.gpg.keygen.algo +Select the algorithm to use. + +DSA (aka DSS) is the Digital Signature Algorithm and can only be used +for signatures. + +Elgamal is an encrypt-only algorithm. + +RSA may be used for signatures or encryption. + +The first (primary) key must always be a key which is capable of signing. +. + + +.gpg.keygen.algo.rsa_se +In general it is not a good idea to use the same key for signing and +encryption. This algorithm should only be used in certain domains. +Please consult your security expert first. +. + + + +.gpg.keygen.keygrip +Enter the keygrip of the key to add. + +The keygrip is a string of 40 hex digits that identifies a key. It +must belong to a secret key or a secret subkey stored in your keyring. +. + + +.gpg.keygen.flags +Toggle the capabilities of the key. + +It is only possible to toggle those capabilities which are possible +for the selected algorithm. + +To quickly set the capabilities all at once it is possible to enter a +'=' as first character followed by a list of letters indicating the +capability to set: 's' for signing, 'e' for encryption, and 'a' for +authentication. Invalid letters and impossible capabilities are +ignored. This submenu is immediately closed after using this +shortcut. +. + + +.gpg.keygen.size +Enter the size of the key. + +The suggested default is usually a good choice. + +If you want to use a large key size, for example 4096 bit, please +think again whether it really makes sense for you. You may want +to view the web page http://www.xkcd.com/538/ . +. + +.gpg.keygen.size.huge.okay +Answer "yes" or "no". +. + + +.gpg.keygen.size.large.okay +Answer "yes" or "no". +. + + +.gpg.keygen.valid +Enter the required value as shown in the prompt. +It is possible to enter a ISO date (YYYY-MM-DD) but you won't +get a good error response - instead the system tries to interpret +the given value as an interval. +. + +.gpg.keygen.valid.okay +Answer "yes" or "no". +. + + +.gpg.keygen.name +Enter the name of the key holder. +The characters "<" and ">" are not allowed. +Example: Heinrich Heine +. + + +.gpg.keygen.email +Please enter an optional but highly suggested email address. +Example: heinrichh@duesseldorf.de +. + +.gpg.keygen.comment +Please enter an optional comment. +The characters "(" and ")" are not allowed. +In general there is no need for a comment. +. + + +.gpg.keygen.userid.cmd +# (Keep a leading empty line) + +N to change the name. +C to change the comment. +E to change the email address. +O to continue with key generation. +Q to quit the key generation. +. + +.gpg.keygen.sub.okay +Answer "yes" (or just "y") if it is okay to generate the sub key. +. + +.gpg.sign_uid.okay +Answer "yes" or "no". +. + +.gpg.sign_uid.class +When you sign a user ID on a key, you should first verify that the key +belongs to the person named in the user ID. It is useful for others to +know how carefully you verified this. + +"0" means you make no particular claim as to how carefully you verified the + key. + +"1" means you believe the key is owned by the person who claims to own it + but you could not, or did not verify the key at all. This is useful for + a "persona" verification, where you sign the key of a pseudonymous user. + +"2" means you did casual verification of the key. For example, this could + mean that you verified the key fingerprint and checked the user ID on the + key against a photo ID. + +"3" means you did extensive verification of the key. For example, this could + mean that you verified the key fingerprint with the owner of the key in + person, and that you checked, by means of a hard to forge document with a + photo ID (such as a passport) that the name of the key owner matches the + name in the user ID on the key, and finally that you verified (by exchange + of email) that the email address on the key belongs to the key owner. + +Note that the examples given above for levels 2 and 3 are *only* examples. +In the end, it is up to you to decide just what "casual" and "extensive" +mean to you when you sign other keys. + +If you don't know what the right answer is, answer "0". +. + +.gpg.change_passwd.empty.okay +Answer "yes" or "no". +. + + +.gpg.keyedit.save.okay +Answer "yes" or "no". +. + + +.gpg.keyedit.cancel.okay +Answer "yes" or "no". +. + +.gpg.keyedit.sign_all.okay +Answer "yes" if you want to sign ALL the user IDs. +. + +.gpg.keyedit.remove.uid.okay +Answer "yes" if you really want to delete this user ID. +All certificates are then also lost! +. + +.gpg.keyedit.remove.subkey.okay +Answer "yes" if it is okay to delete the subkey. +. + + +.gpg.keyedit.delsig.valid +This is a valid signature on the key; you normally don't want +to delete this signature because it may be important to establish a +trust connection to the key or another key certified by this key. +. + +.gpg.keyedit.delsig.unknown +This signature can't be checked because you don't have the +corresponding key. You should postpone its deletion until you +know which key was used because this signing key might establish +a trust connection through another already certified key. +. + +.gpg.keyedit.delsig.invalid +The signature is not valid. It does make sense to remove it from +your keyring. +. + +.gpg.keyedit.delsig.selfsig +This is a signature which binds the user ID to the key. It is +usually not a good idea to remove such a signature. Actually +GnuPG might not be able to use this key anymore. So do this +only if this self-signature is for some reason not valid and +a second one is available. +. + +.gpg.keyedit.updpref.okay +Change the preferences of all user IDs (or just of the selected ones) +to the current list of preferences. The timestamp of all affected +self-signatures will be advanced by one second. +. + + +.gpg.passphrase.enter +# (keep a leading empty line) + +Please enter the passphrase; this is a secret sentence. +. + + +.gpg.passphrase.repeat +Please repeat the last passphrase, so you are sure what you typed in. +. + +.gpg.detached_signature.filename +Give the name of the file to which the signature applies. +. + +.gpg.openfile.overwrite.okay +# openfile.c (overwrite_filep) +Answer "yes" if it is okay to overwrite the file. +. + +.gpg.openfile.askoutname +# openfile.c (ask_outfile_name) +Please enter a new filename. If you just hit RETURN the default +file (which is shown in brackets) will be used. +. + +.gpg.ask_revocation_reason.code +# revoke.c (ask_revocation_reason) +You should specify a reason for the revocation. Depending on the +context you have the ability to choose from this list: + "Key has been compromised" + Use this if you have a reason to believe that unauthorized persons + got access to your secret key. + "Key is superseded" + Use this if you have replaced this key with a newer one. + "Key is no longer used" + Use this if you have retired this key. + "User ID is no longer valid" + Use this to state that the user ID should not longer be used; + this is normally used to mark an email address invalid. +. + +.gpg.ask_revocation_reason.text +# revoke.c (ask_revocation_reason) +If you like, you can enter a text describing why you issue this +revocation certificate. Please keep this text concise. +An empty line ends the text. +. + +.gpg.tofu.conflict +# tofu.c +TOFU has detected another key with the same (or a very similar) email +address. It might be that the user created a new key. In this case, +you can safely trust the new key (but, confirm this by asking the +person). However, it could also be that the key is a forgery or there +is an active Man-in-the-Middle (MitM) attack. In this case, you +should mark the key as being bad, so that it is untrusted. Marking a +key as being untrusted means that any signatures will be considered +bad and attempts to encrypt to the key will be flagged. If you are +unsure and can't currently check, you should select either accept once +or reject once. +. + +.gpgsm.root-cert-not-trusted +# This text gets displayed by the audit log if +# a root certificates was not trusted. +The root certificate (the trust-anchor) is not trusted. Depending on +the configuration you may have been prompted to mark that root +certificate as trusted or you need to manually tell GnuPG to trust that +certificate. Trusted certificates are configured in the file +trustlist.txt in GnuPG's home directory. If you are in doubt, ask +your system administrator whether you should trust this certificate. + + +.gpgsm.crl-problem +# This text is displayed by the audit log for problems with +# the CRL or OCSP checking. +Depending on your configuration a problem retrieving the CRL or +performing an OCSP check occurred. There are a great variety of +reasons why this did not work. Check the manual for possible +solutions. + + +# Local variables: +# mode: default-generic +# coding: utf-8 +# End: diff --git a/doc/help.zh_CN.txt b/doc/help.zh_CN.txt new file mode 100644 index 0000000..7b199c2 --- /dev/null +++ b/doc/help.zh_CN.txt @@ -0,0 +1,233 @@ +# help.zh_CN.txt - zh_CN GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +在这里指定的数值完全由您自己决定;这些数值永远ä¸ä¼šè¢«è¾“出给任何第三方。 +我们需è¦å®ƒæ¥å®žçŽ°â€œä¿¡ä»»ç½‘络â€ï¼›è¿™è·Ÿéšå«å»ºç«‹èµ·æ¥çš„“验è¯ç½‘络â€æ— 关。 +. + +.gpg.edit_ownertrust.set_ultimate.okay +è¦å»ºç«‹èµ·ä¿¡ä»»ç½‘络,GnuPG 需è¦çŸ¥é“哪些密钥是å¯ç»å¯¹ä¿¡ä»»çš„――通常 +就是您拥有ç§é’¥çš„那些密钥。回甓yesâ€å°†æ¤å¯†é’¥è®¾æˆå¯ç»å¯¹ä¿¡ä»»çš„ + +. + +.gpg.untrusted_key.override +å¦‚æžœæ‚¨æ— è®ºå¦‚ä½•è¦ä½¿ç”¨è¿™æŠŠæœªè¢«ä¿¡ä»»çš„密钥,请回甓yesâ€ã€‚ +. + +.gpg.pklist.user_id.enter +输入您è¦é€’é€çš„æŠ¥æ–‡çš„æŽ¥æ”¶è€…çš„ç”¨æˆ·æ ‡è¯†ã€‚ +. + +.gpg.keygen.algo +选择使用的算法。 + +DSA (ä¹Ÿå« DSS)å³â€œæ•°å—ç¾å算法â€(ç¾Žå›½å›½å®¶æ ‡å‡†),åªèƒ½å¤Ÿç”¨ä½œç¾å。 + +Elgamal 是一ç§åªèƒ½ç”¨ä½œåŠ 密的算法。 + +RSA å¯ä»¥ç”¨ä½œç¾åæˆ–åŠ å¯†ã€‚ + +第一把密钥(主钥)必须具有ç¾å的能力。 +. + +.gpg.keygen.algo.rsa_se +通常æ¥è¯´ç”¨åŒä¸€æŠŠå¯†é’¥ç¾ååŠåŠ 密并ä¸æ˜¯ä¸ªå¥½ä¸»æ„。这个算法åªåœ¨ç‰¹å®šçš„情况 +下使用。请先咨询安全方é¢çš„专家。 +. + +.gpg.keygen.size +请输入密钥的尺寸 +. + +.gpg.keygen.size.huge.okay +请回甓yesâ€æˆ–“no†+. + +.gpg.keygen.size.large.okay +请回甓yesâ€æˆ–“no†+. + +.gpg.keygen.valid +请输入æ示所è¦æ±‚的数值。 +您å¯ä»¥è¾“å…¥ ISO æ—¥æœŸæ ¼å¼(YYYY-MM-DD),但是出错时您ä¸ä¼šå¾—到å‹å¥½çš„å“应 +――系统会å°è¯•å°†ç»™å®šå€¼è§£é‡Šä¸ºæ—¶é—´é—´éš”。 +. + +.gpg.keygen.valid.okay +请回甓yesâ€æˆ–“no†+. + +.gpg.keygen.name +请输入密钥æŒæœ‰äººçš„åå— +. + +.gpg.keygen.email +请输入电å邮件地å€(å¯é€‰é¡¹ï¼Œä½†å¼ºçƒˆæŽ¨è使用) +. + +.gpg.keygen.comment +请输入注释(å¯é€‰é¡¹) +. + +.gpg.keygen.userid.cmd +N 修改姓å。 +C 修改注释。 +E 修改电å邮件地å€ã€‚ +O 继ç»äº§ç”Ÿå¯†é’¥ã€‚ +Q ä¸æ¢äº§ç”Ÿå¯†é’¥ã€‚ +. + +.gpg.keygen.sub.okay +如果您å…许生æˆå钥,请回甓yesâ€(或者“yâ€)。 +. + +.gpg.sign_uid.okay +请回甓yesâ€æˆ–“no†+. + +.gpg.sign_uid.class +当您为æŸæŠŠå¯†é’¥ä¸ŠæŸä¸ªç”¨æˆ·æ ‡è¯†æ·»åŠ ç¾å时,您必须首先验è¯è¿™æŠŠå¯†é’¥ç¡®å®žå±žäºŽ +ç½²åäºŽå®ƒçš„ç”¨æˆ·æ ‡è¯†ä¸Šçš„é‚£ä¸ªäººã€‚äº†è§£åˆ°æ‚¨æ›¾å¤šä¹ˆè°¨æ…Žåœ°å¯¹æ¤è¿›è¡Œè¿‡éªŒè¯ï¼Œå¯¹å…¶ +他人是éžå¸¸æœ‰ç”¨çš„ + +“0†表示您对您有多么仔细地验è¯è¿™æŠŠå¯†é’¥çš„问题ä¸è¡¨æ€ã€‚ + +“1†表示您相信这把密钥属于那个声明是主人的人,但是您ä¸èƒ½æˆ–æ ¹æœ¬æ²¡æœ‰éªŒ + è¯è¿‡ã€‚如果您为一把属于类似虚拟人物的密钥ç¾å,这个选择很有用。 + +“2†表示您éšæ„地验è¯äº†é‚£æŠŠå¯†é’¥ã€‚例如,您验è¯äº†è¿™æŠŠå¯†é’¥çš„指纹,或比对 + 照片验è¯äº†ç”¨æˆ·æ ‡è¯†ã€‚ + +“3†表示您åšäº†å¤§é‡è€Œè¯¦å°½çš„验è¯å¯†é’¥å·¥ä½œã€‚例如,您åŒå¯†é’¥æŒæœ‰äººéªŒè¯äº†å¯† + é’¥æŒ‡çº¹ï¼Œè€Œä¸”é€šè¿‡æŸ¥éªŒé™„å¸¦ç…§ç‰‡è€Œéš¾ä»¥ä¼ªé€ çš„è¯ä»¶(如护照)ç¡®è®¤äº†å¯†é’¥æŒ + 有人的姓åä¸Žå¯†é’¥ä¸Šçš„ç”¨æˆ·æ ‡è¯†ä¸€è‡´ï¼Œæœ€åŽæ‚¨è¿˜(通过电å邮件往æ¥)éªŒè¯ + 了密钥上的电å邮件地å€ç¡®å®žå±žäºŽå¯†é’¥æŒæœ‰äººã€‚ + +请注æ„上述关于验è¯çº§åˆ« 2 å’Œ 3 的说明仅是例å而已。最终还是由您自己决定 +当您为其他密钥ç¾å时,什么是“éšæ„â€ï¼Œè€Œä»€ä¹ˆæ˜¯â€œå¤§é‡è€Œè¯¦å°½â€ã€‚ + +如果您ä¸çŸ¥é“应该选什么ç”案的è¯ï¼Œå°±é€‰â€œ0â€ã€‚ +. + +.gpg.change_passwd.empty.okay +请回甓yesâ€æˆ–“no†+. + +.gpg.keyedit.save.okay +请回甓yesâ€æˆ–“no†+. + +.gpg.keyedit.cancel.okay +请回甓yesâ€æˆ–“no†+. + +.gpg.keyedit.sign_all.okay +如果您想è¦ä¸ºæ‰€æœ‰ç”¨æˆ·æ ‡è¯†ç¾åçš„è¯å°±é€‰â€œyes†+. + +.gpg.keyedit.remove.uid.okay +如果您真的想è¦åˆ é™¤è¿™ä¸ªç”¨æˆ·æ ‡è¯†çš„è¯å°±å›žç”“yesâ€ã€‚ +所有相关认è¯åœ¨æ¤ä¹‹åŽä¹Ÿä¼šä¸¢å¤±ï¼ +. + +.gpg.keyedit.remove.subkey.okay +如果å¯ä»¥åˆ 除这把å钥,请回甓yes†+. + +.gpg.keyedit.delsig.valid +这是一份在这把密钥上有效的ç¾å;通常您ä¸ä¼šæƒ³è¦åˆ 除这份ç¾å, +å› ä¸ºè¦ä¸Žè¿™æŠŠå¯†é’¥æˆ–拥有这把密钥的ç¾å的密钥建立认è¯å…³ç³»å¯èƒ½ +相当é‡è¦ã€‚ +. + +.gpg.keyedit.delsig.unknown +这份ç¾åæ— æ³•è¢«æ£€éªŒï¼Œå› ä¸ºæ‚¨æ²¡æœ‰ç›¸åº”çš„å¯†é’¥ã€‚æ‚¨åº”è¯¥æš‚ç¼“åˆ é™¤å®ƒï¼Œ +直到您知é“æ¤ç¾åä½¿ç”¨äº†å“ªä¸€æŠŠå¯†é’¥ï¼›å› ä¸ºç”¨æ¥ç¾å的密钥å¯èƒ½ä¸Ž +其他已ç»éªŒè¯çš„密钥å˜åœ¨ä¿¡ä»»å…³ç³»ã€‚ +. + +.gpg.keyedit.delsig.invalid +这份ç¾åæ— æ•ˆã€‚åº”å½“æŠŠå®ƒä»Žæ‚¨çš„é’¥åŒ™çŽ¯é‡Œåˆ é™¤ã€‚ +. + +.gpg.keyedit.delsig.selfsig +è¿™æ˜¯ä¸€ä»½å°†å¯†é’¥ä¸Žç”¨æˆ·æ ‡è¯†ç›¸è”系的ç¾å。通常ä¸åº”åˆ é™¤è¿™æ ·çš„ç¾å。 +äº‹å®žä¸Šï¼Œä¸€æ—¦åˆ é™¤ï¼ŒGnuPGå¯èƒ½ä»Žæ¤å°±ä¸èƒ½å†ä½¿ç”¨è¿™æŠŠå¯†é’¥äº†ã€‚å› æ¤ï¼Œ +åªæœ‰åœ¨è¿™æŠŠå¯†é’¥çš„第一个自身ç¾åå› æŸäº›åŽŸå› å¤±æ•ˆï¼Œè€Œæœ‰ç¬¬äºŒä¸ªè‡ªèº«ç¾ +å—å¯ç”¨çš„情况下æ‰è¿™ä¹ˆåšã€‚ +. + +.gpg.keyedit.updpref.okay +用现有的首选项更新所有(或选定的)ç”¨æˆ·æ ‡è¯†çš„é¦–é€‰é¡¹ã€‚æ‰€æœ‰å—å½±å“çš„è‡ªèº«ç¾ +å—çš„æ—¶é—´æˆ³éƒ½ä¼šå¢žåŠ ä¸€ç§’é’Ÿã€‚ + +. + +.gpg.passphrase.enter +请输入密ç :这是一个秘密的å¥å + +. + +.gpg.passphrase.repeat +请å†æ¬¡è¾“入上次的密ç ,以确定您到底键入了些什么。 +. + +.gpg.detached_signature.filename +请给定è¦æ·»åŠ ç¾å的文件å +. + +.gpg.openfile.overwrite.okay +如果å¯ä»¥è¦†ç›–这个文件,请回甓yes†+. + +.gpg.openfile.askoutname +请输入一个新的文件å。如果您直接按下了回车,那么就会使用显示在括 +å·ä¸çš„默认的文件å。 +. + +.gpg.ask_revocation_reason.code +您应该为这份åŠé”€è¯ä¹¦æŒ‡å®šä¸€ä¸ªåŽŸå› ã€‚æ ¹æ®æƒ…境的ä¸åŒï¼Œæ‚¨å¯ä»¥ä»Žä¸‹åˆ—清å•ä¸ +选出一项: + “密钥已泄æ¼â€ + 如果您相信有æŸä¸ªæœªç»è®¸å¯çš„人已å–得了您的ç§é’¥ï¼Œè¯·é€‰æ¤é¡¹ã€‚ + “密钥已替æ¢â€ + 如果您已用一把新密钥代替旧的,请选æ¤é¡¹ã€‚ + “密钥ä¸å†è¢«ä½¿ç”¨â€ + 如果您已决定让这把密钥退休,请选æ¤é¡¹ + â€œç”¨æˆ·æ ‡è¯†ä¸å†æœ‰æ•ˆâ€ + å¦‚æžœè¿™ä¸ªç”¨æˆ·æ ‡è¯†ä¸å†è¢«ä½¿ç”¨äº†ï¼Œè¯·é€‰æ¤é¡¹ï¼›è¿™é€šå¸¸ç”¨è¡¨æ˜ŽæŸä¸ªç”µåé‚® + 件地å€å·²ä¸å†æœ‰æ•ˆã€‚ + +. + +.gpg.ask_revocation_reason.text +您也å¯ä»¥è¾“入一串文å—,æè¿°å‘布这份åŠé”€è¯ä¹¦çš„ç†ç”±ã€‚请尽é‡ä½¿è¿™æ®µæ–‡ +å—简明扼è¦ã€‚ +键入一空行以结æŸè¾“入。 + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/help.zh_TW.txt b/doc/help.zh_TW.txt new file mode 100644 index 0000000..5665b70 --- /dev/null +++ b/doc/help.zh_TW.txt @@ -0,0 +1,245 @@ +# help.zh_TW.txt - zh_TW GnuPG online help +# Copyright (C) 2007 Free Software Foundation, Inc. +# +# This file is part of GnuPG. +# +# GnuPG is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# GnuPG is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see <https://www.gnu.org/licenses/>. + + +.gpg.edit_ownertrust.value +在這裡指派的數值完全是看妳自己決定; 這些數值永é ä¸æœƒè¢«åŒ¯å‡ºçµ¦å…¶ä»–人. +我們需è¦å®ƒä¾†å¯¦æ–½ä¿¡ä»»ç¶²çµ¡; 這跟 (自動建立起的) 憑è‰ç¶²çµ¡ä¸€é»žé—œä¿‚也沒有. +. + +.gpg.edit_ownertrust.set_ultimate.okay +è¦å»ºç«‹èµ·ä¿¡ä»»ç¶²çµ¡, GnuPG 需è¦çŸ¥é“哪些金鑰是被徹底信任的 - +那些金鑰通常就是妳有辦法å˜å–到ç§é‘°çš„. å›žç” "yes" 來將這些 +金鑰è¨æˆè¢«å¾¹åº•ä¿¡ä»»çš„ + +. + +.gpg.untrusted_key.override +如果妳無論如何想è¦ä½¿ç”¨é€™æŠŠæœªè¢«ä¿¡ä»»çš„金鑰, è«‹å›žç” "yes". +. + +.gpg.pklist.user_id.enter +輸入妳è¦éžé€çš„訊æ¯æŽ¥æ”¶è€…的使用者 ID. +. + +.gpg.keygen.algo +è«‹é¸æ“‡è¦ä½¿ç”¨çš„演算法. + +DSA (äº¦å³ DSS) 是數ä½ç°½ç« 演算法 (Digital Signature Algorithm), +祇能用於簽署. + +Elgamal æ˜¯ç¥‡èƒ½ç”¨æ–¼åŠ å¯†çš„æ¼”ç®—æ³•. + +RSA å¯ä»¥è¢«ç”¨ä¾†ç°½ç½²åŠåŠ 密. + +第一把 (主è¦çš„) 金鑰一定è¦å«æœ‰èƒ½ç”¨æ–¼ç°½ç½²çš„金鑰. +. + +.gpg.keygen.algo.rsa_se +通常來說用åŒä¸€æŠŠé‡‘鑰簽署åŠåŠ 密並ä¸æ˜¯å€‹å¥½ä¸»æ„. +這個演算法應該祇被用於特定的情æ³ä¸‹. +è«‹å…ˆè¯çµ¡å¦³çš„安全專家. +. + +.gpg.keygen.size +請輸入金鑰的尺寸 +. + +.gpg.keygen.size.huge.okay +è«‹å›žç” "yes" 或 "no" +. + +.gpg.keygen.size.large.okay +è«‹å›žç” "yes" 或 "no" +. + +.gpg.keygen.valid +請輸入æ示裡所è¦æ±‚的數值. +妳å¯ä»¥è¼¸å…¥ ISO æ—¥æœŸæ ¼å¼ (YYYY-MM-DD), 但是ä¸æœƒå¾—到良好的錯誤回應 - +å之, 系統會試著把給定的數值ä¸æ–·æˆè‹¥å¹²ç‰‡æ®µ. +. + +.gpg.keygen.valid.okay +è«‹å›žç” "yes" 或 "no" +. + +.gpg.keygen.name +請輸入金鑰æŒæœ‰äººçš„åå— +. + +.gpg.keygen.email +請輸入é¸ç”¨ (但強烈建è°ä½¿ç”¨) çš„é›»å郵件ä½å€ +. + +.gpg.keygen.comment +請輸入é¸ç”¨çš„註釋 +. + +.gpg.keygen.userid.cmd +N 修改姓å. +C 修改註釋. +E 修改電å郵件ä½å€. +O 繼續產生金鑰. +Q ä¸æ¢ç”¢ç”Ÿé‡‘é‘°. +. + +.gpg.keygen.sub.okay +如果妳覺得產生åé‘°å¯ä»¥çš„話, å°±å›žç” "yes" (æˆ–è€…ç¥‡è¦ "y"). +. + +.gpg.sign_uid.okay +è«‹å›žç” "yes" 或 "no" +. + +.gpg.sign_uid.class +當妳在æŸæŠŠé‡‘鑰上簽署æŸå€‹ä½¿ç”¨è€… ID, å¦³é¦–å…ˆå¿…é ˆå…ˆé©—è‰é‚£æŠŠ +金鑰確實屬於那個使用者 ID 上å«é‚£å€‹åå—的人. 這å°é‚£äº›çŸ¥é“ +妳多å°å¿ƒé©—è‰çš„人來說很有用. + +"0" 表示妳ä¸èƒ½æ出任何特別的主張來表明 + 妳多仔細驗è‰é‚£æŠŠé‡‘é‘° + +"1" 表示妳相信這把金鑰屬於那個主張是主人的人, + 但是妳ä¸èƒ½æˆ–沒有驗è‰é‚£æŠŠé‡‘é‘°. + 這å°é‚£äº›ç¥‡æƒ³è¦ "個人的" é©—è‰çš„人來說很有用, + å› ç‚ºå¦³ç°½ç½²äº†ä¸€æŠŠæ“¬ä¼¼åŒ¿å使用者的金鑰. + +"2" 表示妳真的仔細驗è‰äº†é‚£æŠŠé‡‘é‘°. + 例如說, 這能表示妳驗è‰äº†é€™æŠŠé‡‘鑰的指紋和 + 使用者 ID, 並比å°äº†ç…§ç‰‡ ID. + +"3" 表示妳真的åšäº†å¤§è¦æ¨¡çš„é©—è‰é‡‘鑰工作. + 例如說, 這能表示妳å‘金鑰æŒæœ‰äººé©—è‰äº†é‡‘鑰指紋, + 而且妳é€éŽé™„帶照片而難以å½é€ 的文件 (åƒæ˜¯è·ç…§) + 確èªäº†é‡‘é‘°æŒæœ‰äººçš„姓å與金鑰上使用者 ID 的一致, + 最後妳還 (é€éŽé›»å郵件往來) é©—è‰äº†é‡‘鑰上的 + é›»å郵件ä½å€ç¢ºå¯¦å±¬æ–¼é‡‘é‘°æŒæœ‰äºº. + +請注æ„上述關於ç‰ç´š 2 å’Œ 3 的例å "祇是" 例å而已. +最後, 還是得由妳自己決定當妳簽署其他金鑰時, +甚麼是 "漫ä¸ç¶“心", 而甚麼是 "超級謹慎". + +如果妳ä¸çŸ¥é“應該é¸ç”šéº¼ç”案的話, å°±é¸ "0". +. + +.gpg.change_passwd.empty.okay +è«‹å›žç” "yes" 或 "no" +. + +.gpg.keyedit.save.okay +è«‹å›žç” "yes" 或 "no" +. + +.gpg.keyedit.cancel.okay +è«‹å›žç” "yes" 或 "no" +. + +.gpg.keyedit.sign_all.okay +如果妳想è¦ç°½ç½² *所有* 使用者 ID çš„è©±å°±å›žç” "yes" +. + +.gpg.keyedit.remove.uid.okay +如果妳真的想è¦åˆªé™¤é€™å€‹ä½¿ç”¨è€… ID çš„è©±å°±å›žç” "yes". +所有的憑è‰åœ¨é‚£ä¹‹å¾Œä¹Ÿéƒ½æœƒå¤±åŽ»! +. + +.gpg.keyedit.remove.subkey.okay +如果刪除這把åé‘°æ²’å•é¡Œçš„è©±å°±å›žç” "yes" +. + +.gpg.keyedit.delsig.valid +é€™æ˜¯ä¸€ä»½åœ¨é€™æŠŠé‡‘é‘°ä¸Šæœ‰æ•ˆçš„ç°½ç« ; 通常妳ä¸æœƒæƒ³è¦åˆªé™¤é€™ä»½ç°½ç« , +å› ç‚ºè¦è·Ÿåˆ¥çš„金鑰建立起信任連çµ, æˆ–ç”±é€™æŠŠé‡‘é‘°æ‰€ç°½ç½²çš„é‡‘é‘°æ†‘è‰ +會是一件相當é‡è¦çš„事. +. + +.gpg.keyedit.delsig.unknown +é€™ä»½ç°½ç« ç„¡æ³•è¢«æª¢é©—, å› ç‚ºå¦³æ²’æœ‰ç¬¦åˆçš„金鑰. 妳應該延緩刪除它, +直到妳知é“哪一把金鑰被使用了; å› ç‚ºé€™æŠŠä¾†ç°½ç½²çš„é‡‘é‘°å¯èƒ½é€éŽ +其他已經驗è‰çš„金鑰建立了一個信任連çµ. +. + +.gpg.keyedit.delsig.invalid +é€™ä»½ç°½ç« ç„¡æ•ˆ. 把它從妳的鑰匙圈裡移去相當åˆç†. +. + +.gpg.keyedit.delsig.selfsig +這是一份和這個金鑰使用者 ID ç›¸ç¹«çš„ç°½ç« . 通常 +æŠŠé€™æ¨£çš„ç°½ç« ç§»é™¤ä¸æœƒæ˜¯å€‹å¥½é»žå. 事實上 GnuPG +å¯èƒ½å¾žæ¤å°±ä¸èƒ½å†ä½¿ç”¨é€™æŠŠé‡‘鑰了. 所以祇有在這 +æŠŠé‡‘é‘°çš„ç¬¬ä¸€å€‹è‡ªæˆ‘ç°½ç« å› æŸäº›åŽŸå› 無效, 而第二 +個還å¯ç”¨çš„情æ³ä¸‹çº”這麼åš. +. + +.gpg.keyedit.updpref.okay +變更所有 (或祇有被é¸å–的那幾個) 使用者 ID çš„å好æˆç¾ç”¨çš„å好清單. +所有å—åˆ°å½±éŸ¿çš„è‡ªæˆ‘ç°½ç« çš„æ™‚é–“æˆ³è¨˜éƒ½æœƒå¢žåŠ ä¸€ç§’é˜. + +. + +.gpg.passphrase.enter +請輸入密語; 這是一個秘密的å¥å + +. + +.gpg.passphrase.repeat +è«‹å†æ¬¡è¼¸å…¥æœ€å¾Œçš„密語, 以確定妳到底éµé€²äº†äº›ç”šéº¼. +. + +.gpg.detached_signature.filename +è«‹çµ¦å®šç°½ç« æ‰€è¦å¥—用的檔案å稱 +. + +.gpg.openfile.overwrite.okay +如果覆寫這個檔案沒有å•é¡Œçš„è©±å°±å›žç” "yes" +. + +.gpg.openfile.askoutname +請輸入一個新的檔å. 如果妳直接按下了 Enter, 那麼 +就會使用é è¨çš„檔案 (顯示在括號ä¸). +. + +.gpg.ask_revocation_reason.code +妳應該為這份憑è‰æŒ‡å®šä¸€å€‹åŽŸå› . +æ ¹æ“šæƒ…å¢ƒçš„ä¸åŒ, 妳應該å¯ä»¥å¾žé€™å€‹æ¸…å–®ä¸é¸å‡ºä¸€é …: + "金鑰已經被洩æ¼äº†" + 如果妳相信有æŸå€‹æœªç¶“許å¯çš„傢伙å–得了妳的ç§é‘°çš„話, + å°±é¸é€™å€‹. + "金鑰被代æ›äº†" + 如果妳把妳的金鑰æ›æˆæ–°çš„了, å°±é¸é€™å€‹. + "金鑰ä¸å†è¢«ä½¿ç”¨äº†" + 如果妳已經撤回了這把金鑰, å°±é¸é€™å€‹. + "使用者 ID ä¸å†æœ‰æ•ˆäº†" + 如果這個使用者 ID ä¸å†è¢«ä½¿ç”¨äº†, å°±é¸é€™å€‹; + 這通常用來表示æŸå€‹é›»å郵件ä½å€ä¸å†æœ‰æ•ˆäº†. + +. + +.gpg.ask_revocation_reason.text +妳也å¯ä»¥è¼¸å…¥ä¸€ä¸²æ–‡å—來æ述為甚麼發佈這份撤銷憑è‰çš„ç†ç”±. +請讓這段文å—ä¿æŒç°¡æ˜Žæ‰¼è¦. +éµå…¥ç©ºç™½åˆ—以çµæŸé€™æ®µæ–‡å—. + +. + + + +# Local variables: +# mode: fundamental +# coding: utf-8 +# End: diff --git a/doc/howto-create-a-server-cert.texi b/doc/howto-create-a-server-cert.texi new file mode 100644 index 0000000..30e28bd --- /dev/null +++ b/doc/howto-create-a-server-cert.texi @@ -0,0 +1,274 @@ +@node Howto Create a Server Cert +@section Creating a TLS server certificate + + +Here is a brief run up on how to create a server certificate. It has +actually been done this way to get a certificate from CAcert to be used +on a real server. It has only been tested with this CA, but there +shouldn't be any problem to run this against any other CA. + +We start by generating an X.509 certificate signing request. As there +is no need for a configuration file, you may simply enter: + +@cartouche +@example + $ gpgsm --generate-key >example.com.cert-req.pem + Please select what kind of key you want: + (1) RSA + (2) Existing key + (3) Existing key from card + Your selection? 1 +@end example +@end cartouche + +I opted for creating a new RSA key. The other option is to use an +already existing key, by selecting @kbd{2} and entering the so-called +keygrip. Running the command @samp{gpgsm --dump-secret-key USERID} +shows you this keygrip. Using @kbd{3} offers another menu to create a +certificate directly from a smart card based key. + +Let's continue: + +@cartouche +@example + What keysize do you want? (3072) + Requested keysize is 3072 bits +@end example +@end cartouche + +Hitting enter chooses the default RSA key size of 3072 bits. Keys +smaller than 2048 bits are too weak on the modern Internet. If you +choose a larger (stronger) key, your server will need to do more work. + +@cartouche +@example + Possible actions for a RSA key: + (1) sign, encrypt + (2) sign + (3) encrypt + Your selection? 1 +@end example +@end cartouche + +Selecting ``sign'' enables use of the key for Diffie-Hellman key +exchange mechanisms (DHE and ECDHE) in TLS, which are preferred +because they offer forward secrecy. Selecting ``encrypt'' enables RSA +key exchange mechanisms, which are still common in some places. +Selecting both enables both key exchange mechanisms. + +Now for some real data: + +@cartouche +@example + Enter the X.509 subject name: CN=example.com +@end example +@end cartouche + +This is the most important value for a server certificate. Enter here +the canonical name of your server machine. You may add other virtual +server names later. + +@cartouche +@example + E-Mail addresses (end with an empty line): + > +@end example +@end cartouche + +We don't need email addresses in a TLS server certificate and CAcert +would anyway ignore such a request. Thus just hit enter. + +If you want to create a client certificate for email encryption, this +would be the place to enter your mail address +(e.g. @email{joe@@example.org}). You may enter as many addresses as you like, +however the CA may not accept them all or reject the entire request. + +@cartouche +@example + Enter DNS names (optional; end with an empty line): + > example.com + > www.example.com + > +@end example +@end cartouche + +Here I entered the names of the services which the machine actually +provides. You almost always want to include the canonical name here +too. The browser will accept a certificate for any of these names. As +usual the CA must approve all of these names. + +@cartouche +@example + URIs (optional; end with an empty line): + > +@end example +@end cartouche + +It is possible to insert arbitrary URIs into a certificate; for a server +certificate this does not make sense. + +@cartouche +@example + Create self-signed certificate? (y/N) +@end example +@end cartouche + +Since we are creating a certificate signing request, and not a full +certificate, we answer no here, or just hit enter for the default. + +We have now entered all required information and @command{gpgsm} will +display what it has gathered and ask whether to create the certificate +request: + +@cartouche +@example + These parameters are used: + Key-Type: RSA + Key-Length: 3072 + Key-Usage: sign, encrypt + Name-DN: CN=example.com + Name-DNS: example.com + Name-DNS: www.example.com + + Proceed with creation? (y/N) y +@end example +@end cartouche + +@command{gpgsm} will now start working on creating the request. As this +includes the creation of an RSA key it may take a while. During this +time you will be asked 3 times for a passphrase to protect the created +private key on your system. A pop up window will appear to ask for +it. The first two prompts are for the new passphrase and for re-entering it; +the third one is required to actually create the certificate signing request. + +When it is ready, you should see the final notice: + +@cartouche +@example + Ready. You should now send this request to your CA. +@end example +@end cartouche + +Now, you may look at the created request: + +@cartouche +@example + $ cat example.com.cert-req.pem + -----BEGIN CERTIFICATE REQUEST----- + MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3 + DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW + h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC + Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW + GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm + DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n + xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq + hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs + ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN + b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ + hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D + bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk + VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3 + k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU= + -----END CERTIFICATE REQUEST----- + $ +@end example +@end cartouche + +You may now proceed by logging into your account at the CAcert website, +choose @code{Server Certificates - New}, check @code{sign by class 3 root +certificate}, paste the above request block into the text field and +click on @code{Submit}. + +If everything works out fine, a certificate will be shown. Now run + +@cartouche +@example +$ gpgsm --import +@end example +@end cartouche + +and paste the certificate from the CAcert page into your terminal +followed by a Ctrl-D + +@cartouche +@example + -----BEGIN CERTIFICATE----- + MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl + [...] + rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs + Rtct3tIX + -----END CERTIFICATE----- + gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found + gpgsm: certificate imported + + gpgsm: total number processed: 1 + gpgsm: imported: 1 +@end example +@end cartouche + +@command{gpgsm} tells you that it has imported the certificate. It is now +associated with the key you used when creating the request. The root +certificate has not been found, so you may want to import it from the +CACert website. + +To see the content of your certificate, you may now enter: + +@cartouche +@example + $ gpgsm -K example.com + /home/foo/.gnupg/pubring.kbx + --------------------------- + Serial number: 4C + Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...] + Subject: /CN=example.com + aka: (dns-name example.com) + aka: (dns-name www.example.com) + validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51 + key type: 3072 bit RSA + key usage: digitalSignature keyEncipherment + ext key usage: clientAuth (suggested), serverAuth (suggested), [...] + fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57 +@end example +@end cartouche + +I used @option{-K} above because this will only list certificates for +which a private key is available. To see more details, you may use +@option{--dump-secret-keys} instead of @option{-K}. + + +To make actual use of the certificate you need to install it on your +server. Server software usually expects a PKCS\#12 file with key and +certificate. To create such a file, run: + +@cartouche +@example + $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem +@end example +@end cartouche + +You will be asked for the passphrase as well as for a new passphrase to +be used to protect the PKCS\#12 file. The file now contains the +certificate as well as the private key: + +@cartouche +@example + $ cat example-cert.pem + Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...] + Serial ...: 4C + Subject ..: /CN=example.com + aka ..: (dns-name example.com) + aka ..: (dns-name www.example.com) + + -----BEGIN PKCS12----- + MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu + [...many more lines...] + -----END PKCS12----- + $ +@end example +@end cartouche + +Copy this file in a secure way to the server, install it there and +delete the file then. You may export the file again at any time as long +as it is available in GnuPG's private key database. + + diff --git a/doc/howtos.texi b/doc/howtos.texi new file mode 100644 index 0000000..bd48de0 --- /dev/null +++ b/doc/howtos.texi @@ -0,0 +1,15 @@ +@c Copyright (C) 2007 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file gnupg.texi. + +@node Howtos +@chapter How to do certain things + +This is a collection of small howto documents. + +@menu +* Howto Create a Server Cert:: Creating a TLS server certificate. +@end menu + + +@include howto-create-a-server-cert.texi diff --git a/doc/instguide.texi b/doc/instguide.texi new file mode 100644 index 0000000..bf99a5c --- /dev/null +++ b/doc/instguide.texi @@ -0,0 +1,77 @@ +@c instguide.texi - Installation guide for GnuPG +@c Copyright (C) 2006 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file gnupg.texi. + +@node Installation +@chapter A short installation guide + +Unfortunately the installation guide has not been finished in time. +Instead of delaying the release of GnuPG 2.0 even further, I decided to +release without that guide. The chapter on gpg-agent and gpgsm do +include brief information on how to set up the whole thing. Please +watch the GnuPG website for updates of the documentation. In the +meantime you may search the GnuPG mailing list archives or ask on the +gnupg-users mailing list for advise on how to solve problems or how to +get that whole thing up and running. + +** Building the software + +Building the software is described in the file @file{INSTALL}. Given +that you are already reading this documentation we can only give some +extra hints. + +To comply with the rules on GNU systems you should have build time +configured @command{gnupg} using: + +@example +./configure --sysconfdir=/etc --localstatedir=/var +@end example + +This is to make sure that system wide configuration files are searched +in the directory @file{/etc} and variable data below @file{/var}; +the default would be to also install them below @file{/usr/local} where +the binaries get installed. If you selected to use the +@option{--prefix=/} you obviously don't need those option as they are +the default then. + + +** Notes on setting a root CA key to trusted + +X.509 is based on a hierarchical key infrastructure. At the root of the +tree a trusted anchor (root certificate) is required. There are usually +no other means of verifying whether this root certificate is trustworthy +than looking it up in a list. GnuPG uses a file (@file{trustlist.txt}) +to keep track of all root certificates it knows about. There are 3 ways +to get certificates into this list: + +@itemize +@item +Use the list which comes with GnuPG. However this list only +contains a few root certificates. Most installations will need more. + +@item +Let @command{gpgsm} ask you whether you want to insert a new root +certificate. This feature is enabled by default; you may disable it +using the option @option{no-allow-mark-trusted} into +@file{gpg-agent.conf}. + +@item +Manually maintain the list of trusted root certificates. For a multi +user installation this can be done once for all users on a machine. +Specific changes on a per-user base are also possible. +@end itemize + +@c describe how to maintain trustlist.txt and /etc/gnupg/trustlist.txt. + + +@c ** How to get the ssh support running +@c +@c XXX How to use the ssh support. + + +@c @section Installation Overview +@c +@c XXXX + + diff --git a/doc/mkdefsinc.c b/doc/mkdefsinc.c new file mode 100644 index 0000000..b8fbed6 --- /dev/null +++ b/doc/mkdefsinc.c @@ -0,0 +1,367 @@ +/* mkdefsinc.c - Tool to create defs.inc + * Copyright (C) 2015 g10 Code GmbH + * + * This file is free software; as a special exception the author gives + * unlimited permission to copy and/or distribute it, with or without + * modifications, as long as this notice is preserved. + * + * This file is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY, to the extent permitted by law; without even the + * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + */ + +/* This tool needs to be build with command line supplied -D options + for the various directory variables. See ../am/cmacros.am. It is + easier to do this in build file than to use fragile make rules and + a template file. */ + + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <time.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> + +#define PGM "mkdefsinc" + +/* We include config.h after all include files because the config.h + values are not valid for the build platform but we need some values + nevertheless. */ +#include "config.h" +/* When building for Windows the -D macros do not have appropriate + values. We provide replacements here. */ +#ifdef HAVE_W32_SYSTEM +# undef GNUPG_BINDIR +# undef GNUPG_LIBEXECDIR +# undef GNUPG_LIBDIR +# undef GNUPG_DATADIR +# undef GNUPG_SYSCONFDIR +# undef GNUPG_LOCALSTATEDIR +# define GNUPG_BINDIR "INSTDIR/bin" +# define GNUPG_LIBEXECDIR "INSTDIR/bin" +# define GNUPG_LIBDIR "INSTDIR/lib/" PACKAGE_NAME +# define GNUPG_DATADIR "INSTDIR/share/" PACKAGE_NAME +# define GNUPG_SYSCONFDIR "APPDATA/GNU/etc/" PACKAGE_NAME +# define GNUPG_LOCALSTATEDIR "APPDATA/GNU" +#endif /*HAVE_W32_SYSTEM*/ + + +#if USE_GPG2_HACK +# define gpg2_suffix "2" +#else +# define gpg2_suffix "" +#endif + + +static int verbose; + + +/* The usual free wrapper. */ +static void +xfree (void *a) +{ + if (a) + free (a); +} + + +static char * +xmalloc (size_t n) +{ + char *p; + + p = malloc (n); + if (!p) + { + fputs (PGM ": out of core\n", stderr); + exit (1); + } + return p; +} + + +static char * +xstrdup (const char *string) +{ + char *p; + + p = xmalloc (strlen (string)+1); + strcpy (p, string); + return p; +} + + +/* Return a malloced string with the last modification date of the + FILES. Returns NULL on error. */ +static char * +get_date_from_files (char **files) +{ + const char *file; + const char *usedfile = NULL; + struct stat sb; + struct tm *tp; + int errors = 0; + time_t stamp = 0; + char *result; + + for (; (file = *files); files++) + { + if (!*file || !strcmp (file, ".") || !strcmp (file, "..")) + continue; + if (stat (file, &sb)) + { + fprintf (stderr, PGM ": stat failed for '%s': %s\n", + file, strerror (errno)); + errors = 1; + continue; + } + if (sb.st_mtime > stamp) + { + stamp = sb.st_mtime; + usedfile = file; + } + } + if (errors) + exit (1); + + if (usedfile) + fprintf (stderr, PGM ": taking date from '%s'\n", usedfile); + + tp = gmtime (&stamp); + if (!tp) + return NULL; + result = xmalloc (4+1+2+1+2+1); + snprintf (result, 4+1+2+1+2+1, "%04d-%02d-%02d", + tp->tm_year + 1900, tp->tm_mon+1, tp->tm_mday); + return result; +} + + +/* We need to escape file names for Texinfo. */ +static void +print_filename (const char *prefix, const char *name) +{ + const char *s; + + fputs (prefix, stdout); + for (s=name; *s; s++) + switch (*s) + { + case '@': fputs ("@atchar{}", stdout); break; + case '{': fputs ("@lbracechar{}", stdout); break; + case '}': fputs ("@rbracechar{}", stdout); break; + case ',': fputs ("@comma{}", stdout); break; + case '\\':fputs ("@backslashchar{}", stdout); break; + case '#': fputs ("@hashchar{}", stdout); break; + default: putchar (*s); break; + } + putchar('\n'); +} + + +int +main (int argc, char **argv) +{ + int last_argc = -1; + char *opt_date = NULL; + int monthoff; + char *p, *pend; + size_t n; + + /* Option parsing. */ + if (argc) + { + argc--; argv++; + } + while (argc && last_argc != argc ) + { + last_argc = argc; + if (!strcmp (*argv, "--")) + { + argc--; argv++; + break; + } + else if (!strcmp (*argv, "--help")) + { + fputs ("Usage: " PGM " [OPTION] [FILES]\n" + "Create defs.inc file.\nOptions:\n" + " -C DIR Change to DIR before doing anything\n" + " --date STRING Take publication date from STRING\n" + " --verbose Enable extra informational output\n" + " --help Display this help and exit\n" + , stdout); + exit (0); + } + else if (!strcmp (*argv, "--verbose")) + { + verbose = 1; + argc--; argv++; + } + else if (!strcmp (*argv, "-C")) + { + argc--; argv++; + if (argc) + { + if (chdir (*argv)) + { + fprintf (stderr, PGM ": chdir to '%s' failed: %s\n", + *argv, strerror (errno)); + exit (1); + } + argc--; argv++; + } + } + else if (!strcmp (*argv, "--date")) + { + argc--; argv++; + if (argc) + { + opt_date = xstrdup (*argv); + argc--; argv++; + } + } + else if (!strncmp (*argv, "--", 2)) + { + fprintf (stderr, PGM ": unknown option '%s'\n", *argv); + exit (1); + } + } + + if (opt_date && *opt_date) + { + time_t stamp; + struct tm *tp; + + if (*opt_date == '2' && strlen (opt_date) >= 10 + && opt_date[4] == '-' && opt_date[7] == '-') + { + opt_date[10] = 0; + } + else if ((stamp = strtoul (opt_date, NULL, 10)) > 0 + && (tp = gmtime (&stamp))) + { + p = xmalloc (4+1+2+1+2+1); + snprintf (p, 4+1+2+1+2+1, "%04d-%02d-%02d", + tp->tm_year + 1900, tp->tm_mon+1, tp->tm_mday); + xfree (opt_date); + opt_date = p; + } + else + { + fprintf (stderr, PGM ": bad date '%s'\n", opt_date); + exit (1); + } + } + else + { + xfree (opt_date); + opt_date = argc? get_date_from_files (argv) : NULL; + } + if (!opt_date) + { + opt_date = xstrdup ("unknown"); + monthoff = 0; + } + else + { + const char *month = "?"; + + switch (atoi (opt_date+5)) + { + case 1: month = "January"; break; + case 2: month = "February"; break; + case 3: month = "March"; break; + case 4: month = "April"; break; + case 5: month = "May"; break; + case 6: month = "June"; break; + case 7: month = "July"; break; + case 8: month = "August"; break; + case 9: month = "September"; break; + case 10: month = "October"; break; + case 11: month = "November"; break; + case 12: month = "December"; break; + } + n = strlen (opt_date) + strlen (month) + 2 + 1; + p = xmalloc (n); + snprintf (p, n, "%d %n%s %d", + atoi (opt_date+8), &monthoff, month, atoi (opt_date)); + xfree (opt_date); + opt_date = p; + } + + + fputs ("@c defs.inc -*- texinfo -*-\n" + "@c Common and build specific constants for the manuals.\n" + "@c This file has been created by " PGM ".\n\n", stdout); + + fputs ("@ifclear defsincincluded\n" + "@set defsincincluded 1\n\n", stdout); + + + fputs ("\n@c Flags\n\n", stdout); + +#if USE_GPG2_HACK + fputs ("@set gpgtwohack 1\n\n", stdout); +#endif + + fputs ("\n@c Directories\n\n", stdout); + + print_filename ("@set BINDIR ", GNUPG_BINDIR ); + print_filename ("@set LIBEXECDIR ", GNUPG_LIBEXECDIR ); + print_filename ("@set LIBDIR ", GNUPG_LIBDIR ); + print_filename ("@set DATADIR ", GNUPG_DATADIR ); + print_filename ("@set SYSCONFDIR ", GNUPG_SYSCONFDIR ); + print_filename ("@set LOCALSTATEDIR ", GNUPG_LOCALSTATEDIR ); + print_filename ("@set LOCALCACHEDIR ", (GNUPG_LOCALSTATEDIR + "/cache/" PACKAGE_NAME)); + print_filename ("@set LOCALRUNDIR ", (GNUPG_LOCALSTATEDIR + "/run/" PACKAGE_NAME)); + + p = xstrdup (GNUPG_SYSCONFDIR); + pend = strrchr (p, '/'); + fputs ("@set SYSCONFSKELDIR ", stdout); + if (pend) + { + *pend = 0; + fputs (p, stdout); + } + fputs ("/skel/." PACKAGE_NAME "\n", stdout); + xfree (p); + + fputs ("\n@c Version information a la version.texi\n\n", stdout); + + printf ("@set UPDATED %s\n", opt_date); + printf ("@set UPDATED-MONTH %s\n", opt_date + monthoff); + printf ("@set EDITION %s\n", PACKAGE_VERSION); + printf ("@set VERSION %s\n", PACKAGE_VERSION); + + fputs ("\n@c Algorithm defaults\n\n", stdout); + + /* Fixme: Use a config.h macro here: */ + fputs ("@set GPGSYMENCALGO AES-128\n", stdout); + + fputs ("\n@c Macros\n\n", stdout); + + printf ("@macro gpgname\n%s%s\n@end macro\n", GPG_NAME, gpg2_suffix); + printf ("@macro gpgvname\n%sv%s\n@end macro\n", GPG_NAME, gpg2_suffix); + + + /* Trailer. */ + fputs ("\n" + "@end ifclear\n" + "\n" + "@c Loc" "al Variables:\n" + "@c buffer-read-only: t\n" + "@c End:\n", stdout); + + if (ferror (stdout)) + { + fprintf (stderr, PGM ": error writing to stdout: %s\n", strerror (errno)); + return 1; + } + + return 0; +} diff --git a/doc/mksamplekeys b/doc/mksamplekeys new file mode 100755 index 0000000..cd56b21 --- /dev/null +++ b/doc/mksamplekeys @@ -0,0 +1,10 @@ +#/bin/sh +# Generate a samplekeys.asc + +keys='1E42B367 99242560 87978569 4F25E3B6 5B0358A2 57548DCD B2D7795E 1CE0C630' + +for i in $keys; do + gpg --list-keys $i | awk '{ if ( $0 != "") print " " $0; else print $0; }' +done +echo +gpg --export-options export-minimal --export -a $keys diff --git a/doc/opt-homedir.texi b/doc/opt-homedir.texi new file mode 100644 index 0000000..07993d2 --- /dev/null +++ b/doc/opt-homedir.texi @@ -0,0 +1,25 @@ +@c This option is included at several places. +@item --homedir @var{dir} +@opindex homedir +@efindex GNUPGHOME +@efindex HKCU\Software\GNU\GnuPG:HomeDir +Set the name of the home directory to @var{dir}. If this option is not +used, the home directory defaults to @file{~/.gnupg}. It is only +recognized when given on the command line. It also overrides any home +directory stated through the environment variable @env{GNUPGHOME} or +(on Windows systems) by means of the Registry entry +@var{HKCU\Software\GNU\GnuPG:HomeDir}. + +On Windows systems it is possible to install GnuPG as a portable +application. In this case only this command line option is +considered, all other ways to set a home directory are ignored. + +@efindex gpgconf.ctl +To install GnuPG as a portable application under Windows, create an +empty file named @file{gpgconf.ctl} in the same directory as the tool +@file{gpgconf.exe}. The root of the installation is then that +directory; or, if @file{gpgconf.exe} has been installed directly below +a directory named @file{bin}, its parent directory. You also need to +make sure that the following directories exist and are writable: +@file{ROOT/home} for the GnuPG home and @file{ROOT@value{LOCALCACHEDIR}} +for internal cache files. diff --git a/doc/qualified.txt b/doc/qualified.txt new file mode 100644 index 0000000..c0e4da5 --- /dev/null +++ b/doc/qualified.txt @@ -0,0 +1,243 @@ +# This is the list of root certificates used for qualified +# certificates. They are defined as certificates capable of creating +# legally binding signatures in the same way as a handwritten +# signatures are. Comments like this one and empty lines are allowed +# Lines do have a length limit but this is not a serious limitation as +# the format of the entries is fixed and checked by gpgsm: A +# non-comment line starts with optional whitespaces, followed by +# exactly 40 hex character, whitespace and a lowercased 2 letter +# country code. Additional data delimited with by a whitespace is +# current ignored but might late be used for other purposes. +# +# Note: The subversion copy of this file carries a gpg:signature +# property with its OpenPGP signature. Check this signature before +# adding entries: +# svn pg gpg:signature qualified.txt | gpg --verify - qualified.txt +# to create a new signature: +# f=qualified.txt; gpg -sba $f && svn ps gpg:signature -F $f.asc $f + +#******************************************* +# +# Belgium +# +# Need to figure out a reliable source. +#******************************************* + + + +#******************************************* +# +# Germany +# +# The information for Germany is available +# at http://www.bundesnetzagentur.de +#******************************************* + +#Serial number: 32D18D +# Issuer: /CN=6R-Ca 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde +# fÈur Telekommunikation und Post/C=DE +# Subject: /CN=6R-Ca 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde +# fÈur Telekommunikation und Post/C=DE +# validity: 2001-02-01 09:52:17 through 2005-06-01 09:52:17 +# key type: 1024 bit RSA +# key usage: certSign crlSign +#[checked: 2005-11-14] +EA:8D:99:DD:36:AA:2D:07:1A:3C:7B:69:00:9E:51:B9:4A:2E:E7:60 de + + +#Serial number: 00C48C8D +# Issuer: /CN=7R-CA 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde +# fÈur Telekommunikation und Post/C=DE +# Subject: /CN=7R-CA 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde +# fÈur Telekommunikation und Post/C=DE +# validity: 2001-10-15 11:15:15 through 2006-02-15 11:15:15 +# key type: 1024 bit RSA +# key usage: certSign crlSign +#[checked: 2005-11-14] +DB:45:3D:1B:B0:1A:F3:23:10:6B:DE:D0:09:61:57:AA:F4:25:E0:5B de + + +#Serial number: 01 +# Issuer: /CN=8R-CA 1:PN/O=Regulierungsbehörde für +# Telekommunikation und Post/C=DE +# Subject: /CN=8R-CA 1:PN/O=Regulierungsbehörde für +# Telekommunikation und Post/C=DE +# validity: 2004-11-25 14:10:37 through 2007-12-31 14:04:03 +# key type: 1024 bit RSA +# key usage: certSign +# policies: 1.3.36.8.1.1:N: +# chain length: unlimited +#[checked: 2005-11-14] +42:6A:F6:78:30:E9:CE:24:5B:EF:41:A2:C1:A8:51:DA:C5:0A:6D:F5 de + + +#Serial number: 02 +# Issuer: /CN=9R-CA 1:PN/O=Regulierungsbehörde für +# Telekommunikation und Post/C=DE +# Subject: /CN=9R-CA 1:PN/O=Regulierungsbehörde für +# Telekommunikation und Post/C=DE +# validity: 2004-11-25 14:59:11 through 2007-12-31 14:56:59 +# key type: 1024 bit RSA +# key usage: certSign +# policies: 1.3.36.8.1.1:N: +# chain length: unlimited +#[checked: 2005-11-14] +75:9A:4A:CE:7C:DA:7E:89:1B:B2:72:4B:E3:76:EA:47:3A:96:97:24 de + + +#Serial number: 2A +# Issuer: /CN=10R-CA 1:PN/O=Bundesnetzagentur/C=DE +# Subject: /CN=10R-CA 1:PN/O=Bundesnetzagentur/C=DE +# validity: 2005-08-03 15:30:36 through 2007-12-31 15:09:23 +# key type: 1024 bit RSA +# key usage: certSign +# policies: 1.3.36.8.1.1:N: +# chain length: unlimited +#[checked: 2005-11-14] +31:C9:D2:E6:31:4D:0B:CC:2C:1A:45:00:A6:6B:97:98:27:18:8E:CD de + + +#Serial number: 2D +# Issuer: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE +# Subject: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE +# validity: 2005-08-03 18:09:49 through 2007-12-31 18:04:28 +# key type: 1024 bit RSA +# key usage: certSign +# policies: 1.3.36.8.1.1:N: +# chain length: unlimited +#[checked: 2005-11-14] +A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D de + + +# ID: 0x5B4757B0 +# S/N: 0139 +# Issuer: /CN=12R-CA 1:PN/O=Bundesnetzagentur/C=DE +# Subject: /CN=12R-CA 1:PN/O=Bundesnetzagentur/C=DE +# validity: 2007-05-25 11:01:44 through 2012-05-25 10:56:07 +# key type: 2048 bit RSA +# key usage: certSign +# policies: 1.3.36.8.1.1:N: +# chain length: unlimited +# [checked: 2008-06-25] +44:7E:D4:E3:9A:D7:92:E2:07:FA:53:1A:2E:F5:B8:02:5B:47:57:B0 de + +# ID: 0x46A2CC8A +# S/N: 013C +# Issuer: /CN=13R-CA 1:PN/O=Bundesnetzagentur/C=DE +# Subject: /CN=13R-CA 1:PN/O=Bundesnetzagentur/C=DE +# validity: 2007-05-29 11:02:37 through 2012-05-29 10:55:54 +# key type: 2048 bit RSA +# key usage: certSign +# policies: 1.3.36.8.1.1:N: +# chain length: unlimited +# [checked: 2008-06-25] +AC:A7:BE:45:1F:A6:BF:09:F2:D1:3F:08:7B:BC:EB:7F:46:A2:CC:8A de + + +# +# D-Trust root certificates. Probably by shifting a lot of Euros to +# laywer companies, German CAs achieved to get the permission to +# create their own legally binding root certificates - independent of +# the Bundesnetzagentur. The main problem with this is that it is +# hard to figure out what qualified root certificates are actually +# active. There is now no way to be sure whether a signature is a +# qualified one. A pettifogger's way of validating certificates. +# + +#Serial number: 00B95F +# Issuer: /CN=D-TRUST Qualified Root CA 1 2006:PN/O=D-Trust GmbH/C=DE +# Subject: /CN=D-TRUST Qualified Root CA 1 2006:PN/O=D-Trust GmbH/C=DE +# aka: info@d-trust.net +# aka: (uri http://www.d-trust.net) +# validity: 2006-04-27 12:40:54 through 2011-04-27 12:40:54 +# key type: 2048 bit RSA +# key usage: certSign crlSign +# policies: 1.3.6.1.4.1.4788.2.30.1:N: +# chain length: unlimited +#[checked: 2007-01-31 by phone 030-259391-0 and callback by Mrs. Enke] +E0:BF:1B:91:91:6B:88:E4:F1:15:92:22:CE:37:23:96:B1:4A:2E:5C de + + +#Serial number: 00B960 +# Issuer: /CN=D-TRUST Qualified Root CA 2 2006:PN/O=D-Trust GmbH/C=DE +# Subject: /CN=D-TRUST Qualified Root CA 2 2006:PN/O=D-Trust GmbH/C=DE +# aka: info@d-trust.net +# aka: (uri http://www.d-trust.net) +# validity: 2006-04-27 12:40:54 through 2011-04-27 12:40:54 +# key type: 2048 bit RSA +# key usage: certSign crlSign +# policies: 1.3.6.1.4.1.4788.2.30.1:N: +# chain length: unlimited +#[checked: 2007-01-31 by phone 030-259391-0 and callback by Mrs. Enke] +98:2A:75:67:0F:F8:28:4A:94:E0:9D:23:D8:E7:62:C8:BD:A4:54:04 de + + +# +# S-Trust root certificates. +# + +#Serial number: 00DF749F80AA51F0EDC0CB1FC183E97EE2 +# Issuer: /CN=S-TRUST Qualified Root CA 2006-001:PN +# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart +# /ST=Baden-Wuerttemberg (BW)/C=DE +# Subject: /CN=S-TRUST Qualified Root CA 2006-001:PN +# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart +# /ST=Baden-Wuerttemberg (BW)/C=DE +# validity: 2006-01-01 00:00:00 through 2010-12-30 23:59:59 +# key type: 2048 bit RSA +# key usage: certSign crlSign +# chain length: 1 +#[checked: 2007-01-31 by phone 0711-782-0 Mr. Brommer] +7D:DC:76:1C:FD:AF:4C:E0:3A:B5:3A:DD:C9:FA:13:35:19:A3:DE:C9 de + +#Serial number: 00BC098E0402E92956B8D7DE74977E26F7 +# Issuer: /CN=S-TRUST Qualified Root CA 2007-001:PN +# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart +# /ST=Baden-Wuerttemberg (BW)/C=DE +# Subject: /CN=S-TRUST Qualified Root CA 2007-001:PN +# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart +# /ST=Baden-Wuerttemberg (BW)/C=DE +# validity: 2007-01-01 00:00:00 through 2011-12-30 23:59:59 +# key type: 2048 bit RSA +# key usage: certSign crlSign +# chain length: 1 +#[checked: 2007-01-31 by phone 0711-782-0 Mr. Brommer] +7A:3C:1B:60:2E:BD:A4:A1:E0:EB:AD:7A:BA:4F:D1:43:69:A9:39:FC de + + +# ID: 0xA8FEA3CA +# S/N: 00B3963E0E6C2D65125853E970665402E5 +# Issuer: /CN=S-TRUST Qualified Root CA 2008-001:PN +# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE +# Subject: /CN=S-TRUST Qualified Root CA 2008-001:PN +# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE +# validity: 2008-01-01 00:00:00 through 2012-12-30 23:59:59 +# key type: 2048 bit RSA +# key usage: certSign crlSign +# chain length: 1 +#[checked: 2007-12-13 via received ZIP file with qualified signature from +# /CN=Dr. Matthias Stehle/O=Deutscher Sparkassenverlag +# /C=DE/SerialNumber=DSV0000000008/SN=Stehle/GN=Matthias Georg] +C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA de + +# ID: 0x3A7D979B +# S/N: 00C4216083F35C54F67B09A80C3C55FE7D +# Issuer: /CN=S-TRUST Qualified Root CA 2008-002:PN +# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE +# Subject: /CN=S-TRUST Qualified Root CA 2008-002:PN +# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE +# validity: 2008-01-01 00:00:00 through 2012-12-30 23:59:59 +# key type: 2048 bit RSA +# key usage: certSign crlSign +# chain length: 1 +#[checked: 2007-12-13 via received ZIP file with qualified signature from +# /CN=Dr. Matthias Stehle/O=Deutscher Sparkassenverlag +# /C=DE/SerialNumber=DSV0000000008/SN=Stehle/GN=Matthias Georg"] +D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B de + + +#******************************************* +# +# End of file +# +#******************************************* diff --git a/doc/samplekeys.asc b/doc/samplekeys.asc new file mode 100644 index 0000000..034af39 --- /dev/null +++ b/doc/samplekeys.asc @@ -0,0 +1,920 @@ + pub 2048D/1E42B367 2007-12-31 [expires: 2018-12-31] + uid Werner Koch <wk@gnupg.org> + uid Werner Koch <wk@g10code.com> + sub 2048R/C193565B 2011-11-07 [expires: 2013-12-31] + sub 1024D/77F95F95 2011-11-02 + + pub 4096R/99242560 2002-01-28 + uid David M. Shaw <dshaw@jabberwocky.com> + sub 2048R/A1BC4FA4 2012-01-10 [expires: 2017-01-31] + sub 2048R/6F410A43 2012-01-10 [expires: 2017-01-31] + + pub 1024D/87978569 1999-05-13 + uid Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de> + uid Marcus Brinkmann + uid Marcus Brinkmann <mb@g10code.de> + uid Marcus Brinkmann <mb@g10code.com> + uid Marcus Brinkmann <brinkmd@debian.org> + sub 1024R/08AEA692 2006-04-14 + sub 1024R/FCD2A293 2006-04-14 + sub 1024R/233A942F 2006-04-14 + sub 2048g/C3AF90C1 1999-05-13 + + pub 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31] + uid Werner Koch (dist sig) + sub 2048R/AC87C71A 2011-01-12 [expires: 2019-12-31] + + pub 1024D/5B0358A2 1999-03-15 [expired: 2011-07-11] + uid Werner Koch <wk@gnupg.org> + uid Werner Koch <wk@g10code.com> + uid Werner Koch + uid Werner Koch <werner@fsfe.org> + + pub 1024D/57548DCD 1998-07-07 [expired: 2005-12-31] + uid Werner Koch (gnupg sig) <dd9jn@gnu.org> + + pub 1024D/B2D7795E 2001-01-04 + uid Philip R. Zimmermann <prz@mit.edu> + uid Philip R. Zimmermann <prz@acm.org> + uid [jpeg image of size 3369] + uid [jpeg image of size 3457] + uid Philip R. Zimmermann <prz@philzimmermann.com> + sub 3072g/A8E92834 2001-01-04 + + pub 1024R/1CE0C630 2006-01-01 [expired: 2011-06-30] + uid Werner Koch (dist sig) <dd9jn@gnu.org> + + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQGiBDbtSOkRBACURhKnGIFyXIeX61GAY9hJA5FgG4UalV55ohdz4whBgDzDGLE3 +XYlO8HCn4ggKilll6MOwY0yZeg6PEU9Y3SqTzpQSV6qj2M7MgcS8xOpi6bNCu0iy +ZUik0KklUXMdI8e/CVmBpQJT9CofbD1dsP6z4dC6z3jil0+5Wbfw6yIXzwCgy/7F +agq5mN0H760/JEiiXILS1n0D/3H26lTaxo1vGput9Td1FQN7Vn6YDP0/To5ipsOO +DROV3zyUwF5QleY+8zTFJA3qD5KxRfA726WELOF1mB6Mw44UdkPniOoGdMH5oSx6 +qnNnlVZBBu3U+e1qfQwLQjHu0WX4Z2q00DKpWLThGv7Loh5NKi6OfTbMhfHoevCA +zQnmA/wKc6J8GqthENThKXxZaei3Ep0t+PlBmbUzuAYCXZhI6/0KyD6emyQ7LYIa +Pv9qEfMkMLhxicG0v/AAwOCBRKS3bkqc6wAYaO0bjUHJvem3HkWPux82t83+6YPy +RnVjm/mwt0uEyKSvt7Md2DVrO3lEcKRkRHiYuf0nonPhl5Rs5bQaV2VybmVyIEtv +Y2ggPHdrQGdudXBnLm9yZz6IawQTEQIAIwIXgAIZAQULBwoDAgMVAgMDFgIBAh4B +BQJGtcWFBQkXLil/ABIHZUdQRwABAQkQXeJJllsDWKJBTACfQI8TnuVIxE88u2na +pOMyUfoWZSMAn2t47LUMuyDEHRcYvEBiP/SRVvsrtBxXZXJuZXIgS29jaCA8d2tA +ZzEwY29kZS5jb20+iGMEExECACMCGwMCHgECF4AFCwcKAwIDFQIDAxYCAQUCRrXF +kQUJFy4pfwAKCRBd4kmWWwNYomksAJ4q+Lv3fDvzDJl4JcOmzWHPsPg2QQCdHcj5 +DwCCM7YnRLiE58ApHdrg11S0C1dlcm5lciBLb2NoiGMEExECABsDCwoDAxUDAgMW +AgECF4AFAka1xZEFCRcuKX8AEgdlR1BHAAEBCRBd4kmWWwNYokHUAKCKSLq+i1yH +rG8ZXqJRk+d4SyanGwCeKFwqqRr3tbae+m4iK+EcyY+BR2a0HVdlcm5lciBLb2No +IDx3ZXJuZXJAZnNmZS5vcmc+iGMEExECACMCGwMCHgECF4AFCwcKAwIDFQIDAxYC +AQUCRrXFkQUJFy4pfwAKCRBd4kmWWwNYomC9AKCOTnRhGus67gV2k+8K2SwytYDq +VQCfcaEJKu8EBd0sx3F024GX/RNwnZq5AaIEQF3aTxEEAP9SgfIbIPL6BQ1nqobl +sTYoiwWPL48uBZPjkDfy8XsVR5V9aRQlggC4x4/MD3Ip5AUgReI7PcHnp4m3vcVL +XPl+/7i7hAwd84iKzgN8I8VW0EevflcNm7nbWEnpjaGxJWFbhSLI1DmqnafoU8nZ +gGp2QoE+flgGDd559C3SiHRTAKDbqgS3EDhTbwfS+bAhW5Xi8/2CPwP9HueeuW9M +/cyt8UvliLsj2eYMEIy7CeSLO13XfnqCjcnHK+b59/ADd99dpMaq3gKj7Aj1RIsR +V2qWDJpDNXVxP7Cy+FzxelQsytPQOV8H8AkB+RgmSyfxlNRUkC3sQU6jR9IwmPD4 +iB5fp/SqUpn++77TAArXqsfHbmlnwcuU1EAD/i7CEhxLBYS1N77hwxL8DWCqjpi+ +1PKG+6dc0BQFIU3uUhbzLGfqEobUDhveqgtlsvoEZ/lR8RgMv/uOjXEgiATQyTEa +7s3M2vjXlpLjXjzklma3Lqmcam3dEf/5OR02yZif6hPU/x8f/VQle0kKNKdOCV1+ +dlo8aJH2UIZRRIvtiJcEGBECAA8CGwIFCQcbVgAFAkR1rB0AUkcgBBkRAgAGBQJE +dawTAAoJEGB4TpQBClft2RMAn1XiL/bC9hByZInCJTaCd8WS8kYCAKCfpAWwLIxk +fwAeD/RI+2p00nQfvAkQXeJJllsDWKKx7QCguc4/HiEs64Ey5p6Yihy67X8E0YsA +nRXMFdXVP7ww8uldljPiD1TgyurpiEYEEBECAAYFAjc3I8UACgkQ9u7fIBhLxNmH +ZQCglWbPDznIcnOxdDW+k7YgA9+/n00An1ZjSiJipverUxLEFHAbSBWI0IntiEYE +EBECAAYFAjc6+aMACgkQdQ9klcidkz6GiwCdGe0KSP/vSyEZM/GClQXvjMD4RvMA +oJwyTIdcjPZbQizDeAO3btn2CCwTiEYEEBECAAYFAjgUDhkACgkQYAeQgHPH80+I +2gCdHeTAPusmEfN2bdkijpW1gpxBvGoAn1kzL7Mg7tC4pqlqw2fV3kRUy1a5iEYE +EBECAAYFAjgqYh4ACgkQ4/JYVBKPDnkPkACgmzk7HMlJ1h0qw6OHyMtDE4RI4ToA +ni+Cm+01pHfzh0EnFQTvLE1M9PtoiEYEEBECAAYFAjnKOw4ACgkQK7tDpvCerwqu +XwCfbW9xGF2AHQakBPakh61xKmC8WEEAn3TytfY5qrTjxIj2HZFKN5QuQpYSiEYE +EBECAAYFAjnKiy8ACgkQF6ZBbfeUj9ombQCfYQYxpipdMGBxbNd8jbL9RDmH3nMA +oITmZnDJwXzpHNuSLY8o3c5YhHXziEYEEBECAAYFAjnKnXcACgkQNfZhfFE679le +7gCggQjsjFhjaIO1lWHfPusn0dqdhRYAn3rOW0XSeh64V9o+VItH2LZngmNAiEYE +EBECAAYFAjnLMigACgkQUaz2rXW+gJcIVgCfRRq0G2fCcZOFoey9uZGAkWctKsQA +oLw6lUhdeZDgULrDC7OQRIk7CnMtiEYEEBECAAYFAjnPp1IACgkQkVrMRaj0wv0I +qwCfWGMeiZ58ysuZCAP9IsX3aKcSPtcAoJno1COOjAMhoWjUiHctgLZX9+gTiEYE +EBECAAYFAjnQ39UACgkQbyOLwk/aWgxfIwCfb/GeMAD8w84hq5/aUQMCvVqUYqAA +n07SKuWYsZLEUuPWIgYY0yoByJxviEYEEBECAAYFAjnSCrEACgkQv+EgZWshSJq8 +jACfdf20dqs3IWOPHgFMdYb5VF+WkJUAn05quvyHB3Xug8csxWg6RwSfQBTBiEYE +EBECAAYFAjpMy0UACgkQ7UaByb89+bRUrQCg6aozpYiCEDPVAHe54/8/q48FLP8A +niviG9fjxInPaSKB+LXRmQjc2jLZiEYEEBECAAYFAjqJgd8ACgkQYogE2yD8bPYG +agCggMsqGJN61JuOQkY5MiKb4UPQpBwAniNYwQb+hlEzJF7qnPECh0MAxq8OiEYE +EBECAAYFAjrBCNQACgkQt1anjIgqbEu30gCdEsSeFtJ5KziD5l/CvAhVZt9lnQUA +nRrmbV8HkndXp3+DNoREgscZk/rliEYEEBECAAYFAjrB0SkACgkQ0vCiU5+ISsiP +kgCeOFayt7NkcymwTC2UKNjjyukNDvAAoLq/bOTNZECtztYIMDQ2VrzZ3m6KiEYE +EBECAAYFAjr1eYsACgkQ7A6vcTZ3gCXdrQCgllIx6G2DkKSGKBhYCgsyywFBXLUA +n2PJGrCOov0LS8jCMD2Xo4T7qfsjiEYEEBECAAYFAjr1mwEACgkQLBigKrTF83+E +4ACffa4yaJ6Pj4uFZY7dVuiOfkuoTE8AniIdw0DVkHBuxlNp9PAglhztyE+oiEYE +EBECAAYFAjtFbTsACgkQ53XjJNtBs4ex3wCfXLPNscM4Uxtmy0/t5Ygg9lDWEQAA +nR39P9eJtEeBtMPfbEGYc10ABqjkiEYEEBECAAYFAjtF2QAACgkQI/q1+wgWzBuJ +gACeIak+A98IheVSowXG4J6jzBA439MAn2IFA8EB/EkQ1rn7OEmFNX++PNZyiEYE +EBECAAYFAjtF8RYACgkQJ4bCRH+KQBfSwgCaAvm7pL+LioYj/oKDBQ1pJAj+UqMA +n10W8RKrYblMZ4L11R2TO9xOvFn6iEYEEBECAAYFAjtIDxYACgkQBgac8paUV/DL +WACgifbHtSi50JxmSr18WofeVcVcAXUAoJs99aH6/t9gkO34ajXjiIQxc0qMiEYE +EBECAAYFAjtIJ18ACgkQ11ldN0tyliUx5gCggbhG1uzvdgHNY8oCt4cc6TfHUREA +oJuRw8q2kbztnt8TQ4mjiTINcBXziEYEEBECAAYFAjtJwaAACgkQUI/TY7yTaDkP +jgCcDSJQUZBBP/5OvW48Q3BUkUkRSQkAn1Mjqe4WTFEEA8HK5h+KDcqR0aZIiEYE +EBECAAYFAjtKFVcACgkQliSD4VZixzSYCgCeJpt98LMq02q9W1bK5iPUvCkcsSYA +n1dqFcoXctXVnMj53z8zfAaW0BcwiEYEEBECAAYFAjtLFwcACgkQDqdWtRRIQ/XM +GQCdH1u9tmtUYY3ExVLdT/H2IIQCU3MAoI69Y4Z17RDh4Bj2gmJwmEAmfDwbiEYE +EBECAAYFAjtMF8oACgkQ1w1fWGA80Hj2mwCfazudYZSMmQWO85xZvg0uTB3rhZQA +n3DSyrvXxIpmv0CcnBtUQu5N21kSiEYEEBECAAYFAjtRuWUACgkQ5DsVPMtGficb +LACeNpRJOS9AZ7q7bhX2sBJglKLloTsAoLm5FTnY6iAySfPZZlwAVeE6zMJwiEYE +EBECAAYFAjtSxD8ACgkQO/YJxouvzb1F7ACfVp8vhxAWCeRZN3InlvYLrxFTng4A +n1QO6+D3QUjX+0YRNZ3tpZDTSd6QiEYEEBECAAYFAjtXQl8ACgkQeRYvNvf2qtkl +NwCfcg4Tss3C9Nf6NiyOAHhXO4JLhtkAn055IHb4i2IO5TQLSQi0tk4ktZVfiEYE +EBECAAYFAjtnOlkACgkQwAsNNiHlPr2cagCg07IN1/MaXn+8yd4Ncp9/723gEBgA +njNCoGAAccbvCCVE29sXBNAvUo8MiEYEEBECAAYFAjuYRI4ACgkQkC29kYw4qQpq +wACfcyB4krJFqyeHoKzRYDqW8JDUdvcAn2pa3UDeKM7FVe8LgCQyz0McM4JqiEYE +EBECAAYFAjwH+10ACgkQ2tKwXV88MYVF8gCeMoYaFN7v/VDmuYt+G1BXDxzcuusA +nR8fAcIyBjSffB0yEIwaA7O9X7ZxiEYEEBECAAYFAjwIEdIACgkQaliC34RARgJ9 +zgCfS1K0bROVSB+9wX4g+xEE0phEAToAn3etSLME5hzsisIRMjUsGbBDe7+aiEYE +EBECAAYFAjwjtVQACgkQRHJT9Ar9DKjv+QCbBE3lRMzyKxTbPUd9v+nB8EVqv4cA +n0DxPkAIkuriAuwtOjCypTDNydyxiEYEEBECAAYFAjxdq0AACgkQ7vDbNLMhJgNw +vwCeMc0QmOS0ctJOX1J9a3DWkMyUdf4An3iIslZ7stkMOi1VdyE5fR2YDvNFiEYE +EBECAAYFAjxw4+MACgkQGM0lpSLzivNlngCeLdkkRkcyHVKttl6Z9IQExE+gaNsA +nRko+7BQOu5jXMfGarg1rE2zDhsFiEYEEBECAAYFAjxxJxIACgkQscRzFz57S3Pk +JwCg3qepdTsiNKuGYC6a1RlJZTBqkiEAn2G6ypvCpWAL43LWbMbyyf/rYxSoiEYE +EBECAAYFAjxxQYIACgkQOhqmNZCaVAYvbACgz9mXzo/nC64mx03IFgL8oFuBAhIA +oL91NILXxGYrkaOnM+2Ci20UvA3ZiEYEEBECAAYFAjxzeIMACgkQo+C50no0+t5J +7QCgpSCgGQ8eMefvsDsF0DlEZzuAHNoAoK1TFwuK7ZowUQJyWp1tKDtNDbx3iEYE +EBECAAYFAjx+gfMACgkQjjtznt0rzJ3/dgCgnDMnLna3yPskxeVf32wDbTHLxf0A +njWCw4lfYauS0LumGv9uHN9PaErhiEYEEBECAAYFAjyAY8EACgkQ14NrbAzZIOdE +PgCgt5DiZfRFkvzAPecRDCIp3pOdUwkAnjj1CDE+Kzg2RiK9Z73QM8B0J4driEYE +EBECAAYFAjyBd5kACgkQ/3vbrZlD49+lmwCfS9apz+gEHsRV6ELS4NtCLvrJsRkA +n3AexpisdP+8KwolieJwaVPitN2giEYEEBECAAYFAjyMzCQACgkQhbmQdcKRDkGo +iACaAqrwXn6kf3aD7wss1rgQmrCtJKIAoIU6uifoxBubp2+YjW6kjbnkFMD0iEYE +EBECAAYFAjyXNDoACgkQoegCcNp0M5aGrgCeLBRQ8CAVzPO8OTz2TMFqYLIbFrcA +oK2qJqojmF2+THtFCHz0hhiBAekNiEYEEBECAAYFAjyXNjgACgkQg2i7WWb7wYxz +xwCfcrZ5yTwjn9Sh1S/yL3MBKBs8uxUAn0pC4GgIsbbaxcf1QA5AYwFiPcPEiEYE +EBECAAYFAjyxODEACgkQJXt5TsZsoD0pVgCfTIJ88OFNFlnUFoNZemDdbd4ZqEsA +n1y5ZyCl5SYkqFTGiVtkgtIIEhK7iEYEEBECAAYFAjyxguAACgkQeuuK7Uc6ScnB +gACfUlQrrDUb78b93JEvThA/f1ZankIAni448ZxagzPjnj/vH33yK14agnq0iEYE +EBECAAYFAjyxj4MACgkQocWSfM5dzg4qigCdHrjYquNu2aphWggG5E0G6zCW5MEA +n1NQJmKkTEUsbanbVOBx1G5wvYkeiEYEEBECAAYFAjyyhzsACgkQVlEzpFDUq7k9 +9gCeMJc5KvC2gAHgCVjv6Hn7AKgY+rMAnRFIrjunb1Sh77542URoWAVmuPN0iEYE +EBECAAYFAjzyIFQACgkQX1807qC7Pev9PgCfcW15D2cS4UTkn11BSqn+pgrA4KIA +oKzLDc78X3OFDzVXTOvk8V89OshGiEYEEBECAAYFAj1uHIwACgkQKMb1a4F8NWhP +PQCaAprFvggEHBTVR+KWzm0Z3l9ijLIAnAw2QtJ1Mlnz0ctNwSJwORM87/ARiEYE +EBECAAYFAj2ERksACgkQ1DyzBZX+yjSzyACgjUKL3CH2UYciEAarZU9H0ZYIIWQA +nA6I1aJ0FgWiF2bd/jgWaBL2jtd4iEYEEBECAAYFAj2F5U4ACgkQdZc6ENbQhKbt +/gCfblKSqJohqhaFawtXPs8TX1UqY/sAnjqwumhFN4YAAez36gItTB9BxcmJiEYE +EBECAAYFAj43BmIACgkQkQghntzeiQqeGACfSyyIi1vPniQOq8xLfgjDxFkkVEYA +oJSFbH8uhrwBMa8aOIRkjN9uRdY2iEYEEBECAAYFAj+Q/gMACgkQdt8qX2QD4/2l +hwCgnv3QSQPCGbmTI67mtAxl9d4rZ4UAn1WXmoSknE2WYeqRUb6d4wAhG/jViEYE +EBECAAYFAkCnUpQACgkQt+hxIz4tn22gnwCfTWoR3vhEv0yp1Ks/vz7jow0Tw6QA +n3YXgQn0DS9/9u7AyG5gjh18VLtuiEYEEBECAAYFAkCnUqEACgkQt+hxIz4tn22d +OACgjeYArERuayyqZmozCahsgUyPihMAn0PkgZDTwKgSw690xdLuR2rWJrPQiEYE +EBECAAYFAkGD05gACgkQ9oi/YaVie2EkhgCg582nMvFSTXDb/PdF0+kZTBQTCGQA +mwSEka7EMzOzoCxEefZd+GQmEdcXiEYEEBECAAYFAkGGD60ACgkQ6gnEQD//YGyI +WQCgruyF9KSG2GuqPVQIsizCCV8rjPcAnRQsBzfw9QLM960FP64YWUCqhYkYiEYE +EhECAAYFAj0EW94ACgkQj/Eaxd/oD7Lv2ACfUACXl0hDfGeEdbGjhIa/hSaZCrkA +mwV4SdeJnBoXV22VBEekmTfzHKHEiEYEExECAAYFAjyvU4oACgkQ6pxm6rn41tmE +ewCbB4FZ6z6dmSJ2epBIdeoS8KHLNhEAn2ZcUDKfuFpVVDuV/bMhpjbbHJRIiEYE +ExECAAYFAj0FswMACgkQoWMMj3Tgt2a46gCdFwSWzfEmyuvfjnmNPzCyvdO2R2cA +oJRl1Ibl/2hPXjenl1f08pQLThZAiEYEExECAAYFAj0GRB8ACgkQKb5dImj9VJ8F +HACcDjdyCPMWjSbrXKCVFjDtuapl428AnRSI7e1VYRJcVdGmrAtmu360GrQpiEYE +ExECAAYFAj2J/ScACgkQ74J3yv6ZHpg4ogCgj8BllYTJEQ5sF62Qd2q9o2FNJ8cA +n2K/7zpy9M/Oig+yIYofaN+5fnUUiEYEExECAAYFAj4ykiMACgkQaqtaJwF/Vr1M +mgCfcNfOOm6/woHpEtuFVgYXvUh0tG4AnRTPBwdemHFViOojNJ0glWck/84ciEYE +ExECAAYFAkDa3nAACgkQRTxFSQIw1gIZCQCg/jjaczO/s9GkLq/kftPN8A6kLr8A +oPwGlVzoq5yWxhgCkEMfV+KItmDViEYEExECAAYFAkGE+RcACgkQ3ZHkUS+VgsFX +/ACfRYBeswRWTHOdc4gLefxUVSGbj8wAnA3CWEF3MQOIpJQ5KSFLE2104h5riEYE +ExECAAYFAkGNFPwACgkQ+C5cwEsrK56k8QCguxJO7l5effxWbaYOgeVko8HiQ80A +oKSJGsOZGx1nvQRKeRK/7DrZbB2piEYEExECAAYFAkGqFTYACgkQztt/8ZMtg2MV +MgCfZevJcAcVXa4hUUJSjkWo0j/b9MkAn2HZC4sNs9nMN1PvX95Ge39wfBEKiEYE +ExECAAYFAkIrN0cACgkQi0rEgawecV4jeQCdF+GUDJuQnCaFZqw6sNgZtol0UncA +n1/VQvGDB0Or+JItHnUlCU98URNXiEkEExECAAkFAkGD3AUCBwAACgkQQSganqDi +jRh6lQCgmgm1rqgdF3qYuDQn/S1vFxggwpIAn1htaL3fD6o4LnT/8BIm6K6tPGPW +iEwEEBECAAwFAj0BE/8Fgwa1sWoACgkQFBE43aPkXWatjQCdF96DM2kdreTGbWTK +jTMTuwB3AtYAoOxTFERoyUCn7nTsufD4QpxIkJCiiEwEEBECAAwFAj2GAuUFgwYw +woQACgkQU+KFTgvh8OP+lgCfTLjRfVihRNQQ/MVIuHttesX/s/4An1ZBth8G2EvC +fiOU2KoOjl3MZUJ4iEwEEBECAAwFAj+ObrAFgwQoVrkACgkQCmLlNDenkUkzjQCe +IR3z4h7TMEeNI9Sy5/4Sgclj9WsAoK9yVbdDuWQJQh/ZBUpx0GjxMSW1iEwEEBEC +AAwFAj+SeAcFgwQkTWIACgkQ78vN/2HwW4xfggCgg+yTSXldBhvFoDXoAeOwcC74 +YqkAn0b+tC5AZ2BQkg0vJXZ6tFXuOvhaiEwEEBECAAwFAkCoZL4FgwmwcCoACgkQ +EgljnRFKqFxfngCfbXYSsBtMM5hcUCsnm9IvyCmMhgAAnjtDe7q+5cW/JmzE3ill +B+u8fc9DiEwEEBECAAwFAkC/Rz8FgwmZjakACgkQ2S0k392WXIP5uwCfTlmW1u9U +3nck5mCo6DeTHNTmUvkAn2jnjXhvqKoLfS2ERRwQlFFAw6NRiEwEEBECAAwFAkDb +VF4Fgwl9gIoACgkQ9ijrk0dDIGxiBQCeJIrdN0kFT16KL4COSILMmcjVxygAni6O +inWWNJqCk+k+BNIvKpm+QKm2iEwEEBECAAwFAkDxIncFgwlnsnEACgkQkvv9V4b8 +pZK7gACgwOU8kI9ZBzryS+HxAeWEo4WjeC8Anjl67/wgPGr4XAS/XA1xmWzRwZiP +iEwEEBECAAwFAkGsm40FgwisOVsACgkQLEmBxMM0hsB4NgCeLxvQw1g9MSpWY9+2 +VbSK/4vNd4EAnicGGKdS3Zy48E4GBZr62ZmWjr/iiEwEEBECAAwFAkHCEoIFgwiW +wmYACgkQGFnQH2d7oezd+QCeJzuPIHb2H/PX1R9NYqC6z+63wFsAmgJUX4Ei+WzK +Gs2r8LVtIo03nc/niEwEEBECAAwFAkHCKOAFgwiWrAgACgkQgcL36+ITtpJ6eQCf +Q5aTW9WLJNVWTdp4fi618YDdnNEAn36Vz84EsZ0gpO0Je9S+geCrffj6iEwEEBEC +AAwFAkHCKTAFgwiWq7gACgkQa3Ds2V3D9HOXdgCg91Pqo7tiv00Je9XoTIJq82ug +6gsAn2Q37v0WzuggX1xyzDSR7oxz77owiEwEEBECAAwFAkIi82wFgwg14XwACgkQ +2KgHx8zsInvpsgCfdHcjOaK7aK1MBAYBaWwkK4rfd7kAoKxblxsQzllz7sLvFbK7 +xG2ipuNJiEwEEBECAAwFAkIongEFgwgwNucACgkQLADuUthSlVgXawCcCbstExBn +Vkd/fHvatuzJ3sJ0g0gAn1t1CmnaMwV/HVQlUhfqefYlVN3giEwEEBECAAwFAkJT +jYsFgwgFR10ACgkQlvNNek/0hjUNPgCfRJZleAq/j/4tbek4A3/lhgXJha0An1aT +oz0bp8HSf2NBjW1euvf/4VZCiEwEEBECAAwFAkKYjoAFgwfARmgACgkQTbbnG4Bh +qDBuUgCgyBpzBy8k7OKzjiYrKMGIWZqiMiYAnjHdHdzo6dKcV+J3ef4hl3VcLqDf +iEwEEBECAAwFAkK9MmEFgweboocACgkQr2QksT29OyBNEACfbNEfltwRZ1RmZEkt +9ZTwOJSli5gAn3brUt3vc1JIxs8dlkwHV1fSJpH8iEwEEBECAAwFAkK9RW4Fgweb +j3oACgkQ62zWxYk/rQd1UACgwJNmfL/Cs6bYMFPC1dRrNsf2GtAAnR6K37k2u63F +X1lbg4aSMLCcNviCiEwEEBECAAwFAkLinZ0Fgwd2N0sACgkQ9D5yZjzIjAkhqgCg +j/Uy+2Xvfw9FAwPdWSaC+o4AVUEAoIvJ06LeJppo5EQqEt1mc8bYV1UjiEwEEBEC +AAwFAkLlBZcFgwdzz1EACgkQg2E6UBaCfQMWAwCgk0N+XcWaLDssH7wYu0EtOFW1 +kKUAn3Vq83yrmg+F4TvieNmPhhqTP6W2iEwEEhECAAwFAj5ecYsFgwVYU94ACgkQ +UF6IRyLnX0ugAwCgnZ5NnBWJ3j9/7slzg5Iy/pU6UesAoLaNJiUgVfg+h3uP4vUJ +hum91P/biEwEEhECAAwFAj97CToFgwQ7vC8ACgkQW7P1GVgWeRq/ZACeL6lVKkE1 +iFiC/YonlBzLqNAdVkgAoIBH8VYDXLRIgBpyfSdwc1YxTeDDiEwEEhECAAwFAj+P +7j8FgwQm1yoACgkQKLKVw/RurbuqxACfb1X6tBq7g3z5HgfCXv2sm2gQI5sAn1JL +b8gDxuSRcWMHulGZY0hZJfvyiEwEEhECAAwFAkCn2cEFgwmw+ycACgkQt5wosOl/ +hW1B0wCgiQGkFQEonh2cRtw1xXowakWqx/EAnjp2Du5T+xpOdf4O+JwV5DmtKqW+ +iEwEEhECAAwFAkGE6LYFgwjT7DIACgkQGKDMjVcGpLQO+QCgsc+A/SO9bY78+ul2 +KU+7SCcztq8AnRbnT0G0HnJdQYMffrLF5Ing2fP5iEwEEhECAAwFAkGxhHAFgwin +UHgACgkQAVLWA9/qxLltoQCg24DNLxMnSOcPFPCNLTPkyyjyQu4AoIe0tZDEDS7m +vM6RQaHREvCuFIOZiEwEEhECAAwFAkKWAqQFgwfC0kQACgkQi5YpQ/wkPzzhMQCg +j+rrxz3tJgTrmh3g3+5rIcWEEUYAnjKOFjzGL/7SyFlpehh0Xa3oO69WiEwEEhEC +AAwFAkLrbeoFgwdtZv4ACgkQwm9wFgHGy4MQfQCffyaecfqcThyxP9FNgZ2Uz4pB +wAEAnjMFgtk5JN6gZ+Ztgqe+YyYrGvvuiEwEEhECAAwFAkLw+X4Fgwdn22oACgkQ +WNqWrwuQEUHBCgCgn3XtRj5qJxudfYkec540HnkoerEAnR2x0A8LAA49rsbhCiLZ +lmTaaD67iEwEExECAAwFAj0HTRcFgwaveFIACgkQPGLK2OTUMk2IMgCfUXkZfmZr +MFIiYO8F/naQMBs/94UAn2Xrf2uaISYrPudIbRkxYm+R2NrZiEwEExECAAwFAj14 +eLIFgwY+TLcACgkQ0BqcGU12bN6ruACgi2uFjh4Sy0Kjyd760dvfpa/9jtMAnjHy +PQ0tHYSqSZDD9qaQvb/F3PlMiEwEExECAAwFAj15MRMFgwY9lFYACgkQcFxTidXB +s1halQCgiR5GTSx4fSCqkikzrOOOXAonDVcAnRFQ13dmkjLcRy4E8bxLtm8xPyAd +iEwEExECAAwFAj2DrfMFgwYzF3YACgkQAtbtIeMsT0ugzQCaA50Snyeu82nth0ik +NVnzHD4W0eAAnA9WxGBmmpvWYOq5LOTy2fVe2P+EiEwEExECAAwFAj2F/AoFgwYw +yV8ACgkQ9Wsmo6Y5nnPZcgCfUvxNXjoWYEsAYJz3z+MWDeGrfJQAn3slXF9ced2O +AN3YgYZNTlIC7UUaiEwEExECAAwFAj2IEOQFgwYutIUACgkQg2XL3N1NTv7QVACg +r+C/P7gqGDupYTC21jl07mPfG/cAoLZ9zkmr1YF6Br7szUKksSan6fwtiEwEExEC +AAwFAj2IOwAFgwYuimkACgkQHb1edYOZ4buWMwCff0YYdFZ7gdc1qjCaeXDhCfLe +0OAAn1OJuZ/eKGk+i0V/ScLpOMLn/SCCiEwEExECAAwFAj22wZ4FgwYAA8sACgkQ +VkEm8inxm9HyigCfaNbjyIlHYA9cAv8sLkz5uHRoTe4AnRyDPfAFiBPZZhwJNDlm +TEColXL/iEwEExECAAwFAj72Ip0FgwTAoswACgkQofbulCQLTD21TQCfcKuy3MEj +JRrikDBgKtpIP1at2cQAmwRlZNeKOT0UJ4RNt2piAHqTD47giEwEExECAAwFAj72 +z7wFgwS/9a0ACgkQBYtazUQcX4H/jgCfaQXW+LvjoJacVNYrdxhXUYx2a+4AoMQV +/y+zjcnaNRbZTH6unq4fBDB5iEwEExECAAwFAj8AnloFgwS2Jw8ACgkQMozWs+vC +dRW8xQCeJLRNfZLO7twP4DnAsaP9wNdsI+AAoKChEzuM19HrksvckWmBVafawaPR +iEwEExECAAwFAj8Fq5cFgwSxGdIACgkQTrg06OLM8A+J1wCgmucpP9rc1NjzPHDF +NcQokRbp/REAnRvctW/8AwDaH/btQjPtXgQGCbrPiEwEExECAAwFAj+PlHgFgwQn +MPEACgkQbHYXjKDtmC0gWwCgrfQwM+i6i82wTcXx8LRPVHm//88AnjOiqMYKpGj4 +cpkwdX2nhUlZEyGOiEwEExECAAwFAj+QUxgFgwQmclEACgkQnQioDO2QjWrbcwCe +Nw1qkRaDRy3/fl41K0F7fbCqq58AnRXqq6031t7zmMdmZDvFlB5M6uFXiEwEExEC +AAwFAj+Qbb4FgwQmV6sACgkQlSxWI2ynbPR51wCgkZpbx8pnoqj6mmXrUQgJSce7 +eRMAoJcbGZ0ls3JXAJRD5y0PYzznxLIriEwEExECAAwFAj+RGicFgwQlq0IACgkQ +46aNyqaY2pkmnQCeLsrSrn63Mnhc7lwklc3UHlYHQLwAniZuyemrUEsU0fdQKHda +fHg471iPiEwEExECAAwFAj+SmrkFgwQkKrAACgkQtamfe9tFLSc5AwCfaA0hJcLI +fm1Eek+X2hs01q3f2lMAn04yqK1H85hZ+77goaEBj2YEEiYsiEwEExECAAwFAj+T +KtsFgwQjmo4ACgkQrSAagZQ6Xw5tYQCbBE8yHKPJrUivqIYiVJL8y7voOqAAoJc/ +HBTNTrRSxyjK7nPmyBYlbY8miEwEExECAAwFAj+UBecFgwQiv4IACgkQOiUrvZ0k +S1UvJwCg2Lw5xCu5/pUTEFErcShPUDM3uDIAoNLDQt61O5Wego+ez43N2N8doSqF +iEwEExECAAwFAj+VCZoFgwQhu88ACgkQTDL5CJndlGiZvgCgiM3ez6j21lBLfJnM +IKhGMrMhW/gAn0WLirWDnek/f9iDEMVcGMEnwOOciEwEExECAAwFAj+cMmsFgwQa +kv4ACgkQNgJWU6vgsQY8MQCcDE5hjYq9uHuyC7ZnBg47a5BkVdsAoNxLfUY6DeCe +kwPu3e+3qJsbwib7iEwEExECAAwFAj/UdIUFgwPiUOQACgkQW5ql+IAeqTKRqACf +d21FYGEziCv14kLK2bD6ghb80jUAni5XNqaFLg8i+0bg/MSQVf88ZQKziEwEExEC +AAwFAkDcUg4Fgwl8gtoACgkQzQ+com69o1nN6gCfUXjD5LUESFXa08Px3pbfXidX +AuAAoMJ1/H/oFgcer7t+tACN2vC8GGYsiEwEExECAAwFAkDkGbAFgwl0uzgACgkQ +Hckf8471INHpVQCfV67np1keBn20I5JABN5Swm51B+EAnRxMBVbypQcppBhdWnxQ +adrjhHVqiEwEExECAAwFAkDuoKIFgwlqNEYACgkQyA90Wa3Cns2o+wCgjBXhs2mE +n9HFs5F8WR4AdTpWp0UAnj/Qls/ZRkcy/RAfAN12XgHOkpyciEwEExECAAwFAkEN +p5kFgwlLLU8ACgkQK6gmAsLOgJlWDQCfe7E7rcFCn9xuL5Rh9MDVVueAJY4AoIL6 +CdZIlgg9Lt/HG2dDFgwPwbkGiEwEExECAAwFAkEYu4wFgwlAGVwACgkQ1W4oD4nf +jasGFACgyTFOT3NMOo7DObxulYi+WtYriqUAn1Y740hi4fWeByAn5qoUj8brf24p +iEwEExECAAwFAkEiMZoFgwk2o04ACgkQ+FmQsCSK63O7vwCePBtM5gchuVC3gXAM +O7r1A/le76AAoIMM0oq6wuiHnT/dUAG858Cw09t0iEwEExECAAwFAkGA8OwFgwjX +4/wACgkQsYn2tNI6QchEuQCeN/pbbqMBzHuAfWO/g9QfmlmVIW0An2WQXrXoE3xn +Vp2C85BtML2phOWPiEwEExECAAwFAkGEAf8FgwjU0ukACgkQTjypAm4rQ9yB6ACf +YnJx27fjxYsq+5UfQEemQt2VO3cAnApE8yUw0B3ZpqCyfRo8JQIb/cJUiEwEExEC +AAwFAkGEkIoFgwjURF4ACgkQlPH09zrL0iMiigCcCIbdWZPauTvF4Pn724WxH6Qe +d5EAmwcodEzOE/rElE7fqScRmudd8Ur7iEwEExECAAwFAkGEvnwFgwjUFmwACgkQ +TbPZ7n9FhNqFGgCeNgwyzTJY1OABEu/EoBXEUOENxdMAnA6Ul/yxKQihc39VvKQf +pdwPGUhRiEwEExECAAwFAkGE6B8FgwjT7MkACgkQLMilaHDIrOVJxQCeIJI+GgF1 +UfUOjkYsjkq260Q72OUAoL0ekc/ixpvh4Vs0j1q9Wx0fpQUwiEwEExECAAwFAkGF +RwQFgwjTjeQACgkQDecnbV4Fd/JDbACfW5h+kLB3Y0wokkr/sxy8RFXwp9kAnjMs +2yoVbG2ZbkHQV2ZODRF66zuMiEwEExECAAwFAkGFVkIFgwjTfqYACgkQqI/9z8xh +Hubw1wCfWLT8UnjyRQIuxGPPWjtGVeezdP4An2GJa9XsZW3yv2eOPAsP93+npZtd +iEwEExECAAwFAkGFXLkFgwjTeC8ACgkQT6RVPNdrU1mZHgCgq9+wyMgDr96Ism0g +Y9OxSqMA+88Ani8EIVnKhI6trTzgZLZDrZ5pdzDuiEwEExECAAwFAkGG8eAFgwjR +4wgACgkQbHYXjKDtmC3wYACg1f05WHi83tg/PMHoBkqlngdDIuIAoK7KZ/to5Frk +fNphn6Zo0fozB1n0iEwEExECAAwFAkGHwbsFgwjREy0ACgkQVm02LO4Jd+iS0wCf +bUWuTf4DZrjdua5kNdfvk65gojgAoLHPPvTdAlVKacX/rnPD7c36LfuYiEwEExEC +AAwFAkGH6+oFgwjQ6P4ACgkQTTx8oVVPtMYoQQCfXmZAzk9EjL3qPz50zZgSUO8l +3m4An0Xoqn603NHFaHfbBKdtWGijlgl5iEwEExECAAwFAkGMPFkFgwjMmI8ACgkQ +iSG13M0VqIMbDQCfSxC8XNlseJ9VQ50GJ66KwSDljmMAn33ApYFWTs8qa/EBIQSg +qPlVEBO/iEwEExECAAwFAkGSMFkFgwjGpI8ACgkQ/2R3A0yRcenRkgCbB5vYhB0c +v0S9X1y54Ci1KmaMDNkAnjeOH5rAZQsOQZXoDJPzHNrjYpLciEwEExECAAwFAkGT +rb0FgwjFJysACgkQ1mvqN8E/x7b7ygCaAyFqMIKTMqQYuQ7hnGpMTx7FPmoAoJtf +YoL1pFmVZ5Mhwkv9GFUee+HHiEwEExECAAwFAkGZWWUFgwi/e4MACgkQSvFUKpY6 +VLAkgACgiL8te7hejTXfDXRIOAZeVzd76/cAoJbmj0tdYt2QGc3j/4yMnmXrKPC/ +iEwEExECAAwFAkGc8GEFgwi75IcACgkQV5nlLYTPmpDPdACfbASh9WQ47r2zzcVc +jlfbvsz2VvgAn0KtwOo73pm3e7aPO/mYlLsP4V9iiEwEExECAAwFAkGqMckFgwiu +ox8ACgkQdDpVTOTwh9cWbgCfaMETpI9v6LZgWuTCzE7DceGsuW8AoIcBSwWGF0Xk +XpRYcvXfjvAg57+piEwEExECAAwFAkGrJUQFgwitr6QACgkQzop515gBbccEhwCf +ZhBXUVoNKDbW5mpYGxfKrMfScIgAnj0XoOlYmWWNN1hlKoSQrZSvh4FFiEwEExEC +AAwFAkG3PJoFgwihmE4ACgkQEfLcQ8rmNEIRiwCgpAzSttJZSiGIffSr4/dixsFU +VxAAoIwnyzPthchrUSMR10AvPAu8Czm9iEwEExECAAwFAkG4HyoFgwigtb4ACgkQ +5Vyxg0d4n7u8mQCfdQ++3anppXuhZp6cQIp1DCCz56AAnRA9B/n9ah1wL+IMjoBh +FvgSW7JLiEwEExECAAwFAkG4K9cFgwigqREACgkQ4We9YdVB4USYCgCeLsm06Ov/ +Yoi9lfn4UB0IX3qwBFgAoIPEVT2gGxQYua51y70pjVYG6t4eiEwEExECAAwFAkG4 +Wg0FgwigetsACgkQBMQfNs0khKmYzACfZgUeTlimmFrhBDEV6SsslxvVIGUAoKZR +9c4+kfE0+BJ069AUZBkkeRKGiEwEExECAAwFAkG5dt4FgwifXgoACgkQPrq84hvw +IdMBbgCeJhjUvC1klrCPhWqKhyfoKJE+hWYAnitsOnNDnjkKDdKta+mrdL23iPD5 +iEwEExECAAwFAkHCqnIFgwiWKnYACgkQPG1Ayb4vCvZS9ACfROLs6kU6Z93eoFUJ +l5H1M3U/L3sAoIgAGfCxQ3sADvFiYg11GTGnDzffiEwEExECAAwFAkHq47IFgwht +8TYACgkQvdkzt4X+wX/UgACfeM81+Z/SliH++ZzOmy5ZR9ljTo8AnA5DGAsPAbdU +7j1NN0NXUg53dNvkiEwEExECAAwFAkIIjHoFgwhQSG4ACgkQIqUcje1P4MASOwCe +LyBkToAQ+3Bvup4B9POq1xipZNgAnAui9pLAdwaGAZ8w5PFxuS2GoXxEiEwEExEC +AAwFAkI2qnwFgwgiKmwACgkQ1cW3Q8Sn6j4gRACfQWmnt2z+J0tB79JQ50hNEVrY +uKEAoNAe1Y5xlLlDTSKJmnwjqnN0qaeriFsEExECABsFAjbtSOoFCQzJfIADCwoD +AxUDAgMWAgECF4AACgkQXeJJllsDWKK11gCfUgltInjqS+wGOrxfjiGjJsNmVtYA +oJLaNHln4KYwLlYOo16kdcB7dqUDiF4EExECAB4DCwoDAxUDAgMWAgECF4ACGQEF +AkBd2egFCRNri/8ACgkQXeJJllsDCRDs0gCgy5RdOqhFvwUFYWj+dHb4LGt7xi0A +oKduFxGMuM/loPShQnjvk/VVFesAiIMEExECAEMFAkKVnMMFgwfDOCU2Gmh0dHA6 +Ly93d3cudmFuaGV1c2Rlbi5jb20vcGdwLWtleS1zaWduaW5nLXBvbGljeS5odG1s +AAoJEDAZDowfKNiuNUAAnjPHZE2+qGvOkOkRYAmqCFMXw9euAJ4lr8dHPg0y8xeN +H8M6rSswZaeHT4kAlQMFEDuB4BNSrOsu06QsYQEB6AYD/iRZgJ2U+hTGt879PPwL +W1y7dQFbjMHqbyyM7eml9ZbC+m+jqNvMsniFCR5qvStMgbXuUZGGpd41mL5+vqF0 +wwM00nBQe+rr5grY2oMPCSEJRNtHEamOsbc4GP59nrwbUhA7MKPSrPCvh9bvh+XQ +7MSlar9eVBkqvnYmKdaKI1ioiKIEEwECAAwFAj+WOcoFgwQgi58ACgkQ4WdUde/j +R61yvQQAghvUxGu+fWc6RUEZnrQ8n69FOPRq+od8fiYNF5iSWfBon3hmT8IQi3vR +FbqCcKsd7fn+rl2zZjFU5f7SuzaF8+hODuH7B/jK+bW/dnhpgDRZyvmZMtLpeAOP +h3IkrGEeknV1LeTZcRJnbGTZiSu3LS8E/AVuSXmmj+2tXXBzSFKJARUDBRA3Q97T +UoBXRHZTQB0BAchxB/9iTH4O9RoIshiUysQgMpncn9o9snx+sCO/NiSuAVleHNBP +1d/Kvo6SGLJYoVfbfLPMNVyuZ4jGi8JQjsgVjpAz93nIevhjz7Xwd3JpS9oUvPej +1mdWnUB4AnkKQfN+5+eso9Gk7OC9cWq20lU9tpVMDIlOj8GHR9kYfJ4fBbzdCGbG +5Z9pzo+96gDUMzX5ZrHlChdV4eHJPMi60XeK+mpocQFQH3GBUSTeM3Sy93JoYJLd +AA2ZcwMF5xI8HRx8u0rwCZNXnDTgPaRbDiW7587n3dWn7Pwmxu/CPtCQ4YO+Wdjc +KvHio7CqojtM8/7xuclkp3Wb1pE1s9w929ca9SHdiQEVAwUQOcqYVhpPhku+30gx +AQGDOwgAjoKCGePm8h7g2edNYGosrPTMcZ8PNCMETXMZozgCbEd5oWvotRaZnta2 +CZyj/u5gOrE7z8XR2PNttenuHVDii5y0KwaaTR12/wrp9VJ61wLy/4zncnx/C9Nw +g/Mu9Y2bMS8EuL16yWNrm6YxprWsaaYy7G251NI7cseXcVnuAowzm6k8ovEwCAqV +l4s7EUibNQQCuDgH4idUdr410fDnpUalpvsGYf1wqhs93RbjU7pNEaLmnlz8zESH +Yaev+JpMVAfnw/jjWp97xyCual75xrc/aj93anrobvU/sSKCDbteDzW9xYyjqZGu +2npn+rBR4iUHZf9j/glwT0PVnH/jf4kBHAQTAQIABgUCQQm8qwAKCRAz/XFX/s5m +Tm10B/wK4tRztfYKQVVYYl3rduOE1rEntFEP3yV0H5qkIlPrXNi3j2hgOiUEBNDg +FpuJ9rSz7IZ3GcIGlP2IlT9OicGwpabAtoB81S8rJKkzI+bBLCK2J1xJslIdjk2F +O1u+KjLu1gu3RZYaYPc3bETXXmtECI2h5hNazvDw+QS1JTIkqr/vhl3TY9JAxiLw +NBWn30phh8kRzvRJh1EI584vRVb7nTSd6PYpnpoEskJbXyAc+BV2QLPk95oj52Mw +eGADFNv3uuyUq2WH9H1KP3MnwNReTy++woQfLzobHHMyBr4ccC4uKlqOmBcZ+kkm +EjxrJTRALelu2quUhpR7a0tcqFxSiQGiBBMBAgAMBQJBhRYSBYMI077WAAoJENJk +ZhEZk6qtGSkL/0qaizY3Ix+hwNj+UAN8sGhPLYNGSnPCgLyLMceByJP7fpF96Try +6wIYsVAsXdltuC6wEsDNjIc74FCduAc0HfhnJ5Yu3ciJ/DvR//vlbnE1pp+RysVf +7V3CVNxLgOdfSBd76tgktcfbsh+R+qKR4JtWjojkET+XAOrCDYNj8P3nNxHzzYO9 +UHSBsNzrm46RBFNxtETh0nDxmgzfu6i2vpSwoRMbi/39VGlHJNYoA7itVZfZx8Fe +bJA9KcirRDGtWcofsUhWWfnQA2K+ahPIx+N0xVzuxjKZoXbkSC+LFwzaoYFUE6Oc +FsBkUY40QhCNKIWUX3kSZVUWro6WuwMltQAkXG+03awShgpciqzZ3o+Oro8zmMoE +SJl9c5oUWuIfJwHpvrw7UrArcZLdf6bcOjHlJqGv2XSRJIxeiUtLghPrZF8pqN7j +58yL94QC7PsQLsRkcgGLp9aSv87O7XzGU9nlyOS7wR56pQPClpTO8tm6ckquKh7T +5jIqnszVh2t4yYkCIgQQAQIADAUCQcIpbgWDCJaregAKCRCq4+bOZqFEaCX4D/4k +RmZ8eDsYuKrw8OS0yUK3PI9k4wyBGxUQmuJKgXFRAbCkUpATHvRh6ZXquWFSVbgk +ay3cfbGLfZWiT7TAz+k3eiVStm/Mk88pqlTfu2pUq0/5bpqJF9zt/L/i2aY/030A +4l5gsEccCsdy5F1FXQPbYGFTvjtPJx8hMstAG761HhaOib/A2O8jd7f8elZMGSTu +btsFJ1/K2Po6sy/3ylJlfo/FzgvqTJYju4IPsIrq44D3k4kQDMahU2W4k6crQncV +7w2wqC0zxmuZIuCio1wyvYG3ey/pjNfrOemSuA/gmmN38uBJM+vEQIPnUdJslc9H +2eH4rVKFEQZuqUk+HUdwVQhJKfwaMmSiGj4PeXphtFc6a3lqfhsiN+7lOnzk0dRM +CxZEMgLjIC6pGquJ610zsYGRb/viXDUliNBJod7CeOHRH653/00U9aaqh1Km2He+ +BWmtZt+Kzw10YUm8oox0/E6XlE4EL8p/LP1uv8vbaGzTVxX5NIr9gVhrnOVDHHXt +lFZxatg7ZLuSNkK6oiqsR2ynxk2ysmTQEzyi20UFxnH8ICsUyRyEDbJlbewQPtJR +nknpV6QhsUA6bVytyYYA3RkJqSDojEgAgz5LL+Zhm1Ttz9ccwxJY6/ZevzlScNrF +xPnzmaotfWPgFis0yF+PLZGTuf/gssj8yYMAWhhtBLkBCwRAXdspAQgA0ShUtJWc +P9jGsEvez951crdhRfV1m/LIu0/SYJfjURfd7qlDiAtebN7uUlT3MHSIaBtOMGCh +0yyocgQIxaeGs3y5oiAQw6d+w2N0gLSU+k7IFC0fshZF20b7iDlOTf9Fsc6yuiSc +JRVRMmj1+85llSjAo/kjI9ha5pbblUtGgn9IqN5/e21AL7lN3YI0xaB6luNNe7Jn +2xOFTMJy2It/9UkvbNMrCjOj8echDN6EIjlv/aUuPMEhX7N5V4vDdQYpID3VORRQ +PuQRklIcchX/panY8HAcgQuy093QqxXlkDi9FHlYesBuPDut4/I7nu5n05vuefbl +5w/yeuT4h3GU5wAGKYhPBBgRAgAPBQJAXdspAhsMBQkDWO8AAAoJEF3iSZZbA1ii +EtYAoKCds+DpwNHVbe2TPz3gLClwNChVAJ9wFd8rmSl+Fh8OT53+bC5heS1JJbkB +CwRDuBYiAQgA0VqHgsH+JVSCUGoTO8rRUbzzK5EmUMtO9vyOv+EDyrGhyPh56AfD +405gacgQyyvGOjn92NYTW++8XvptoPvFqvwVCh71ItRfsc7M6Z4sbTK/kDosulO5 +AiQOnxr6tKps61xnL+a16Rr1sMmX8pky1uF9lioDS/G4Tg8tLifWUf34YxO55yB4 +CG6EpwQFDxwrCPQRbprG1PBSrCiQjgas4hxMgx24se7j+gcmLJR9rVMPVnUFPGM6 +NplqI4IV6YxO1E9LQG+EDU3cLqy4IhCB+bprDON3pa9f9p3dOiooEF/jUeDKsrUf +tvCbRBCr1C8CWaZhMbOAfjgeMfJfui3NPwAGKYhPBBgRAgAPBQJDuBYiAhsMBQkD +wRWAAAoJEF3iSZZbA1iiXcsAnjckbTtf8iMojZKLWEXzuct8bh6HAJwMgOI2sWu9 +NrEbOIj0f1liZDIBKrkBDQRHeSljAQgA3i2NQz0mgdjcli3miy02tRtEEyF6dsuh +aS74AvzyM0fCJ0cTYZAQ2rMBQT7nP6AEjUAr10woxbID73NY0ulKUx2NzZ2ZcQer +OTW1tWAz0BNQpJSe97jVPa/GgcTIbK86KlTvz8y6lIXMFqf+rAY8hc+WW/ljYqeC +HfSfno+d+69lCaPxojIdyTloKef0qlE1s8KMLVNddXkTpVEVYesKxtdWW0KhaO6j +GNZQLrfFbeLycSr403ZZbO34UXz8JnMQQ18WcnDzijvFRd1yTyN21cZKChUbjiWS +v3x54IYBGMK74iohtLwyElDk6jhOt4WqLWu9oFFJQ0yRq6K7zTvAvwARAQABiE8E +GBECAA8FAkd5KWMCGwwFCQaf+l0ACgkQXeJJllsDWKIWwQCgwNWVKWyNzlnfuRH5 +4+PNlK5r+O4AoLV0a8jLsSWfDFoXwWdGKrx+w3iguQGiBEd5KNQRBACEzkqU3lt4 +OOnRGk5xg663vf1q4V7x8y+5D9U6c2AuI4oOwtret8VICwoJr9e4ngvY/laoiuqJ +RjyC/MuUXR4yYErTQC/qbGdJI8dshgAlKYA5MuPYUbX8VhrqISZwR1KbKf9gxjgs +i9J5c5LyUSFXSGQDIGGJpxrvGrYpR6R2/wCg/2mC7sXkHx0Y8pQfMjne4hxBO1cD +/0EsYcLUkFl3YM/ysk8IwIzevSRjceolCq8DYjy6YRLn2ItBM3SpK8ZbZEy7mWJn +fsqMTCr6ChwDoC3vkXJxfWWQ3Nl1I7oyJbtJQyHtP9sVFyWEN8ys2krdam87pONe +Es0Y5IrFVJ3vxriTbjNsAME0pnhl4Tv34HPvtTIri3a/A/4/0/JXzUuPHMydHhfv +1RthRuZfiVbnEW75gVopVVhV1jk1sqBbqkPvLerhwHZcssWZYLd62VrFOq9r0Pms +hCyd558uM2XcZQQPDtl26Vd313+TZVLGVmN/7Yn8kjsByEEbyV9DQEs9gKOKlwSh +ewjOrGc5W142ulx2clBuad2pwIiXBBgRAgAPBQJHeSjUAhsCBQkGoUxsAFIJEF3i +SZZbA1iiRyAEGRECAAYFAkd5KNQACgkQzT/NXj1SwoIQ+QCeOqJ3dB9J8t5z0K1y +OfwkMZNdmMwAn0fo/fpNMvry2H87gwlqEri3lrrwWMoAnjz2JUfE7cnoJ3vOmf8a +rsTRYBY7AKC+sA7qOILCPuv280jZcq5FGJizu5kBogQ6VOgnEQQAwk/7RqQbtBB6 +Y3dxtdULZE1mJ4oWQwXXp42FdhL6LYEWQI+YeHsKa6tbv86sxgWKYmC//Y/uVwxX +KFhduG87FJh17Gw0or/lxMkDQ9RlHceMFXBGOazY5AK19Ol7mczm71xVzr6kY+i7 +JHj7cN8S3+bo/IzzdDX+mCp4XxiB0VkAoP9FAK94TCus3AP3oL1kRrJvXSXnA/9f +F1npM7eSSXit33myTv9zMHuNzulTTsZjKRljmE64Yr8jm/2S4C3nal/jHlxxnRq6 +AEWfpMWKv2vcuYzXIrw/hMjfiIjQzw+uK5dNBTWZLMe3Yow/PT2yFCwwrVKabNid +IJOYp0fss4p3/ow8hZ5+VBByNqzxS1G11hyVyXKdFAQAgZMw3XrD4xFV2XU0Uy5N +LH4lhHXATP+RqTbMDJSuAOwOoqiaEjSeKTuUKuj2DsAxahoq9fVhH6E8h1tJMYqZ +1W76uKtrwIUiCjqjRCRsYOA0xCnnH98QnSdJFvHVUqIBwx/3PkOPkRUKv99Wnr9x +w8ttGGssQBPeAViLCpIWjMqIYQQfEQIAIQUCOlTwWwIHABcMgBE/xzIEHSPp6mbd +tQCcnbwh33TcYQAKCRDHRjY5std5Xle4AKCh1dqtFxD/BiZMqdP1eZYG8AZgTACf +U7VX8NpIaGmdyzVdrSDUo49AJae0IlBoaWxpcCBSLiBaaW1tZXJtYW5uIDxwcnpA +bWl0LmVkdT6IqgQQEQIAagUCRef5PDQUgAAAAAAgAAtwcmVmZXJyZWQtZW1haWwt +ZW5jb2RpbmdAcGdwLmNvbXBhcnRpdGlvbmVkBQsJCAcDAhkBGRhsZGFwOi8va2V5 +c2VydmVyLnBncC5jb20FGwMAAAAFHgEAAAAACgkQx0Y2ObLXeV5HSACgjFrFxTBO +tJlEIchRGIAQkfGP40gAn34gLcaPqvzDS+mRQEqQGEc2DKQRtCJQaGlsaXAgUi4g +WmltbWVybWFubiA8cHJ6QGFjbS5vcmc+iJsEEBECAFsFAkXn+Tw0FIAAAAAAIAAL +cHJlZmVycmVkLWVtYWlsLWVuY29kaW5nQHBncC5jb21wYXJ0aXRpb25lZBkYbGRh +cDovL2tleXNlcnZlci5wZ3AuY29tBR4BAAAAAAoJEMdGNjmy13lemYkAoKcCxXB8 +HSiXXIxTT7mID5EXa4ShAKDdLTSyEKe2BPpaTITWO5iRkFENYdHMf/8AAA06ARAA +AQEAAAAAAAAAAAAAAAD/2P/gABBKRklGAAEBAAABAAEAAP/bAEMACgcHCAcGCggI +CAsKCgsOGBAODQ0OHRUWERgjHyUkIh8iISYrNy8mKTQpISIwQTE0OTs+Pj4lLkRJ +QzxINz0+O//bAEMBCgsLDg0OHBAQHDsoIig7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7 +Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O//AABEIAJAAeAMBIgACEQEDEQH/ +xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUE +BAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZ +GiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOE +hYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX +2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQID +BAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIy +gQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpT +VFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeo +qaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/ +2gAMAwEAAhEDEQA/AOopcUoNISAMk4FdJ54dqgmuooh8zCqV5qfJSL86yLi52o0s +z4RRkk00iW+xqS6qOdhrNvPEqWiks4dh/CprlL/xC87GO3JjXPXuaypZmkYDO7PX +A/rUua6GsaTe50dx471EviBI0HoRuNVT4113dgSKv1QVz6ctgLj2NaFu3lRbREgZ +unIrO7NuWK6G5Z+OdTDfvvKlC/e+Tb+tdVpXijTtUUKJRDN3jc/yPevNWmcsRIiA +eiilkkhgjE8ODz1Vvu01JkummewghgCCCPUUprhdD8buvl297EjRHhZVOCPqOldv +HKs0ayRncjDIIPUVadzFprcXbig0tFMkjIop5xRTAeOtZuqXZj/coeT1rTzgc9q5 +m7uBNcux6Z4oSCTIua5LxNqpeY2UbfKh+fB6munup1trWWdukaFq88ffI3msfnkO +4k0qj0sXRjd3ZPaxO37x1+U9BjOTW3BokrwB5ULF+Qo4xUGjWokuYlI+QfMfeu7h +tEmVeMVztnYlc4G50GUjIRgB69qrwWQtGyV3knr3FekNo0Lk8HJ98CqUnhvzCQWI +9OOlJyL9mcDdxcNuZyxGQSaggsZZiSm73Nd+PCTOAZSpUe1aFtoVtbKMRru9hSUh ++zPL57W4sSGeN9jdeOK7bwR4lknddKnG5VTMUncexrR1TTYjAwKAjvxXERwHSfEC +eU5QN88Z9DWkXqY1I3R67SVDZzi5s4ph/Ggapq2OMbRS0UxBOwWB2PZTXMYHY5/C +ug1Nytk+O/Fc/mnEmRmeIX2aLPn+LC/rXED5pQM5HfHeur8XSFbCGMfxyZP4CuYg +i82ZIl4PrWVTc6qK906fQo1M+5TnHGB0FdnZMAg57VgaPYi0thgZOK1IruCFyGkG +T2FYPU6oqxsJyR7VaR1xggVRhmjcja4OfSrYUgjHekbLUkcAkAAc1WkK7iRwKkUl +pmA6KKgmba+3oT0pDM+9kBQgc1wviOMLcWr9w5H4V210ecetcf4lKMyZ7E/yqosx +qHW+CriS48M25lzmMtGCe4B4rez6VieDY9nhi0B5J3Hn/eNbldS2POluxpNFKeKK +ZJR1mYLCsXduaxa0NaP+koP9ms3NUtiHuVNVsIby1DXAYopOCh5HvXIaZY3M92kt +v82x84bjIrvb5d+hTbRjy4mYk+5x/jWB4bfzBIxHCkKK5W7ydz0lFRhFI2heqIfL +CMk7L8sfUn2FZytp4UG6nSOcjcVVdx/Kti+gSaxJ2gupBDY5HIpV0NFyY0Q5HPY/ +nWbbRpGNzLkvSYohaalalVzyYdrYzxz3rQ0/Wr2GNhJIkzLznB6e2D/OmHQ5IInj +tQI0kADgkHP6VW/s1rJSVXcMbThsZzUOXY0jGy1Oii1VowWVoSZjhQSRn2FU9S1l +LaVTcCPcOMI+cfyqnrS+RZWsMeQyhQuOhxWLNFcPEHjVpJskuHUFSO2O+aaYS0NW +TxBYsu4Pz2DcZrlvENx5jQSLkAljg+tX2aK3jSO409dsg+d41I2n6Gsu907zpIYI +mwHk+Xc3rxgVcWYyv1PS/DabPDtiOuYQfz5rTqK1iSG2jiRdqxoFA+gqQ11HnsQ9 +KKDRTJMfWwRdIexWs3NburW5mgEi9UrCq1sS9x958+g3UakANHjJ7c//AF6wNARo +kdT3c8Vs3M/l6bcrtLbk6Vm6bEUZcEZzkj3PJrllGzZ6EJ8yR0luqzQtE33WGDWl +BC0MIEo8wjjcvf3rIt5NrHtV0aslupGVZ+wNYtnXFaE9xcW8SFmhlGPy/OqCEz3C +gx7UHzKh7e596jmkNyhuJbhNynKrngfWoYNbRpd4VSE4JU5pJrqW0Ta3C5tlmUfN +CwYD1pbVYLqBXBV1PT1+hqPU9dtp4vLUKrNxtXvTrKCJlCzhoWcZSSM4P0PrRJpg +rhd6dbmInZz9a5xUlfWrMR84mVQfpya6l4ljXDXUjD04/wAKxI2A16BEXIL8ADpm +rppXOevpE7fgdqSjk9Riius8wQ0UhooAJBmJhjqK5ZwVkKnsa6vrXP6pD5NyWxw3 +NOJMijIu+Nl6ZBFUtNOJ/LKBSvXnpV7OaxtQMtjdiUNhJDwfSpqq6NaErSOjbCgO +TwOtc6zyX15N5AcjcSCORiqlxrh8sxxsQyjHJ4zTtEvja36+aTtbqK4nFo9FNN2H +XRulUwO7R5PIOen1qrZ2t19oVo2GByQrAHFdpcrC0fnbAQO5FY0mpWAYo9sg2jlg +OtJM25YrdmDfw3jyb2JLZJADZxir1pql0kIhuWeMqflYdqvfYbO7G+NMA9gcUmrt +bWqQQ8BumBR5EyVtmWodSN1bZyC4ODjp9aXQonuPEhYjKwR7icd6rWhhis1IPQZx +W54UgIhuLphgzSZXP93tW1JanLXl7p0BNIaQmk7ZrpOEUmimk0UCGPcxR/eYVkap +dR3LoEwQtTwaJcTENdy7R3VeTWnb6dBbD9zCAf7zcmqtYWrOeisLucZSBgv95uB+ +tV9V0ZrzSHVRmVAWXHfFddPtETrvJcjt0qsibEDDtzT3QLR3PEgWSTZJnOcHJq/a +ySTSoUPOMsfTFdV4u8HMzHULEDY5yyjsTXF20j2s7pINvY1yNdD0FK6ujttPvjLb +Pas2QDjOc1K2k2t7IZlO0lMdelclHem0VSHI3DPHrWhB4i+zx+WhycYJxWbVjeM0 +9zTiZNJEoZw2PuD6Vzmo3z3t09weDnjHYU271CS7kG7hcmn6bpF7rUwitkOyPl5G +4UfWnGOpE5/cavh60udUvQvITqzdgK9Et4UtbdIU4VFAFUdD0iGzsjEigvnLN0JN +XjG8TcP+DiuqMLI8+c+Z3JCQfxoJpm/byy49cc0oYEZBzTsyAOfpRSE0UAaaoeSx +x7CmOcnipmGUpmMn8KZdiu0WFLMOSf6UxY8AY6EcVclTKkev+FRR7S3lkckZX+oo +uKwkO0qY2AKnjB6fSuX8Q+BLS63T2sWM5JRfvL7j1HtXUMnlvn+E1W1vWYdF0eW8 +nbG3CpxnLHoKzkkzSEmmeRahoF5bTnblowcD/CqsGhahczBI4juY4AHJJrqJ9b1b +UoBIEt7e3B5uGAJ/A02LxdDpeCkpuZen7uIKG9s1h1Onm00LOkfDq5Jjl1GdVXPz +RIckj3NdmLG106xENpCkMeeFUdT61JYXIvrKOcblEg+ZG4ZD3U+4NB3XNzgDKpXT +FJHJKTluRxx7IweQc5qdY3YcnI681KIgAc+9S4AC+/FVcmxWWLggHBHUetNe3Oeu +M+1WGTL59RTudoJ9RTuKxQaFl6Nn2xRVx0LHGO3WinoKxaz+7/KkUfN+FL0GPelP +XIqDQXAYH8arsCrhh1HIq0gyDUTr09RikMHwyBuxrG1nTk1iFdOnyLeTO8jqPTH8 +61S4EZQ/WqMknkK9zNKsaJyzMeFHvTF1PLtctLrTLxtHmOYoYw0RHAcf3qveB9Ht +pnk1m8Uv9nfbBGRxuAyWP0zxUOp6jba34lkvZXcWrfuoz0O0DGfxJrp/C0C6dq0+ +ms4kt7lPOt39wMMPy5/CsVbmsbNvlNvTHAtp3UEK0hYAjHUCrMKMgDA4Y9aiiDPK +6fKFJH3RV8R/0NbbGHUg/eM5GT1qdUbyxuPIp+ADT153Ci4WIn4YfiKXZlSO9D9v +rT1I3YpgLgAZ7GimTMfLIHWihIGz/9mITgQQEQIABgUCOlaPIgASCRDHRjY5std5 +XgdlR1BHAAEBB9EAoJKfHe2geEWwIBoiwJGSYV0jgef2AJsEMoiq8ESPJtydoFb6 +Jm59yMDOx9HM1/8AAA2SARAAAQEAAAAAAAAAAAAAAAD/2P/gABBKRklGAAEBAAAB +AAEAAP/bAEMACgcHCAcGCggICAsKCgsOGBAODQ0OHRUWERgjHyUkIh8iISYrNy8m +KTQpISIwQTE0OTs+Pj4lLkRJQzxINz0+O//bAEMBCgsLDg0OHBAQHDsoIig7Ozs7 +Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O//A +ABEIAI8AdQMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJ +Cgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgj +QrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFla +Y2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3 +uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQAD +AQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncA +AQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYn +KCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeI +iYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri +4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/APZqKKKACiiigArI1vxLpuhR +k3Uu6XHyxL94/wCH41leNvFx0K3+x2OHv5R1yMRL6n3rx+8vJbqV5priaaVjmSQv +gA/WpcuxpCF9WdzqXxN1KdythFFbpnHTe38v6Viy+ONecDzNRljycjaSv9BXOW7R +vz5LZH8e8k1YWABi7AMW68n+XOazb8zZRt0Oss/GWsRMrnUJHGfuybWB/Ouz0Xxv +Z3yLHe/6PKf4iPlP+FeRCPyBlfmGeUIxmr1hKGby/MO3se4NCbQpRTPdkdZFDowZ +T0IOQadXlVnrF/oUnmpOVjz8yHlWH0rvtA1+LW4SQmyRRkjsR6itFK5jKNjXoooq +iAooooAKKKKACs7XtVTRdHnvmwWRcIp/iY9BWjXAfFe98nTLO3D43yF2HcgcD+dJ +7Dirs811PUZr2+kuLiRpppHJZjwoNFhYJeS4blBz6DNZ7yZYBRjPX1Nb2lsYkBJx +nqawm7I7acbs049OtzGEAx06Y4qnd6Dfo5azDSpjjHatWCTKcjJ+uK17RsoMGsE2 +jdo4628Navd3A8+MQoM5LV0lt4Ulhj/dSorEYLlMn9a34V3Hgc1oxRKUz3IrVNsw +nZHBaj4a1d4yJpkuUHIKjaam8I6lNoOsql0SYD8rEjBXPrXatHg89a57XdPhFzBc +FQFZgjkDpnoaak0ybJqx6OCGAIOQeQaWsPwndyT6V9nmbdJat5e7+8v8J/L+Vbld +CdzkaswooopiCiiigAryP4sXhk1yG2YAJBCMYPJJ5/LpXqOp6jBpWnT31ycRwruP +v6CvBfGOrXGvai+phFRXwNoJO0DtUya2NacG/eMyCMzTABScVtwK0cYUc56+1R6T +ZGKxSaTBLc7gcip5ZNo/d7Qc/Mx6Z/CuaTuzuhZK5q2TsFAbvW/bw4VSmMe3auPt +dat4f3U0sZY9Dtb+orptN1izkiAW4jyeMZqOWw+a5u2uYwZW4CjmrsbFYxxkEfnW +eZUNoioykSsMkHtVxZ/3xj7BeD2NWjCWpO0ikY/pWP4o2/8ACPXLjG5QCv1yMVqM +ecday/EboNKKPyHcfpzTJRb8CO7+fvGDtGfqCRXYVzXguDbYyzMPncgE9/Wulroj +sc0twoooqiQooooA5D4lyEeG44gxHm3C5+gBNeSM6SOqoActgDPFerfEuKSXS7Mo +CQJiDj1K8V5hHaG1uoonI3ck4Oc1zzfvM7qX8NI04t6KPK7LtwRnNUbnSNRuyZYp +NqZOfLUZHNXhMA+1Rn6VrafIlsFaZmiBJwGGB+dY3sb2Oat9Hv8Aztkl2rwYPDxK +5/pVG1e5t9QWMxlHyMBOM/SvSN9swztQse+BXKXcEU+t4gKu5OCVPC8+vrT5u4or +U14p7lLdbmWJo2YcFOAp9T/9akn8TXdthUnEz4ycRjIrbkso20+2Q8IrhT9M1gX3 +giKe5Z9xRWO4PGcEGkhNrsamm+K0udqXFnNGx43qmQT9O1S+I5VuYLSOF1IaT5vb +pWUbPU9KmQRXP2y2GAY3++vuGro9PtBqOr2izhkjQF9gHUA5wf8APetI6uxjNWVz +ptCtmtdHgR12uV3MPc/5FaNFFdRxBRRRQAUUUUAY3ivTptT0GWG2XdMhDqo6tjsP +wrx++tpbfUlWZHRlA+Vhgj8K95ryr4hWLQ+IWuCciaMFRj8/5VlOPU6KM/snI/af +9Iyc8H16V1elX/mQhGxt9D0rjJMxuGbIye9SDUWgZjIjhMcBeg9P51g43O1ySRva +/r1nBIlrb2qAt/rJtg+Ue3v71Dol1YDU1aBgEx0Fc7NN/aJ3RoWDdqdb6XcWS/a2 +ZwvUD/CjlVhKX3Hr6CGezCBwQ45x296ZazvNAeBIyMUYr6g1xml38qXkK3UkwhUA +4D4z9a0bO7XSdcdY5t1tdnzEJPc9VNK5HIdPKY3VB5RLBhxtrV0e3VblnbG9U6D3 +P/1hWYLnzcY4z0Fa2hN5y3M38Jk2L7gf/rrWna5z1LqJrUUUV0HMFFFFABRRWLrH +i/QdDB+3ajErj/lmh3N+Q6fjQBtVxfxKsd2jpqSD57ZtrY/un/6/86wNW+OFjCzR +6Vpks7dnmbaD+Az/ADrnbn4j634hD6ffLBDb3SsPLSPBAxkck561L2NIp3ObuL5R +ICWGRnnoOvWt3S/Lmj2vhy6/NyDniuMvM29wUxjnnFbeh3wUrHgZHzMx6ZrOUbo3 +jN8xqnTYoLpsRxMno3H61u6Y9jJGtv8Av4lz90ESKD7BhxTbQW2pKC64xxnua0LH +w+sMxkaQlUbIH8q5/U6XLsSPpdzJ5uBDchlO12XY4PbpxWLDaXF5KtrJhPLOSVOd +uD2966fUtRTTbUgNvkPCL6+9c5pV8glkk3gsXxge5p2ZPMdOpkS3/d5MgXCDuW7V +2el2f2DTorfuBlvqetefSa9a6N5Wo6gjyW0br8sfJLdv8a7bRPFGjeIIw2nXqSPj +Jib5XH/ATXRTVkclZ3ehr0UUVqYBRRRQB4X4o+KOq6sjQWrfYrc9om+Y/Vq89uLm +S5kJYk5PJ9abM7M2KfDEFG49e1I0J7eFIgGIy/8AKnW9xt1OGRunmDP0pjMQv1qB +wTu9c0PUd7Gzqtp5xJUDeORnvWdZ3LWpaOQbexBFaUF2Ly1D5y6/K49xUUyxzfLK +vPY//XrKLa0Z0Tin7yNax8Qw2xTcfu9/73at238XKIjhlye3oa8+azK/ccHjqTjN +SJBNEoXeAAc53d6HCL1JU5JWsdPqeuPNJgyAlSOSc4qCxmdLgysxVF6tj/OTWZp8 +CXLZbdIByWA2g1Y81pb6RQNsUXyqi9Ae5+v+FWoWRPNc0b6/e/lPmjEarhYz0ArG +UyWF4JLWV42Q7kKtgjn1rRc4+8B9fWs3U488gHlMH6VRJ6R4X+Kk0Spa60puEHAn +UfOPqO/+eteladrGnatEJLG7inBGcK3I+o6ivmG3kbcNxrZtb6a1cSQTPGwOQy5B +oJ5Uz6Sorxaw+I+vWsHltcibHQypuI/Gii5PIzzSOHzHLEfKDUpXHWrEQR418rkU +jp64plWKrkgUkMZkD45xzSyKT0FVpgyplSQV5yOMUiSxC0llPv6ISNw9K3rdbWZQ +0hGMVz1leG4PkXBBLDCt7+hretpbf7GUbBY+vUVFSPVG1KXQaZbWN2VYI3PZj/jT +IIE1BmKOrRo20qn9f8/nWdeThEl2pgE8kkcmrvhrbHpczgjc0nIzjp/k1pCCTJlU +b0NG/uE0+xbylA/hUDuT/wDrqDTofLt1ycluST3J61T1Nmmv4oecp87Z9egrQtip +iHXHpmqk9SYkrLjnP5dqpXwBRDz3HTpV5xwcDrz3qtdJutmPdSDUlGNgqxB9etXF +f5eD7ioJVBAPQ06Elhx1NIS0ZZWQjIVT+C0UkYTLBsDnrxzRQWZSiaKX90C2T0He +r+fMGMdOopYFWMg9Tjk0w8OfemQtBjqMHBHFMijEkgTseOalbj86ZBxcL6ZoF1Mb +YUd1yQUPFamnvLLK754xwP8AaPeql0uy+kAx1NbGmRCOxV+mfmP41UVdkIgvo3li +EbkZ5YDqVpPD9z5MktjLgCXlMj+Idvy/lViXBuUBbqoxn1zWbO2BKV4LMApHbpzV +PR3AvWwM080553sdp9hwKvwyeVIBnCt1J9ahtItkKKPTFEuVcccNUGiNItkZJPPb +0pgUMrqedwxUdtMJIyrH7vf1FQm9bP7kDj+Nun5UhlKcYU4A4psLfNnOOvSluO+e +ST2qKHJkAHfigV9TQgQ7TkEf1/SirWEiRcjJIooGf//ZiJsEEBECAFsFAkXn+Tw0 +FIAAAAAAIAALcHJlZmVycmVkLWVtYWlsLWVuY29kaW5nQHBncC5jb21wYXJ0aXRp +b25lZBkYbGRhcDovL2tleXNlcnZlci5wZ3AuY29tBR4BAAAAAAoJEMdGNjmy13le +vlgAoMqGHGUHYglUc1q0ONVSbBqREwqgAKDm0Wb8gOEgOc4LMyrMUjFQDE+9ibQt +UGhpbGlwIFIuIFppbW1lcm1hbm4gPHByekBwaGlsemltbWVybWFubi5jb20+iKEE +EBECAGEFAkXn+Tw0FIAAAAAAIAALcHJlZmVycmVkLWVtYWlsLWVuY29kaW5nQHBn +cC5jb21wYXJ0aXRpb25lZAULCQgHAxkYbGRhcDovL2tleXNlcnZlci5wZ3AuY29t +BR4BAAAAAAoJEMdGNjmy13leaBkAni74iLTyTIzFwexRyQIQaKO3Gda9AKDIot/K +YfOdMe8YD4f5Di2KsiAnR7kDDQQ6VOgnEAwAzB13VyQ4SuLE8OiOE2eXTpITYfbb +6yUOF/32mPfIfHmwch04dfv2wXPEgxEmK0Ngw+Po1gr9oSgmC66prrNlD6IAUwGg +fNaroxIe+g8qzh90hE/K8xfzpEDp19J3tkItAjbBJstoXp18mAkKjX4t7eRdefXU +kk+bGI78KqdLfDL2Qle3CH8IF3KiutapQvMF6PlTETlPtvFuuUs4INoBp1ajFOmP +QFXz0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89PY3bzpnhV5JZzf24 +rnRPxfx2vIPFRzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa8L9GAFgr5fSI/VhO +SdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsYjY67VYy4XTjTNP18 +F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsC +RtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpTDJvAAICDACNUV4K2PS6h574Z3NaBsIQ +e5jkVO48MSohjC6s29CjPhlU79cQIYWmBpuNfwroZ6zltyz6Y2Fm65V0IfvVicR7 +zvFFCOhahMuk1cr+Qp936OMEq9sLZGxTjClgwrHGS7YpMSZrEC7bpOmERjo4F/n5 +YmCHJCH8QzCOc9+80gjVEsHiJVABrC8yykjKL5x1V/PSArE4QtMLbkBPGmQYOw8b +x6jCHoO43QjUzbqRfBMHZqWVJyoIIZCp+n13XM4+NO/cDVsZ8bjch0LIOyMrT85n +24yfXRlP0s7BFjLm59Jjhf4djuJWikJawWETlypAy86OYRRuwCbIyNauBeTKy+av +ZvF2oLvpwH4UnudpC06/O0jkj2lQpn9EEUw11RwO6sq9zYTwAUyKerN00cbCfyiZ +l01CIo0btcTO6hQK3c67PaloJ9lVH8/mH7LuqkMLDH5ugkpzmed/8SorfqVkakne +6b4mRySFCBXaVZoKmDHzcH2oSSMhM9exyh6dzi1bGu6IVAQYEQIADAUCOlToJwUb +DAAAAAASCRDHRjY5std5XgdlR1BHAAEB5W0AoPjfnyN286hffnwedCebBR1RzO4W +AJ9PvQHw5eZ3J6+A+0XjA5WKCGcEUZkBogQ1oh4eEQQA/pdK4Oafa1uDN7Cr5nss +4bNpg8YUSg01VVJ08KTCEdpCAPaU+NzaP3KD2ow74WU2gzP70s9uSGQ2Vie4BLvO +kaaBHba/3ivBrg3ILFrxbOfmKQg8Fhtncd/TBOwzfkkbxBNcVJuBPRtjZ3dlDbS4 +IPNsIIv2SuCIfQmA8qNGvWsAoIrJ90b2fzERCZkKtfkoyYA8fnNrBADhJ8RmIrKi +CnDk3Tzk04nu6O8fp3ptrmnO7jluvDfsEVsYRjyMbDnbnjCGu1PeFoP2HZ+H9lp4 +CaQbyjWh2JlvI9UOc72V16SFkV0r8k0euNQXHhhzXWIkfz4gwSbBkN2nO5+6cIVe +KnsdyFYkQyVs+Q86/PMfjo7utyrcWLq1CAQAou3da1JR6+KJO4gUZVh2F1NoaVCE +PAvlDhNV10/hwe5mS0kTjUJ1jMl56mwAFvhFFF9saW+eAnrwIOHjopbdHrPBmTJl +OnNMHVLJzFlqjihwRRZQyL8iNu2mfarn9Mr28ut5BQmp0CnNEJ6hl0Cs7l2xagWF +tlEK2II144vK3fG0J1dlcm5lciBLb2NoIChnbnVwZyBzaWcpIDxkZDlqbkBnbnUu +b3JnPohhBBMRAgAhAheABQkOFIf9BQJBvGheBgsJCAcDAgMVAgMDFgIBAh4BAAoJ +EGi3q4lXVI3NBJMAn01313ag0tgjrGUZtDlKYbmNIeMeAJ0UpVsjxpylBcSjsPE8 +MAki7Hb2R5iOBEO3+scBBADQmRl6K1zJAyqTbEZ3/mYahzj5g3BCjw5KZXAi9jxQ +Aje0GiuEXqFr2eJqplTi92V1OdcxTSPWg9yQCE6BE9o69oRmFhRMXQX/XmmIAXl2 +RlDp2yZdVSQ81gxlOmRzacD4gAIGI6bKAYGQsW5e8dFbWLpI3PbyJEf9RlxguL/a +IQAggVZQmbQmV2VybmVyIEtvY2ggKGRpc3Qgc2lnKSA8ZGQ5am5AZ251Lm9yZz6I +vAQTAQIAJgIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheABQJNLYy3BQkKVE5hAAoJ +EFO2INAc4MYw8HgD/RTUMlH0tuRa4GzwqjoomgosxUjqJg0kGEC2bd3FZ5TEDXp5 +gNZb9v0uTkqeO1Ja4Y56prswKxeeTIeQ7zwoT0hwzeYWeF8U3apqB3+dFyGX0w+x +06B/+6DuPvYCW/ZXyzbxHXQdON/DJJ7+iZdbAreqfyi7o3sgP4TAJXuLZ7a7mQMq +BEd5F8MRCACfArHCJFR6nkmxNiW+UE4PAW3bQla9JWFqCwu4VqLkPI/lHb5pxHff +8Fzy2O89BxD/6hXSDx2SlVmAGHOCJhShx1vfNGVYNsJn2oNK50in9kGvD0+mVACf +y5MyPV8mtMcOM2p18wWVuMd2geYbdNYgArfn/DNpU/59M6eCUphXkYEDcECBqZRK +jSB1JNEnqHAM+gc5fc4VlYdZ+HYBrEZTX/ZLPZg5kffR7XyA6IgqWPSY0PrYxDOx +GujyeStpyZhmkT7ezVzoKBI+ylj3bpKOrkuKLjB3W5TngCLLYvTR/g7yzNygt/+u +rpzNO85KsGLBVDkkShSswiPIett0ZFB/AOD8DawpLNUTX2c6zM6d0gKfS8/DTrxX +6PS5A5ZzB/4xEBpnjnCr2RjnbTi4lcNLg+b25c9lrbT1SXytrUifUQbcOEkCefk+ +X7JPoU/x3Db1DuC94LAaMFfU2o6GWPTzBNtEBBtGpg4Ms5Q1w1g1gDREpKM3mGIP +ycLKXhB+Jfi8pF+qvBqRiA3xnWZALZP009ZfLY+8nMB06u/59zKcLyz+h/zjCmpI +JdFr5xQotm6ztK8Qms1GG1MOVPQ1vCUCHiSwIa7V1KtllYIIsHqR7sIXuTSmiLJ4 +8Tq1NY59nE1hD7JicccghyPeX52onFfEw5qHEPJoXhcOjxSua2x9U9i7cpJnzLKn +IBhdZa7TQht7/jL4C75Sy+fExeESng8PCACUBT+zUUzALezGOZGvxn82OM6rR/l2 +mV9WXepKEB+IDPG1JBwqfl1f80/mI8hhwkr2LYryhd5u+cecRy71993dPSnAYDay +sG/+sIVxYz9M4doWQVhSe9EOJngWcvYP5bCWDybmlBYQJgCkrFUqMvQTJOCklpqb +jQm/uxXaWum9dSAxp5YeHCKqBILUnjBVLoarmV0bcWXwotZiXFd3WpnBHjE/QSny +cFh334+brR8KTSnmS+v6I+B6W+VOcyzHt+8WpXuo1YS4okCmZv6fzIlf6HcVJOJT +8dpqpzyMhqn4YYT0LbRC9orc2Kox0hzaios9K0EoKf5MRQEMsAHAdM0MtBpXZXJu +ZXIgS29jaCA8d2tAZ251cGcub3JnPoh0BBMRCwAkAhsDBQkUsIqNAh4BAheABQsH +CgkCBRUIAgoDBQJHeR6XAhkBAAoJEPKthaweQrNnl2MA31DaryNMaxT+O5dPrAQQ ++Y/GfR/RcoE+GblWTscA3j3/V2ELjY2vjEFKmRLWW74pTBOc3+cFDKN7FbS0HFdl +cm5lciBLb2NoIDx3a0BnMTBjb2RlLmNvbT6IcQQTEQsAIQIbAwUJFLCKjQIeAQIX +gAULBwoJAgUVCAIKAwUCR3kegAAKCRDyrYWsHkKzZ/pEAN98mmysmPc9bo1aMXCx +e0TnNJkrF++bK0VyI8U4AODSsIJ1dRjdUC+myh+BuwBU4JiTEI1i8sKYLmNxuQEN +BEfjtM8BCACswr5+/Tz6nDawIXQNC2TvXtNLIeZyafx7ud0ZcQHFlbL+xBahmsoq +vn+CaQIfc7Sn+xJmGKN8LNN4SUU7QBIVpIC9pdxCqFSeMRwjiJzcotsjt9KqiqC+ +QnyrB8gWi9vyMw7+0FCA2ZgA4NMGWcurnMki9O+moQB48Fl133RIaILq80ANnTgP +k9uXdl1c3BqS/XL54tziOdg9wCSqx/xTv8KWkZxoAM8sLQqnWU3qVgFdFXpBekRr +SqHYlPg8a7v3zWEVW8qMF28KVvPoTwjdpKfLxpxQXpsFFX78f2TaVb3GsPv4Tehs +FcnnkJY4vjKehLr2KLZfJVDHJbP5rtmXABEBAAGIXwQYEQsADwUCR+O0zwIbDAUJ +BxqNoQAKCRDyrYWsHkKzZy6pAN9gOveX0ZsU3EBlK/8dJcpxnkwnKzlMt99Bg9Bf +AN9HNXqKYrIYmYjq0BoNUCAsM2V3rgsM/bCtw57MuQENBE64FVgBCAChkCmMrdCK +W/PWuBQs2/lcTqz3i33KOUCynyj1aOzen9HUJVHymJnN4dZTjq3ARlSTuCSoJmQw +cmom0wjDS2L9qqCnUctdyIoFxTetnMP3JkBhJ4j5IxtwkTznWa0SgEjvBdNUkLTB +G/3lgfMFoqlQNh1or07wsHS+LlvaxvFnqMozssKqYLC9mTVqWfXvTeRsCzYLvZ6j +y4rqbJnDIJzHgqV3K6cyqA5NcZqoWj8OQNUbS+sVCU8nkYkDYQA7wm2nwolEfROS +dFtSTmL49PNQS1V3MUdLUb7SfsDmwfm59SDmJUp4iw3F535P/ei+G5cBYzHO0jN0 +nzUH/sfM7njjABEBAAGIXwQYEQgADwUCTrgVWAIbDAUJBAqORwAKCRDyrYWsHkKz +Z6TKAN0WMNFzexmPvciaqa2LyUVUI/ht3suw/tlVSGDCAN9tCWF1UFBrQORgcrpg +QBfNKPkUdAxxyiDrXfZ1uQGiBE6xTIYRBACUIwMLqbWeRx0ArcxXzzhqKs7n9qQI +mFPQJaN3ovFszbtKt6axbsdJpSg5I1dJek+CS10NwDvLpjxxe14ab379kfA2heBh +adOlaOTnSout7SII0tylPVXRwwR6/kH/Zhc6KiD/uhucj62Mb/LtXjVs3MBx4p6F +IVtKLmHLPsQBkwCghsFvzxBF2yHVEqa0d1VeyO6+V2kD/Ryn/CZbBYR9YwYq+0KT +mLoDKXxPpgdGO2pnCcwWs1uMSyy6WRDRekMZFwDI73a62nXayXuHwNaXg5IQWHqu +cVUk+sgjxhBdqGsByEHsy1zkDMMUWaAmq8l2nxYRWfH6cuX2yFpGJ8dRJ0vB233T +2n7UIWbwKEOXv55kTthu8RYZA/4k0DQMcWo1LEIXOzrrsKeJzuincGRpQ3XfM25H +VpWl6nFQSGSTot+KIeZA43tAdUCq+2r9M7Sy/LLycB4WGVapxdfzi26ihuaewKjB +rXfsJdhX9IPslWPLlf9vpxuzawi3Lft4kuOh9+fFAe835rN/4m3G1NeExN52EFAC +B2UEZoihBBgRCAAJBQJOuBAJAhsCAFIJEPKthaweQrNnRyAEGREIAAYFAk64EAkA +CgkQTwVA1Xf5X5WSmgCcDkxOYVuRygzg3g5jBvdgYx+gAPQAn2PZ7SISj1+Ex9xK +gob3GywuilRM6PQA4M1p2bpqMYCXLUihqb54tJurEd9KRAQc7GEyIWMA32rgu6Kt +I67rm5HVudOYX5n3b76owi4SQfj8uc2ZAaIENzr33REEAMP/kWLCNIB9I6cXdWOn +bG7qXTl/nZk/1OR4WvNWv506xD/7ziI8fN69us4oLUlwQ6/s6zE4dfF7tgmCzqIL +C3BOmsoXczHrOjknee0u1pqFrnxREDgdftvGmixcsyNF1ujKZwj2CVUt5lazK+PD +Mto1i9I4raWTLHIxsuYuGn0rAKCMKQk42UYBZr+xn5W/gRlVLhJzpQQAwWdF///l +RyNc2UwKS/FYRp+27dhAf7uSDXUNsHNvZtc6kAfE961Of/+XLFZU71uotsOIAxyA +JSETcb73TzSD17f42CF0MDP/1AwHOSDdAxDl0+azJJXpf5sO8lWH3o4mOVuEsWIY +hltw+Mm8CmEO5WrUAQR2JhlizxP2AI8XShYD/i6llnWeSlenJSqeNwJFJO94QzLx +p5fGf1b9jPsGo+uvzGySXQYFFvz7tjSRmrMVUivKt+hF4/aTQdCvBVa8ertngDRH +a1o/TDv3HIUN7AtyN3rdTeevKqp1zrv+5ldclRyX0vLEHNrabTE53m+7rJlwBefj +s4lDnEu7pMEhF5yctBBNYXJjdXMgQnJpbmttYW5uiF0EExECABUFAjc6990DCwoD +AxUDAgMWAgECF4AAEgkQwKTLuYeXhWkHZUdQRwABAUDLAJoDM2syf9ExRqVyMhaY +hl3szCi/YACeNiHcMaH5q0bI8j7ZUtsiwCfQYUW0IE1hcmN1cyBCcmlua21hbm4g +PG1iQGcxMGNvZGUuZGU+iF8EExECABcFAjxw+b0FCwcKAwQDFQMCAxYCAQIXgAAS +CRDApMu5h5eFaQdlR1BHAAEBjmYAni0grvGxgcgSuXK3vzLErIkfFK+jAJ9OfvRc +1QinOAydyujUX5roXM/opLQhTWFyY3VzIEJyaW5rbWFubiA8bWJAZzEwY29kZS5j +b20+iGYEExECAB4FAjx7ebMCGwMGCwcKAwQCAxUDAgMWAgECHgECF4AAEgkQwKTL +uYeXhWkHZUdQRwABAZRBAJ4oxvVUX6skfJud8oKoYvy0l/ArGQCePXVckzHYxtiu +H7NsDTesxWN2Jx20JU1hcmN1cyBCcmlua21hbm4gPGJyaW5rbWRAZGViaWFuLm9y +Zz6IXQQTEQIAFQUCNzr52QMLCgMDFQMCAxYCAQIXgAASCRDApMu5h5eFaQdlR1BH +AAEBtf8AnjtHrp2rije+hsx7cuo4eFcR1Z5QAJ9O9XRuyEFfcwhshjneWE6eqQ29 +VLQ2TWFyY3VzIEJyaW5rbWFubiA8TWFyY3VzLkJyaW5rbWFubkBydWhyLXVuaS1i +b2NodW0uZGU+iGAEExECABgDCwoDAxUDAgMWAgECF4AFAj+BZzACGQEAEgdlR1BH +AAEBCRDApMu5h5eFaSl5AJ0Ymtg3+5PTlP6Ct1yL7PM15vJt9gCaArY6MzRMuQNJ +l5KNWAoTHq0bvCW4jgREQA/wAQQApRHPoIKN7SmmizSUkBPgurFEI46l0JxYDnp4 +DARYqOVK+/rIvAyvYiqJYJOh7iGBR+jHgphb1EYnCqHJWDFRihsfJnN4qu2sASK1 +OI++EY+V4l43jLov4x4IB/dG3/6LhzXE07B1+ZM4sHk3allWKOwII3YeXJL+nGKp +YPP/g0kAIPyqo2OIRgQQEQIABgUCN3h2NAAKCRBxLclYPcV2908zAJ0dMP3LNzuR +QGhcPmlUg5PblCT+sgCfZaCC32pvlr3hfjKxp7rF7A73/d2IRgQQEQIABgUCN3kc +ugAKCRA3QH4JLnqqzSKoAJ4qqxovpy5gT3P4jkR7N4/MjJzdqACfcaeVP0QGINoj +7ZUTmNBF5Kb6mC+IRgQQEQIABgUCN48TeQAKCRCp5mf/Jsx4U4JIAKDZRZuT2sMc +jBpVwdMjTbVru4hrhwCfYB+jtkyriI+32JaCKAS5HtRd7lyIRgQQEQIABgUCO0D/ +zAAKCRB5Fi829/aq2WTIAJ9OEmXw2BBDtB/Puf6ZBt2dSevAGwCfYcsuOLrk/avu +ab3BJZW5JchGLWiIRgQQEQIABgUCO0EF7wAKCRA79gnGi6/NvQ4wAKDUH14G5McC +JruDtw+dz6emMPnZ/QCgqFy3xJus0vpN3Q0YrpU6SfeDTEiIRgQQEQIABgUCO0hv +PQAKCRDndeMk20Gzh6BaAKCccntGS2Zzs3oxm2gI3XQ5xRa0RQCfSYnn7bU74hs1 +XGTWIusfZiFN7imIRgQQEQIABgUCO0s2UAAKCRAOp1a1FEhD9fzwAJ9X45AvZ+oC +31mRYg/Ydua7ZcfDagCffhjd8Rr2MOaCZK5CuhP4ciSnCPmIRgQQEQIABgUCO0tY +WwAKCRArSuypsSI1rW6GAJ4gdCjvjQX+7R+o30eGrWXwfaCRGACg1LAC49VDdxqA +ikFcQT2Fsp2APcOIRgQQEQIABgUCO1LAVAAKCRDx0szISXoXbSUcAJ9WVudDIL4a +eRKOprfqzDIMMtnCeQCbBLlreYUISQYZ+9OGY4Ib84ogH6CIRgQQEQIABgUCO2Ma +vAAKCRCPH9/JvOCUNrfcAJ0fcUOOpxX/4UM2WQi1Vjb7SrsTdwCdGwoAGuHqsKge +YYP8rjTxMxW8IaiIRgQQEQIABgUCPG5gRgAKCRCHlTgeG764SuljAJ92YRNmzOU9 +hmhfxYfE6RCFVUNxSgCdEPVMI6/xKZ/+e2IrfpZmzH51YoyIRgQQEQIABgUCPHEX +qwAKCRCbLIdocvHyDQ9vAJ9WeR5bPibJKeg24iHxhK2B2HI2jwCgltQ7aWIRStrl +eD82t+ylopb8eHGIRgQQEQIABgUCPHFApQAKCRA6GqY1kJpUBu8ZAJ9G0kygdwR5 +euu/ecLZkXaBSmeteACeNq4DtiCRuV0Yf/v463Bo87b7AUmIRgQQEQIABgUCPHSu +sgAKCRDRo+6vr9EKz5t8AKCHtAqPb5Sn+oMI8+GJMvQYl72MggCfZvdt2M454BTB +geO4Kipkt1OCCGKIRgQQEQIABgUCPHtynQAKCRBu+K/ChldKymIsAJ4ro0p160Gd +njRgvpl00qCwRFps4wCdGZNu3WhTuhlIH8DPdm7ul1t2Xk+IRgQQEQIABgUCPH1C +sgAKCRAsGKAqtMXzfz60AJ4koQfDOgTB7MN6zriL8TnN12wL+QCgmMe7mxdXlsrL +kzexsq1GQeOGfECIRgQQEQIABgUCPIy9rwAKCRCFuZB1wpEOQbQiAKCJzIEDwVHk +t8FtpKuvxwr+X/kv4gCgq5dNDmWaJs9eHYJaB0bM/NevYiiIRgQQEQIABgUCPQbH +fQAKCRCMu0FTEUuvES6iAJ4ibjCcUMk2gRtY6jtVje/Dl6wTDQCfeXBPKZm9AhDG +sd45pt6sCUXmmY+IRgQQEQIABgUCPSjG0gAKCRB8O3lwiMfB9zCqAJ4/Ho5zFCow +uZKHusCbXPS1SU9EaQCgiM1uAe2vQi0OX8/IT0Eb7FkT/6OIRgQQEQIABgUCPSjG +3QAKCRAnZWjXXGFTreolAKCbr6n47EhyhjuPY9jaymTCeuwkXQCdH537q71id7kC +Kq7g0kGVh6fCmLuIRgQQEQIABgUCPTGQJwAKCRAYzSWlIvOK84htAJ49rr2AcpdD +wuQHccxS5F16eXZPKQCePWM2VZ4ZDATDwDtEpv0COt7wb7OIRgQQEQIABgUCPTLl +zgAKCRBQj9NjvJNoOWUjAKDeB+RBE29XDELNe3xri9Y6DLVS7gCeOVB/2RPgGS0l +gHX3vXQxTmUJ5ACIRgQQEQIABgUCPTaM/QAKCRCRCCGe3N6JCj9DAJ9BDquzVMvF +ihqNSlfxGZ+cailIlACcC42fqA6wUqitA1Isi44zhCFPVZiIRgQQEQIABgUCPTxw +FgAKCRCEYzW4IcBlmNdQAKCJ15kf5PDXvT3cJ2EhThOROKppkQCbBvh4rCKKYW0X +pPBr//iSVCrmuH6IRgQQEQIABgUCPU+IfgAKCRBUj1nrnBQ1XX9FAJ4qbcHZVpWA +hRXylv6Z8w3fBRxlsgCghzOxChhMVUgYIEvOfn8OEnwaKCaIRgQQEQIABgUCPVL2 +RQAKCRCVM3R1+L9kOn6/AJ9ZKI+fBhPMVvUx7A/jFjlEO5ggvACdGZmSmdki35D4 +mmyDE9ksxcNaYr6IRgQQEQIABgUCPbTjDwAKCRBSkvdD69WTawxfAKCUnSC8uKox +hm0JZYgQqqVhNrIU3QCdGzCxj1dtm3YggG/gpUU1H/jd9M2IRgQQEQIABgUCPbwJ +iwAKCRCo3Z2A3JKuMHSdAJ9hMiqw5RgAz7k8WpTVfSZd5ZNy8wCffbK1wkp9UP8o +meEETdPWxvhN0DKIRgQQEQIABgUCPbyU/QAKCRA2z7pEeJFrhFJYAJ9/BgtMAuXu +dqbGpRAi17W4UnuUzwCfeKZKw7Zkh34g83OMHEx2ck5AceCIRgQQEQIABgUCPcs7 +sgAKCRAJlJH3kbDTt5kgAJwIQwk4cwiwHmC5ibmqhHYFLF7gTACfQqqBeE8WGhoy +wq74tQTcJpNVrEuIRgQQEQIABgUCPjG3zQAKCRDu8Ns0syEmA4p6AJ9KBwB3kDZ4 +CpIDs7GFmtMspapy2QCdFMP71wvOY05J1dJp0FXatoD4yumIRgQQEQIABgUCPkr0 +6gAKCRCYdolhntEBv6MxAKDAiKl2k0xQiMSp7+BfhGwfNDnZEgCfe0gz3y6oicwD +Fxupb4xw2q8N13SIRgQQEQIABgUCP1Dl8gAKCRCRWsxFqPTC/WQTAJ9+RxaatsQP +8FhzO17uEq6F8OEeHwCeJRQj8dOAZ7ILLEYmhNN9ZWULr9GIRgQQEQIABgUCQXwB +uQAKCRAYWdAfZ3uh7KpxAJ9x8sTY388xFY8y6MtF2fmUOYT/fwCaAy1My1JHNny1 +541cwZZvIGZAHEOIRgQQEQIABgUCQXwSYAAKCRCBwvfr4hO2kqwoAJ9hLkZBAvwI +lb16HU0FpEuWEtw3JQCdGZGkg/wAdXX22uHsPniatWYRR9aIRgQQEQIABgUCQXwS +uAAKCRBrcOzZXcP0c3EqAJ0b51eUrICrJilaIFEQT9dBjHls/wCeOIZPbvwjh4kn +rVhz0+jyB+9r1HqIRgQQEQIABgUCQijQAAAKCRC2a/Z7cQPF2uAPAKCzq0rT3s4C +HZ4X0g3Od92un95K0gCfcyRb+3mCA3Hl7KwTQFRmyl4hAPSIRgQQEQIABgUCQlwq +uAAKCRAqi8QAwEbAOXs9AJ4yAtnzkeAOJWlrQnPA3mngr/pbrgCg4c6DaNEnYr7q +j17zGGU2eyxYsYiIRgQQEQIABgUCRBFyYwAKCRASdiQXzwUI7BlGAJwK5GVXfn/A +LLsVSSdv2eh5ljhBqQCgo+mFUgcUAacqF93ZeUx/fAh525KIRgQSEQIABgUCPSdf +QgAKCRALDykp34Hug10bAKCA38i3rxWMNjcn6eDmZQfSFGR+bQCfW0pc7+7Ge7wY +olYGG2HXculOvoSIRgQSEQIABgUCPxlx4wAKCRAzCwOLbGN0bdwCAKCwpt+fKPdZ +LF6nvUxIMqhKLmjvmACaAu3ilm5zHvszp3KppCHvdvt0SHqIRgQSEQIABgUCQYvg +pAAKCRDbw+v8M+P+VrEkAJ4tDhIqFNU6qKMU1tnehaHBrPnmfgCfW8iL2gQmqa7i +9ICwMXo8HRSK1PqIRgQTEQIABgUCPQTnuAAKCRBxXtagfnuKyQiOAJ4v0SAy4nuA +yQQ+b3DkJV5EPwdG6ACfRrPJQjOUSeTHdViJT72iy33+mKWIRgQTEQIABgUCPTSZ +ewAKCRA5tmKor+OBaZx3AJ9kazJCCLkcFkvqJW4SNva6izmEHACfejk8wb/R5y0J +PezIKyJNLjExKAuIRgQTEQIABgUCPbVlCgAKCRDLlpiUTMcIXW8/AJ9Iw81alQa9 +0fD2nGt2Bq5IPwee1QCeNrs4yUu/toFnb0giD23zassyVDOIRgQTEQIABgUCPbZD +TAAKCRCy038ItUwJMFMPAJ9F6QMf9WFRCAJf2wVIfL0DVX10PgCfWahBLYdkJv27 +aSxttfvTzQkIpsKIRgQTEQIABgUCPbxvfwAKCRAuLPZ7d5amC5GcAKCpYhwL/bZR +WBarhQelKDciWEUVXgCff2rJBPkwpR4Dnl/7QLrVVk3lYMqIRgQTEQIABgUCPb3M +ywAKCRAp+ORlZ4iWXwrVAJ938BI08jD7EpDAAh2ZUcEyiU5/jACfUSRhcPh+Ejn3 +Bcs0JdujkMVA5WuIRgQTEQIABgUCPc1V/AAKCRDvZ/vHYouOaYrIAKCJbxnpyvFV +nYxB3SfSKs27FUMm2gCfX0dKQUEBf1UqtIi89FDX4rXLOBeIRgQTEQIABgUCPkmO +ewAKCRDeeq9ulMCcf/ZWAKDlaEU4DExCNpjxa4rra2lN9l9tzgCfScBPnkvZ0yDp +onBXCi9zbrQkE1CIRgQTEQIABgUCP4RQfAAKCRDFFK+OS6QBw3j7AKDcsSW5owo8 +IuLDyhRdwdDH9oJ9sQCgrRFU01mFCC2oVXZ467uz5pR5QiKIRgQTEQIABgUCQXJ5 +DAAKCRBPe/KEr/sMFwv/AJ4oDTbBtsExmUj8mhMJNoWMDcc74QCePV5asFsdMqdz +Ucc0d0e5aHI3KM2IRgQTEQIABgUCQjOU+gAKCRDki2W1SzlPfgQBAKCZgdRoadGr +QovOm5y3K78SwVSUDgCeO7IW40mpIqqe1fPbOOb6B9CWVHWIRgQTEQIABgUCRBCu +jwAKCRC+wkwE2qiYkkwiAKCBPhcfnyjyWA4ZdmKA3RSsibm9zgCfSBo+g9ijeFDI +YWIQTFxDEe6QBZiISQQYEQIACQUCREAP8AIbIAAKCRDApMu5h5eFaRjYAJ9nCwn+ +e4V1HXcb2zwYLVl+Fsj8QwCfX4N/EISa6nyvfs/sy9qWexqhq3SIXQQTEQIAFQUC +Nzr5wQMLCgMDFQMCAxYCAQIXgAASCRDApMu5h5eFaQdlR1BHAAEBtxUAn2cup2ei +tiSd6fI5zYz/ipwoAX+iAJ91rpgQfUY372Ajy+xJDloRkSdtTYkAlQMFEDh7ZIdM +J+1lNufNCQEB3BkEAIo/Xtch42Hs3lVlYVoY4NO6hH3P1eT1UObuSlu81tM7UvEb +UyGmiWiPJS5yTFeoI+XMffdRs2i+Ppw9B5/l6Q2nDRpzur05XpeMa73ESXrQuXQ+ +pHf772/piolcB2yvmxeIYgc27K3idk9B1BFSqEs9VqW4axDtoeTd3z3Ryg4eiQEi +BBABAgAMBQJCnMwFBQMAEnUAAAoJEJcQuJvKV618yWkH/jZ+OnuBruybI9IgThAj +hUxwmMLwrQV2EogCdqjW1UOBvcxwltuZzHJpwsaE+SyEl27r06cOcErwzpSLCbQ7 +wH1SuPEl16qDCeUv9KI+pySiZZTAhhxCIYwh8r1llZO/WaYreYJWlAXxv5mKrNO3 +5uirmEPGbepAdEpfIoHRP36M0ZKFIHiIzVG1ai769CV89UwkY0JpcM6nND4Ivx2+ +XW1QYer94VytBCzeo72jXp8c9sgxiICbCO4NnraHxyxkI4P6SpAJ6Bx7O/xHrXmP +eDsM/+UsDO1N3X0NqyqtBX/lNVDaZ58kDozHP8UjgxQOUatrwdB3qBpqMQV0I7wf +j4uJAhwEEAECAAYFAkF8E18ACgkQquPmzmahRGifEhAAqM1mxUkeVWt7s+8nMV/A +mugk9EVMjxV4Bnzh9U270irFtTH26r/0y9UTSNch2bQHeYvDRiwgbK/2yQ2fx2DX +bxo1hio5JXBRYzA4hhf0OHNwmEi5dyWxcqLyF9lXdhVsXz6CxXQUUC/ACZHGUl4J +EhVD2qpGdh1Bg286AjPR+7vbUnJg2I4QZ4ZVkLhaMucI6W2sQInWbXBuMnHF30Lb +iWSr8j8BKdExVG9cNoSlu2pEtIvsB3GaV5UtqqrNs/wbMtGKjWEdiuqgZm21ZLlo +gRmGrQ8rkgQ9F8qBNYXLhV/dqreinzGIFebI3MIhhP3YuwcNSm2X1uFCob5STGLQ +i53H5Ef+qjzQNluMQIdkA5JUnkfltILE3th/Ne8vbne/u8TpzAtLvkBhaly80QNj +u+6DHzRb4vtwb8UvZCPvDwT/2lP3u4hmBpzoLr7Gar/DSyGxF9+wHytN8OxvlnYV +vFrrHlyI0M7IabBOCTWNL0cn2igrGlY6pEuDZt317Atyi+9hc2QSwIWfuudMXHtd +Q8LIan3xj2K8/Vg0QueOQHU6dnc8N/15x/xjCco2bPZkgc1LCeDJC6PsztLQILjZ +y9jpa9R9+H5gCZIA09QtYniwZkZUoro8n3f8TRJ7oCgMyeKsKKwEVaZS0YYWLbkw +/rcVpMQ1Jjp7tugzJ7paUEq4jgREQBAUAQQA029FKgKXodEFSgPOlXcNBXGwo+// +7A9hLYDGFhZuqUMf/Y/+6JtoDJGhBWif6spUHItD9+VXY5QU7sLe2uG5yx6nXDDC +JnyNUYs4hqxp1OHV7qYs0P45IGWbPg3vSSjNxtLtE5dtPjbqs/6yMg5IcUart7kQ ++wpM2G+rBtxJyZEAIMLgSz2I5wQYEQIACQIbAgUCRpSgCAConSAEGQECAAYFAkaU +oAEACgkQ+4hivfzSopNxrAP/ZD7HGr1MBsR0LsXmPA6TBf5GAcWNnLqY/yQhMpms +WaQORKwbdJN8tD9pjT8tRS5gDvM5q/DO/3oa8IpzM2GbjWOqO6XO5XcbUbC503DO +KUXzP/SyqoV8+LxceVuULpW/drlJ7eKgZnqUopBQCGo3xAxkY5fdW9+0mvP535F1 +mcQJEMCky7mHl4VpM8IAn0Gmksoyxst1iMhrjFcy3ZZrmh7UAJ9tcqbZYa4HL3r1 +A0yOoC8qJnpr77iOBERAEC4BBADXA5qVc88MN8XM04C/HpCvk6/YYsLxIbS5FLT7 +QkFcRFa4ux7xdFO/E+XqefRMfSPJXxowZlLSdU9XBV0Z22MrP/hzDvAxG1HaIkUy +3rd/pkf3pNqMJ+2r6qJGgkjtca95+iptNna6ex/R8lJTgvkCoT+hb7XYSKXeB4u1 +kMiVHQAg9VSME4hJBBgRAgAJBQJEQBAuAhsMAAoJEMCky7mHl4VpotcAniMkQ0sW +FzItgpmWEUpJjnQLRvrZAJ9Csnyw/w2412Bi1KiAFN372fPFFrkCDQQ3Ovl2EAgA +pyy7xIHSUEE7Fht3+hfSaKukfrCZAIT2n4YCxQDzimP3ET5t5vuFaUEsZ4OZ8NYu +h6XsCwPu9UJyIru7/cjlcM9YTntMgmG3QXil9Dnyn3QQraqojGtWSaPwvnWiHLSu +i3ZW6SU7/7ZKViPtr7ACl/A9T2GQEIqahApsw1uR5fUL07pwA7BrdsvKF37lnBUq +1uwVc7Tx2QSZHSDuLT6M7MpVl1MDMTa4uD/ebnxTL2DdQzGGDi1tZmtLQexxZ1le +gCOj9zDecLq61plLLnzaDGkZd/gPsOOZQ5b0DCQNs9kW4cLJhGuk79D7iRC8pOQM +iLqbfDU/14abt6rt2zda7wADBQf+PwMGpa1cLabUb72eyP1tS5i0Lk4wrKL0xGLB +usJ2WRH+ruFGCm+iPGK6Lozr2zmtoEgNr7eTaYAdUep9H7tAL6fgpNchcc6s3gYc +PqOUQPCdWvKWprAwUCAJG60PuKlM998n0blweo8u4Emjns/j25H4Nn6WmeCqvhdN +Exb2T3lGQzkjsadRT7XdOPngDNOGLix7WV4phCNYFhAtuL/8w4VnwSk94B0/ic0J +QsdE2PTCLHhTuHAQFYoed0VKtArKnCi0ixOejJ+Z7Yl0Ctyvnfa0Pz7eaJU0ep3Y +GJFgidBEIaxVosrMSzv2zEyt4Gm/aqn4sItZnpXhAxoieict2YhOBBgRAgAGBQI3 +Ovl2ABIJEMCky7mHl4VpB2VHUEcAAQGcPQCeJ/VW6/5dtHDAc6dTK/K2xYlZ4xgA +n37xvFpYHgPw0OCrNhLNyCkJZ0XVmQENBE0ti4EBCACqGtKlX9jI/enhlBdy2cyQ +P6Q7JoyxtaG6/ckAKWHYrqFTQk3IUe8TuDrGT742XFncG9PoMBfJDUNltIPgKFn8 +E9tYQqAOlpSA25bOb30cA2ADkrjgjvDAH8cZ+fkIayWtObTxwqLfPivjFxEM//Id +ShFFVQj+QHmXYBJggWyEIil8Bje7KRw6B5ucs4qSzp5VH4CqDr9PDnLD8lBGHk0x +8jpwh4V/yEODJKATY0Vj00793L8uqA35ZiyczUvvJSLYvf7STO943GswkxdAfqxX +bYifiK2gjE/7SAmB+2jFxsonUDOB1BAY5s3FKqrkaxZr3BBjeuGGoCuiSX/cXRIh +ABEBAAG0Fldlcm5lciBLb2NoIChkaXN0IHNpZymJAT4EEwECACgFAk0ti4ECGwMF +CRDdnwIGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJECSbOdJPJeO2PlMIAJxP +tFXf5yozPpFjRbSkSdjsk9eru05shKZOAKw3RUePTU80SRLPdg4AH+vkm1JMWFFp +wvHlgfxqnE9rp13o7L/4UwNUwqH85zCwu7SHz9cX3d4UUwzcP6qQP4BQEH9/xlpQ +S9eTK9b2RMyggqwd/J8mxjvoWzL8Klf/wl6jXHn/yP92xG9/YA86lNOL1N3/PhlZ +zLuJ6bdD9WzsEp/+kh3UDfjkIrOcWkqwupB+d01R4bHPu9tvXy8Xut8Sok2zku2x +VkEOsV2TXHbwuHO2AGC5pWDX6wgCE4F5XeCB/0ovao2/bk22w1TxzP6PMxo6sLkm +aF6D0frhM2bl4C/uSsq5AQ0ETS2LgQEIAKHwucgbaRj0V7Ht0FnM6RmbqwZ7IFV2 +lR+YN1gkZaWRRCaJoPEZFKhhPEBX1bDVwr/iTPaPPEtpi7oQoHk65yeLrhtOmXXp +NVkV/5WQjAJIrWn+JQ3z/ZejxHULhzKsGg5FC6pRYcEyzRXHtv4BO9kBIKNVirZj +EkQG4BnIrQgl6e2YFa47GNMqcQH7nJdwG1cGQOZOIDQQM41gBzwoSrStMA6DjHku +kFegKfcSbSLArBtYNAwTwmW7RqOMEJwlo0+NYx2Yn75x66bYwdlsP0FLOgez/O/I +xoPRxXr0l4e+uj6dFHqvBi04dx6JsPmXEyeAyLiCWSh7Rwq8uIhBUBUAEQEAAYic +BBABAgAGBQJNLY0EAAoJEFO2INAc4MYwRk8EAIuasyOnCbJW8jpfk3g2VZy1dBZj +7g4PHaI70K1Qz8X3piI8WWaDCwlTPJcvAAtiT6yGHzdONAt+N7GiHNLU7TsMJlTL +suxv1HsdtgnVh/9BwTKRuIBbjrkJlvUEA4xHYdQ4MFNoAFqJ1+eGZTMm1rLPtjQo +pEcDH5VVLqR+ewWriQElBBgBAgAPBQJNLYuBAhsgBQkQ3Z8CAAoJECSbOdJPJeO2 +uxIIAJE2B8aQPQ6o6LBijX/4rJaetAu6xW9Jg7DyE3rqB5TcE7yJDQqjL6bRApjW +RaNofB7CmDxl5tjgTawds0gL1KnKLLPb2wAnaKe9/j/gx6lOCnE2LDj5ebKQKQ3U +B9WG8xNBczNFs7lnBG0+mOwyvWPm9fWzpTf9HFIAi2kCQK7UYZNM4fSvXY5yFz+6 +b5AYDI7pZSP8iJnUxfu2hdbRIKjwNKXzPlDsqYlYXpNAsrUuS7hshUbUe7CjX/RY +dza8Jp3kHEeOCjLxOwotOa9hBla2eNa9AZXZQ4AFhZxpy61ldBDY88IhjsuWm5L/ +jkJdZtPlj6bFjfLt1vPhoX7y7IKZAgsEPFTJeQEQAKCDq/E0+KCD0VDPXgKQ+1H9 +0SrewKMrWvj7ajJ6hGej6mpnpntl+mGAD+rnCjB4UAY6DXsoPZZd6ChDmldsW8/7 +D2P3ObeDn1fNNFLNmBJx6VOJs+crLqDyvwYMBjohCtpHqnF7jb3v83Oeq9G8qlO3 +mDVc/kvKNUGwS/0cBgkTW/LLXSpJBG0TPdC6dTN8Qs0LiSJg0xk6eaBoV5bgA8gi +FYO2uvGpbc5+OnUrgMCGpydrKt+9hs62qHSzEnbjqS9VzcFz2kfrAPD/K5vZ164+ +roFkEsEnCu27/bSoPSexn2Kz/mPRovUxm5WavvEpip56HLMnVZ2kkrnaqeD2dq1h +51L4Z58oMjDUmrumlA1Z9V25M0hMVMXQmzCCCNC4+opPxN3kYLLBBY3+QYdunoR3 +JuJRdn71+nh56TRQHkz6ytLBuQXiFDSYGuqWxqiOLgK5eNzRz5nHUPSkZ+qoEKa8 +RXW0u6XdTyHRPNHiilQDyYsp6BCnlyOH90fPvNM8PFWBKvduUn0XEjVnr22H/6Mm +PerqOije5b/nLypAKvN1ILOz5MMRbC5xm0ki4iFNy3wAw9j8DK349/2Nd8j7FJCD +PevsS7mj6sS7Tb9y2Fo5zhvcpgO02SMsqzOCJ7G3UFg6rTpH5jKHaqCyD1rPOR+5 +2++nCEKknsQ7Fx1o/dvHAAYptCVEYXZpZCBNLiBTaGF3IDxkc2hhd0BqYWJiZXJ3 +b2NreS5jb20+iQI5BBMBAgAjAhsDAh4BAheABQJPDEnABgsJCAcDAgYVCgkICwIF +FgIDAQAACgkQ22mNcZkkJWBi3Q//beukI1Sq42RbUPYFwk5p9o+tj2J4kS8Z5ZRJ +NBNy0qrkXTCKChfA5kCYGDb8jsU9qivN/jpma2RerZ77Az8NBap1WRLR4EhjXR6x +/2F/r4I3++9tNkG89SGR7IJlVMQsIEwtN0wsY0C2N646i+1Lc4f6qVLu158/v6mU +zFPR4EP6jLB+yDqKMbZJqfhicW2jXyiflrk6OGGC5WbKfVKqOG1FyYB+2NlmtG8s +SdD9hE9uADS8VGdp9hoaEv1LxL8miugx9y2cDbzvwYyFGWOb6kITRaz6wroWaUq9 +xMZYY5PG48vedXRx5dcSCORcTeM7raJmwVfvL1q+YqDgJGiQgKVsEoaMOQOLIXuX +yvmbUDtY6pepxIDcnLVZCtXTHY3LVdGwnTQMxKXmgJygRJ1PFegJJLgtSHBK9haa +Pzad6iXc98ZL2wZ39thl10LzAyzbVHvQJfnu3lDOOawSBZOK4DZeFeViUpF7cpAD +w3llk8lYtXMsNFq10KDIzFSu4eKBO0fkajlss7ZrJN1YlxWcHbIrpINW3TNEny0d +4cFypshQj2cl6+c9yfVBCNM5M5mm7YMu7f9voJ+tAq/LnfqqQEZJv49bIu+0aVRt +GElefd27b7tRE/6weFpxoyBk2OTkU+RrjBr/rdp7O0nhWbJAA//l8PP6++aYNnS9 +/vfdjE+5AQ0ETwxJ3QEIAMVOEC6RP/3MNhri2/v5PwG8SaLM2ZUxpnX+TtRMocqc +dPo2zlOYgRCSYn/CYS01BKwt86o5smDTQ9R8Nm2pvSgcQeyZSVSsnEEWJ84oTQMC +nNllMpGytxT1XcpPVZUj0ttBzpc/3QvzWhMz//bKG5F3lUYtDgpoMQDt4IPMnlNs +NJyrIOxuYB7aGuZKDfL3hf6DR6ClrFrHJDOOULXOTuiAb9TmvCc2oIrpxMN8g41H +tjSHstWumMj7+0NuFaQthQBpj9ZWA6X6dgB84ea9Wd7enlKvTkqtKdB6de6P5QUy +1HWt/7mTDOZfvTVsaoibqQHjgMG2OJ/R/wdChDML0GUAEQEAAYkDRAQYAQIADwUC +TwxJ3QIbAgUJCYPP8wEpCRDbaY1xmSQlYMBdIAQZAQIABgUCTwxJ3QAKCRD+p4p6 +obxPpHxhB/9sNDyAsCSX6s1QPAecgJDGxhdIrE3Z5Bx+O+DVG1cGlBIh3UpojPmx +xyqF8koTqsAInLK2D8CeEqg8IB/IjI/LhiQf/Mby57gB46jeThfecdcyhh97kHPh +Xj9Gea2u82YXIYYlVjD9VbsKggoSLFmda6YgPFd6KMbkwaIFgCNDK4GFVITq7HdH +HDJCS5Iec/KnhnQNMHkFdQcycUwaiNSuvIK54LLex2MAL/RoLpYNEmwxApyWlagh +rJe6aRh44FHboBT9lAd7pJ1P2CXEdirrG+WM+DVE7dluJF0bTQ94WtpRyMyCQSv0 +7qBZVUtU/oUe2curJymo3Pv+zxcevmVkTAEQAIKfiBMRDuXfLaGPDBW32OgOReVu +4MysBKJSrvh+x1xD0BO/z/1bZFKMYf71ayf7sBq58o+rMjPUH9ulzTPL8U4F3oA2 +DtP/YSmJixPqB29MqifIZHrhLZwbEjYyysanohZU5YfwenMKdCnjFuCfGbAoSkUA +kyqioXHkHUmBf/qt/v73JNHu7QQOMmJ88PT7f+EYNykcTkd8tANojiZH/Vaem/Nq +fEPFqem6MwEjzyJDwNff1NUeeQLnT+LeAOeC2cWUZel5VbbUzxIWYFTfijplP1Qa +nihFY3D0Yu2weJzpWbKfyTKPJMVOwQS1RwDFZxnPxlXJxvaIOeWQjMHEKsYP+LZy +mH/JG5FMc6UX9duaFZ9fCmivT6OXc2XlWbTLaK5Ux/uneXg/pA5ZcTG75RFjya/p +vXzioeFCieNrecn2M13aEZkuAPcdMlrwAVzX9WaMKi6BUBtcIIEVoohZHzq+SzO2 +bR10H4tfU1T6+PewAcZ9dYGc8sSgGrbiBiW4DbdkP5oR3BUDO1EJYcHhsFY7+nn+ +384XXXBd9BZQKvHHkeot38T9PFTB8tk1ClfnUD9CUTl/4zPTwbe2NQNaSwLJJ7yR +3/4V3jTY3ogZSqu1+GTPschRBwD5JSm8y7eBbjzbRXqLmTEO3hjZSrE1w1iBJFuC +3n+ouAqeAvRr/aazuQENBE8MSi8BCACvl2RV6ve1i8nr++fKneCgMLTh5nxKSBaq +iYpT2dlGwpAdyBU46aij9hH/b6oYAB0CxxrgMxNaBOpGVxUENFQ1qK6bfW1KIndu +YFJVqh4J6pAByz8Pu2BOdk0POarB3JDH51kE+QYZeyt+jgbO4+UYmorPQGiexeMj +rKhJNQLjnHzLlYNptwCgaSatubDrk6+p7x5dHPRTk1cqjYA1IJ+wgK7iXO/TOo2d +DYmYZ6T2n9Pr0q5IksWYjM+sfpnsaH+Y4KQ1TfXBlxvKU+gAZTi0PFZE4lQKEvp3 +lSxklxBVcvVDJyfSGQ0C9FeqU/sgLDrfKljVxck1dFKeIWsgYbG7ABEBAAGJAiUE +GAECAA8FAk8MSi8CGwwFCQmDz6EACgkQ22mNcZkkJWAlZw//duQCqkLqI83OH+vy +5z/52d+9Ca2u3tANvudrT5z9XyRWtuVevhRmYy8ClnnmEoCb66yGZ13RtnBjxDf2 +1fz6daNSc4lbSrpOySjCkdKP86wUipuCX+uFzsVdivb2PtvZ3C383RCeA7Ys1jNM +F54jfwlCKaIPiNwIUggWOXiGFCs0UB0mlp12DcDZh9/lWEAGrSt3Q1JgcHjUGbNb +mrJD7NIsBZqjRp3i0WgSd4oDY3svpGOL0Ixz0Zsitqz5XRSJxgBqb8VKytF8W53Y +HrW4IfQFbn93CbxG40PcmWoU/s3qxFfdC9DrK/sGejWTlg37luVPPlWz9i9lC5kA +f12M9veUKESC+uyCf1wEoK9mLMVPl3l8v2X5BzVT3CxberXV5IHIXoa5sATkor+O +2S/TVKdo16IOqhSaK3JDH4ETH4s08bX0C/XYVKrRXCT1xPCQid27fcvzC6Dj8Q41 +Z+cjFQbrzXWkNCJ/OD/qkPmmtKH51EUBiToR2Q67ubUtioV9+dwtAclrwSvSHcfK +qRPLGGeqhZaR0cENfjEBfp+sG42QmzD1KIPFyPaWJpEjsWcqIRxcm8MI69iI2NSR +6dbXTgHHcf1HHZFL1/TJNmT52GqDal3MG8iSDnn8gYd+S3hCSmsO4wHhK/UIN6X2 +/CAeQoHDpRcWLPhqVIHekxZNmOM= +=K9om +-----END PGP PUBLIC KEY BLOCK----- diff --git a/doc/scdaemon.texi b/doc/scdaemon.texi new file mode 100644 index 0000000..98fa70c --- /dev/null +++ b/doc/scdaemon.texi @@ -0,0 +1,777 @@ +@c Copyright (C) 2002 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file gnupg.texi. + +@include defs.inc + +@node Invoking SCDAEMON +@chapter Invoking the SCDAEMON +@cindex SCDAEMON command options +@cindex command options +@cindex options, SCDAEMON command + +@manpage scdaemon.1 +@ifset manverb +.B scdaemon +\- Smartcard daemon for the GnuPG system +@end ifset + +@mansect synopsis +@ifset manverb +.B scdaemon +.RB [ \-\-homedir +.IR dir ] +.RB [ \-\-options +.IR file ] +.RI [ options ] +.B \-\-server +.br +.B scdaemon +.RB [ \-\-homedir +.IR dir ] +.RB [ \-\-options +.IR file ] +.RI [ options ] +.B \-\-daemon +.RI [ command_line ] +@end ifset + + +@mansect description +The @command{scdaemon} is a daemon to manage smartcards. It is usually +invoked by @command{gpg-agent} and in general not used directly. + +@manpause +@xref{Option Index}, for an index to @command{scdaemon}'s commands and +options. +@mancont + +@menu +* Scdaemon Commands:: List of all commands. +* Scdaemon Options:: List of all options. +* Card applications:: Description of card applications. +* Scdaemon Configuration:: Configuration files. +* Scdaemon Examples:: Some usage examples. +* Scdaemon Protocol:: The protocol the daemon uses. +@end menu + +@mansect commands + +@node Scdaemon Commands +@section Commands + +Commands are not distinguished from options except for the fact that +only one command is allowed. + +@table @gnupgtabopt +@item --version +@opindex version +Print the program version and licensing information. Note that you cannot +abbreviate this command. + +@item --help, -h +@opindex help +Print a usage message summarizing the most useful command-line options. +Note that you cannot abbreviate this command. + +@item --dump-options +@opindex dump-options +Print a list of all available options and commands. Note that you cannot +abbreviate this command. + +@item --server +@opindex server +Run in server mode and wait for commands on the @code{stdin}. The +default mode is to create a socket and listen for commands there. + +@item --multi-server +@opindex multi-server +Run in server mode and wait for commands on the @code{stdin} as well as +on an additional Unix Domain socket. The server command @code{GETINFO} +may be used to get the name of that extra socket. + +@item --daemon +@opindex daemon +Run the program in the background. This option is required to prevent +it from being accidentally running in the background. + +@end table + + +@mansect options + +@node Scdaemon Options +@section Option Summary + +@table @gnupgtabopt + +@item --options @var{file} +@opindex options +Reads configuration from @var{file} instead of from the default +per-user configuration file. The default configuration file is named +@file{scdaemon.conf} and expected in the @file{.gnupg} directory directly +below the home directory of the user. + +@include opt-homedir.texi + + +@item -v +@item --verbose +@opindex v +@opindex verbose +Outputs additional information while running. +You can increase the verbosity by giving several +verbose commands to @command{gpgsm}, such as @samp{-vv}. + +@item --debug-level @var{level} +@opindex debug-level +Select the debug level for investigating problems. @var{level} may be +a numeric value or a keyword: + +@table @code +@item none +No debugging at all. A value of less than 1 may be used instead of +the keyword. +@item basic +Some basic debug messages. A value between 1 and 2 may be used +instead of the keyword. +@item advanced +More verbose debug messages. A value between 3 and 5 may be used +instead of the keyword. +@item expert +Even more detailed messages. A value between 6 and 8 may be used +instead of the keyword. +@item guru +All of the debug messages you can get. A value greater than 8 may be +used instead of the keyword. The creation of hash tracing files is +only enabled if the keyword is used. +@end table + +How these messages are mapped to the actual debugging flags is not +specified and may change with newer releases of this program. They are +however carefully selected to best aid in debugging. + +@quotation Note +All debugging options are subject to change and thus should not be used +by any application program. As the name says, they are only used as +helpers to debug problems. +@end quotation + + +@item --debug @var{flags} +@opindex debug +This option is only useful for debugging and the behavior may change at +any time without notice. FLAGS are bit encoded and may be given in +usual C-Syntax. The currently defined bits are: + +@table @code +@item 0 (1) +command I/O +@item 1 (2) +values of big number integers +@item 2 (4) +low level crypto operations +@item 5 (32) +memory allocation +@item 6 (64) +caching +@item 7 (128) +show memory statistics +@item 9 (512) +write hashed data to files named @code{dbgmd-000*} +@item 10 (1024) +trace Assuan protocol. +See also option @option{--debug-assuan-log-cats}. +@item 11 (2048) +trace APDU I/O to the card. This may reveal sensitive data. +@item 12 (4096) +trace some card reader related function calls. +@end table + +@item --debug-all +@opindex debug-all +Same as @code{--debug=0xffffffff} + +@item --debug-wait @var{n} +@opindex debug-wait +When running in server mode, wait @var{n} seconds before entering the +actual processing loop and print the pid. This gives time to attach a +debugger. + +@item --debug-ccid-driver +@opindex debug-wait +Enable debug output from the included CCID driver for smartcards. +Using this option twice will also enable some tracing of the T=1 +protocol. Note that this option may reveal sensitive data. + +@item --debug-disable-ticker +@opindex debug-disable-ticker +This option disables all ticker functions like checking for card +insertions. + +@item --debug-allow-core-dump +@opindex debug-allow-core-dump +For security reasons we won't create a core dump when the process +aborts. For debugging purposes it is sometimes better to allow core +dump. This option enables it and also changes the working directory to +@file{/tmp} when running in @option{--server} mode. + +@item --debug-log-tid +@opindex debug-log-tid +This option appends a thread ID to the PID in the log output. + +@item --debug-assuan-log-cats @var{cats} +@opindex debug-assuan-log-cats +@efindex ASSUAN_DEBUG +Changes the active Libassuan logging categories to @var{cats}. The +value for @var{cats} is an unsigned integer given in usual C-Syntax. +A value of 0 switches to a default category. If this option is not +used the categories are taken from the environment variable +@code{ASSUAN_DEBUG}. Note that this option has only an effect if the +Assuan debug flag has also been with the option @option{--debug}. For +a list of categories see the Libassuan manual. + +@item --no-detach +@opindex no-detach +Don't detach the process from the console. This is mainly useful for +debugging. + +@item --listen-backlog @var{n} +@opindex listen-backlog +Set the size of the queue for pending connections. The default is 64. +This option has an effect only if @option{--multi-server} is also +used. + +@item --log-file @var{file} +@opindex log-file +Append all logging output to @var{file}. This is very helpful in +seeing what the agent actually does. Use @file{socket://} to log to +socket. + +@item --pcsc-shared +@opindex pcsc-shared +Use shared mode to access the card via PC/SC. This is a somewhat +dangerous option because Scdaemon assumes exclusivbe access to teh +card and for example caches certain information from the card. Use +this option only if you know what you are doing. + +@item --pcsc-driver @var{library} +@opindex pcsc-driver +Use @var{library} to access the smartcard reader. The current default +on Unix is @file{libpcsclite.so} and on Windows @file{winscard.dll}. +Instead of using this option you might also want to install a symbolic +link to the default file name (e.g. from @file{libpcsclite.so.1}). +A Unicode file name may not be used on Windows. + +@item --ctapi-driver @var{library} +@opindex ctapi-driver +Use @var{library} to access the smartcard reader. The current default +is @file{libtowitoko.so}. Note that the use of this interface is +deprecated; it may be removed in future releases. + +@item --disable-ccid +@opindex disable-ccid +Disable the integrated support for CCID compliant readers. This +allows falling back to one of the other drivers even if the internal +CCID driver can handle the reader. Note, that CCID support is only +available if libusb was available at build time. + +@item --reader-port @var{number_or_string} +@opindex reader-port +This option may be used to specify the port of the card terminal. A +value of 0 refers to the first serial device; add 32768 to access USB +devices. The default is 32768 (first USB device). PC/SC or CCID +readers might need a string here; run the program in verbose mode to get +a list of available readers. The default is then the first reader +found. + +To get a list of available CCID readers you may use this command: +@cartouche +@smallexample + echo scd getinfo reader_list \ + | gpg-connect-agent --decode | awk '/^D/ @{print $2@}' +@end smallexample +@end cartouche + +@item --card-timeout @var{n} +@opindex card-timeout +If @var{n} is not 0 and no client is actively using the card, the card +will be powered down after @var{n} seconds. Powering down the card +avoids a potential risk of damaging a card when used with certain +cheap readers. This also allows applications that are not aware of +Scdaemon to access the card. The disadvantage of using a card timeout +is that accessing the card takes longer and that the user needs to +enter the PIN again after the next power up. + +Note that with the current version of Scdaemon the card is powered +down immediately at the next timer tick for any value of @var{n} other +than 0. + +@item --enable-pinpad-varlen +@opindex enable-pinpad-varlen +Please specify this option when the card reader supports variable +length input for pinpad (default is no). For known readers (listed in +ccid-driver.c and apdu.c), this option is not needed. Note that if +your card reader doesn't supports variable length input but you want +to use it, you need to specify your pinpad request on your card. + + +@item --disable-pinpad +@opindex disable-pinpad +Even if a card reader features a pinpad, do not try to use it. + + +@item --deny-admin +@opindex deny-admin +@opindex allow-admin +This option disables the use of admin class commands for card +applications where this is supported. Currently we support it for the +OpenPGP card. This option is useful to inhibit accidental access to +admin class command which could ultimately lock the card through wrong +PIN numbers. Note that GnuPG versions older than 2.0.11 featured an +@option{--allow-admin} option which was required to use such admin +commands. This option has no more effect today because the default is +now to allow admin commands. + +@item --disable-application @var{name} +@opindex disable-application +This option disables the use of the card application named +@var{name}. This is mainly useful for debugging or if a application +with lower priority should be used by default. + +@end table + +All the long options may also be given in the configuration file after +stripping off the two leading dashes. + + +@mansect card applications +@node Card applications +@section Description of card applications + +@command{scdaemon} supports the card applications as described below. + +@menu +* OpenPGP Card:: The OpenPGP card application +* NKS Card:: The Telesec NetKey card application +* DINSIG Card:: The DINSIG card application +* PKCS#15 Card:: The PKCS#15 card application +* Geldkarte Card:: The Geldkarte application +* SmartCard-HSM:: The SmartCard-HSM application +* Undefined Card:: The Undefined stub application +@end menu + +@node OpenPGP Card +@subsection The OpenPGP card application ``openpgp'' + +This application is currently only used by @command{gpg} but may in +future also be useful with @command{gpgsm}. Version 1 and version 2 of +the card is supported. + +@noindent +The specifications for these cards are available at@* +@uref{http://g10code.com/docs/openpgp-card-1.0.pdf} and@* +@uref{http://g10code.com/docs/openpgp-card-2.0.pdf}. + +@node NKS Card +@subsection The Telesec NetKey card ``nks'' + +This is the main application of the Telesec cards as available in +Germany. It is a superset of the German DINSIG card. The card is +used by @command{gpgsm}. + +@node DINSIG Card +@subsection The DINSIG card application ``dinsig'' + +This is an application as described in the German draft standard +@emph{DIN V 66291-1}. It is intended to be used by cards supporting +the German signature law and its bylaws (SigG and SigV). + +@node PKCS#15 Card +@subsection The PKCS#15 card application ``p15'' + +This is common framework for smart card applications. It is used by +@command{gpgsm}. + +@node Geldkarte Card +@subsection The Geldkarte card application ``geldkarte'' + +This is a simple application to display information of a German +Geldkarte. The Geldkarte is a small amount debit card application which +comes with almost all German banking cards. + +@node SmartCard-HSM +@subsection The SmartCard-HSM card application ``sc-hsm'' + +This application adds read-only support for keys and certificates +stored on a @uref{http://www.smartcard-hsm.com, SmartCard-HSM}. + +To generate keys and store certificates you may use +@uref{https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM, OpenSC} or +the tools from @uref{http://www.openscdp.org, OpenSCDP}. + +The SmartCard-HSM cards requires a card reader that supports Extended +Length APDUs. + +@node Undefined Card +@subsection The Undefined card application ``undefined'' + +This is a stub application to allow the use of the APDU command even +if no supported application is found on the card. This application is +not used automatically but must be explicitly requested using the +SERIALNO command. + + +@c ******************************************* +@c *************** **************** +@c *************** FILES **************** +@c *************** **************** +@c ******************************************* +@mansect files +@node Scdaemon Configuration +@section Configuration files + +There are a few configuration files to control certain aspects of +@command{scdaemons}'s operation. Unless noted, they are expected in the +current home directory (@pxref{option --homedir}). + +@table @file + +@item scdaemon.conf +@cindex scdaemon.conf +This is the standard configuration file read by @command{scdaemon} on +startup. It may contain any valid long option; the leading two dashes +may not be entered and the option may not be abbreviated. This default +name may be changed on the command line (@pxref{option --options}). + +@item scd-event +@cindex scd-event +If this file is present and executable, it will be called on every card +reader's status change. An example of this script is provided with the +distribution + +@item reader_@var{n}.status +This file is created by @command{scdaemon} to let other applications now +about reader status changes. Its use is now deprecated in favor of +@file{scd-event}. + +@end table + + +@c +@c Examples +@c +@mansect examples +@node Scdaemon Examples +@section Examples + +@c man begin EXAMPLES + +@example +$ scdaemon --server -v +@end example + +@c man end + +@c +@c Assuan Protocol +@c +@manpause +@node Scdaemon Protocol +@section Scdaemon's Assuan Protocol + +The SC-Daemon should be started by the system to provide access to +external tokens. Using Smartcards on a multi-user system does not +make much sense except for system services, but in this case no +regular user accounts are hosted on the machine. + +A client connects to the SC-Daemon by connecting to the socket named +@file{@value{LOCALRUNDIR}/scdaemon/socket}, configuration information +is read from @var{@value{SYSCONFDIR}/scdaemon.conf} + +Each connection acts as one session, SC-Daemon takes care of +synchronizing access to a token between sessions. + +@menu +* Scdaemon SERIALNO:: Return the serial number. +* Scdaemon LEARN:: Read all useful information from the card. +* Scdaemon READCERT:: Return a certificate. +* Scdaemon READKEY:: Return a public key. +* Scdaemon PKSIGN:: Signing data with a Smartcard. +* Scdaemon PKDECRYPT:: Decrypting data with a Smartcard. +* Scdaemon GETATTR:: Read an attribute's value. +* Scdaemon SETATTR:: Update an attribute's value. +* Scdaemon WRITEKEY:: Write a key to a card. +* Scdaemon GENKEY:: Generate a new key on-card. +* Scdaemon RANDOM:: Return random bytes generated on-card. +* Scdaemon PASSWD:: Change PINs. +* Scdaemon CHECKPIN:: Perform a VERIFY operation. +* Scdaemon RESTART:: Restart connection +* Scdaemon APDU:: Send a verbatim APDU to the card +@end menu + +@node Scdaemon SERIALNO +@subsection Return the serial number + +This command should be used to check for the presence of a card. It is +special in that it can be used to reset the card. Most other commands +will return an error when a card change has been detected and the use of +this function is therefore required. + +Background: We want to keep the client clear of handling card changes +between operations; i.e. the client can assume that all operations are +done on the same card unless he call this function. + +@example + SERIALNO +@end example + +Return the serial number of the card using a status response like: + +@example + S SERIALNO D27600000000000000000000 +@end example + +The serial number is the hex encoded value identified by +the @code{0x5A} tag in the GDO file (FIX=0x2F02). + + + +@node Scdaemon LEARN +@subsection Read all useful information from the card + +@example + LEARN [--force] +@end example + +Learn all useful information of the currently inserted card. When +used without the @option{--force} option, the command might do an INQUIRE +like this: + +@example + INQUIRE KNOWNCARDP <hexstring_with_serialNumber> +@end example + +The client should just send an @code{END} if the processing should go on +or a @code{CANCEL} to force the function to terminate with a cancel +error message. The response of this command is a list of status lines +formatted as this: + +@example + S KEYPAIRINFO @var{hexstring_with_keygrip} @var{hexstring_with_id} +@end example + +If there is no certificate yet stored on the card a single "X" is +returned in @var{hexstring_with_keygrip}. + +@node Scdaemon READCERT +@subsection Return a certificate + +@example + READCERT @var{hexified_certid}|@var{keyid} +@end example + +This function is used to read a certificate identified by +@var{hexified_certid} from the card. With OpenPGP cards the keyid +@code{OpenPGP.3} may be used to read the certificate of version 2 cards. + + +@node Scdaemon READKEY +@subsection Return a public key + +@example +READKEY @var{hexified_certid} +@end example + +Return the public key for the given cert or key ID as an standard +S-Expression. + + + +@node Scdaemon PKSIGN +@subsection Signing data with a Smartcard + +To sign some data the caller should use the command + +@example + SETDATA @var{hexstring} +@end example + +to tell @command{scdaemon} about the data to be signed. The data must be given in +hex notation. The actual signing is done using the command + +@example + PKSIGN @var{keyid} +@end example + +where @var{keyid} is the hexified ID of the key to be used. The key id +may have been retrieved using the command @code{LEARN}. If another +hash algorithm than SHA-1 is used, that algorithm may be given like: + +@example + PKSIGN --hash=@var{algoname} @var{keyid} +@end example + +With @var{algoname} are one of @code{sha1}, @code{rmd160} or @code{md5}. + + +@node Scdaemon PKDECRYPT +@subsection Decrypting data with a Smartcard + +To decrypt some data the caller should use the command + +@example + SETDATA @var{hexstring} +@end example + +to tell @command{scdaemon} about the data to be decrypted. The data +must be given in hex notation. The actual decryption is then done +using the command + +@example + PKDECRYPT @var{keyid} +@end example + +where @var{keyid} is the hexified ID of the key to be used. + +If the card is aware of the apdding format a status line with padding +information is send before the plaintext data. The key for this +status line is @code{PADDING} with the only defined value being 0 and +meaning padding has been removed. + +@node Scdaemon GETATTR +@subsection Read an attribute's value + +TO BE WRITTEN. + +@node Scdaemon SETATTR +@subsection Update an attribute's value + +TO BE WRITTEN. + +@node Scdaemon WRITEKEY +@subsection Write a key to a card + +@example + WRITEKEY [--force] @var{keyid} +@end example + +This command is used to store a secret key on a smartcard. The +allowed keyids depend on the currently selected smartcard +application. The actual keydata is requested using the inquiry +@code{KEYDATA} and need to be provided without any protection. With +@option{--force} set an existing key under this @var{keyid} will get +overwritten. The key data is expected to be the usual canonical encoded +S-expression. + +A PIN will be requested in most cases. This however depends on the +actual card application. + + +@node Scdaemon GENKEY +@subsection Generate a new key on-card + +TO BE WRITTEN. + +@node Scdaemon RANDOM +@subsection Return random bytes generated on-card + +TO BE WRITTEN. + + +@node Scdaemon PASSWD +@subsection Change PINs + +@example + PASSWD [--reset] [--nullpin] @var{chvno} +@end example + +Change the PIN or reset the retry counter of the card holder +verification vector number @var{chvno}. The option @option{--nullpin} +is used to initialize the PIN of TCOS cards (6 byte NullPIN only). + + +@node Scdaemon CHECKPIN +@subsection Perform a VERIFY operation + +@example + CHECKPIN @var{idstr} +@end example + +Perform a VERIFY operation without doing anything else. This may be +used to initialize a the PIN cache earlier to long lasting +operations. Its use is highly application dependent: + +@table @strong +@item OpenPGP + +Perform a simple verify operation for CHV1 and CHV2, so that further +operations won't ask for CHV2 and it is possible to do a cheap check on +the PIN: If there is something wrong with the PIN entry system, only the +regular CHV will get blocked and not the dangerous CHV3. @var{idstr} is +the usual card's serial number in hex notation; an optional fingerprint +part will get ignored. + +There is however a special mode if @var{idstr} is suffixed with the +literal string @code{[CHV3]}: In this case the Admin PIN is checked if +and only if the retry counter is still at 3. + +@end table + + + +@node Scdaemon RESTART +@subsection Perform a RESTART operation + +@example + RESTART +@end example + +Restart the current connection; this is a kind of warm reset. It +deletes the context used by this connection but does not actually +reset the card. + +This is used by gpg-agent to reuse a primary pipe connection and +may be used by clients to backup from a conflict in the serial +command; i.e. to select another application. + + + + +@node Scdaemon APDU +@subsection Send a verbatim APDU to the card + +@example + APDU [--atr] [--more] [--exlen[=@var{n}]] [@var{hexstring}] +@end example + + +Send an APDU to the current reader. This command bypasses the high +level functions and sends the data directly to the card. +@var{hexstring} is expected to be a proper APDU. If @var{hexstring} is +not given no commands are send to the card; However the command will +implicitly check whether the card is ready for use. + +Using the option @code{--atr} returns the ATR of the card as a status +message before any data like this: +@example + S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1 +@end example + +Using the option @code{--more} handles the card status word MORE_DATA +(61xx) and concatenate all responses to one block. + +Using the option @code{--exlen} the returned APDU may use extended +length up to N bytes. If N is not given a default value is used +(currently 4096). + + + +@mansect see also +@ifset isman +@command{gpg-agent}(1), +@command{gpgsm}(1), +@command{gpg2}(1) +@end ifset +@include see-also-note.texi + diff --git a/doc/see-also-note.texi b/doc/see-also-note.texi new file mode 100644 index 0000000..b18efc3 --- /dev/null +++ b/doc/see-also-note.texi @@ -0,0 +1,14 @@ +@c We append this note to all ``see also'' sections of the man pages + +@ifset isman +The full documentation for this tool is maintained as a Texinfo manual. +If GnuPG and the info program are properly installed at your site, the +command + +@example +info gnupg +@end example + +should give you access to the complete manual including a menu structure +and an index. +@end ifset diff --git a/doc/specify-user-id.texi b/doc/specify-user-id.texi new file mode 100644 index 0000000..64e354b --- /dev/null +++ b/doc/specify-user-id.texi @@ -0,0 +1,173 @@ +@c Include file to allow for different placements in man pages and the manual + +There are different ways to specify a user ID to GnuPG. Some of them +are only valid for @command{gpg} others are only good for +@command{gpgsm}. Here is the entire list of ways to specify a key: + +@itemize @bullet + +@item By key Id. +This format is deduced from the length of the string and its content or +@code{0x} prefix. The key Id of an X.509 certificate are the low 64 bits +of its SHA-1 fingerprint. The use of key Ids is just a shortcut, for +all automated processing the fingerprint should be used. + +When using @command{gpg} an exclamation mark (!) may be appended to +force using the specified primary or secondary key and not to try and +calculate which primary or secondary key to use. + +The last four lines of the example give the key ID in their long form as +internally used by the OpenPGP protocol. You can see the long key ID +using the option @option{--with-colons}. + +@cartouche +@example +234567C4 +0F34E556E +01347A56A +0xAB123456 + +234AABBCC34567C4 +0F323456784E56EAB +01AB3FED1347A5612 +0x234AABBCC34567C4 +@end example +@end cartouche + + + +@item By fingerprint. +This format is deduced from the length of the string and its content or +the @code{0x} prefix. Note, that only the 20 byte version fingerprint +is available with @command{gpgsm} (i.e. the SHA-1 hash of the +certificate). + +When using @command{gpg} an exclamation mark (!) may be appended to +force using the specified primary or secondary key and not to try and +calculate which primary or secondary key to use. + +The best way to specify a key Id is by using the fingerprint. This +avoids any ambiguities in case that there are duplicated key IDs. + +@cartouche +@example +1234343434343434C434343434343434 +123434343434343C3434343434343734349A3434 +0E12343434343434343434EAB3484343434343434 +0xE12343434343434343434EAB3484343434343434 +@end example +@end cartouche + +@noindent +@command{gpgsm} also accepts colons between each pair of hexadecimal +digits because this is the de-facto standard on how to present X.509 +fingerprints. @command{gpg} also allows the use of the space +separated SHA-1 fingerprint as printed by the key listing commands. + +@item By exact match on OpenPGP user ID. +This is denoted by a leading equal sign. It does not make sense for +X.509 certificates. + +@cartouche +@example +=Heinrich Heine <heinrichh@@uni-duesseldorf.de> +@end example +@end cartouche + +@item By exact match on an email address. +This is indicated by enclosing the email address in the usual way +with left and right angles. + +@cartouche +@example +<heinrichh@@uni-duesseldorf.de> +@end example +@end cartouche + + +@item By partial match on an email address. +This is indicated by prefixing the search string with an @code{@@}. +This uses a substring search but considers only the mail address +(i.e. inside the angle brackets). + +@cartouche +@example +@@heinrichh +@end example +@end cartouche + +@item By exact match on the subject's DN. +This is indicated by a leading slash, directly followed by the RFC-2253 +encoded DN of the subject. Note that you can't use the string printed +by @code{gpgsm --list-keys} because that one has been reordered and modified +for better readability; use @option{--with-colons} to print the raw +(but standard escaped) RFC-2253 string. + +@cartouche +@example +/CN=Heinrich Heine,O=Poets,L=Paris,C=FR +@end example +@end cartouche + +@item By exact match on the issuer's DN. +This is indicated by a leading hash mark, directly followed by a slash +and then directly followed by the RFC-2253 encoded DN of the issuer. +This should return the Root cert of the issuer. See note above. + +@cartouche +@example +#/CN=Root Cert,O=Poets,L=Paris,C=FR +@end example +@end cartouche + + +@item By exact match on serial number and issuer's DN. +This is indicated by a hash mark, followed by the hexadecimal +representation of the serial number, then followed by a slash and the +RFC-2253 encoded DN of the issuer. See note above. + +@cartouche +@example +#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR +@end example +@end cartouche + +@item By keygrip. +This is indicated by an ampersand followed by the 40 hex digits of a +keygrip. @command{gpgsm} prints the keygrip when using the command +@option{--dump-cert}. + +@cartouche +@example +&D75F22C3F86E355877348498CDC92BD21010A480 +@end example +@end cartouche + + +@item By substring match. +This is the default mode but applications may want to explicitly +indicate this by putting the asterisk in front. Match is not case +sensitive. + +@cartouche +@example +Heine +*Heine +@end example +@end cartouche + +@item . and + prefixes +These prefixes are reserved for looking up mails anchored at the end +and for a word search mode. They are not yet implemented and using +them is undefined. + +@end itemize + +Please note that we have reused the hash mark identifier which was used +in old GnuPG versions to indicate the so called local-id. It is not +anymore used and there should be no conflict when used with X.509 stuff. + +Using the RFC-2253 format of DNs has the drawback that it is not +possible to map them back to the original encoding, however we don't +have to do this because our key database stores this encoding as meta +data. diff --git a/doc/sysnotes.texi b/doc/sysnotes.texi new file mode 100644 index 0000000..f8cc212 --- /dev/null +++ b/doc/sysnotes.texi @@ -0,0 +1,58 @@ +@c Copyright (C) 2004 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file gnupg.texi. + +@node System Notes +@chapter Notes pertaining to certain OSes + +GnuPG has been developed on GNU/Linux systems and is know to work on +almost all Free OSes. All modern POSIX systems should be supported +right now, however there are probably a lot of smaller glitches we need +to fix first. The major problem areas are: + +@itemize +@item +We are planning to use file descriptor passing for interprocess +communication. This will allow us save a lot of resources and improve +performance of certain operations a lot. Systems not supporting this +won't gain these benefits but we try to keep them working the standard +way as it is done today. + +@item +We require more or less full POSIX compatibility. This has been +around for 15 years now and thus we don't believe it makes sense to +support non POSIX systems anymore. Well, we of course the usual +workarounds for near POSIX systems well be applied. + +There is one exception of this rule: Systems based the Microsoft Windows +API (called here @emph{W32}) will be supported to some extend. + +@end itemize + + +@menu +* W32 Notes:: Microsoft Windows Notes +@end menu + + +@node W32 Notes +@section Microsoft Windows Notes + +@noindent +Current limitations are: + +@itemize + +@item +@command{gpgconf} does not create backup files, so in case of trouble +your configuration file might get lost. + +@item +@command{watchgnupg} is not available. Logging to sockets is not +possible. + +@item +The periodical smartcard status checking done by @command{scdaemon} is +not yet supported. + +@end itemize diff --git a/doc/tools.texi b/doc/tools.texi new file mode 100644 index 0000000..6b9a9fe --- /dev/null +++ b/doc/tools.texi @@ -0,0 +1,2136 @@ +@c Copyright (C) 2004, 2008 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file GnuPG.texi. + +@include defs.inc + +@node Helper Tools +@chapter Helper Tools + +GnuPG comes with a couple of smaller tools: + +@menu +* watchgnupg:: Read logs from a socket. +* gpgv:: Verify OpenPGP signatures. +* addgnupghome:: Create .gnupg home directories. +* gpgconf:: Modify .gnupg home directories. +* applygnupgdefaults:: Run gpgconf for all users. +* gpg-preset-passphrase:: Put a passphrase into the cache. +* gpg-connect-agent:: Communicate with a running agent. +* dirmngr-client:: How to use the Dirmngr client tool. +* gpgparsemail:: Parse a mail message into an annotated format +* gpgtar:: Encrypt or sign files into an archive. +* gpg-check-pattern:: Check a passphrase on stdin against the patternfile. +@end menu + +@c +@c WATCHGNUPG +@c +@manpage watchgnupg.1 +@node watchgnupg +@section Read logs from a socket +@ifset manverb +.B watchgnupg +\- Read and print logs from a socket +@end ifset + +@mansect synopsis +@ifset manverb +.B watchgnupg +.RB [ \-\-force ] +.RB [ \-\-verbose ] +.I socketname +@end ifset + +@mansect description +Most of the main utilities are able to write their log files to a Unix +Domain socket if configured that way. @command{watchgnupg} is a simple +listener for such a socket. It ameliorates the output with a time stamp +and makes sure that long lines are not interspersed with log output from +other utilities. This tool is not available for Windows. + + +@noindent +@command{watchgnupg} is commonly invoked as + +@example +watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log +@end example +@manpause + +@noindent +This starts it on the current terminal for listening on the standard +logging socket (which is either @file{~/.gnupg/S.log} or +@file{/var/run/user/UID/gnupg/S.log}). + +@mansect options +@noindent +@command{watchgnupg} understands these options: + +@table @gnupgtabopt + +@item --force +@opindex force +Delete an already existing socket file. + +@anchor{option watchgnupg --tcp} +@item --tcp @var{n} +Instead of reading from a local socket, listen for connects on TCP port +@var{n}. + +@item --time-only +@opindex time-only +Do not print the date part of the timestamp. + +@item --verbose +@opindex verbose +Enable extra informational output. + +@item --version +@opindex version +Print version of the program and exit. + +@item --help +@opindex help +Display a brief help page and exit. + +@end table + +@noindent +@mansect examples +@chapheading Examples + +@example +$ watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log +@end example + +This waits for connections on the local socket +(e.g. @file{/home/foo/.gnupg/S.log}) and shows all log entries. To +make this work the option @option{log-file} needs to be used with all +modules which logs are to be shown. The suggested entry for the +configuration files is: + +@example +log-file socket:// +@end example + +If the default socket as given above and returned by "echo $(gpgconf +--list-dirs socketdir)/S.log" is not desired an arbitrary socket name +can be specified, for example @file{socket:///home/foo/bar/mysocket}. +For debugging purposes it is also possible to do remote logging. Take +care if you use this feature because the information is send in the +clear over the network. Use this syntax in the conf files: + +@example +log-file tcp://192.168.1.1:4711 +@end example + +You may use any port and not just 4711 as shown above; only IP +addresses are supported (v4 and v6) and no host names. You need to +start @command{watchgnupg} with the @option{tcp} option. Note that +under Windows the registry entry +@var{HKCU\Software\GNU\GnuPG:DefaultLogFile} can be used to change the +default log output from @code{stderr} to whatever is given by that +entry. However the only useful entry is a TCP name for remote +debugging. + + +@mansect see also +@ifset isman +@command{gpg}(1), +@command{gpgsm}(1), +@command{gpg-agent}(1), +@command{scdaemon}(1) +@end ifset +@include see-also-note.texi + + +@c +@c GPGV +@c +@include gpgv.texi + + +@c +@c ADDGNUPGHOME +@c +@manpage addgnupghome.8 +@node addgnupghome +@section Create .gnupg home directories +@ifset manverb +.B addgnupghome +\- Create .gnupg home directories +@end ifset + +@mansect synopsis +@ifset manverb +.B addgnupghome +.I account_1 +.IR account_2 ... account_n +@end ifset + +@mansect description +If GnuPG is installed on a system with existing user accounts, it is +sometimes required to populate the GnuPG home directory with existing +files. Especially a @file{trustlist.txt} and a keybox with some +initial certificates are often desired. This script helps to do this +by copying all files from @file{/etc/skel/.gnupg} to the home +directories of the accounts given on the command line. It takes care +not to overwrite existing GnuPG home directories. + +@noindent +@command{addgnupghome} is invoked by root as: + +@example +addgnupghome account1 account2 ... accountn +@end example + + +@c +@c GPGCONF +@c +@manpage gpgconf.1 +@node gpgconf +@section Modify .gnupg home directories +@ifset manverb +.B gpgconf +\- Modify .gnupg home directories +@end ifset + +@mansect synopsis +@ifset manverb +.B gpgconf +.RI [ options ] +.B \-\-list-components +.br +.B gpgconf +.RI [ options ] +.B \-\-list-options +.I component +.br +.B gpgconf +.RI [ options ] +.B \-\-change-options +.I component +@end ifset + + +@mansect description +The @command{gpgconf} is a utility to automatically and reasonable +safely query and modify configuration files in the @file{.gnupg} home +directory. It is designed not to be invoked manually by the user, but +automatically by graphical user interfaces (GUI).@footnote{Please note +that currently no locking is done, so concurrent access should be +avoided. There are some precautions to avoid corruption with +concurrent usage, but results may be inconsistent and some changes may +get lost. The stateless design makes it difficult to provide more +guarantees.} + +@command{gpgconf} provides access to the configuration of one or more +components of the GnuPG system. These components correspond more or +less to the programs that exist in the GnuPG framework, like GPG, +GPGSM, DirMngr, etc. But this is not a strict one-to-one +relationship. Not all configuration options are available through +@command{gpgconf}. @command{gpgconf} provides a generic and abstract +method to access the most important configuration options that can +feasibly be controlled via such a mechanism. + +@command{gpgconf} can be used to gather and change the options +available in each component, and can also provide their default +values. @command{gpgconf} will give detailed type information that +can be used to restrict the user's input without making an attempt to +commit the changes. + +@command{gpgconf} provides the backend of a configuration editor. The +configuration editor would usually be a graphical user interface +program that displays the current options, their default +values, and allows the user to make changes to the options. These +changes can then be made active with @command{gpgconf} again. Such a +program that uses @command{gpgconf} in this way will be called GUI +throughout this section. + +@menu +* Invoking gpgconf:: List of all commands and options. +* Format conventions:: Formatting conventions relevant for all commands. +* Listing components:: List all gpgconf components. +* Checking programs:: Check all programs known to gpgconf. +* Listing options:: List all options of a component. +* Changing options:: Changing options of a component. +* Listing global options:: List all global options. +* Querying versions:: Get and compare software versions. +* Files used by gpgconf:: What files are used by gpgconf. +@end menu + +@manpause +@node Invoking gpgconf +@subsection Invoking gpgconf + +@mansect commands +One of the following commands must be given: + +@table @gnupgtabopt + +@item --list-components +List all components. This is the default command used if none is +specified. + +@item --check-programs +List all available backend programs and test whether they are runnable. + +@item --list-options @var{component} +List all options of the component @var{component}. + +@item --change-options @var{component} +Change the options of the component @var{component}. + +@item --check-options @var{component} +Check the options for the component @var{component}. + +@item --apply-profile @var{file} +Apply the configuration settings listed in @var{file} to the +configuration files. If @var{file} has no suffix and no slashes the +command first tries to read a file with the suffix @code{.prf} from +the data directory (@code{gpgconf --list-dirs datadir}) before it +reads the file verbatim. A profile is divided into sections using the +bracketed component name. Each section then lists the option which +shall go into the respective configuration file. + +@item --apply-defaults +Update all configuration files with values taken from the global +configuration file (usually @file{/etc/gnupg/gpgconf.conf}). +Note: This is a legacy mechanism. Please use global configuraion +files instead. + +@item --list-dirs [@var{names}] +@itemx -L +Lists the directories used by @command{gpgconf}. One directory is +listed per line, and each line consists of a colon-separated list where +the first field names the directory type (for example @code{sysconfdir}) +and the second field contains the percent-escaped directory. Although +they are not directories, the socket file names used by +@command{gpg-agent} and @command{dirmngr} are printed as well. Note +that the socket file names and the @code{homedir} lines are the default +names and they may be overridden by command line switches. If +@var{names} are given only the directories or file names specified by +the list names are printed without any escaping. + +@item --list-config [@var{filename}] +List the global configuration file in a colon separated format. If +@var{filename} is given, check that file instead. + +@item --check-config [@var{filename}] +Run a syntax check on the global configuration file. If @var{filename} +is given, check that file instead. + + +@item --query-swdb @var{package_name} [@var{version_string}] +Returns the current version for @var{package_name} and if +@var{version_string} is given also an indicator on whether an update +is available. The actual file with the software version is +automatically downloaded and checked by @command{dirmngr}. +@command{dirmngr} uses a thresholds to avoid download the file too +often and it does this by default only if it can be done via Tor. To +force an update of that file this command can be used: + +@example + gpg-connect-agent --dirmngr 'loadswdb --force' /bye +@end example + +@item --reload [@var{component}] +@itemx -R +@opindex reload +Reload all or the given component. This is basically the same as +sending a SIGHUP to the component. Components which don't support +reloading are ignored. Without @var{component} or by using "all" for +@var{component} all components which are daemons are reloaded. + +@item --launch [@var{component}] +@opindex launch +If the @var{component} is not already running, start it. +@command{component} must be a daemon. This is in general not required +because the system starts these daemons as needed. However, external +software making direct use of @command{gpg-agent} or @command{dirmngr} +may use this command to ensure that they are started. Using "all" for +@var{component} launches all components which are daemons. + +@item --kill [@var{component}] +@itemx -K +@opindex kill +Kill the given component that runs as a daemon, including +@command{gpg-agent}, @command{dirmngr}, and @command{scdaemon}. A +@command{component} which does not run as a daemon will be ignored. +Using "all" for @var{component} kills all components running as +daemons. Note that as of now reload and kill have the same effect for +@command{scdaemon}. + +@item --create-socketdir +@opindex create-socketdir +Create a directory for sockets below /run/user or /var/run/user. This +is command is only required if a non default home directory is used +and the /run based sockets shall be used. For the default home +directory GnUPG creates a directory on the fly. + +@item --remove-socketdir +@opindex remove-socketdir +Remove a directory created with command @option{--create-socketdir}. + +@end table + + +@mansect options + +The following options may be used: + +@table @gnupgtabopt + +@item -o @var{file} +@itemx --output @var{file} +Write output to @var{file}. Default is to write to stdout. + +@item -v +@itemx --verbose +Outputs additional information while running. Specifically, this +extends numerical field values by human-readable descriptions. + +@item -q +@itemx --quiet +@opindex quiet +Try to be as quiet as possible. + +@include opt-homedir.texi + +@item -n +@itemx --dry-run +Do not actually change anything. This is currently only implemented +for @code{--change-options} and can be used for testing purposes. + +@item -r +@itemx --runtime +Only used together with @code{--change-options}. If one of the +modified options can be changed in a running daemon process, signal +the running daemon to ask it to reparse its configuration file after +changing. + +This means that the changes will take effect at run-time, as far as +this is possible. Otherwise, they will take effect at the next start +of the respective backend programs. + +@item --status-fd @var{n} +@opindex status-fd +Write special status strings to the file descriptor @var{n}. This +program returns the status messages SUCCESS or FAILURE which are +helpful when the caller uses a double fork approach and can't easily +get the return code of the process. + +@manpause +@end table + + +@node Format conventions +@subsection Format conventions + +Some lines in the output of @command{gpgconf} contain a list of +colon-separated fields. The following conventions apply: + +@itemize @bullet +@item +The GUI program is required to strip off trailing newline and/or +carriage return characters from the output. + +@item +@command{gpgconf} will never leave out fields. If a certain version +provides a certain field, this field will always be present in all +@command{gpgconf} versions from that time on. + +@item +Future versions of @command{gpgconf} might append fields to the list. +New fields will always be separated from the previously last field by +a colon separator. The GUI should be prepared to parse the last field +it knows about up until a colon or end of line. + +@item +Not all fields are defined under all conditions. You are required to +ignore the content of undefined fields. +@end itemize + +There are several standard types for the content of a field: + +@table @asis +@item verbatim +Some fields contain strings that are not escaped in any way. Such +fields are described to be used @emph{verbatim}. These fields will +never contain a colon character (for obvious reasons). No de-escaping +or other formatting is required to use the field content. This is for +easy parsing of the output, when it is known that the content can +never contain any special characters. + +@item percent-escaped +Some fields contain strings that are described to be +@emph{percent-escaped}. Such strings need to be de-escaped before +their content can be presented to the user. A percent-escaped string +is de-escaped by replacing all occurrences of @code{%XY} by the byte +that has the hexadecimal value @code{XY}. @code{X} and @code{Y} are +from the set @code{0-9a-f}. + +@item localized +Some fields contain strings that are described to be @emph{localized}. +Such strings are translated to the active language and formatted in +the active character set. + +@item @w{unsigned number} +Some fields contain an @emph{unsigned number}. This number will +always fit into a 32-bit unsigned integer variable. The number may be +followed by a space, followed by a human readable description of that +value (if the verbose option is used). You should ignore everything +in the field that follows the number. + +@item @w{signed number} +Some fields contain a @emph{signed number}. This number will always +fit into a 32-bit signed integer variable. The number may be followed +by a space, followed by a human readable description of that value (if +the verbose option is used). You should ignore everything in the +field that follows the number. + +@item @w{boolean value} +Some fields contain a @emph{boolean value}. This is a number with +either the value 0 or 1. The number may be followed by a space, +followed by a human readable description of that value (if the verbose +option is used). You should ignore everything in the field that follows +the number; checking just the first character is sufficient in this +case. + +@item option +Some fields contain an @emph{option} argument. The format of an +option argument depends on the type of the option and on some flags: + +@table @asis +@item no argument +The simplest case is that the option does not take an argument at all +(@var{type} @code{0}). Then the option argument is an unsigned number +that specifies how often the option occurs. If the @code{list} flag +is not set, then the only valid number is @code{1}. Options that do +not take an argument never have the @code{default} or @code{optional +arg} flag set. + +@item number +If the option takes a number argument (@var{alt-type} is @code{2} or +@code{3}), and it can only occur once (@code{list} flag is not set), +then the option argument is either empty (only allowed if the argument +is optional), or it is a number. A number is a string that begins +with an optional minus character, followed by one or more digits. The +number must fit into an integer variable (unsigned or signed, +depending on @var{alt-type}). + +@item number list +If the option takes a number argument and it can occur more than once, +then the option argument is either empty, or it is a comma-separated +list of numbers as described above. + +@item string +If the option takes a string argument (@var{alt-type} is 1), and it +can only occur once (@code{list} flag is not set) then the option +argument is either empty (only allowed if the argument is optional), +or it starts with a double quote character (@code{"}) followed by a +percent-escaped string that is the argument value. Note that there is +only a leading double quote character, no trailing one. The double +quote character is only needed to be able to differentiate between no +value and the empty string as value. + +@item string list +If the option takes a string argument and it can occur more than once, +then the option argument is either empty, or it is a comma-separated +list of string arguments as described above. +@end table +@end table + +The active language and character set are currently determined from +the locale environment of the @command{gpgconf} program. + +@c FIXME: Document the active language and active character set. Allow +@c to change it via the command line? + + +@mansect usage +@node Listing components +@subsection Listing components + +The command @code{--list-components} will list all components that can +be configured with @command{gpgconf}. Usually, one component will +correspond to one GnuPG-related program and contain the options of +that program's configuration file that can be modified using +@command{gpgconf}. However, this is not necessarily the case. A +component might also be a group of selected options from several +programs, or contain entirely virtual options that have a special +effect rather than changing exactly one option in one configuration +file. + +A component is a set of configuration options that semantically belong +together. Furthermore, several changes to a component can be made in +an atomic way with a single operation. The GUI could for example +provide a menu with one entry for each component, or a window with one +tabulator sheet per component. + +The command @code{--list-components} lists all available +components, one per line. The format of each line is: + +@code{@var{name}:@var{description}:@var{pgmname}:} + +@table @var +@item name +This field contains a name tag of the component. The name tag is used +to specify the component in all communication with @command{gpgconf}. +The name tag is to be used @emph{verbatim}. It is thus not in any +escaped format. + +@item description +The @emph{string} in this field contains a human-readable description +of the component. It can be displayed to the user of the GUI for +informational purposes. It is @emph{percent-escaped} and +@emph{localized}. + +@item pgmname +The @emph{string} in this field contains the absolute name of the +program's file. It can be used to unambiguously invoke that program. +It is @emph{percent-escaped}. +@end table + +Example: +@example +$ gpgconf --list-components +gpg:GPG for OpenPGP:/usr/local/bin/gpg2: +gpg-agent:GPG Agent:/usr/local/bin/gpg-agent: +scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon: +gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm: +dirmngr:Directory Manager:/usr/local/bin/dirmngr: +@end example + + + +@node Checking programs +@subsection Checking programs + +The command @code{--check-programs} is similar to +@code{--list-components} but works on backend programs and not on +components. It runs each program to test whether it is installed and +runnable. This also includes a syntax check of all config file options +of the program. + +The command @code{--check-programs} lists all available +programs, one per line. The format of each line is: + +@code{@var{name}:@var{description}:@var{pgmname}:@var{avail}:@var{okay}:@var{cfgfile}:@var{line}:@var{error}:} + +@table @var +@item name +This field contains a name tag of the program which is identical to the +name of the component. The name tag is to be used @emph{verbatim}. It +is thus not in any escaped format. This field may be empty to indicate +a continuation of error descriptions for the last name. The description +and pgmname fields are then also empty. + +@item description +The @emph{string} in this field contains a human-readable description +of the component. It can be displayed to the user of the GUI for +informational purposes. It is @emph{percent-escaped} and +@emph{localized}. + +@item pgmname +The @emph{string} in this field contains the absolute name of the +program's file. It can be used to unambiguously invoke that program. +It is @emph{percent-escaped}. + +@item avail +The @emph{boolean value} in this field indicates whether the program is +installed and runnable. + +@item okay +The @emph{boolean value} in this field indicates whether the program's +config file is syntactically okay. + +@item cfgfile +If an error occurred in the configuration file (as indicated by a false +value in the field @code{okay}), this field has the name of the failing +configuration file. It is @emph{percent-escaped}. + +@item line +If an error occurred in the configuration file, this field has the line +number of the failing statement in the configuration file. +It is an @emph{unsigned number}. + +@item error +If an error occurred in the configuration file, this field has the error +text of the failing statement in the configuration file. It is +@emph{percent-escaped} and @emph{localized}. + +@end table + +@noindent +In the following example the @command{dirmngr} is not runnable and the +configuration file of @command{scdaemon} is not okay. + +@example +$ gpgconf --check-programs +gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1: +gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1: +scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0: +gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1: +dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0: +@end example + +@noindent +The command @w{@code{--check-options @var{component}}} will verify the +configuration file in the same manner as @code{--check-programs}, but +only for the component @var{component}. + + +@node Listing options +@subsection Listing options + +Every component contains one or more options. Options may be gathered +into option groups to allow the GUI to give visual hints to the user +about which options are related. + +The command @code{@w{--list-options @var{component}}} lists +all options (and the groups they belong to) in the component +@var{component}, one per line. @var{component} must be the string in +the field @var{name} in the output of the @code{--list-components} +command. + +Take care if system-wide options are used: gpgconf may not be able to +properly show the options and the listed options may have no actual +effect in case the system-wide options enforced their own settings. + +There is one line for each option and each group. First come all +options that are not in any group. Then comes a line describing a +group. Then come all options that belong into each group. Then comes +the next group and so on. There does not need to be any group (and in +this case the output will stop after the last non-grouped option). + +The format of each line is: + +@code{@var{name}:@var{flags}:@var{level}:@var{description}:@var{type}:@var{alt-type}:@var{argname}:@var{default}:@var{argdef}:@var{value}} + +@table @var +@item name +This field contains a name tag for the group or option. The name tag +is used to specify the group or option in all communication with +@command{gpgconf}. The name tag is to be used @emph{verbatim}. It is +thus not in any escaped format. + +@item flags +The flags field contains an @emph{unsigned number}. Its value is the +OR-wise combination of the following flag values: + +@table @code +@item group (1) +If this flag is set, this is a line describing a group and not an +option. +@end table + +The following flag values are only defined for options (that is, if +the @code{group} flag is not used). + +@table @code +@item optional arg (2) +If this flag is set, the argument is optional. This is never set for +@var{type} @code{0} (none) options. + +@item list (4) +If this flag is set, the option can be given multiple times. + +@item runtime (8) +If this flag is set, the option can be changed at runtime. + +@item default (16) +If this flag is set, a default value is available. + +@item default desc (32) +If this flag is set, a (runtime) default is available. This and the +@code{default} flag are mutually exclusive. + +@item no arg desc (64) +If this flag is set, and the @code{optional arg} flag is set, then the +option has a special meaning if no argument is given. + +@item no change (128) +If this flag is set, @command{gpgconf} ignores requests to change the +value. GUI frontends should grey out this option. Note, that manual +changes of the configuration files are still possible. +@end table + +@item level +This field is defined for options and for groups. It contains an +@emph{unsigned number} that specifies the expert level under which +this group or option should be displayed. The following expert levels +are defined for options (they have analogous meaning for groups): + +@table @code +@item basic (0) +This option should always be offered to the user. + +@item advanced (1) +This option may be offered to advanced users. + +@item expert (2) +This option should only be offered to expert users. + +@item invisible (3) +This option should normally never be displayed, not even to expert +users. + +@item internal (4) +This option is for internal use only. Ignore it. +@end table + +The level of a group will always be the lowest level of all options it +contains. + +@item description +This field is defined for options and groups. The @emph{string} in +this field contains a human-readable description of the option or +group. It can be displayed to the user of the GUI for informational +purposes. It is @emph{percent-escaped} and @emph{localized}. + +@item type +This field is only defined for options. It contains an @emph{unsigned +number} that specifies the type of the option's argument, if any. The +following types are defined: + +Basic types: + +@table @code +@item none (0) +No argument allowed. + +@item string (1) +An @emph{unformatted string}. + +@item int32 (2) +A @emph{signed number}. + +@item uint32 (3) +An @emph{unsigned number}. +@end table + +Complex types: + +@table @code +@item pathname (32) +A @emph{string} that describes the pathname of a file. The file does +not necessarily need to exist. + +@item ldap server (33) +A @emph{string} that describes an LDAP server in the format: + +@code{@var{hostname}:@var{port}:@var{username}:@var{password}:@var{base_dn}} + +@item key fingerprint (34) +A @emph{string} with a 40 digit fingerprint specifying a certificate. + +@item pub key (35) +A @emph{string} that describes a certificate by user ID, key ID or +fingerprint. + +@item sec key (36) +A @emph{string} that describes a certificate with a key by user ID, +key ID or fingerprint. + +@item alias list (37) +A @emph{string} that describes an alias list, like the one used with +gpg's group option. The list consists of a key, an equal sign and space +separated values. +@end table + +More types will be added in the future. Please see the @var{alt-type} +field for information on how to cope with unknown types. + +@item alt-type +This field is identical to @var{type}, except that only the types +@code{0} to @code{31} are allowed. The GUI is expected to present the +user the option in the format specified by @var{type}. But if the +argument type @var{type} is not supported by the GUI, it can still +display the option in the more generic basic type @var{alt-type}. The +GUI must support all the defined basic types to be able to display all +options. More basic types may be added in future versions. If the +GUI encounters a basic type it doesn't support, it should report an +error and abort the operation. + +@item argname +This field is only defined for options with an argument type +@var{type} that is not @code{0}. In this case it may contain a +@emph{percent-escaped} and @emph{localized string} that gives a short +name for the argument. The field may also be empty, though, in which +case a short name is not known. + +@item default +This field is defined only for options for which the @code{default} or +@code{default desc} flag is set. If the @code{default} flag is set, +its format is that of an @emph{option argument} (@pxref{Format +conventions}, for details). If the default value is empty, then no +default is known. Otherwise, the value specifies the default value +for this option. If the @code{default desc} flag is set, the field is +either empty or contains a description of the effect if the option is +not given. + +@item argdef +This field is defined only for options for which the @code{optional +arg} flag is set. If the @code{no arg desc} flag is not set, its +format is that of an @emph{option argument} (@pxref{Format +conventions}, for details). If the default value is empty, then no +default is known. Otherwise, the value specifies the default argument +for this option. If the @code{no arg desc} flag is set, the field is +either empty or contains a description of the effect of this option if +no argument is given. + +@item value +This field is defined only for options. Its format is that of an +@emph{option argument}. If it is empty, then the option is not +explicitly set in the current configuration, and the default applies +(if any). Otherwise, it contains the current value of the option. +Note that this field is also meaningful if the option itself does not +take a real argument (in this case, it contains the number of times +the option appears). +@end table + + +@node Changing options +@subsection Changing options + +The command @w{@code{--change-options @var{component}}} will attempt +to change the options of the component @var{component} to the +specified values. @var{component} must be the string in the field +@var{name} in the output of the @code{--list-components} command. You +have to provide the options that shall be changed in the following +format on standard input: + +@code{@var{name}:@var{flags}:@var{new-value}} + +@table @var +@item name +This is the name of the option to change. @var{name} must be the +string in the field @var{name} in the output of the +@code{--list-options} command. + +@item flags +The flags field contains an @emph{unsigned number}. Its value is the +OR-wise combination of the following flag values: + +@table @code +@item default (16) +If this flag is set, the option is deleted and the default value is +used instead (if applicable). +@end table + +@item new-value +The new value for the option. This field is only defined if the +@code{default} flag is not set. The format is that of an @emph{option +argument}. If it is empty (or the field is omitted), the default +argument is used (only allowed if the argument is optional for this +option). Otherwise, the option will be set to the specified value. +@end table + +@noindent +The output of the command is the same as that of +@code{--check-options} for the modified configuration file. + +Examples: + +To set the force option, which is of basic type @code{none (0)}: + +@example +$ echo 'force:0:1' | gpgconf --change-options dirmngr +@end example + +To delete the force option: + +@example +$ echo 'force:16:' | gpgconf --change-options dirmngr +@end example + +The @code{--runtime} option can influence when the changes take +effect. + + +@node Listing global options +@subsection Listing global options + +Some legacy applications look at the global configuration file for the +gpgconf tool itself; this is the file @file{gpgconf.conf}. Modern +applications should not use it but use per component global +configuration files which are more flexible than the +@file{gpgconf.conf}. Using both files is not suggested. + +The colon separated listing format is record oriented and uses the first +field to identify the record type: + +@table @code +@item k +This describes a key record to start the definition of a new ruleset for +a user/group. The format of a key record is: + + @code{k:@var{user}:@var{group}:} + +@table @var +@item user +This is the user field of the key. It is percent escaped. See the +definition of the gpgconf.conf format for details. + +@item group +This is the group field of the key. It is percent escaped. +@end table + +@item r +This describes a rule record. All rule records up to the next key record +make up a rule set for that key. The format of a rule record is: + + @code{r:::@var{component}:@var{option}:@var{flag}:@var{value}:} + +@table @var +@item component +This is the component part of a rule. It is a plain string. + +@item option +This is the option part of a rule. It is a plain string. + +@item flag +This is the flags part of a rule. There may be only one flag per rule +but by using the same component and option, several flags may be +assigned to an option. It is a plain string. + +@item value +This is the optional value for the option. It is a percent escaped +string with a single quotation mark to indicate a string. The quotation +mark is only required to distinguish between no value specified and an +empty string. +@end table + +@end table + +@noindent +Unknown record types should be ignored. Note that there is intentionally +no feature to change the global option file through @command{gpgconf}. + + +@node Querying versions +@subsection Get and compare software versions. + +The GnuPG Project operates a server to query the current versions of +software packages related to GnuPG. @command{gpgconf} can be used to +access this online database. To allow for offline operations, this +feature works by having @command{dirmngr} download a file from +@code{https://versions.gnupg.org}, checking the signature of that file +and storing the file in the GnuPG home directory. If +@command{gpgconf} is used and @command{dirmngr} is running, it may ask +@command{dirmngr} to refresh that file before itself uses the file. + +The command @option{--query-swdb} returns information for the given +package in a colon delimited format: + +@table @var + +@item name +This is the name of the package as requested. Note that "gnupg" is a +special name which is replaced by the actual package implementing this +version of GnuPG. For this name it is also not required to specify a +version because @command{gpgconf} takes its own version in this case. + +@item iversion +The currently installed version or an empty string. The value is +taken from the command line argument but may be provided by gpg +if not given. + +@item status +The status of the software package according to this table: +@table @code +@item - +No information available. This is either because no current version +has been specified or due to an error. +@item ? +The given name is not known in the online database. +@item u +An update of the software is available. +@item c +The installed version of the software is current. +@item n +The installed version is already newer than the released version. +@end table + +@item urgency +If the value (the empty string should be considered as zero) is +greater than zero an important update is available. + +@item error +This returns an @command{gpg-error} error code to distinguish between +various failure modes. + +@item filedate +This gives the date of the file with the version numbers in standard +ISO format (@code{yyyymmddThhmmss}). The date has been extracted by +@command{dirmngr} from the signature of the file. + +@item verified +This gives the date in ISO format the file was downloaded. This value +can be used to evaluate the freshness of the information. + +@item version +This returns the version string for the requested software from the +file. + +@item reldate +This returns the release date in ISO format. + +@item size +This returns the size of the package as decimal number of bytes. + +@item hash +This returns a hexified SHA-2 hash of the package. + +@end table + +@noindent +More fields may be added in future to the output. + + +@mansect files +@node Files used by gpgconf +@subsection Files used by gpgconf + +@table @file + +@item /etc/gnupg/gpgconf.conf +@cindex gpgconf.conf + If this file exists, it is processed as a global configuration file. + This is a legacy mechanism which should not be used tigether with + the modern global per component configuration files. A commented + example can be found in the @file{examples} directory of the + distribution. + +@item @var{GNUPGHOME}/swdb.lst +@cindex swdb.lst + A file with current software versions. @command{dirmngr} creates + this file on demand from an online resource. + +@end table + + +@mansect see also +@ifset isman +@command{gpg}(1), +@command{gpgsm}(1), +@command{gpg-agent}(1), +@command{scdaemon}(1), +@command{dirmngr}(1) +@end ifset +@include see-also-note.texi + + + +@c +@c APPLYGNUPGDEFAULTS +@c +@manpage applygnupgdefaults.8 +@node applygnupgdefaults +@section Run gpgconf for all users +@ifset manverb +.B applygnupgdefaults +\- Run gpgconf --apply-defaults for all users. +@end ifset + +@mansect synopsis +@ifset manverb +.B applygnupgdefaults +@end ifset + +@mansect description +This is a legacy script. Modern application should use the per +component global configuration files under @file{/etc/gnupg/}. + +This script is a wrapper around @command{gpgconf} to run it with the +command @code{--apply-defaults} for all real users with an existing +GnuPG home directory. Admins might want to use this script to update he +GnuPG configuration files for all users after +@file{/etc/gnupg/gpgconf.conf} has been changed. This allows enforcing +certain policies for all users. Note, that this is not a bulletproof way to +force a user to use certain options. A user may always directly edit +the configuration files and bypass gpgconf. + +@noindent +@command{applygnupgdefaults} is invoked by root as: + +@example +applygnupgdefaults +@end example + + +@c +@c GPG-PRESET-PASSPHRASE +@c +@node gpg-preset-passphrase +@section Put a passphrase into the cache +@manpage gpg-preset-passphrase.1 +@ifset manverb +.B gpg-preset-passphrase +\- Put a passphrase into gpg-agent's cache +@end ifset + +@mansect synopsis +@ifset manverb +.B gpg-preset-passphrase +.RI [ options ] +.RI [ command ] +.I cache-id +@end ifset + +@mansect description +The @command{gpg-preset-passphrase} is a utility to seed the internal +cache of a running @command{gpg-agent} with passphrases. It is mainly +useful for unattended machines, where the usual @command{pinentry} tool +may not be used and the passphrases for the to be used keys are given at +machine startup. + +This program works with GnuPG 2 and later. GnuPG 1.x is not supported. + +Passphrases set with this utility don't expire unless the +@option{--forget} option is used to explicitly clear them from the +cache --- or @command{gpg-agent} is either restarted or reloaded (by +sending a SIGHUP to it). Note that the maximum cache time as set with +@option{--max-cache-ttl} is still honored. It is necessary to allow +this passphrase presetting by starting @command{gpg-agent} with the +@option{--allow-preset-passphrase}. + +@menu +* Invoking gpg-preset-passphrase:: List of all commands and options. +@end menu + +@manpause +@node Invoking gpg-preset-passphrase +@subsection List of all commands and options +@mancont + +@noindent +@command{gpg-preset-passphrase} is invoked this way: + +@example +gpg-preset-passphrase [options] [command] @var{cacheid} +@end example + +@var{cacheid} is either a 40 character keygrip of hexadecimal +characters identifying the key for which the passphrase should be set +or cleared. The keygrip is listed along with the key when running the +command: @code{gpgsm --with-keygrip --list-secret-keys}. +Alternatively an arbitrary string may be used to identify a +passphrase; it is suggested that such a string is prefixed with the +name of the application (e.g @code{foo:12346}). Scripts should always +use the option @option{--with-colons}, which provides the keygrip in a +"grp" line (cf. @file{doc/DETAILS})/ + +@noindent +One of the following command options must be given: + +@table @gnupgtabopt +@item --preset +@opindex preset +Preset a passphrase. This is what you usually will +use. @command{gpg-preset-passphrase} will then read the passphrase from +@code{stdin}. + +@item --forget +@opindex forget +Flush the passphrase for the given cache ID from the cache. + +@end table + +@noindent +The following additional options may be used: + +@table @gnupgtabopt +@item -v +@itemx --verbose +@opindex verbose +Output additional information while running. + +@item -P @var{string} +@itemx --passphrase @var{string} +@opindex passphrase +Instead of reading the passphrase from @code{stdin}, use the supplied +@var{string} as passphrase. Note that this makes the passphrase visible +for other users. +@end table + +@mansect see also +@ifset isman +@command{gpg}(1), +@command{gpgsm}(1), +@command{gpg-agent}(1), +@command{scdaemon}(1) +@end ifset +@include see-also-note.texi + + + + +@c +@c GPG-CONNECT-AGENT +@c +@node gpg-connect-agent +@section Communicate with a running agent +@manpage gpg-connect-agent.1 +@ifset manverb +.B gpg-connect-agent +\- Communicate with a running agent +@end ifset + +@mansect synopsis +@ifset manverb +.B gpg-connect-agent +.RI [ options ] [commands] +@end ifset + +@mansect description +The @command{gpg-connect-agent} is a utility to communicate with a +running @command{gpg-agent}. It is useful to check out the commands +@command{gpg-agent} provides using the Assuan interface. It might +also be useful for scripting simple applications. Input is expected +at stdin and output gets printed to stdout. + +It is very similar to running @command{gpg-agent} in server mode; but +here we connect to a running instance. + +@menu +* Invoking gpg-connect-agent:: List of all options. +* Controlling gpg-connect-agent:: Control commands. +@end menu + +@manpause +@node Invoking gpg-connect-agent +@subsection List of all options + +@noindent +@command{gpg-connect-agent} is invoked this way: + +@example +gpg-connect-agent [options] [commands] +@end example +@mancont + +@noindent +The following options may be used: + +@table @gnupgtabopt +@item -v +@itemx --verbose +@opindex verbose +Output additional information while running. + +@item -q +@item --quiet +@opindex q +@opindex quiet +Try to be as quiet as possible. + +@include opt-homedir.texi + +@item --agent-program @var{file} +@opindex agent-program +Specify the agent program to be started if none is running. The +default value is determined by running @command{gpgconf} with the +option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is +used for a regression test suite hack and may thus not be used in the +file name. + +@item --dirmngr-program @var{file} +@opindex dirmngr-program +Specify the directory manager (keyserver client) program to be started +if none is running. This has only an effect if used together with the +option @option{--dirmngr}. + +@item --dirmngr +@opindex dirmngr +Connect to a running directory manager (keyserver client) instead of +to the gpg-agent. If a dirmngr is not running, start it. + +@item -S +@itemx --raw-socket @var{name} +@opindex raw-socket +Connect to socket @var{name} assuming this is an Assuan style server. +Do not run any special initializations or environment checks. This may +be used to directly connect to any Assuan style socket server. + +@item -E +@itemx --exec +@opindex exec +Take the rest of the command line as a program and it's arguments and +execute it as an Assuan server. Here is how you would run @command{gpgsm}: +@smallexample + gpg-connect-agent --exec gpgsm --server +@end smallexample +Note that you may not use options on the command line in this case. + +@item --no-ext-connect +@opindex no-ext-connect +When using @option{-S} or @option{--exec}, @command{gpg-connect-agent} +connects to the Assuan server in extended mode to allow descriptor +passing. This option makes it use the old mode. + +@item --no-autostart +@opindex no-autostart +Do not start the gpg-agent or the dirmngr if it has not yet been +started. + +@item -r @var{file} +@itemx --run @var{file} +@opindex run +Run the commands from @var{file} at startup and then continue with the +regular input method. Note, that commands given on the command line are +executed after this file. + +@item -s +@itemx --subst +@opindex subst +Run the command @code{/subst} at startup. + +@item --hex +@opindex hex +Print data lines in a hex format and the ASCII representation of +non-control characters. + +@item --decode +@opindex decode +Decode data lines. That is to remove percent escapes but make sure that +a new line always starts with a D and a space. + +@end table + +@mansect control commands +@node Controlling gpg-connect-agent +@subsection Control commands + +While reading Assuan commands, gpg-agent also allows a few special +commands to control its operation. These control commands all start +with a slash (@code{/}). + +@table @code + +@item /echo @var{args} +Just print @var{args}. + +@item /let @var{name} @var{value} +Set the variable @var{name} to @var{value}. Variables are only +substituted on the input if the @command{/subst} has been used. +Variables are referenced by prefixing the name with a dollar sign and +optionally include the name in curly braces. The rules for a valid name +are identically to those of the standard bourne shell. This is not yet +enforced but may be in the future. When used with curly braces no +leading or trailing white space is allowed. + +If a variable is not found, it is searched in the environment and if +found copied to the table of variables. + +Variable functions are available: The name of the function must be +followed by at least one space and the at least one argument. The +following functions are available: + +@table @code +@item get +Return a value described by the argument. Available arguments are: + +@table @code +@item cwd +The current working directory. +@item homedir +The gnupg homedir. +@item sysconfdir +GnuPG's system configuration directory. +@item bindir +GnuPG's binary directory. +@item libdir +GnuPG's library directory. +@item libexecdir +GnuPG's library directory for executable files. +@item datadir +GnuPG's data directory. +@item serverpid +The PID of the current server. Command @command{/serverpid} must +have been given to return a useful value. +@end table + +@item unescape @var{args} +Remove C-style escapes from @var{args}. Note that @code{\0} and +@code{\x00} terminate the returned string implicitly. The string to be +converted are the entire arguments right behind the delimiting space of +the function name. + +@item unpercent @var{args} +@itemx unpercent+ @var{args} +Remove percent style escaping from @var{args}. Note that @code{%00} +terminates the string implicitly. The string to be converted are the +entire arguments right behind the delimiting space of the function +name. @code{unpercent+} also maps plus signs to a spaces. + +@item percent @var{args} +@itemx percent+ @var{args} +Escape the @var{args} using percent style escaping. Tabs, formfeeds, +linefeeds, carriage returns and colons are escaped. @code{percent+} also +maps spaces to plus signs. + +@item errcode @var{arg} +@itemx errsource @var{arg} +@itemx errstring @var{arg} +Assume @var{arg} is an integer and evaluate it using @code{strtol}. Return +the gpg-error error code, error source or a formatted string with the +error code and error source. + + +@item + +@itemx - +@itemx * +@itemx / +@itemx % +Evaluate all arguments as long integers using @code{strtol} and apply +this operator. A division by zero yields an empty string. + +@item ! +@itemx | +@itemx & +Evaluate all arguments as long integers using @code{strtol} and apply +the logical operators NOT, OR or AND. The NOT operator works on the +last argument only. + + +@end table + + +@item /definq @var{name} @var{var} +Use content of the variable @var{var} for inquiries with @var{name}. +@var{name} may be an asterisk (@code{*}) to match any inquiry. + + +@item /definqfile @var{name} @var{file} +Use content of @var{file} for inquiries with @var{name}. +@var{name} may be an asterisk (@code{*}) to match any inquiry. + +@item /definqprog @var{name} @var{prog} +Run @var{prog} for inquiries matching @var{name} and pass the +entire line to it as command line arguments. + +@item /datafile @var{name} +Write all data lines from the server to the file @var{name}. The file +is opened for writing and created if it does not exists. An existing +file is first truncated to 0. The data written to the file fully +decoded. Using a single dash for @var{name} writes to stdout. The +file is kept open until a new file is set using this command or this +command is used without an argument. + +@item /showdef +Print all definitions + +@item /cleardef +Delete all definitions + +@item /sendfd @var{file} @var{mode} +Open @var{file} in @var{mode} (which needs to be a valid @code{fopen} +mode string) and send the file descriptor to the server. This is +usually followed by a command like @code{INPUT FD} to set the +input source for other commands. + +@item /recvfd +Not yet implemented. + +@item /open @var{var} @var{file} [@var{mode}] +Open @var{file} and assign the file descriptor to @var{var}. Warning: +This command is experimental and might change in future versions. + +@item /close @var{fd} +Close the file descriptor @var{fd}. Warning: This command is +experimental and might change in future versions. + +@item /showopen +Show a list of open files. + +@item /serverpid +Send the Assuan command @command{GETINFO pid} to the server and store +the returned PID for internal purposes. + +@item /sleep +Sleep for a second. + +@item /hex +@itemx /nohex +Same as the command line option @option{--hex}. + +@item /decode +@itemx /nodecode +Same as the command line option @option{--decode}. + +@item /subst +@itemx /nosubst +Enable and disable variable substitution. It defaults to disabled +unless the command line option @option{--subst} has been used. +If /subst as been enabled once, leading whitespace is removed from +input lines which makes scripts easier to read. + +@item /while @var{condition} +@itemx /end +These commands provide a way for executing loops. All lines between +the @code{while} and the corresponding @code{end} are executed as long +as the evaluation of @var{condition} yields a non-zero value or is the +string @code{true} or @code{yes}. The evaluation is done by passing +@var{condition} to the @code{strtol} function. Example: + +@smallexample + /subst + /let i 3 + /while $i + /echo loop counter is $i + /let i $@{- $i 1@} + /end +@end smallexample + +@item /if @var{condition} +@itemx /end +These commands provide a way for conditional execution. All lines between +the @code{if} and the corresponding @code{end} are executed only if +the evaluation of @var{condition} yields a non-zero value or is the +string @code{true} or @code{yes}. The evaluation is done by passing +@var{condition} to the @code{strtol} function. + +@item /run @var{file} +Run commands from @var{file}. + +@item /bye +Terminate the connection and the program. + +@item /help +Print a list of available control commands. + +@end table + + +@ifset isman +@mansect see also +@command{gpg-agent}(1), +@command{scdaemon}(1) +@include see-also-note.texi +@end ifset + +@c +@c DIRMNGR-CLIENT +@c +@node dirmngr-client +@section The Dirmngr Client Tool + +@manpage dirmngr-client.1 +@ifset manverb +.B dirmngr-client +\- Tool to access the Dirmngr services +@end ifset + +@mansect synopsis +@ifset manverb +.B dirmngr-client +.RI [ options ] +.RI [ certfile | pattern ] +@end ifset + +@mansect description +The @command{dirmngr-client} is a simple tool to contact a running +dirmngr and test whether a certificate has been revoked --- either by +being listed in the corresponding CRL or by running the OCSP protocol. +If no dirmngr is running, a new instances will be started but this is +in general not a good idea due to the huge performance overhead. + +@noindent +The usual way to run this tool is either: + +@example +dirmngr-client @var{acert} +@end example + +@noindent +or + +@example +dirmngr-client <@var{acert} +@end example + +Where @var{acert} is one DER encoded (binary) X.509 certificates to be +tested. +@ifclear isman +The return value of this command is +@end ifclear + +@mansect return value +@ifset isman +@command{dirmngr-client} returns these values: +@end ifset +@table @code + +@item 0 +The certificate under question is valid; i.e. there is a valid CRL +available and it is not listed there or the OCSP request returned that +that certificate is valid. + +@item 1 +The certificate has been revoked + +@item 2 (and other values) +There was a problem checking the revocation state of the certificate. +A message to stderr has given more detailed information. Most likely +this is due to a missing or expired CRL or due to a network problem. + +@end table + +@mansect options +@noindent +@command{dirmngr-client} may be called with the following options: + + +@table @gnupgtabopt +@item --version +@opindex version +Print the program version and licensing information. Note that you cannot +abbreviate this command. + +@item --help, -h +@opindex help +Print a usage message summarizing the most useful command-line options. +Note that you cannot abbreviate this command. + +@item --quiet, -q +@opindex quiet +Make the output extra brief by suppressing any informational messages. + +@item -v +@item --verbose +@opindex v +@opindex verbose +Outputs additional information while running. +You can increase the verbosity by giving several +verbose commands to @sc{dirmngr}, such as @samp{-vv}. + +@item --pem +@opindex pem +Assume that the given certificate is in PEM (armored) format. + +@item --ocsp +@opindex ocsp +Do the check using the OCSP protocol and ignore any CRLs. + +@item --force-default-responder +@opindex force-default-responder +When checking using the OCSP protocol, force the use of the default OCSP +responder. That is not to use the Reponder as given by the certificate. + +@item --ping +@opindex ping +Check whether the dirmngr daemon is up and running. + +@item --cache-cert +@opindex cache-cert +Put the given certificate into the cache of a running dirmngr. This is +mainly useful for debugging. + +@item --validate +@opindex validate +Validate the given certificate using dirmngr's internal validation code. +This is mainly useful for debugging. + +@item --load-crl +@opindex load-crl +This command expects a list of filenames with DER encoded CRL files. +With the option @option{--url} URLs are expected in place of filenames +and they are loaded directly from the given location. All CRLs will be +validated and then loaded into dirmngr's cache. + +@item --lookup +@opindex lookup +Take the remaining arguments and run a lookup command on each of them. +The results are Base-64 encoded outputs (without header lines). This +may be used to retrieve certificates from a server. However the output +format is not very well suited if more than one certificate is returned. + +@item --url +@itemx -u +@opindex url +Modify the @command{lookup} and @command{load-crl} commands to take an URL. + +@item --local +@itemx -l +@opindex url +Let the @command{lookup} command only search the local cache. + +@item --squid-mode +@opindex squid-mode +Run @sc{dirmngr-client} in a mode suitable as a helper program for +Squid's @option{external_acl_type} option. + + +@end table + +@ifset isman +@mansect see also +@command{dirmngr}(8), +@command{gpgsm}(1) +@include see-also-note.texi +@end ifset + + +@c +@c GPGPARSEMAIL +@c +@node gpgparsemail +@section Parse a mail message into an annotated format + +@manpage gpgparsemail.1 +@ifset manverb +.B gpgparsemail +\- Parse a mail message into an annotated format +@end ifset + +@mansect synopsis +@ifset manverb +.B gpgparsemail +.RI [ options ] +.RI [ file ] +@end ifset + +@mansect description +The @command{gpgparsemail} is a utility currently only useful for +debugging. Run it with @code{--help} for usage information. + + + +@c +@c GPGTAR +@c +@manpage gpgtar.1 +@node gpgtar +@section Encrypt or sign files into an archive +@ifset manverb +.B gpgtar +\- Encrypt or sign files into an archive +@end ifset + +@mansect synopsis +@ifset manverb +.B gpgtar +.RI [ options ] +.I filename1 +.I [ filename2, ... ] +.I directory1 +.I [ directory2, ... ] +@end ifset + +@mansect description +@command{gpgtar} encrypts or signs files into an archive. It is an +gpg-ized tar using the same format as used by PGP's PGP Zip. + +@manpause +@noindent +@command{gpgtar} is invoked this way: + +@example +gpgtar [options] @var{filename1} [@var{filename2}, ...] @var{directory} [@var{directory2}, ...] +@end example + +@mansect options +@noindent +@command{gpgtar} understands these options: + +@table @gnupgtabopt + +@item --create +@opindex create +Put given files and directories into a vanilla ``ustar'' archive. + +@item --extract +@opindex extract +Extract all files from a vanilla ``ustar'' archive. + +@item --encrypt +@itemx -e +@opindex encrypt +Encrypt given files and directories into an archive. This option may +be combined with option @option{--symmetric} for an archive that may +be decrypted via a secret key or a passphrase. + +@item --decrypt +@itemx -d +@opindex decrypt +Extract all files from an encrypted archive. + +@item --sign +@itemx -s +Make a signed archive from the given files and directories. This can +be combined with option @option{--encrypt} to create a signed and then +encrypted archive. + +@item --list-archive +@itemx -t +@opindex list-archive +List the contents of the specified archive. + +@item --symmetric +@itemx -c +Encrypt with a symmetric cipher using a passphrase. The default +symmetric cipher used is @value{GPGSYMENCALGO}, but may be chosen with the +@option{--cipher-algo} option to @command{gpg}. + +@item --recipient @var{user} +@itemx -r @var{user} +@opindex recipient +Encrypt for user id @var{user}. For details see @command{gpg}. + +@item --local-user @var{user} +@itemx -u @var{user} +@opindex local-user +Use @var{user} as the key to sign with. For details see @command{gpg}. + +@item --output @var{file} +@itemx -o @var{file} +@opindex output +Write the archive to the specified file @var{file}. + +@item --verbose +@itemx -v +@opindex verbose +Enable extra informational output. + +@item --quiet +@itemx -q +@opindex quiet +Try to be as quiet as possible. + +@item --skip-crypto +@opindex skip-crypto +Skip all crypto operations and create or extract vanilla ``ustar'' +archives. + +@item --dry-run +@opindex dry-run +Do not actually output the extracted files. + +@item --directory @var{dir} +@itemx -C @var{dir} +@opindex directory +Extract the files into the directory @var{dir}. The default is to +take the directory name from the input filename. If no input filename +is known a directory named @file{GPGARCH} is used. For tarball +creation, switch to directory @var{dir} before performing any +operations. + +@item --files-from @var{file} +@itemx -T @var{file} +Take the file names to work from the file @var{file}; one file per +line. + +@item --null +@opindex null +Modify option @option{--files-from} to use a binary nul instead of a +linefeed to separate file names. + +@item --utf8-strings +@opindex utf8-strings +Assume that the file names read by @option{--files-from} are UTF-8 +encoded. This option has an effect only on Windows where the active +code page is otherwise assumed. + +@item --openpgp +@opindex openpgp +This option has no effect because OpenPGP encryption and signing is +the default. + +@item --cms +@opindex cms +This option is reserved and shall not be used. It will eventually be +used to encrypt or sign using the CMS protocol; but that is not yet +implemented. + +@item --batch +@opindex batch +Use batch mode. Never ask but use the default action. This option is +passed directly to @command{gpg}. + +@item --yes +@opindex yes +Assume "yes" on most questions. Often used together with +@option{--batch} to overwrite existing files. This option is passed +directly to @command{gpg}. + +@item --no +@opindex no +Assume "no" on most questions. This option is passed directly to +@command{gpg}. + +@item --require-compliance +@opindex require-compliance +This option is passed directly to @command{gpg}. + +@item --status-fd @var{n} +@opindex status-fd +Write special status strings to the file descriptor @var{n}. +See the file DETAILS in the documentation for a listing of them. + +@item --with-log +@opindex with-log +When extracting an encrypted tarball also write a log file with the +gpg output to a file named after the extraction directory with the +suffix ".log". + +@item --set-filename @var{file} +@opindex set-filename +Use the last component of @var{file} as the output directory. The +default is to take the directory name from the input filename. If no +input filename is known a directory named @file{GPGARCH} is used. +This option is deprecated in favor of option @option{--directory}. + +@item --gpg @var{gpgcmd} +@opindex gpg +Use the specified command @var{gpgcmd} instead of @command{gpg}. + +@item --gpg-args @var{args} +@opindex gpg-args +Pass the specified extra options to @command{gpg}. + +@item --tar-args @var{args} +@opindex tar-args +Assume @var{args} are standard options of the command @command{tar} +and parse them. The only supported tar options are "--directory", +"--files-from", and "--null" This is an obsolete options because those +supported tar options can also be given directly. + +@item --version +@opindex version +Print version of the program and exit. + +@item --help +@opindex help +Display a brief help page and exit. + +@end table + +@mansect diagnostics +@noindent +The program returns 0 if everything was fine, 1 otherwise. + + +@mansect examples +@ifclear isman +@noindent +Some examples: + +@end ifclear +@noindent +Encrypt the contents of directory @file{mydocs} for user Bob to file +@file{test1}: + +@example +gpgtar --encrypt --output test1 -r Bob mydocs +@end example + +@noindent +List the contents of archive @file{test1}: + +@example +gpgtar --list-archive test1 +@end example + + +@mansect see also +@ifset isman +@command{gpg}(1), +@command{tar}(1), +@end ifset +@include see-also-note.texi + +@c +@c GPG-CHECK-PATTERN +@c +@manpage gpg-check-pattern.1 +@node gpg-check-pattern +@section Check a passphrase on stdin against the patternfile +@ifset manverb +.B gpg-check-pattern +\- Check a passphrase on stdin against the patternfile +@end ifset + +@mansect synopsis +@ifset manverb +.B gpg\-check\-pattern +.RI [ options ] +.I patternfile +@end ifset + +@mansect description +@command{gpg-check-pattern} checks a passphrase given on stdin against +a specified pattern file. + +The pattern file is line based with comment lines beginning on the +@emph{first} position with a @code{#}. Empty lines and lines with +only white spaces are ignored. The actual pattern lines may either be +verbatim string pattern and match as they are (trailing spaces are +ignored) or extended regular expressions indicated by a @code{/} or +@code{!/} in the first column and terminated by another @code{/} or +end of line. If a regular expression starts with @code{!/} the match +result is reversed. By default all comparisons are case insensitive. + +Tag lines may be used to further control the operation of this tool. +The currently defined tags are: + +@table @code +@item [icase] +Switch to case insensitive comparison for all further patterns. This +is the default. + +@item [case] +Switch to case sensitive comparison for all further patterns. + +@item [reject] +Switch to reject mode. This is the default mode. + +@item [accept] +Switch to accept mode. +@end table + +In the future more tags may be introduced and thus it is advisable not to +start a plain pattern string with an open bracket. The tags must be +given verbatim on the line with no spaces to the left or any non white +space characters to the right. + +In reject mode the program exits on the first match with an exit code +of 1 (failure). If at the end of the pattern list the reject mode is +still active the program exits with code 0 (success). + +In accept mode blocks of patterns are used. A block starts at the +next pattern after an "accept" tag and ends with the last pattern +before the next "accept" or "reject" tag or at the end of the pattern +list. If all patterns in a block match the program exits with an exit +code of 0 (success). If any pattern in a block do not match the next +pattern block is evaluated. If at the end of the pattern list the +accept mode is still active the program exits with code 1 (failure). + + +@mansect options +@noindent + +@table @gnupgtabopt + +@item --verbose +@opindex verbose +Enable extra informational output. + +@item --check +@opindex check +Run only a syntax check on the patternfile. + +@item --null +@opindex null +Input is expected to be null delimited. + +@end table + +@mansect see also +@ifset isman +@command{gpg-agent}(1), +@end ifset +@include see-also-note.texi diff --git a/doc/trust-values.texi b/doc/trust-values.texi new file mode 100644 index 0000000..634a784 --- /dev/null +++ b/doc/trust-values.texi @@ -0,0 +1,47 @@ +@c Copyright (C) 2018 Free Software Foundation, Inc. +@c This is part of the GnuPG manual. +@c For copying conditions, see the file gnupg.texi. + +Trust values are used to indicate ownertrust and validity of keys and +user IDs. They are displayed with letters or strings: + +@table @asis + + @item - + @itemx unknown + No ownertrust assigned / not yet calculated. + + @item e + @itemx expired + + Trust calculation has failed; probably due to an expired key. + + @item q + @itemx undefined, undef + Not enough information for calculation. + + @item n + @itemx never + Never trust this key. + + @item m + @itemx marginal + Marginally trusted. + + @item f + @itemx full + Fully trusted. + + @item u + @itemx ultimate + Ultimately trusted. + + @item r + @itemx revoked + For validity only: the key or the user ID has been revoked. + + @item ? + @itemx err + The program encountered an unknown trust value. + +@end table diff --git a/doc/whats-new-in-2.1.txt b/doc/whats-new-in-2.1.txt new file mode 100644 index 0000000..ef8b233 --- /dev/null +++ b/doc/whats-new-in-2.1.txt @@ -0,0 +1,873 @@ + â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + GNUPG - WHAT’S NEW IN 2.1 + + + Werner Koch + â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â” + + + 2017-08-28 + + +Table of Contents +───────────────── + +1 What’s new in GnuPG 2.1 +.. 1.1 Removal of the secret keyring +.. 1.2 Removal of PGP-2 support +.. 1.3 Leaner key generation interface +.. 1.4 Support for ECC +.. 1.5 Quick generate and sign commands +.. 1.6 Improved Pinentry support +.. 1.7 Auto-start of the gpg-agent +.. 1.8 Duplicate long key id fixes +.. 1.9 Enhanced Dirmngr +.. 1.10 Better keyserver pool support +.. 1.11 Faster keyring format +.. 1.12 Auto-generated revocation certificates +.. 1.13 Improved card support +.. 1.14 New format for key listings +.. 1.15 Recipient key from file +.. 1.16 Using gpg as a filter +.. 1.17 Support for Putty +.. 1.18 Export of SSH public keys +.. 1.19 Improved X.509 certificate creation +.. 1.20 Scripts to create a Windows installer + + +A possibly revised version of this article can be found at: +https://gnupg.org/faq/whats-new-in-2.1.html + + +1 What’s new in GnuPG 2.1 +â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â• + + GnuPG version 2.1 (now known as 2.2) comes with a bag of new features + which changes some things old-timers are used to. This page explains + the more important ones. It expects that the reader is familiar with + GnuPG version 2.0 and aware that GnuPG consists of /gpg/, /gpgsm/, and + /gpg-agent/ as its main components. + + • The file /secring.gpg/ is not anymore used to store the secret keys. + Merging of secret keys is now supported. + + • All support for /PGP-2 keys/ has been removed for security reasons. + + • The standard key generation interface is now much leaner. This will + help a new user to quickly generate a suitable key. + + • Support for /Elliptic Curve Cryptography/ (ECC) is now available. + + • Commands to create and sign keys from the command line without any + extra prompts are now available. + + • The Pinentry may now show the new passphrase entry and the + passphrase confirmation entry in one dialog. + + • There is no more need to manually start the gpg-agent. It is now + started by any part of GnuPG as needed. + + • Problems with importing keys with the same long key id have been + addressed. + + • The /dirmngr/ is now part of GnuPG proper and also takes care of + accessing keyserver. + + • Keyserver pools are now handled in a smarter way. + + • A new format for locally storing the public keys is now used. This + considerable speeds up operations on large keyrings. + + • /Revocation certificates/ are now created by default. + + • Card support has been updated, new readers and token types are + supported. + + • The format of the key listing has been changed to better identify + the properties of a key. + + • A file with the recipient’s key may now be used directly. + + • Gpg can be used to filter out parts of a key. + + • The gpg-agent may now be used on Windows as /pageant/ replacement + for /putty/ in the same way it is used for years on Unix as + /ssh-agent/ replacement. + + • Creation of X.509 certificates has been improved. It is now also + possible to export them directly in PKCS#8 and PEM format for use on + TLS servers. + + • Export of /ssh/ keys has been integrated. + + • The scripts to create a Windows installer are now part of GnuPG. + + Now for the detailed description of these new features. Note that the + examples assume that /gpg/ is installed as /gpg/. Your installation + may have it installed under the name /gpg2/. + + +1.1 Removal of the secret keyring +───────────────────────────────── + + gpg used to keep the public key pairs in two files: `pubring.gpg' and + `secring.gpg'. The only difference is that secring stored in addition + to the public part also the private part of the key pair. The secret + keyring thus contained only the keys for which a private key is + available, that is the user’s key. It required a lot of code to keep + both versions of the key in sync and led to sometimes surprising + inconsistencies. + + The design of GnuPG-2 demands that only the gpg-agent has control over + the private parts of the keys and the actual encryption engine (gpg or + gpgsm) does not know about the private key but care only about session + keys and keys for symmetric encryption. This has been implemented + about 10 years ago for /gpgsm/ (the S/MIME part of GnuPG). However, + /gpg/ (the OpenPGP part) used the gpg-agent only as passphrase entry + and cache device but handles the private key itself. + + With GnuPG 2.1 this changed and /gpg/ now also delegates all private + key operations to the gpg-agent. Thus there is no more code in the + /gpg/ binary for handling private keys. En passant this allows the + long time requested “merging of secret keys†and several other + advanced key management techniques. + + To ease the migration to the no-secring method, /gpg/ detects the + presence of a `secring.gpg' and converts the keys on-the-fly to the + the key store of /gpg-agent/ (this is the `private-keys-v1.d' + directory below the GnuPG home directory (`~/.gnupg')). This is done + only once and an existing `secring.gpg' is then not anymore touched by + /gpg/. This allows co-existence of older GnuPG versions with GnuPG + 2.1. However, any change to the private keys using the new /gpg/ will + not show up when using pre-2.1 versions of GnuPG and vice versa. + + Note that the command `--export-secret-keys' still creates an OpenPGP + compliant file with the secret keys. This is achieved by asking + /gpg-agent/ to convert a key and return it in the OpenPGP protected + format. The export operation requires that the passphrase for the key + is entered so that /gpg-agent/ is able to change the protection from + its internal format to the OpenPGP required format. + + +1.2 Removal of PGP-2 support +──────────────────────────── + + Some algorithms and parts of the protocols as used by the 20 years old + [PGP-2] software are meanwhile considered unsafe. In particular the + baked in use of the [MD5] hash algorithm limits the security of PGP-2 + keys to non-acceptable rate. Technically those PGP-2 keys are called + version 3 keys (v3) and are easily identified by a shorter fingerprint + which is commonly presented as 16 separate double hex digits. + + With GnuPG 2.1 all support for those keys has gone. If they are in an + existing keyring they will eventually be removed. If GnuPG encounters + such a key on import it will not be imported due to the not anymore + implemented v3 key format. Removing the v3 key support also reduces + complexity of the code and is thus better than to keep on handling + them with a specific error message. + + There is one use case where PGP-2 keys may still be required: For + existing encrypted data. We suggest to keep a version of GnuPG 1.4 + around which still has support for these keys (it might be required to + use the `--allow-weak-digest-algos' option). A better solution is to + re-encrypt the data using a modern key. + + + [PGP-2] https://en.wikipedia.org/wiki/Pretty_Good_Privacy + + [MD5] https://en.wikipedia.org/wiki/MD5 + + +1.3 Leaner key generation interface +─────────────────────────────────── + + This is best shown with an example: + + ┌──── + │ $ gpg --gen-key + │ gpg (GnuPG) 2.1.0; Copyright (C) 2014 Free Software Foundation, Inc. + │ This is free software: you are free to change and redistribute it. + │ There is NO WARRANTY, to the extent permitted by law. + │ + │ gpg: keybox '/home/foo/.gnupg/pubring.kbx' created + │ Note: Use "gpg --full-gen-key" for a full featured key generation dialog. + │ + │ GnuPG needs to construct a user ID to identify your key. + │ + │ Real name: Glenn Greenwald + │ Email address: glenn@example.org + │ You selected this USER-ID: + │ "Glenn Greenwald <glenn@example.org>" + │ + │ Change (N)ame, (E)mail, or (O)kay/(Q)uit? o + │ [...] + │ pub rsa2048/68FD0088 2014-11-03 + │ Key fingerprint = 0290 5ABF 17C7 81FB C390 9B00 636A 1BBD 68FD 0088 + │ uid [ultimate] Glenn Greenwald <glenn@example.org> + │ sub rsa2048/84439DCD 2014-11-03 + └──── + + Thus only the name and the mail address are required. For all other + parameters the default values are used. Many graphical frontends + works in the same way. Note that /gpg/ prints a hint for the old time + gpg users on how to get the full option menu. + + +1.4 Support for ECC +─────────────────── + + GnuPG now support Elliptic Curve keys for public key encryption. This + is defined in [RFC-6637]. Because there is no other mainstream + OpenPGP implementation yet available which supports ECC, the use of + such keys is still very limited. Thus GnuPG 2.1 currently hides the + options to create an ECC key. + + For those who want to experiment with ECC or already want to prepare a + key for future use, the command `--full-gen-key' along with the option + `--expert' is the enabler: + + ┌──── + │ $ gpg --expert --full-gen-key + │ gpg (GnuPG) 2.1.0; Copyright (C) 2014 Free Software Foundation, Inc. + │ This is free software: you are free to change and redistribute it. + │ There is NO WARRANTY, to the extent permitted by law. + │ + │ Please select what kind of key you want: + │ (1) RSA and RSA (default) + │ (2) DSA and Elgamal + │ (3) DSA (sign only) + │ (4) RSA (sign only) + │ (7) DSA (set your own capabilities) + │ (8) RSA (set your own capabilities) + │ (9) ECC and ECC + │ (10) ECC (sign only) + │ (11) ECC (set your own capabilities) + │ Your selection? 9 + │ Please select which elliptic curve you want: + │ (2) NIST P-256 + │ (3) NIST P-384 + │ (4) NIST P-521 + │ (5) Brainpool P-256 + │ (6) Brainpool P-384 + │ (7) Brainpool P-512 + │ Your selection? 2 + │ Please specify how long the key should be valid. + │ 0 = key does not expire + │ <n> = key expires in n days + │ <n>w = key expires in n weeks + │ <n>m = key expires in n months + │ <n>y = key expires in n years + │ Key is valid for? (0) + │ Key does not expire at all + │ Is this correct? (y/N) y + │ + │ GnuPG needs to construct a user ID to identify your key. + │ + │ Real name: Edward Snowden + │ Email address: edward@example.org + │ Comment: + │ You selected this USER-ID: + │ "Edward Snowden <edward@example.org>" + │ + │ Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o + │ [...] + │ pub nistp256/382660E3 2014-11-03 + │ Key fingerprint = E630 27CF 3D68 22A7 6FF2 093E D179 9E72 3826 60E3 + │ uid [ultimate] Edward Snowden <edward@example.org> + │ sub nistp256/48C9A997 2014-11-03 nistp256 + └──── + + In this example we created a primary ECC key for signing and an subkey + for encryption. For both we use the NIST P-256 curve. The key may + now be used in the same way as any other key. It is possible to add + an RSA subkey or one can create an RSA or DSA main key and add an ECC + subkey for signing or encryption. Note that the list of offered + curves depends on the installed Libgcrypt version. + + For many people the NIST and also the Brainpool curves have an + doubtful origin and thus the plan for GnuPG is to use Bernstein’s + [Curve 25519] as default. GnuPG 2.1.0 already comes with support for + signing keys using the [Ed25519] variant of this curve. This has not + yet been standardized by the IETF (i.e. there is no RFC) but we won’t + wait any longer and go ahead using the proposed format for this + signing algorithm. The format for an encryption key has not yet been + finalized and will be added to GnuPG in one of the next point + releases. Recall that an encryption subkey can be added to a key at + any time. If you want to create a signing key you may do it this way: + + ┌──── + │ $ gpg --expert --full-gen-key + │ gpg (GnuPG) 2.1.0; Copyright (C) 2014 Free Software Foundation, Inc. + │ This is free software: you are free to change and redistribute it. + │ There is NO WARRANTY, to the extent permitted by law. + │ + │ Please select what kind of key you want: + │ (1) RSA and RSA (default) + │ (2) DSA and Elgamal + │ (3) DSA (sign only) + │ (4) RSA (sign only) + │ (7) DSA (set your own capabilities) + │ (8) RSA (set your own capabilities) + │ (9) ECC and ECC + │ (10) ECC (sign only) + │ (11) ECC (set your own capabilities) + │ Your selection? 10 + │ Please select which elliptic curve you want: + │ (1) Curve 25519 + │ (2) NIST P-256 + │ (3) NIST P-384 + │ (4) NIST P-521 + │ (5) Brainpool P-256 + │ (6) Brainpool P-384 + │ (7) Brainpool P-512 + │ Your selection? 1 + │ gpg: WARNING: Curve25519 is not yet part of the OpenPGP standard. + │ Use this curve anyway? (y/N) y + │ Please specify how long the key should be valid. + │ 0 = key does not expire + │ <n> = key expires in n days + │ <n>w = key expires in n weeks + │ <n>m = key expires in n months + │ <n>y = key expires in n years + │ Key is valid for? (0) + │ Key does not expire at all + │ Is this correct? (y/N) y + │ + │ GnuPG needs to construct a user ID to identify your key. + │ + │ Real name: Laura Poitras + │ Email address: laura@example.org + │ Comment: + │ You selected this USER-ID: + │ "Laura Poitras <laura@example.org>" + │ + │ Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o + │ [...] + │ pub ed25519/5C1AFC2A 2014-11-03 + │ Key fingerprint = ED85 4D98 5D8F 502F C6C5 FFB2 AA81 319E 5C1A FC2A + │ uid [ultimate] Laura Poitras <laura@example.org> + └──── + + Support for ECC keys is available only on some keyservers but it is + expected that this will be fixed over the next few months. + + + [RFC-6637] https://rfc-editor.org/info/rfc6637 + + [Curve 25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf + + [Ed25519] http://dx.doi.org/10.1007/s13389-012-0027-1 + + +1.5 Quick generate and sign commands +──────────────────────────────────── + + Sometimes it is useful to use only command line options without any + parameter file or interactive prompts for generating a key or to sign + a key. This can now be accomplished with a few new commands: + + ┌──── + │ $ gpg --batch --quick-gen-key 'Daniel Ellsberg <ellsberg@example.org>' + │ gpg: key 911B90A9 marked as ultimately trusted + └──── + + If a key with that user id already exists, gpg bails out with an error + message. You can force creation using the option `--yes'. If you + want some more control, you may not use `--batch' and gpg will ask for + confirmation and show the resulting key: + + ┌──── + │ $ gpg --quick-gen-key 'Daniel Ellsberg <ellsberg@example.org>' + │ About to create a key for: + │ "Daniel Ellsberg <ellsberg@example.org>" + │ + │ Continue? (Y/n) y + │ gpg: A key for "Daniel Ellsberg <ellsberg@example.org>" already exists + │ Create anyway? (y/N) y + │ gpg: creating anyway + │ [...] + │ pub rsa2048/BD19AC1C 2014-11-04 + │ Key fingerprint = 15CB 723E 2000 A1A8 2505 F3B7 CC00 B501 BD19 AC1C + │ uid [ultimate] Daniel Ellsberg <ellsberg@example.org> + │ sub rsa2048/72A4D018 2014-11-04 + └──── + + Another common operation is to sign a key. /gpg/ can do this directly + from the command line by giving the fingerprint of the to-be-signed + key: + + ┌──── + │ $ gpg --quick-sign-key '15CB 723E 2000 A1A8 2505 F3B7 CC00 B501 BD19 AC1C' + │ + │ pub rsa2048/BD19AC1C + │ created: 2014-11-04 expires: never usage: SC + │ trust: ultimate validity: ultimate + │ Primary key fingerprint: 15CB 723E 2000 A1A8 2505 F3B7 CC00 B501 BD19 AC1C + │ + │ Daniel Ellsberg <ellsberg@example.org> + └──── + + In case the key has already been signed, the command prints a note and + exits with success. In case you want to check that it really worked, + use `--check-sigs' as usual: + + ┌──── + │ $ gpg --check-sigs '15CB 723E 2000 A1A8 2505 F3B7 CC00 B501 BD19 AC1C' + │ gpg: checking the trustdb + │ gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model + │ gpg: depth: 0 valid: 6 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 6u + │ pub rsa2048/BD19AC1C 2014-11-04 + │ uid [ full ] Daniel Ellsberg <ellsberg@example.org> + │ sig!3 BD19AC1C 2014-11-04 Daniel Ellsberg <ellsberg@example.org> + │ sig! 68FD0088 2014-11-04 Glenn Greenwald <glenn@example.org> + │ sub rsa2048/72A4D018 2014-11-04 + │ sig! BD19AC1C 2014-11-04 Daniel Ellsberg <ellsberg@example.org> + └──── + + + The fingerprint may also be given without the spaces in which case + there is no need for the quotes. If you want to sign only certain + user ids of a key, list those user id verbatim after the fingerprint. + To create a non-exportable key signature, use the command + `--quick-lsign-key' instead. + + Since version 2.1.4 it possible to directly add another user id to an + existing key: + + ┌──── + │ $ gpg -k 8CFDE12197965A9A + │ pub ed25519/8CFDE12197965A9A 2014-08-19 + │ uid [ unknown] EdDSA sample key 1 + │ $ gpg --quick-adduid 8CFDE12197965A9A 'Sample 2 <me@example.org>' + │ $ gpg -k 8CFDE12197965A9A + │ pub ed25519/8CFDE12197965A9A 2014-08-19 + │ uid [ unknown] Sample 2 <me@example.org> + │ uid [ unknown] EdDSA sample key 1 + └──── + + Since version 2.1.13 another subkey can directly be added to an + existing key: + + ┌──── + │ $ gpg --quick-addkey 15CB723E2000A1A82505F3B7CC00B501BD19AC1C - - 2016-12-31 + │ $ gpg -k 15CB723E2000A1A82505F3B7CC00B501BD19AC1C + │ pub rsa2048 2014-11-04 [SC] + │ 15CB723E2000A1A82505F3B7CC00B501BD19AC1C + │ uid [ unknown] Daniel Ellsberg <ellsberg@example.org> + │ sub rsa2048 2014-11-04 [E] + │ sub rsa2048 2016-06-06 [E] [expires: 2016-12-31] + └──── + + Here we created another encryption subkey with an expiration date. + The key listing also shows the default key listing format introduced + with 2.1.13. There are a lot of other options to the `--quick-addkey' + command which are described in the manual. + + Since version 2.1.14 it possible to revoke a user id on an existing + key: + + ┌──── + │ $ gpg -k 8CFDE12197965A9A + │ pub ed25519/8CFDE12197965A9A 2014-08-19 + │ uid [ unknown] Sample 2 <me@example.org> + │ uid [ unknown] EdDSA sample key 1 + │ $ gpg --quick-revuid 8CFDE12197965A9A 'EdDSA sample key 1' + │ $ gpg -k 8CFDE12197965A9A + │ pub ed25519/8CFDE12197965A9A 2014-08-19 + │ uid [ unknown] Sample 2 <me@example.org> + └──── + + Since version 2.1.17 the expiration date of the primary key can be + changed directly: + + ┌──── + │ $ gpg --quick-set-expire 5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7 2017-12-31 + │ $ gpg -K 5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7 + │ sec rsa2048 2016-06-22 [SC] [expires: 2017-12-31] + │ 5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7 + │ uid [ultimate] steve.biko@example.net + │ ssb rsa2048 2016-06-22 [E] + │ + │ $ gpg --quick-set-expire 5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7 none + │ $ gpg -K 5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7 + │ sec rsa2048 2016-06-22 [SC] + │ 5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7 + │ uid [ultimate] steve.biko@example.net + │ ssb rsa2048 2016-06-22 [E] + └──── + + +1.6 Improved Pinentry support +───────────────────────────── + + When using a recent Pinentry module (0.90, GTK+ variant), the + gpg-agent will not anymore show two separate Pinentry dialogs to enter + a new passphrase and later to confirm the new passphrase. Instead the + first dialog also has the confirm/repeat entry and internally checks + whether they match. + + With any Pinentry version the several separate dialogs to inform and + ask for confirmation about questionable properties of a new passphrase + (e.g. length, only alpha letters) have been combined into one dialog + to show all non-asserted constraints at once. + + The GTK+ Pinentry does now allow pasting of values into the entries. + Copying them from the entries is still inhibited on purpose. + Depending on the system, the option `no-grab' may be required for in + the `gpg-agent.conf' file to actually make use of the paste feature. + + +1.7 Auto-start of the gpg-agent +─────────────────────────────── + + The /gpg-agent/ is the central part of the GnuPG system. It takes + care of all private (secret) keys and if required diverts operations + to a smartcard or other token. It also provides support for the + Secure Shell by implementing the ssh-agent protocol. + + The classic way to run /gpg-agent/ on Unix systems is by launching it + at login time and use an environment variable (`GPG_AGENT_INFO') to + tell the other GnuPG modules how to connect to the agent. However, + correctly managing the start up and this environment variable is + cumbersome so that an easier method is required. Since GnuPG 2.0.16 + the `--use-standard-socket' option already allowed to start the agent + on the fly; however the environment variable was still required. + + With GnuPG 2.1 the need of `GPG_AGENT_INFO' has been completely + removed and the variable is ignored. Instead a fixed Unix domain + socket named `S.gpg-agent' in the GnuPG home directory (by default + `~/.gnupg') is used. The agent is also started on demand by all tools + requiring services from the agent. + + If the option `--enable-ssh-support' is used the auto-start mechanism + does not work because /ssh/ does not know about this mechanism. + Instead it is required that the environment variable `SSH_AUTH_SOCK' + is set to the `S.gpg-agent.ssh' socket in the GnuPG home directory. + Further /gpg-agent/ must be started: Either by using a GnuPG command + which implicitly starts /gpg-agent/ or by using `gpgconf --launch + gpg-agent' to explicitly start it if not yet done. + + +1.8 Duplicate long key id fixes +─────────────────────────────── + + A deficit of the OpenPGP protocol is that signatures carry only a + limited indication on which public key has been used to create a + signature. Thus a verification engine may only use this “long key id†+ to look up the key in its own store or from a public keyserver. + Unfortunately it has now become possible to create a key with a long + key id matching the key id of another key. Importing a key with a + long key id already used by another key in gpg’s local key store was + not possible due to checks done on import. Now, if the “wrong†key + has been imported first /gpg/ would not allow later import of the + second “correct†key. This problem has been fixed in 2.1 by allowing + the import and by doing trial verification against all matching keys. + + +1.9 Enhanced Dirmngr +──────────────────── + + Before version 2.1, /gpg/ used so-called keyserver helpers to access + the OpenPGP keyservers. A problem with that is that they are short + living processes which are not able to keep a state. With 2.1, the + formerly separate package Dirmngr (which was separate due to copyright + assignment reasons) has been integrated into GnuPG. + + In the past /dirmngr/ was only used by /gpgsm/ for X.509 (S/MIME) CRL + and OCSP handling. Being a proper part of GnuPG /dirmngr/ does now + also care about accessing OpenPGP keyservers. This make its easier to + debug problems with the keyservers and to exchange additional + information about the keyserver between /gpg/ and /dirmngr/. It will + eventually also be possible to run background tasks to refresh keys. + + Although the ability to start /dirmngr/ as a system service is still + available, this is not anymore recommended and instead /dirmngr/ is + now by default started on-demand, very similar to /gpg-agent/. + + +1.10 Better keyserver pool support +────────────────────────────────── + + For load balancing reasons, keyservers are organized in pools to + enable instant round-robin DNS assignment of random keyservers. A + problem with that approach is that the DNS resolver is not aware of + the state of the keyserver. If a keyserver has gone down or a routing + problems occurs, /gpg/ and its keyserver helpers were not aware of it + and would try over and over to use the same, dead, keyserver up until + the DNS information expires and a the DNS resolver assigned a new + server from the pool. + + The new /dirmngr/ in GnuPG does not use the implicit round-robin of + the DNS resolver but uses its own DNS lookup and keeps an internal + table of all hosts from the pool along with the encountered aliveness + state. Thus after a failure (timeout) of a request, /dirmngr/ flags a + host as dead and randomly selects another one from the pool. After a + few hours the flag is removed so that the host will be tried again. + It is also possible to mark a specific host from a pool explicitly as + dead so that it won’t be used in the future. To interact with the + /dirmngr/ the `gpg-connect-agent' tool is used: + + ┌──── + │ $ gpg-connect-agent --dirmngr 'help keyserver' /bye + │ $ gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye + └──── + + The first command prints a help screen for the keyserver command and + the second command prints the current host table. + + +1.11 Faster keyring format +────────────────────────── + + The format GnuPG has always used for the public keyring is actually a + slightly extended version of the on-the-wire format for OpenPGP key + exchange. This format is quite inflexible to work with when random + access to keys in the keyring is required. In fact /gpg/ always + parsed all keys in the keyring until it encountered the desired one. + With a large keyring (more than a few thousand keys) this could be + quite slow. + + From its very beginning /gpgsm/ has used a different format to store + public keys (certificates) which we call a /keybox/. That file format + carries meta information about the stored keys and thus allows + searching without actually parsing the key and computing fingerprints + and such. The /keybox/ format has been designed to be protocol + independent and with 2.1 support for OpenPGP keys has been added. + Random access to the keys is now really fast and keyrings with 30000 + keys and more are now easily possible. That change also enables us to + easily introduce other storage methods + + If no `pubring.gpg' is found, /gpg/ defaults to the new /keybox/ + format and creates a `pubring.kbx' keybox file. If such a keybox file + already exists, for example due to the use of /gpgsm/, it will also be + used for OpenPGP keys. However, if a `pubring.gpg' is found and no + keybox file with OpenPGP keys exists, the old `pubring.gpg' will be + used. Take care: GnuPG versions before 2.1 will always use the + `pubring.gpg' file and not know anything about keys stored in the + keybox file. + + To convert an existing `pubring.gpg' file to the keybox format, you + first backup the ownertrust values, then rename the file to (for + example) `publickeys', so it won’t be recognized by any GnuPG version, + then run import, and finally restore the ownertrust values: + + ┌──── + │ $ cd ~/.gnupg + │ $ gpg --export-ownertrust >otrust.lst + │ $ mv pubring.gpg publickeys + │ $ gpg --import-options import-local-sigs --import publickeys + │ $ gpg --import-ownertrust otrust.lst + └──── + + You may then rename the `publickeys' file back so that it can be used + by older GnuPG versions. Remember that in this case you have two + independent copies of the public keys. The ownertrust values are kept + by all gpg versions in the file `trustdb.gpg' but the above + precautions need to be taken to keep them over an import. + + +1.12 Auto-generated revocation certificates +─────────────────────────────────────────── + + This version creates an ASCII armored revocation certificate for each + generated keypair and stores that certificate in a file named after + the fingerprint of the key in the `openpgp-revocs.d' directory below + the GnuPG home directory. Brief instructions on how to use this + revocation certificate are put at the top of the file. + + +1.13 Improved card support +────────────────────────── + + The /scdaemon/, which is responsible for accessing smardcards and + other tokens, has received many updates. In particular pluggable USB + readers with a fixed card now work smoothless and similar to standard + readers. The latest features of the [gnuk] token are supported. Code + for the SmartCard-HSM has been added. More card readers with a PIN + pad are supported. The internal CCID driver does now also work with + certain non-auto-configuration equipped readers. + + Since version 2.1.19 multiple card readers are support and the format + of the Pinentry prompts has been changed to show more information on + the requested card. + + + [gnuk] http://www.fsij.org/doc-gnuk/ + + +1.14 New format for key listings +──────────────────────────────── + + Due to the introduction of ECC keys the old format to list keys was + not anymore suitable. In particular, the length of an ECC key is + defined but its expressiveness is limited without the other parameters + of the curve. The common way to describe an ECC key is by using the + assigned name of its curve. To allow for a common description we now + either use the algorithm name with appended key length or use the name + of the curve: + + ┌──── + │ pub 2048D/1E42B367 2007-12-31 [expires: 2018-12-31] + │ + │ pub dsa2048 2007-12-31 [SC] [expires: 2018-12-31] + │ 80615870F5BAD690333686D0F2AD85AC1E42B367 + │ + │ pub ed25519 2014-10-18 [SC] + │ 0B7F0C1D690BC440D5AFF9B56902F00A0AA914C9 + └──── + + The first two "pub"-items show the same key in the old format and in + the new format. The third "pub"-item shows an example of an ECC key + using an ed25519 curve. Note that since version 2.1.13 the key id is + not anymore shown. Instead the full fingerprint is shown in a compact + format; by using the option `--with-fingerprint' the non-compact + format is used. The `--keyid-format' option can be used to switch + back to the discouraged format which prints only the key id. + + As a further change the validity of a key is now shown by default; + that is `show-uid-validity' is implicitly used for the + `--list-options'. + + The annotated key listing produced by the `--with-colons' options did + not change. However a couple of new fields have been added, for + example if the new option `--with-secret' is used the “S/N of a token + field†indicates the presence of a secret key even in a public key + listing. This option is supported by recent [GPGME] versions and + makes writing of key manager software easier. + + + [GPGME] https://gnupg.org/software/gpgme/ + + +1.15 Recipient key from file +──────────────────────────── + + Since version 2.1.14 it is possible to specify the recipient’s key by + providing a file with that key. This done with the new options + `--recipient-file' (or short `-f') and `--hidden-recipient-file' (or + short `-F'). The file must containing exactly one key in binary or + armored format. All keys specified with those options are always + considered fully valid. These option may be mixed with the regular + options to specify a key. Along with the new convenience option + `--no-keyring' it is now possible to encrypt data without maintaining + a local keyring. + + +1.16 Using gpg as a filter +────────────────────────── + + Since version 2.1.14 the export and import options have been enhanced + to allow the use of /gpg/ to modify a key without first stroing it in + the keyring. For example: + + ┌──── + │ $ gpg --import-options import-minimal,import-export \ + │ --output smallkey.gpg --import key.gpg + └──── + + copies the keys in `keys.gpg' to `smallkey.gpg' while also removing + all key signatures except for the latest self-signatures. This can + even be further restricted to copy only a specific user ID to the + output file: + + ┌──── + │ $ gpg --import-options import-minimal,import-export \ + │ --import-filter keepuid='mbox = foo@example.org' \ + │ --output smallkey.gpg --import key.gpg + └──── + + Here the new `--import-filter' option is used to remove all user IDs + except for those which have the mail address “foo@example.orgâ€. The + same is also possible while exporting a key: + + ┌──── + │ $ gpg --export-filter keepuid='mbox = me@example.org' \ + │ --armor --export 8CFDE12197965A9A >smallkey.asc + └──── + + +1.17 Support for Putty +────────────────────── + + On Windows the new option `--enable-putty-support' allows gpg-agent to + act as a replacement for [Putty]’s authentication agent /Pageant/. It + is the Windows counterpart for the `--enable-ssh-support' option as + used on Unix. + + + [Putty] http://www.chiark.greenend.org.uk/~sgtatham/putty/ + + +1.18 Export of SSH public keys +────────────────────────────── + + The new command `--export-ssh-key' makes it easy to export an /ssh/ + public key in the format used for ssh’s `authorized_keys' file. By + default the command exports the newest subkey with an authorization + usage flags. A special syntax can be used to export other subkeys. + This command is available since 2.1.11 and replaces the former debug + utility /gpgkey2ssh/. + + +1.19 Improved X.509 certificate creation +──────────────────────────────────────── + + In addition to an improved certificate signing request menu, it is now + possible to create a self-signed certificate using the interactive + menu of /gpgsm/. + + In batch mode the certificate creation dialog can now be controlled by + a parameter file with several new keywords. Such a parameter file + allows the creation of arbitrary X.509 certificates similar to what + can be done with /openssl/. It may thus be used as the base for a CA + software. For details see the “CSR and certificate creation†section + in the manual. + + The new commands `--export-secret-key-p8' and –export-secret-key-raw= + may be used to export a secret key directly in PKCS#8 or PKCS#1 + format. Thus X.509 certificates for TLS use may be managed by /gpgsm/ + and directly exported in a format suitable for OpenSSL based servers. + + +1.20 Scripts to create a Windows installer +────────────────────────────────────────── + + GnuPG now comes with the /speedo/ build system which may be used to + quickly download and build GnuPG and all its direct dependencies on a + decent Unix system. See the README file for more instructions. + + The very same script may also be used to build a complete NSIS based + installer for Windows using the mingw-w64 cross-compiler toolchain. + That installer will feature GnuPG proper, GPA as graphical frontend, + and GpgEX as a Windows Explorer extension. GnuPG needs to be unpacked + and from the top source directory you run this command + + ┌──── + │ make -f build-aux/speedo.mk w32-installer + └──── + + This command downloads all direct dependencies, checks the signatures + using the GnuPG version from the build system (all Linux distros + feature a suitable GnuPG tool), builds everything from source, and + uses NSIS to create the installer. Although this sounds easy, some + experience in setting up a development machine is still required. + Some versions of the toolchain exhibit bugs and thus your mileage may + vary. See the [Wiki] for more info. + + Support for keyserver access over TLS is currently not available but + will be added with one of the next point releases. + + + + # Copyright 2014--2017 The GnuPG Project. + # This work is licensed under the Creative Commons + # Attribution-ShareAlike 4.0 International License. To view a copy of + # this license, visit http://creativecommons.org/licenses/by-sa/4.0/ + # or send a letter to Creative Commons, PO Box 1866, Mountain View, CA + # 94042, USA. + # + # The canonical source for this article can be found in the gnupg-doc + # git repository as web/faq/whats-new-in-2.1.org. + + + [Wiki] https://wiki.gnupg.org/Build2.1_Windows diff --git a/doc/wks.texi b/doc/wks.texi new file mode 100644 index 0000000..e398ccb --- /dev/null +++ b/doc/wks.texi @@ -0,0 +1,481 @@ +@c wks.texi - man pages for the Web Key Service tools. +@c Copyright (C) 2017 g10 Code GmbH +@c Copyright (C) 2017 Bundesamt für Sicherheit in der Informationstechnik +@c This is part of the GnuPG manual. +@c For copying conditions, see the file GnuPG.texi. + +@include defs.inc + +@node Web Key Service +@chapter Web Key Service + +GnuPG comes with tools used to maintain and access a Web Key +Directory. + +@menu +* gpg-wks-client:: Send requests via WKS +* gpg-wks-server:: Server to provide the WKS. +@end menu + +@c +@c GPG-WKS-CLIENT +@c +@manpage gpg-wks-client.1 +@node gpg-wks-client +@section Send requests via WKS +@ifset manverb +.B gpg-wks-client +\- Client for the Web Key Service +@end ifset + +@mansect synopsis +@ifset manverb +.B gpg-wks-client +.RI [ options ] +.B \-\-supported +.I user-id +.br +.B gpg-wks-client +.RI [ options ] +.B \-\-check +.I user-id +.br +.B gpg-wks-client +.RI [ options ] +.B \-\-create +.I fingerprint +.I user-id +.br +.B gpg-wks-client +.RI [ options ] +.B \-\-receive +.br +.B gpg-wks-client +.RI [ options ] +.B \-\-read +.br +.B gpg-wks-client +.RI [ options ] +.B \-\-mirror +.br +.B gpg-wks-client +.RI [ options ] +.B \-\-install-key +.br +.B gpg-wks-client +.RI [ options ] +.B \-\-remove-key +.br +.B gpg-wks-client +.RI [ options ] +.B \-\-print-wkd-hash +.br +.B gpg-wks-client +.RI [ options ] +.B \-\-print-wkd-url +@end ifset + +@mansect description +The @command{gpg-wks-client} is used to send requests to a Web Key +Service provider. This is usually done to upload a key into a Web +Key Directory. + +With the @option{--supported} command the caller can test whether a +site supports the Web Key Service. The argument is an arbitrary +address in the to be tested domain. For example +@file{foo@@example.net}. The command returns success if the Web Key +Service is supported. The operation is silent; to get diagnostic +output use the option @option{--verbose}. See option +@option{--with-colons} for a variant of this command. + +With the @option{--check} command the caller can test whether a key +exists for a supplied mail address. The command returns success if a +key is available. + +The @option{--create} command is used to send a request for +publication in the Web Key Directory. The arguments are the +fingerprint of the key and the user id to publish. The output from +the command is a properly formatted mail with all standard headers. +This mail can be fed to @command{sendmail(8)} or any other tool to +actually send that mail. If @command{sendmail(8)} is installed the +option @option{--send} can be used to directly send the created +request. If the provider request a 'mailbox-only' user id and no such +user id is found, @command{gpg-wks-client} will try an additional user +id. + +The @option{--receive} and @option{--read} commands are used to +process confirmation mails as send from the service provider. The +former expects an encrypted MIME messages, the latter an already +decrypted MIME message. The result of these commands are another mail +which can be send in the same way as the mail created with +@option{--create}. + +The command @option{--install-key} manually installs a key into a +local directory (see option @option{-C}) reflecting the structure of a +WKD. The arguments are a file with the keyblock and the user-id to +install. If the first argument resembles a fingerprint the key is +taken from the current keyring; to force the use of a file, prefix the +first argument with "./". If no arguments are given the parameters +are read from stdin; the expected format are lines with the +fingerprint and the mailbox separated by a space. The command +@option{--remove-key} removes a key from that directory, its only +argument is a user-id. + +The command @option{--mirror} is similar to @option{--install-key} but +takes the keys from the the LDAP server configured for Dirmngr. If no +arguments are given all keys and user ids are installed. If arguments +are given they are taken as domain names to limit the to be installed +keys. The option @option{--blacklist} may be used to further limit +the to be installed keys. + +The command @option{--print-wkd-hash} prints the WKD user-id identifiers +and the corresponding mailboxes from the user-ids given on the command +line or via stdin (one user-id per line). + +The command @option{--print-wkd-url} prints the URLs used to fetch the +key for the given user-ids from WKD. The meanwhile preferred format +with sub-domains is used here. + +@command{gpg-wks-client} is not commonly invoked directly and thus it +is not installed in the bin directory. Here is an example how it can +be invoked manually to check for a Web Key Directory entry for +@file{foo@@example.org}: + +@example +$(gpgconf --list-dirs libexecdir)/gpg-wks-client --check foo@@example.net +@end example + +@mansect options +@noindent +@command{gpg-wks-client} understands these options: + +@table @gnupgtabopt + +@item --send +@opindex send +Directly send created mails using the @command{sendmail} command. +Requires installation of that command. + +@item --with-colons +@opindex with-colons +This option has currently only an effect on the @option{--supported} +command. If it is used all arguments on the command line are taken +as domain names and tested for WKD support. The output format is one +line per domain with colon delimited fields. The currently specified +fields are (future versions may specify additional fields): + +@table @asis + + @item 1 - domain + This is the domain name. Although quoting is not required for valid + domain names this field is specified to be quoted in standard C + manner. + + @item 2 - WKD + If the value is true the domain supports the Web Key Directory. + + @item 3 - WKS + If the value is true the domain supports the Web Key Service + protocol to upload keys to the directory. + + @item 4 - error-code + This may contain an gpg-error code to describe certain + failures. Use @samp{gpg-error CODE} to explain the code. + + @item 5 - protocol-version + The minimum protocol version supported by the server. + + @item 6 - auth-submit + The auth-submit flag from the policy file of the server. + + @item 7 - mailbox-only + The mailbox-only flag from the policy file of the server. +@end table + + + +@item --output @var{file} +@itemx -o +@opindex output +Write the created mail to @var{file} instead of stdout. Note that the +value @code{-} for @var{file} is the same as writing to stdout. + +@item --status-fd @var{n} +@opindex status-fd +Write special status strings to the file descriptor @var{n}. +This program returns only the status messages SUCCESS or FAILURE which +are helpful when the caller uses a double fork approach and can't +easily get the return code of the process. + +@item -C @var{dir} +@itemx --directory @var{dir} +@opindex directory +Use @var{dir} as top level directory for the commands +@option{--mirror}, @option{--install-key} and @option{--remove-key}. +The default is @file{openpgpkey}. + + +@item --blacklist @var{file} +@opindex blacklist +This option is used to exclude certain mail addresses from a mirror +operation. The format of @var{file} is one mail address (just the +addrspec, e.g. "postel@@isi.edu") per line. Empty lines and lines +starting with a '#' are ignored. + +@item --verbose +@opindex verbose +Enable extra informational output. + +@item --quiet +@opindex quiet +Disable almost all informational output. + +@item --version +@opindex version +Print version of the program and exit. + +@item --help +@opindex help +Display a brief help page and exit. + +@end table + + +@mansect see also +@ifset isman +@command{gpg-wks-server}(1) +@end ifset + + +@c +@c GPG-WKS-SERVER +@c +@manpage gpg-wks-server.1 +@node gpg-wks-server +@section Provide the Web Key Service +@ifset manverb +.B gpg-wks-server +\- Server providing the Web Key Service +@end ifset + +@mansect synopsis +@ifset manverb +.B gpg-wks-server +.RI [ options ] +.B \-\-receive +.br +.B gpg-wks-server +.RI [ options ] +.B \-\-cron +.br +.B gpg-wks-server +.RI [ options ] +.B \-\-list-domains +.br +.B gpg-wks-server +.RI [ options ] +.B \-\-check-key +.I user-id +.br +.B gpg-wks-server +.RI [ options ] +.B \-\-install-key +.I file +.I user-id +.br +.B gpg-wks-server +.RI [ options ] +.B \-\-remove-key +.I user-id +.br +.B gpg-wks-server +.RI [ options ] +.B \-\-revoke-key +.I user-id +@end ifset + +@mansect description +The @command{gpg-wks-server} is a server site implementation of the +Web Key Service. It receives requests for publication, sends +confirmation requests, receives confirmations, and published the key. +It also has features to ease the setup and maintenance of a Web Key +Directory. + +When used with the command @option{--receive} a single Web Key Service +mail is processed. Commonly this command is used with the option +@option{--send} to directly send the crerated mails back. See below +for an installation example. + +The command @option{--cron} is used for regualr cleanup tasks. For +example non-confirmed requested should be removed after their expire +time. It is best to run this command once a day from a cronjob. + +The command @option{--list-domains} prints all configured domains. +Further it creates missing directories for the configuration and +prints warnings pertaining to problems in the configuration. + +The command @option{--check-key} (or just @option{--check}) checks +whether a key with the given user-id is installed. The process returns +success in this case; to also print a diagnostic use the option +@option{-v}. If the key is not installed a diagnostic is printed and +the process returns failure; to suppress the diagnostic, use option +@option{-q}. More than one user-id can be given; see also option +@option{with-file}. + +The command @option{--install-key} manually installs a key into the +WKD. The arguments are a file with the keyblock and the user-id to +install. If the first argument resembles a fingerprint the key is +taken from the current keyring; to force the use of a file, prefix the +first argument with "./". If no arguments are given the parameters +are read from stdin; the expected format are lines with the +fingerprint and the mailbox separated by a space. + +The command @option{--remove-key} uninstalls a key from the WKD. The +process returns success in this case; to also print a diagnostic, use +option @option{-v}. If the key is not installed a diagnostic is +printed and the process returns failure; to suppress the diagnostic, +use option @option{-q}. + +The command @option{--revoke-key} is not yet functional. + + +@mansect options +@noindent +@command{gpg-wks-server} understands these options: + +@table @gnupgtabopt + +@item -C @var{dir} +@itemx --directory @var{dir} +@opindex directory +Use @var{dir} as top level directory for domains. The default is +@file{/var/lib/gnupg/wks}. + +@item --from @var{mailaddr} +@opindex from +Use @var{mailaddr} as the default sender address. + +@item --header @var{name}=@var{value} +@opindex header +Add the mail header "@var{name}: @var{value}" to all outgoing mails. + +@item --send +@opindex send +Directly send created mails using the @command{sendmail} command. +Requires installation of that command. + +@item -o @var{file} +@itemx --output @var{file} +@opindex output +Write the created mail also to @var{file}. Note that the value +@code{-} for @var{file} would write it to stdout. + +@item --with-dir +@opindex with-dir +When used with the command @option{--list-domains} print for each +installed domain the domain name and its directory name. + +@item --with-file +@opindex with-file +When used with the command @option{--check-key} print for each user-id, +the address, 'i' for installed key or 'n' for not installed key, and +the filename. + +@item --verbose +@opindex verbose +Enable extra informational output. + +@item --quiet +@opindex quiet +Disable almost all informational output. + +@item --version +@opindex version +Print version of the program and exit. + +@item --help +@opindex help +Display a brief help page and exit. + +@end table + +@noindent +@mansect examples +@chapheading Examples + +The Web Key Service requires a working directory to store keys +pending for publication. As root create a working directory: + +@example + # mkdir /var/lib/gnupg/wks + # chown webkey:webkey /var/lib/gnupg/wks + # chmod 2750 /var/lib/gnupg/wks +@end example + +Then under your webkey account create directories for all your +domains. Here we do it for "example.net": + +@example + $ mkdir /var/lib/gnupg/wks/example.net +@end example + +Finally run + +@example + $ gpg-wks-server --list-domains +@end example + +to create the required sub-directories with the permissions set +correctly. For each domain a submission address needs to be +configured. All service mails are directed to that address. It can +be the same address for all configured domains, for example: + +@example + $ cd /var/lib/gnupg/wks/example.net + $ echo key-submission@@example.net >submission-address +@end example + +The protocol requires that the key to be published is send with an +encrypted mail to the service. Thus you need to create a key for +the submission address: + +@example + $ gpg --batch --passphrase '' --quick-gen-key key-submission@@example.net + $ gpg -K key-submission@@example.net +@end example + +The output of the last command looks similar to this: + +@example + sec rsa2048 2016-08-30 [SC] + C0FCF8642D830C53246211400346653590B3795B + uid [ultimate] key-submission@@example.net + ssb rsa2048 2016-08-30 [E] +@end example + +Take the fingerprint from that output and manually publish the key: + +@example + $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \ + > key-submission@@example.net +@end example + +Finally that submission address needs to be redirected to a script +running @command{gpg-wks-server}. The @command{procmail} command can +be used for this: Redirect the submission address to the user "webkey" +and put this into webkey's @file{.procmailrc}: + +@example +:0 +* !^From: webkey@@example.net +* !^X-WKS-Loop: webkey.example.net +|gpg-wks-server -v --receive \ + --header X-WKS-Loop=webkey.example.net \ + --from webkey@@example.net --send +@end example + + +@mansect see also +@ifset isman +@command{gpg-wks-client}(1) +@end ifset diff --git a/doc/yat2m.c b/doc/yat2m.c new file mode 100644 index 0000000..c7bec33 --- /dev/null +++ b/doc/yat2m.c @@ -0,0 +1,1646 @@ +/* yat2m.c - Yet Another Texi 2 Man converter + * Copyright (C) 2005, 2013, 2015, 2016, 2017 g10 Code GmbH + * Copyright (C) 2006, 2008, 2011 Free Software Foundation, Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <https://www.gnu.org/licenses/>. + */ + +/********************************************** + * Note: The canonical source of this tool ** + * is part of libgpg-error and it ** + * installs yat2m on the build system. ** + **********************************************/ + +/* + This is a simple texinfo to man page converter. It needs some + special markup in th e texinfo and tries best to get a create man + page. It has been designed for the GnuPG man pages and thus only + a few texinfo commands are supported. + + To use this you need to add the following macros into your texinfo + source: + + @macro manpage {a} + @end macro + @macro mansect {a} + @end macro + @macro manpause + @end macro + @macro mancont + @end macro + + They are used by yat2m to select parts of the Texinfo which should + go into the man page. These macros need to be used without leading + left space. Processing starts after a "manpage" macro has been + seen. "mansect" identifies the section and yat2m make sure to + emit the sections in the proper order. Note that @mansect skips + the next input line if that line begins with @section, @subsection or + @chapheading. + + To insert verbatim troff markup, the following texinfo code may be + used: + + @ifset manverb + .B whateever you want + @end ifset + + alternativly a special comment may be used: + + @c man:.B whatever you want + + This is useful in case you need just one line. If you want to + include parts only in the man page but keep the texinfo + translation you may use: + + @ifset isman + stuff to be rendered only on man pages + @end ifset + + or to exclude stuff from man pages: + + @ifclear isman + stuff not to be rendered on man pages + @end ifclear + + the keyword @section is ignored, however @subsection gets rendered + as ".SS". @menu is completely skipped. Several man pages may be + extracted from one file, either using the --store or the --select + option. + + If you want to indent tables in the source use this style: + + @table foo + @item + @item + @table + @item + @end + @end + + Don't change the indentation within a table and keep the same + number of white space at the start of the line. yat2m simply + detects the number of white spaces in front of an @item and remove + this number of spaces from all following lines until a new @item + is found or there are less spaces than for the last @item. + + Note that @* does only work correctly if used at the end of an + input line. + +*/ + +#include <stdio.h> +#include <stdlib.h> +#include <stddef.h> +#include <string.h> +#include <errno.h> +#include <stdarg.h> +#include <assert.h> +#include <ctype.h> +#include <time.h> + + +#if __GNUC__ +# define MY_GCC_VERSION (__GNUC__ * 10000 \ + + __GNUC_MINOR__ * 100 \ + + __GNUC_PATCHLEVEL__) +#else +# define MY_GCC_VERSION 0 +#endif + +#if MY_GCC_VERSION >= 20500 +# define ATTR_PRINTF(f, a) __attribute__ ((format(printf,f,a))) +# define ATTR_NR_PRINTF(f, a) __attribute__ ((noreturn, format(printf,f,a))) +#else +# define ATTR_PRINTF(f, a) +# define ATTR_NR_PRINTF(f, a) +#endif +#if MY_GCC_VERSION >= 30200 +# define ATTR_MALLOC __attribute__ ((__malloc__)) +#else +# define ATTR_MALLOC +#endif + + + +#define PGM "yat2m" +#define VERSION "1.0" + +/* The maximum length of a line including the linefeed and one extra + character. */ +#define LINESIZE 1024 + +/* Number of allowed condition nestings. */ +#define MAX_CONDITION_NESTING 10 + +/* Option flags. */ +static int verbose; +static int quiet; +static int debug; +static const char *opt_source; +static const char *opt_release; +static const char *opt_date; +static const char *opt_select; +static const char *opt_include; +static int opt_store; + +/* Flag to keep track whether any error occurred. */ +static int any_error; + + +/* Object to keep macro definitions. */ +struct macro_s +{ + struct macro_s *next; + char *value; /* Malloced value. */ + char name[1]; +}; +typedef struct macro_s *macro_t; + +/* List of all defined macros. */ +static macro_t macrolist; + +/* List of variables set by @set. */ +static macro_t variablelist; + +/* List of global macro names. The value part is not used. */ +static macro_t predefinedmacrolist; + +/* Object to keep track of @isset and @ifclear. */ +struct condition_s +{ + int manverb; /* "manverb" needs special treatment. */ + int isset; /* This is an @isset condition. */ + char name[1]; /* Name of the condition macro. */ +}; +typedef struct condition_s *condition_t; + +/* The stack used to evaluate conditions. And the current states. */ +static condition_t condition_stack[MAX_CONDITION_NESTING]; +static int condition_stack_idx; +static int cond_is_active; /* State of ifset/ifclear */ +static int cond_in_verbatim; /* State of "manverb". */ + + +/* Object to store one line of content. */ +struct line_buffer_s +{ + struct line_buffer_s *next; + int verbatim; /* True if LINE contains verbatim data. The default + is Texinfo source. */ + char *line; +}; +typedef struct line_buffer_s *line_buffer_t; + + +/* Object to collect the data of a section. */ +struct section_buffer_s +{ + char *name; /* Malloced name of the section. This may be + NULL to indicate this slot is not used. */ + line_buffer_t lines; /* Linked list with the lines of the section. */ + line_buffer_t *lines_tail; /* Helper for faster appending to the + linked list. */ + line_buffer_t last_line; /* Points to the last line appended. */ +}; +typedef struct section_buffer_s *section_buffer_t; + +/* Variable to keep info about the current page together. */ +static struct +{ + /* Filename of the current page or NULL if no page is active. Malloced. */ + char *name; + + /* Number of allocated elements in SECTIONS below. */ + size_t n_sections; + /* Array with the data of the sections. */ + section_buffer_t sections; + +} thepage; + + +/* The list of standard section names. COMMANDS and ASSUAN are GnuPG + specific. */ +static const char * const standard_sections[] = + { "NAME", "SYNOPSIS", "DESCRIPTION", + "RETURN VALUE", "EXIT STATUS", "ERROR HANDLING", "ERRORS", + "COMMANDS", "OPTIONS", "USAGE", "EXAMPLES", "FILES", + "ENVIRONMENT", "DIAGNOSTICS", "SECURITY", "CONFORMING TO", + "ASSUAN", "NOTES", "BUGS", "AUTHOR", "SEE ALSO", NULL }; + + +/*-- Local prototypes. --*/ +static void proc_texi_buffer (FILE *fp, const char *line, size_t len, + int *table_level, int *eol_action); + +static void die (const char *format, ...) ATTR_NR_PRINTF(1,2); +static void err (const char *format, ...) ATTR_PRINTF(1,2); +static void inf (const char *format, ...) ATTR_PRINTF(1,2); +static void *xmalloc (size_t n) ATTR_MALLOC; +static void *xcalloc (size_t n, size_t m) ATTR_MALLOC; + + + +/*-- Functions --*/ + +/* Print diagnostic message and exit with failure. */ +static void +die (const char *format, ...) +{ + va_list arg_ptr; + + fflush (stdout); + fprintf (stderr, "%s: ", PGM); + + va_start (arg_ptr, format); + vfprintf (stderr, format, arg_ptr); + va_end (arg_ptr); + putc ('\n', stderr); + + exit (1); +} + + +/* Print diagnostic message. */ +static void +err (const char *format, ...) +{ + va_list arg_ptr; + + fflush (stdout); + if (strncmp (format, "%s:%d:", 6)) + fprintf (stderr, "%s: ", PGM); + + va_start (arg_ptr, format); + vfprintf (stderr, format, arg_ptr); + va_end (arg_ptr); + putc ('\n', stderr); + any_error = 1; +} + +/* Print diagnostic message. */ +static void +inf (const char *format, ...) +{ + va_list arg_ptr; + + fflush (stdout); + fprintf (stderr, "%s: ", PGM); + + va_start (arg_ptr, format); + vfprintf (stderr, format, arg_ptr); + va_end (arg_ptr); + putc ('\n', stderr); +} + + +static void * +xmalloc (size_t n) +{ + void *p = malloc (n); + if (!p) + die ("out of core: %s", strerror (errno)); + return p; +} + +static void * +xcalloc (size_t n, size_t m) +{ + void *p = calloc (n, m); + if (!p) + die ("out of core: %s", strerror (errno)); + return p; +} + +static void * +xrealloc (void *old, size_t n) +{ + void *p = realloc (old, n); + if (!p) + die ("out of core: %s", strerror (errno)); + return p; +} + +static char * +xstrdup (const char *string) +{ + void *p = malloc (strlen (string)+1); + if (!p) + die ("out of core: %s", strerror (errno)); + strcpy (p, string); + return p; +} + + +/* Uppercase the ascii characters in STRING. */ +static char * +ascii_strupr (char *string) +{ + char *p; + + for (p = string; *p; p++) + if (!(*p & 0x80)) + *p = toupper (*p); + return string; +} + + +/* Return the current date as an ISO string. */ +const char * +isodatestring (void) +{ + static char buffer[11+5]; + struct tm *tp; + time_t atime; + + if (opt_date && *opt_date) + atime = strtoul (opt_date, NULL, 10); + else + atime = time (NULL); + if (atime < 0) + strcpy (buffer, "????" "-??" "-??"); + else + { + tp = gmtime (&atime); + sprintf (buffer,"%04d-%02d-%02d", + 1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday ); + } + return buffer; +} + + +/* Add NAME to the list of predefined macros which are global for all + files. */ +static void +add_predefined_macro (const char *name) +{ + macro_t m; + + for (m=predefinedmacrolist; m; m = m->next) + if (!strcmp (m->name, name)) + break; + if (!m) + { + m = xcalloc (1, sizeof *m + strlen (name)); + strcpy (m->name, name); + m->next = predefinedmacrolist; + predefinedmacrolist = m; + } +} + + +/* Create or update a macro with name MACRONAME and set its values TO + MACROVALUE. Note that ownership of the macro value is transferred + to this function. */ +static void +set_macro (const char *macroname, char *macrovalue) +{ + macro_t m; + + for (m=macrolist; m; m = m->next) + if (!strcmp (m->name, macroname)) + break; + if (m) + free (m->value); + else + { + m = xcalloc (1, sizeof *m + strlen (macroname)); + strcpy (m->name, macroname); + m->next = macrolist; + macrolist = m; + } + m->value = macrovalue; + macrovalue = NULL; +} + + +/* Create or update a variable with name and value given in NAMEANDVALUE. */ +static void +set_variable (char *nameandvalue) +{ + macro_t m; + const char *value; + char *p; + + for (p = nameandvalue; *p && *p != ' ' && *p != '\t'; p++) + ; + if (!*p) + value = ""; + else + { + *p++ = 0; + while (*p == ' ' || *p == '\t') + p++; + value = p; + } + + for (m=variablelist; m; m = m->next) + if (!strcmp (m->name, nameandvalue)) + break; + if (m) + free (m->value); + else + { + m = xcalloc (1, sizeof *m + strlen (nameandvalue)); + strcpy (m->name, nameandvalue); + m->next = variablelist; + variablelist = m; + } + m->value = xstrdup (value); +} + + +/* Return true if the macro or variable NAME is set, i.e. not the + empty string and not evaluating to 0. */ +static int +macro_set_p (const char *name) +{ + macro_t m; + + for (m = macrolist; m ; m = m->next) + if (!strcmp (m->name, name)) + break; + if (!m) + for (m = variablelist; m ; m = m->next) + if (!strcmp (m->name, name)) + break; + if (!m || !m->value || !*m->value) + return 0; + if ((*m->value & 0x80) || !isdigit (*m->value)) + return 1; /* Not a digit but some other string. */ + return !!atoi (m->value); +} + + +/* Evaluate the current conditions. */ +static void +evaluate_conditions (const char *fname, int lnr) +{ + int i; + + /* for (i=0; i < condition_stack_idx; i++) */ + /* inf ("%s:%d: stack[%d] %s %s %c", */ + /* fname, lnr, i, condition_stack[i]->isset? "set":"clr", */ + /* condition_stack[i]->name, */ + /* (macro_set_p (condition_stack[i]->name) */ + /* ^ !condition_stack[i]->isset)? 't':'f'); */ + + cond_is_active = 1; + cond_in_verbatim = 0; + if (condition_stack_idx) + { + for (i=0; i < condition_stack_idx; i++) + { + if (condition_stack[i]->manverb) + cond_in_verbatim = (macro_set_p (condition_stack[i]->name) + ^ !condition_stack[i]->isset); + else if (!(macro_set_p (condition_stack[i]->name) + ^ !condition_stack[i]->isset)) + { + cond_is_active = 0; + break; + } + } + } + + /* inf ("%s:%d: active=%d verbatim=%d", */ + /* fname, lnr, cond_is_active, cond_in_verbatim); */ +} + + +/* Push a condition with condition macro NAME onto the stack. If + ISSET is true, a @isset condition is pushed. */ +static void +push_condition (const char *name, int isset, const char *fname, int lnr) +{ + condition_t cond; + int manverb = 0; + + if (condition_stack_idx >= MAX_CONDITION_NESTING) + { + err ("%s:%d: condition nested too deep", fname, lnr); + return; + } + + if (!strcmp (name, "manverb")) + { + if (!isset) + { + err ("%s:%d: using \"@ifclear manverb\" is not allowed", fname, lnr); + return; + } + manverb = 1; + } + + cond = xcalloc (1, sizeof *cond + strlen (name)); + cond->manverb = manverb; + cond->isset = isset; + strcpy (cond->name, name); + + condition_stack[condition_stack_idx++] = cond; + evaluate_conditions (fname, lnr); +} + + +/* Remove the last condition from the stack. ISSET is used for error + reporting. */ +static void +pop_condition (int isset, const char *fname, int lnr) +{ + if (!condition_stack_idx) + { + err ("%s:%d: unbalanced \"@end %s\"", + fname, lnr, isset?"isset":"isclear"); + return; + } + condition_stack_idx--; + free (condition_stack[condition_stack_idx]); + condition_stack[condition_stack_idx] = NULL; + evaluate_conditions (fname, lnr); +} + + + +/* Return a section buffer for the section NAME. Allocate a new buffer + if this is a new section. Keep track of the sections in THEPAGE. + This function may reallocate the section array in THEPAGE. */ +static section_buffer_t +get_section_buffer (const char *name) +{ + int i; + section_buffer_t sect; + + /* If there is no section we put everything into the required NAME + section. Given that this is the first one listed it is likely + that error are easily visible. */ + if (!name) + name = "NAME"; + + for (i=0; i < thepage.n_sections; i++) + { + sect = thepage.sections + i; + if (sect->name && !strcmp (name, sect->name)) + return sect; + } + for (i=0; i < thepage.n_sections; i++) + if (!thepage.sections[i].name) + break; + if (thepage.n_sections && i < thepage.n_sections) + sect = thepage.sections + i; + else + { + /* We need to allocate or reallocate the section array. */ + size_t old_n = thepage.n_sections; + size_t new_n = 20; + + if (!old_n) + thepage.sections = xcalloc (new_n, sizeof *thepage.sections); + else + { + thepage.sections = xrealloc (thepage.sections, + ((old_n + new_n) + * sizeof *thepage.sections)); + memset (thepage.sections + old_n, 0, + new_n * sizeof *thepage.sections); + } + thepage.n_sections += new_n; + + /* Setup the tail pointers. */ + for (i=old_n; i < thepage.n_sections; i++) + { + sect = thepage.sections + i; + sect->lines_tail = §->lines; + } + sect = thepage.sections + old_n; + } + + /* Store the name. */ + assert (!sect->name); + sect->name = xstrdup (name); + return sect; +} + + + +/* Add the content of LINE to the section named SECTNAME. */ +static void +add_content (const char *sectname, char *line, int verbatim) +{ + section_buffer_t sect; + line_buffer_t lb; + + sect = get_section_buffer (sectname); + if (sect->last_line && !sect->last_line->verbatim == !verbatim) + { + /* Lets append that line to the last one. We do this to keep + all lines of the same kind (i.e.verbatim or not) together in + one large buffer. */ + size_t n1, n; + + lb = sect->last_line; + n1 = strlen (lb->line); + n = n1 + 1 + strlen (line) + 1; + lb->line = xrealloc (lb->line, n); + strcpy (lb->line+n1, "\n"); + strcpy (lb->line+n1+1, line); + } + else + { + lb = xcalloc (1, sizeof *lb); + lb->verbatim = verbatim; + lb->line = xstrdup (line); + sect->last_line = lb; + *sect->lines_tail = lb; + sect->lines_tail = &lb->next; + } +} + + +/* Prepare for a new man page using the filename NAME. */ +static void +start_page (char *name) +{ + if (verbose) + inf ("starting page '%s'", name); + assert (!thepage.name); + thepage.name = xstrdup (name); + thepage.n_sections = 0; +} + + +/* Write the .TH entry of the current page. Return -1 if there is a + problem with the page. */ +static int +write_th (FILE *fp) +{ + char *name, *p; + + fputs (".\\\" Created from Texinfo source by yat2m " VERSION "\n", fp); + + name = ascii_strupr (xstrdup (thepage.name)); + p = strrchr (name, '.'); + if (!p || !p[1]) + { + err ("no section name in man page '%s'", thepage.name); + free (name); + return -1; + } + *p++ = 0; + fprintf (fp, ".TH %s %s %s \"%s\" \"%s\"\n", + name, p, isodatestring (), opt_release, opt_source); + free (name); + return 0; +} + + +/* Process the texinfo command COMMAND (without the leading @) and + write output if needed to FP. REST is the remainer of the line + which should either point to an opening brace or to a white space. + The function returns the number of characters already processed + from REST. LEN is the usable length of REST. TABLE_LEVEL is used to + control the indentation of tables. */ +static size_t +proc_texi_cmd (FILE *fp, const char *command, const char *rest, size_t len, + int *table_level, int *eol_action) +{ + static struct { + const char *name; /* Name of the command. */ + int what; /* What to do with this command. */ + const char *lead_in; /* String to print with a opening brace. */ + const char *lead_out;/* String to print with the closing brace. */ + } cmdtbl[] = { + { "command", 0, "\\fB", "\\fR" }, + { "code", 0, "\\fB", "\\fR" }, + { "url", 0, "\\fB", "\\fR" }, + { "sc", 0, "\\fB", "\\fR" }, + { "var", 0, "\\fI", "\\fR" }, + { "samp", 0, "\\(aq", "\\(aq" }, + { "file", 0, "\\(oq\\fI","\\fR\\(cq" }, + { "env", 0, "\\(oq\\fI","\\fR\\(cq" }, + { "acronym", 0 }, + { "dfn", 0 }, + { "option", 0, "\\fB", "\\fR" }, + { "example", 1, ".RS 2\n.nf\n" }, + { "smallexample", 1, ".RS 2\n.nf\n" }, + { "asis", 7 }, + { "anchor", 7 }, + { "cartouche", 1 }, + { "ref", 0, "[", "]" }, + { "xref", 0, "See: [", "]" }, + { "pxref", 0, "see: [", "]" }, + { "uref", 0, "(\\fB", "\\fR)" }, + { "footnote",0, " ([", "])" }, + { "emph", 0, "\\fI", "\\fR" }, + { "w", 1 }, + { "c", 5 }, + { "efindex", 1 }, + { "opindex", 1 }, + { "cpindex", 1 }, + { "cindex", 1 }, + { "noindent", 0 }, + { "section", 1 }, + { "chapter", 1 }, + { "subsection", 6, "\n.SS " }, + { "chapheading", 0}, + { "item", 2, ".TP\n.B " }, + { "itemx", 2, ".TQ\n.B " }, + { "table", 3 }, + { "itemize", 3 }, + { "bullet", 0, "* " }, + { "*", 0, "\n.br"}, + { "/", 0 }, + { "end", 4 }, + { "quotation",1, ".RS\n\\fB" }, + { "value", 8 }, + { NULL } + }; + size_t n; + int i; + const char *s; + const char *lead_out = NULL; + int ignore_args = 0; + + for (i=0; cmdtbl[i].name && strcmp (cmdtbl[i].name, command); i++) + ; + if (cmdtbl[i].name) + { + s = cmdtbl[i].lead_in; + if (s) + fputs (s, fp); + lead_out = cmdtbl[i].lead_out; + switch (cmdtbl[i].what) + { + case 1: /* Throw away the entire line. */ + s = memchr (rest, '\n', len); + return s? (s-rest)+1 : len; + case 2: /* Handle @item. */ + break; + case 3: /* Handle table. */ + if (++(*table_level) > 1) + fputs (".RS\n", fp); + /* Now throw away the entire line. */ + s = memchr (rest, '\n', len); + return s? (s-rest)+1 : len; + break; + case 4: /* Handle end. */ + for (s=rest, n=len; n && (*s == ' ' || *s == '\t'); s++, n--) + ; + if (n >= 5 && !memcmp (s, "table", 5) + && (!n || s[5] == ' ' || s[5] == '\t' || s[5] == '\n')) + { + if ((*table_level)-- > 1) + fputs (".RE\n", fp); + else + fputs (".P\n", fp); + } + else if (n >= 7 && !memcmp (s, "example", 7) + && (!n || s[7] == ' ' || s[7] == '\t' || s[7] == '\n')) + { + fputs (".fi\n.RE\n", fp); + } + else if (n >= 12 && !memcmp (s, "smallexample", 12) + && (!n || s[12] == ' ' || s[12] == '\t' || s[12] == '\n')) + { + fputs (".fi\n.RE\n", fp); + } + else if (n >= 9 && !memcmp (s, "quotation", 9) + && (!n || s[9] == ' ' || s[9] == '\t' || s[9] == '\n')) + { + fputs ("\\fR\n.RE\n", fp); + } + /* Now throw away the entire line. */ + s = memchr (rest, '\n', len); + return s? (s-rest)+1 : len; + case 5: /* Handle special comments. */ + for (s=rest, n=len; n && (*s == ' ' || *s == '\t'); s++, n--) + ; + if (n >= 4 && !memcmp (s, "man:", 4)) + { + for (s+=4, n-=4; n && *s != '\n'; n--, s++) + putc (*s, fp); + putc ('\n', fp); + } + /* Now throw away the entire line. */ + s = memchr (rest, '\n', len); + return s? (s-rest)+1 : len; + case 6: + *eol_action = 1; + break; + case 7: + ignore_args = 1; + break; + case 8: + ignore_args = 1; + if (*rest != '{') + { + err ("opening brace for command '%s' missing", command); + return len; + } + else + { + /* Find closing brace. */ + for (s=rest+1, n=1; *s && n < len; s++, n++) + if (*s == '}') + break; + if (*s != '}') + { + err ("closing brace for command '%s' not found", command); + return len; + } + else + { + size_t len = s - (rest + 1); + macro_t m; + + for (m = variablelist; m; m = m->next) + if (strlen (m->name) == len + &&!strncmp (m->name, rest+1, len)) + break; + if (m) + fputs (m->value, fp); + else + inf ("texinfo variable '%.*s' is not set", + (int)len, rest+1); + } + } + break; + default: + break; + } + } + else /* macro */ + { + macro_t m; + + for (m = macrolist; m ; m = m->next) + if (!strcmp (m->name, command)) + break; + if (m) + { + proc_texi_buffer (fp, m->value, strlen (m->value), + table_level, eol_action); + ignore_args = 1; /* Parameterized macros are not yet supported. */ + } + else + inf ("texinfo command '%s' not supported (%.*s)", command, + (int)((s = memchr (rest, '\n', len)), (s? (s-rest) : len)), rest); + } + + if (*rest == '{') + { + /* Find matching closing brace. */ + for (s=rest+1, n=1, i=1; i && *s && n < len; s++, n++) + if (*s == '{') + i++; + else if (*s == '}') + i--; + if (i) + { + err ("closing brace for command '%s' not found", command); + return len; + } + if (n > 2 && !ignore_args) + proc_texi_buffer (fp, rest+1, n-2, table_level, eol_action); + } + else + n = 0; + + if (lead_out) + fputs (lead_out, fp); + + return n; +} + + + +/* Process the string LINE with LEN bytes of Texinfo content. */ +static void +proc_texi_buffer (FILE *fp, const char *line, size_t len, + int *table_level, int *eol_action) +{ + const char *s; + char cmdbuf[256]; + int cmdidx = 0; + int in_cmd = 0; + size_t n; + + for (s=line; *s && len; s++, len--) + { + if (in_cmd) + { + if (in_cmd == 1) + { + switch (*s) + { + case '@': case '{': case '}': + putc (*s, fp); in_cmd = 0; + break; + case ':': /* Not ending a sentence flag. */ + in_cmd = 0; + break; + case '.': case '!': case '?': /* Ending a sentence. */ + putc (*s, fp); in_cmd = 0; + break; + case ' ': case '\t': case '\n': /* Non collapsing spaces. */ + putc (*s, fp); in_cmd = 0; + break; + default: + cmdidx = 0; + cmdbuf[cmdidx++] = *s; + in_cmd++; + break; + } + } + else if (*s == '{' || *s == ' ' || *s == '\t' || *s == '\n') + { + cmdbuf[cmdidx] = 0; + n = proc_texi_cmd (fp, cmdbuf, s, len, table_level, eol_action); + assert (n <= len); + s += n; len -= n; + s--; len++; + in_cmd = 0; + } + else if (cmdidx < sizeof cmdbuf -1) + cmdbuf[cmdidx++] = *s; + else + { + err ("texinfo command too long - ignored"); + in_cmd = 0; + } + } + else if (*s == '@') + in_cmd = 1; + else if (*s == '\n') + { + switch (*eol_action) + { + case 1: /* Create a dummy paragraph. */ + fputs ("\n\\ \n", fp); + break; + default: + putc (*s, fp); + } + *eol_action = 0; + } + else if (*s == '\\') + fputs ("\\\\", fp); + else + putc (*s, fp); + } + + if (in_cmd > 1) + { + cmdbuf[cmdidx] = 0; + n = proc_texi_cmd (fp, cmdbuf, s, len, table_level, eol_action); + assert (n <= len); + s += n; len -= n; + s--; len++; + /* in_cmd = 0; -- doc only */ + } +} + + +/* Do something with the Texinfo line LINE. */ +static void +parse_texi_line (FILE *fp, const char *line, int *table_level) +{ + int eol_action = 0; + + /* A quick test whether there are any texinfo commands. */ + if (!strchr (line, '@')) + { + fputs (line, fp); + putc ('\n', fp); + return; + } + proc_texi_buffer (fp, line, strlen (line), table_level, &eol_action); + putc ('\n', fp); +} + + +/* Write all the lines LINES to FP. */ +static void +write_content (FILE *fp, line_buffer_t lines) +{ + line_buffer_t line; + int table_level = 0; + + for (line = lines; line; line = line->next) + { + if (line->verbatim) + { + fputs (line->line, fp); + putc ('\n', fp); + } + else + { +/* fputs ("TEXI---", fp); */ +/* fputs (line->line, fp); */ +/* fputs ("---\n", fp); */ + parse_texi_line (fp, line->line, &table_level); + } + } +} + + + +static int +is_standard_section (const char *name) +{ + int i; + const char *s; + + for (i=0; (s=standard_sections[i]); i++) + if (!strcmp (s, name)) + return 1; + return 0; +} + + +/* Finish a page; that is sort the data and write it out to the file. */ +static void +finish_page (void) +{ + FILE *fp; + section_buffer_t sect = NULL; + int idx; + const char *s; + int i; + + if (!thepage.name) + return; /* No page active. */ + + if (verbose) + inf ("finishing page '%s'", thepage.name); + + if (opt_select) + { + if (!strcmp (opt_select, thepage.name)) + { + inf ("selected '%s'", thepage.name ); + fp = stdout; + } + else + { + fp = fopen ( "/dev/null", "w" ); + if (!fp) + die ("failed to open /dev/null: %s\n", strerror (errno)); + } + } + else if (opt_store) + { + inf ("writing '%s'", thepage.name ); + fp = fopen ( thepage.name, "w" ); + if (!fp) + die ("failed to create '%s': %s\n", thepage.name, strerror (errno)); + } + else + fp = stdout; + + if (write_th (fp)) + goto leave; + + for (idx=0; (s=standard_sections[idx]); idx++) + { + for (i=0; i < thepage.n_sections; i++) + { + sect = thepage.sections + i; + if (sect->name && !strcmp (s, sect->name)) + break; + } + if (i == thepage.n_sections) + sect = NULL; + + if (sect) + { + fprintf (fp, ".SH %s\n", sect->name); + write_content (fp, sect->lines); + /* Now continue with all non standard sections directly + following this one. */ + for (i++; i < thepage.n_sections; i++) + { + sect = thepage.sections + i; + if (sect->name && is_standard_section (sect->name)) + break; + if (sect->name) + { + fprintf (fp, ".SH %s\n", sect->name); + write_content (fp, sect->lines); + } + } + + } + } + + + leave: + if (fp != stdout) + fclose (fp); + free (thepage.name); + thepage.name = NULL; + /* FIXME: Cleanup the content. */ +} + + + + +/* Parse one Texinfo file and create manpages according to the + embedded instructions. */ +static void +parse_file (const char *fname, FILE *fp, char **section_name, int in_pause) +{ + char *line; + int lnr = 0; + /* Fixme: The following state variables don't carry over to include + files. */ + int skip_to_end = 0; /* Used to skip over menu entries. */ + int skip_sect_line = 0; /* Skip after @mansect. */ + int item_indent = 0; /* How far is the current @item indented. */ + + /* Helper to define a macro. */ + char *macroname = NULL; + char *macrovalue = NULL; + size_t macrovaluesize = 0; + size_t macrovalueused = 0; + + line = xmalloc (LINESIZE); + while (fgets (line, LINESIZE, fp)) + { + size_t n = strlen (line); + int got_line = 0; + char *p, *pend; + + lnr++; + if (!n || line[n-1] != '\n') + { + err ("%s:%d: trailing linefeed missing, line too long or " + "embedded Nul character", fname, lnr); + break; + } + line[--n] = 0; + + /* Kludge to allow indentation of tables. */ + for (p=line; *p == ' ' || *p == '\t'; p++) + ; + if (*p) + { + if (*p == '@' && !strncmp (p+1, "item", 4)) + item_indent = p - line; /* Set a new indent level. */ + else if (p - line < item_indent) + item_indent = 0; /* Switch off indention. */ + + if (item_indent) + { + memmove (line, line+item_indent, n - item_indent + 1); + n -= item_indent; + } + } + + + if (*line == '@') + { + for (p=line+1, n=1; *p && *p != ' ' && *p != '\t'; p++) + n++; + while (*p == ' ' || *p == '\t') + p++; + } + else + p = line; + + /* Take action on macro. */ + if (macroname) + { + if (n == 4 && !memcmp (line, "@end", 4) + && (line[4]==' '||line[4]=='\t'||!line[4]) + && !strncmp (p, "macro", 5) + && (p[5]==' '||p[5]=='\t'||!p[5])) + { + if (macrovalueused) + macrovalue[--macrovalueused] = 0; /* Kill the last LF. */ + macrovalue[macrovalueused] = 0; /* Terminate macro. */ + macrovalue = xrealloc (macrovalue, macrovalueused+1); + + set_macro (macroname, macrovalue); + macrovalue = NULL; + free (macroname); + macroname = NULL; + } + else + { + if (macrovalueused + strlen (line) + 2 >= macrovaluesize) + { + macrovaluesize += strlen (line) + 256; + macrovalue = xrealloc (macrovalue, macrovaluesize); + } + strcpy (macrovalue+macrovalueused, line); + macrovalueused += strlen (line); + macrovalue[macrovalueused++] = '\n'; + } + continue; + } + + + if (n >= 5 && !memcmp (line, "@node", 5) + && (line[5]==' '||line[5]=='\t'||!line[5])) + { + /* Completey ignore @node lines. */ + continue; + } + + + if (skip_sect_line) + { + skip_sect_line = 0; + if (!strncmp (line, "@section", 8) + || !strncmp (line, "@subsection", 11) + || !strncmp (line, "@chapheading", 12)) + continue; + } + + /* We only parse lines we need and ignore the rest. There are a + few macros used to control this as well as one @ifset + command. Parts we know about are saved away into containers + separate for each section. */ + + /* First process ifset/ifclear commands. */ + if (*line == '@') + { + if (n == 6 && !memcmp (line, "@ifset", 6) + && (line[6]==' '||line[6]=='\t')) + { + for (p=line+7; *p == ' ' || *p == '\t'; p++) + ; + if (!*p) + { + err ("%s:%d: name missing after \"@ifset\"", fname, lnr); + continue; + } + for (pend=p; *pend && *pend != ' ' && *pend != '\t'; pend++) + ; + *pend = 0; /* Ignore rest of the line. */ + push_condition (p, 1, fname, lnr); + continue; + } + else if (n == 8 && !memcmp (line, "@ifclear", 8) + && (line[8]==' '||line[8]=='\t')) + { + for (p=line+9; *p == ' ' || *p == '\t'; p++) + ; + if (!*p) + { + err ("%s:%d: name missing after \"@ifsclear\"", fname, lnr); + continue; + } + for (pend=p; *pend && *pend != ' ' && *pend != '\t'; pend++) + ; + *pend = 0; /* Ignore rest of the line. */ + push_condition (p, 0, fname, lnr); + continue; + } + else if (n == 4 && !memcmp (line, "@end", 4) + && (line[4]==' '||line[4]=='\t') + && !strncmp (p, "ifset", 5) + && (p[5]==' '||p[5]=='\t'||!p[5])) + { + pop_condition (1, fname, lnr); + continue; + } + else if (n == 4 && !memcmp (line, "@end", 4) + && (line[4]==' '||line[4]=='\t') + && !strncmp (p, "ifclear", 7) + && (p[7]==' '||p[7]=='\t'||!p[7])) + { + pop_condition (0, fname, lnr); + continue; + } + } + + /* Take action on ifset/ifclear. */ + if (!cond_is_active) + continue; + + /* Process commands. */ + if (*line == '@') + { + if (skip_to_end + && n == 4 && !memcmp (line, "@end", 4) + && (line[4]==' '||line[4]=='\t'||!line[4])) + { + skip_to_end = 0; + } + else if (cond_in_verbatim) + { + got_line = 1; + } + else if (n == 6 && !memcmp (line, "@macro", 6)) + { + macroname = xstrdup (p); + macrovalue = xmalloc ((macrovaluesize = 1024)); + macrovalueused = 0; + } + else if (n == 4 && !memcmp (line, "@set", 4)) + { + set_variable (p); + } + else if (n == 8 && !memcmp (line, "@manpage", 8)) + { + free (*section_name); + *section_name = NULL; + finish_page (); + start_page (p); + in_pause = 0; + } + else if (n == 8 && !memcmp (line, "@mansect", 8)) + { + if (!thepage.name) + err ("%s:%d: section outside of a man page", fname, lnr); + else + { + free (*section_name); + *section_name = ascii_strupr (xstrdup (p)); + in_pause = 0; + skip_sect_line = 1; + } + } + else if (n == 9 && !memcmp (line, "@manpause", 9)) + { + if (!*section_name) + err ("%s:%d: pausing outside of a man section", fname, lnr); + else if (in_pause) + err ("%s:%d: already pausing", fname, lnr); + else + in_pause = 1; + } + else if (n == 8 && !memcmp (line, "@mancont", 8)) + { + if (!*section_name) + err ("%s:%d: continue outside of a man section", fname, lnr); + else if (!in_pause) + err ("%s:%d: continue while not pausing", fname, lnr); + else + in_pause = 0; + } + else if (n == 5 && !memcmp (line, "@menu", 5) + && (line[5]==' '||line[5]=='\t'||!line[5])) + { + skip_to_end = 1; + } + else if (n == 8 && !memcmp (line, "@include", 8) + && (line[8]==' '||line[8]=='\t'||!line[8])) + { + char *incname = xstrdup (p); + FILE *incfp = fopen (incname, "r"); + + if (!incfp && opt_include && *opt_include && *p != '/') + { + free (incname); + incname = xmalloc (strlen (opt_include) + 1 + + strlen (p) + 1); + strcpy (incname, opt_include); + if ( incname[strlen (incname)-1] != '/' ) + strcat (incname, "/"); + strcat (incname, p); + incfp = fopen (incname, "r"); + } + + if (!incfp) + err ("can't open include file '%s': %s", + incname, strerror (errno)); + else + { + parse_file (incname, incfp, section_name, in_pause); + fclose (incfp); + } + free (incname); + } + else if (n == 4 && !memcmp (line, "@bye", 4) + && (line[4]==' '||line[4]=='\t'||!line[4])) + { + break; + } + else if (!skip_to_end) + got_line = 1; + } + else if (!skip_to_end) + got_line = 1; + + if (got_line && cond_in_verbatim) + add_content (*section_name, line, 1); + else if (got_line && thepage.name && *section_name && !in_pause) + add_content (*section_name, line, 0); + + } + if (ferror (fp)) + err ("%s:%d: read error: %s", fname, lnr, strerror (errno)); + free (macroname); + free (macrovalue); + free (line); +} + + +static void +top_parse_file (const char *fname, FILE *fp) +{ + char *section_name = NULL; /* Name of the current section or NULL + if not in a section. */ + macro_t m; + + while (macrolist) + { + macro_t next = macrolist->next; + free (macrolist->value); + free (macrolist); + macrolist = next; + } + while (variablelist) + { + macro_t next = variablelist->next; + free (variablelist->value); + free (variablelist); + variablelist = next; + } + for (m=predefinedmacrolist; m; m = m->next) + set_macro (m->name, xstrdup ("1")); + cond_is_active = 1; + cond_in_verbatim = 0; + + parse_file (fname, fp, §ion_name, 0); + free (section_name); + finish_page (); +} + + +int +main (int argc, char **argv) +{ + int last_argc = -1; + const char *s; + + opt_source = "GNU"; + opt_release = ""; + + /* Define default macros. The trick is that these macros are not + defined when using the actual texinfo renderer. */ + add_predefined_macro ("isman"); + add_predefined_macro ("manverb"); + + /* Option parsing. */ + if (argc) + { + argc--; argv++; + } + while (argc && last_argc != argc ) + { + last_argc = argc; + if (!strcmp (*argv, "--")) + { + argc--; argv++; + break; + } + else if (!strcmp (*argv, "--help")) + { + puts ( + "Usage: " PGM " [OPTION] [FILE]\n" + "Extract man pages from a Texinfo source.\n\n" + " --source NAME use NAME as source field\n" + " --release STRING use STRING as the release field\n" + " --date EPOCH use EPOCH as publication date\n" + " --store write output using @manpage name\n" + " --select NAME only output pages with @manpage NAME\n" + " --verbose enable extra informational output\n" + " --debug enable additional debug output\n" + " --help display this help and exit\n" + " -I DIR also search in include DIR\n" + " -D gpgone the only usable define\n\n" + "With no FILE, or when FILE is -, read standard input.\n\n" + "Report bugs to <bugs@g10code.com>."); + exit (0); + } + else if (!strcmp (*argv, "--version")) + { + puts (PGM " " VERSION "\n" + "Copyright (C) 2005 g10 Code GmbH\n" + "This program comes with ABSOLUTELY NO WARRANTY.\n" + "This is free software, and you are welcome to redistribute it\n" + "under certain conditions. See the file COPYING for details."); + exit (0); + } + else if (!strcmp (*argv, "--verbose")) + { + verbose = 1; + argc--; argv++; + } + else if (!strcmp (*argv, "--quiet")) + { + quiet = 1; + argc--; argv++; + } + else if (!strcmp (*argv, "--debug")) + { + verbose = debug = 1; + argc--; argv++; + } + else if (!strcmp (*argv, "--source")) + { + argc--; argv++; + if (argc) + { + opt_source = *argv; + argc--; argv++; + } + } + else if (!strcmp (*argv, "--release")) + { + argc--; argv++; + if (argc) + { + opt_release = *argv; + argc--; argv++; + } + } + else if (!strcmp (*argv, "--date")) + { + argc--; argv++; + if (argc) + { + opt_date = *argv; + argc--; argv++; + } + } + else if (!strcmp (*argv, "--store")) + { + opt_store = 1; + argc--; argv++; + } + else if (!strcmp (*argv, "--select")) + { + argc--; argv++; + if (argc) + { + opt_select = strrchr (*argv, '/'); + if (opt_select) + opt_select++; + else + opt_select = *argv; + argc--; argv++; + } + } + else if (!strcmp (*argv, "-I")) + { + argc--; argv++; + if (argc) + { + opt_include = *argv; + argc--; argv++; + } + } + else if (!strcmp (*argv, "-D")) + { + argc--; argv++; + if (argc) + { + add_predefined_macro (*argv); + argc--; argv++; + } + } + } + + if (argc > 1) + die ("usage: " PGM " [OPTION] [FILE] (try --help for more information)\n"); + + /* Take care of supplied timestamp for reproducible builds. See + * https://reproducible-builds.org/specs/source-date-epoch/ */ + if (!opt_date && (s = getenv ("SOURCE_DATE_EPOCH")) && *s) + opt_date = s; + + /* Start processing. */ + if (argc && strcmp (*argv, "-")) + { + FILE *fp = fopen (*argv, "rb"); + if (!fp) + die ("%s:0: can't open file: %s", *argv, strerror (errno)); + top_parse_file (*argv, fp); + fclose (fp); + } + else + top_parse_file ("-", stdin); + + return !!any_error; +} + + +/* +Local Variables: +compile-command: "gcc -Wall -g -Wall -o yat2m yat2m.c" +End: +*/ |